Aruba Branch Access Point (AP) Configuration
This section describes the creation and configuration of the AP group to support wireless service in the branches.
Create an AP Group
This group was created in the “Preparing to Deploy” section. Do not follow this process if the group was created previously.
Step 1 In the left navigation pane, in the Maintain section, select Organization.
Step 2 Select the Groups tile.
Step 3 Click the + (plus sign) to create a New Group.
Open the AP Group
This procedure locates and opens the AP group.
Step 1 In the Global dropdown, search or select the group you created in the previous section.
Step 2 In the left navigation pane, in the Manage section, select Devices.
Step 3 Select the AP tab, then click the gear icon in the upper right corner.
Step 4 Click Cancel, then click Exit.
Configure the WPA3-Enterprise Wireless LAN
Use this procedure to configure a WPA3-Enterprise SSID.
WPA3-Enterprise authenticates users and devices with passwords or certificates. The wireless client authenticates against a RADIUS server using an EAP-TLS exchange, with the AP acting only as a relay for the EAP traffic. Both the client and the RADIUS server present certificates to verify their identities.
Step 1 From the Access Point page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click (+) Add SSID.
Step 2 In the Create a New Network page, on the General tab, expand Advanced Settings.
Step 3 Configure the SSID Name: EXAMPLE-CORP.
Step 4 Click the + (plus sign) to expand Broadcast/Multicast.
- Change the Broadcast filtering to All.
- Enable DMO, and set the DMO Client Threshold to 40.
Note: A DMO Client Threshold of 40 is the recommended initial value and should be adjusted based on actual performance.
Step 5 Click the + (plus sign) to expand Transmit Rates (Legacy Only).
- Set 2.4 GHz to Min: 5 and Max: 54.
- Set 5 GHz to Min: 18 and Max: 54.
Step 6 Click Next.
Configure SSID VLAN
On the VLANs tab, assign the following settings:
Step 1 Set the Traffic Forwarding Mode to Tunnel.
Step 2 Set the Primary Gateway Cluster to the UI-BGW-01-AUTO site cluster. Leave the Secondary Gateway Cluster at None (default).
Step 3 Leave the Client VLAN Assignment at Static (default).
Step 4 Select the Employee VLAN (101).
Step 5 Click Next.
Note: When tunneling to the branch gateway, ensure that the VLAN line protocol is up by verifying that the VLAN is trunked, or that forced operational state up is configured, on the branch gateway.
Configure SSID Security Settings
WPA3 provides significant security improvements over WPA2 and should be used when possible. Consult relevant endpoint documentation to confirm support.
On the Security tab, assign the following settings:
Step 1 Security Level: slide to Enterprise.
Step 2 Key Management: WPA3 Enterprise CCM 128.
Step 3 On the Security tab, click the + (plus sign) next to Primary Server.
Step 4 In the New Server window, assign the following settings, then click OK.
- Set Server Type to RADIUS.
- Name the server cppm-01.
- Enter the RADIUS IP Address: 10.2.120.94.
- Enter the Shared Key: shared key.
Note: It is important to record the Shared Key created above for use when configuring ClearPass Policy Manager in the procedure below.
Step 5 Repeat the two previous steps for the second CPPM server using the appropriate values.
Step 6 Enable Load Balancing by selecting the toggle.
Note: Best practice is to deploy two RADIUS servers and enable load balancing.
Step 7 On the Security tab, expand Advanced Settings and scroll down.
Step 8 Click the + (plus sign) to expand Fast Roaming.
Step 9 Ensure that Opportunistic Key Caching is enabled.
Step 10 Enable 802.11k.
Configure Network Access Rules
Restrictions for a tunnel-mode SSID are configured on the gateway, not on the AP.
Step 1 On the Access tab, ensure that Access Rules is set to Unrestricted.
Step 2 On the Summary tab, review the settings and click Finish.
Configure the Visitor Wireless LAN
Use this procedure to configure a visitor SSID.
Step 1 On the Access Points page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click (+) Add SSID.
Step 2 Configure the SSID Name: EXAMPLE-GUEST.
Step 3 On the Create a New Network page, on the General tab, expand Advanced Settings.
Step 4 Click the + (plus sign) to expand Broadcast/Multicast.
- Change the Broadcast filtering to All.
- Enable DMO, and set the DMO Client Threshold to 40.
Note: A DMO Client Threshold of 40 is the recommended initial value and should be adjusted based on actual performance results.
Step 5 Click the + (plus sign) to expand Transmit Rates (Legacy Only).
- Set 2.4 GHz to Min: 5, Max: 54.
- Set 5 GHz to Min: 18, Max: 54.
Step 6 On the General tab, scroll down, and click the + (plus sign) to expand Time Range Profiles.
Step 7 In the middle of the section, click (+) New Time Range Profile.
Step 8 In the New Profile window, assign the following settings, then click Save.
- Configure the Name: Visitor Weekdays.
- Ensure the Type is Periodic.
- Set Repeat to Daily.
- Set the Day Range: Monday - Friday (Weekdays). This can be changed to fit other environments.
- Set the Start Time Hours: 7, Minutes: 0.
- Set the End Time Hours: 18, Minutes: 0.
Step 9 In the Time Range Profiles section in the Status dropdown, find the newly created profile, and select Enabled. At the bottom of the page, click Next.
Configure VLANs
Step 1 On the VLANs tab, assign the following settings, then click Next.
- Set the Traffic Forwarding Mode to Tunnel.
- VLAN ID: Guest (104).
Note: When tunneling to the branch gateway, ensure that the VLAN line protocol is up by verifying that the VLAN is trunked, or that forced operational state up is configured, on the branch gateway.
Configure Security
Step 1 On the Security tab, assign the following settings.
- Set the Security Level to Visitors.
- Captive Portal Type: External.
Step 2 In the Splash Page section, click the + (plus sign) next to Captive Portal Profile.
Step 3 In the External Captive Portal-New window, assign the following settings, then click OK.
- Enter the Name: CPPM-Portal.
- Set the Authentication Type: RADIUS Authentication.
- Enter the ClearPass IP or Hostname: cppm.example.local.
- Enter the captive portal URL: /guest/example_guest.php.
- Verify the Port is 443.
- Set the Redirect URL: http://www.arubanetworks.com.
Step 4 On the Security tab, in the Splash Page section, click the dropdown next to Primary Server. Select the RADIUS server created in the WPA3-Enterprise section. Ensure that the Secondary server is selected as well. Enable Load Balancing.
Step 5 If the RADIUS server was not created in the WPA3-Enterprise section, follow the steps below to configure the RADIUS server.
Step 6 On the Security tab, click the + (plus sign) next to Primary Server.
Step 7 In the New Server window, assign the following settings, then click OK.
- Set Server Type to RADIUS.
- Name the server cppm-01.
- Enter the RADIUS IP address: 10.2.120.94.
- Enter the Shared Key: shared key.
Note: It is important to record the Shared Key created above for use when configuring ClearPass Policy Manager in the procedure below.
Step 8 Repeat the two previous steps for the second CPPM server using the appropriate values.
Step 9 Enable Load Balancing by selecting the toggle, then click Next.
Note: The Captive Portal Profile requires information from the CPPM server on the network. For detailed steps, see Appendix 1: How to Find ClearPass Details for the Visitor WLAN.
Configure Access For Guest SSID
In most cases, the visitor needs access only to DHCP and DNS services, and HTTP/HTTPS access to all destinations on the Internet. To prevent access to internal resources, add an exception network and mask covering the internal IP addresses to the HTTP and HTTPS allow rules.
Step 1 On the Access tab, move the slider to Network Based.
Step 2 Select the Allow any to all destinations rule, then click the pencil icon.
Step 3 In the Access Rules window, change the action from Allow to Deny, then click OK.
Step 4 On the Access tab, select (+) Add Rule.
Step 5 In the Access Rules window, assign the settings in the table below, then click OK.
Step 6 Repeat steps 4 and 5 for each row in the table.
Caution: Step 3 changes the default allow any to all destinations rule into a deny any to all destinations rule for visitor traffic. This deny rule must always be the last entry in the Access Rules, because rules are matched in order; placing it higher shadows the allow rules below it, and omitting it leaves internal network resources reachable.
Example: Access rules for visitors
| Rule type | Service type | Service name | Action | Destination |
|---|---|---|---|---|
| Access control | Network | DHCP | Allow | 10.2.120.98 (internal DHCP server) |
| Access control | Network | DHCP | Allow | 10.2.120.99 (internal DHCP server) |
| Access control | Network | DNS | Allow | 8.8.4.4 (well-known DNS server) |
| Access control | Network | DNS | Allow | 8.8.8.8 (well-known DNS server) |
| Access control | Network | HTTP | Allow | To all destinations, except internal |
| Access control | Network | HTTPS | Allow | To all destinations, except internal |
| Access control | Network | Any | Deny | To all destinations |
Step 7 Review the ACL, and select Next.
Step 8 On the Summary tab, review the settings, and click Finish.
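The following is an added example, not part of the Aruba guide, that models the visitor rule table above with first-match evaluation. It shows why the "except internal" qualifier on the HTTP/HTTPS rows and the trailing deny-all matter; the internal address space 10.0.0.0/8 and the TEST-NET address 203.0.113.10 are constructed assumptions, since the guide only says "internal".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed internal address space (constructed; the guide only says "internal").
# The 10.2.120.x servers from the table fall inside it.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Service name -> (protocol, destination port), as the rule table uses them.
SERVICES = {"DHCP": ("udp", 67), "DNS": ("udp", 53), "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443)}


@dataclass
class Rule:
    service: str                        # key of SERVICES, or "Any"
    action: str                         # "Allow" or "Deny"
    destination: Optional[str] = None   # single host; None means "all destinations"
    except_internal: bool = False       # the "except internal" qualifier in the table

    def matches(self, proto: str, port: int, dst) -> bool:
        if self.service != "Any" and SERVICES[self.service] != (proto, port):
            return False
        if self.destination is not None and dst != ipaddress.ip_address(self.destination):
            return False
        if self.except_internal and any(dst in net for net in INTERNAL_NETS):
            return False
        return True


# The visitor rule table from the text, in the order the Caution requires.
VISITOR_RULES: List[Rule] = [
    Rule("DHCP", "Allow", "10.2.120.98"),
    Rule("DHCP", "Allow", "10.2.120.99"),
    Rule("DNS", "Allow", "8.8.4.4"),
    Rule("DNS", "Allow", "8.8.8.8"),
    Rule("HTTP", "Allow", except_internal=True),
    Rule("HTTPS", "Allow", except_internal=True),
    Rule("Any", "Deny"),
]


def evaluate(rules: List[Rule], proto: str, port: int, dst: str) -> str:
    """First-match evaluation; a flow that matches no rule is treated as denied."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, port, dst_ip):
            return rule.action
    return "Deny"


def deny_all_is_last(rules: List[Rule]) -> bool:
    """Check the Caution in the text: exactly one catch-all deny, and it is the final entry."""
    catch_all = [r for r in rules if r.service == "Any" and r.action == "Deny" and r.destination is None]
    return len(catch_all) == 1 and rules[-1] is catch_all[0]
```

Running the same flows against a copy of the table with the deny-all moved to the top shows every allow rule shadowed, and an HTTPS rule without the internal exception lets a visitor reach 10.2.120.94.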
Configure the WLAN Access Points
After a branch is operational, the access points automatically create a virtual controller (VC) cluster and join the default group.
Assign the WLAN AP Group
Step 1 In the dropdown, verify that All Devices is selected.
Step 2 In the left navigation pane, in the Manage section, select Devices.
Step 3 On the Access Points tab, in the Access Points section, identify the MAC addresses of the APs and assign them to the UI-AP-BR01 group.
Step 4 In the left navigation pane, in the Maintain section, select Organization.
Step 5 Drag the virtual controller into the configured AP group. All access points in the site are automatically moved to the AP group.
Assign WLAN Access Points to Site
The following procedure assigns access points to a site. Creating sites was shown in the “Preparing to Deploy” section of the guide.
Step 1 Go to Organization and select Site.
Step 2 Select Unassigned devices, assign the APs to the correct site, then click Yes.
Rename the Access Points
Step 1 Go to the UI-AP-BR01 group.
Step 2 Select Configuration.
Step 3 Select the AP, then click the pencil icon.
Step 4 Enter the new AP name. In this example, it is RS01-AP01. Click Save Settings.