07-Mar-24

Aruba Branch Access Point (AP) Configuration

Assign Access Points to Group

Step 1 On the Organization page, select Device Preprovisioning.

Step 2 In the Serial column, enter the serial number of the AP.

Step 3 Select the AP, then click the Item Selected button.

Step 4 In the Assign a Group window, select the BR-ECE-SDW-S group created previously.

Step 5 Click Move.

Step 6 Click OK.

Step 7 Repeat this process for each switch.

Note: If devices have already reached out to Central, they will be in the unprovisioned group, where they can also be selected and moved to the correct group.

Set Firmware Compliance

Step 1 In the left pane, click Global and select the BR-ECE-SDW-S group.

Step 2 In the left pane, select Firmware.

Step 3 Click the Access Point tab in the group, then click the gear icon to set the compliance.

Step 4 Click the toggle to turn on Firmware compliance.

Step 5 Set the Access Point Firmware to 10.4.0.0_86033.

Step 6 Click Save, then click OK.

Step 7 Repeat steps 1-6 for the BR-ECE-SDW-M group.

AP Group Navigation

This procedure locates and opens the AP group.

Step 1 Go to Global > Groups. In the Groups list, select BR-ECE-SDW-S.

Step 2 With the Access Point tab selected, click the gear icon.

Step 3 Set the Group Password.

Step 4 Click OK.

Configure the WPA3-Enterprise Wireless LAN

Use this procedure to configure a WPA3-Enterprise SSID.

WPA3-Enterprise enables authentication using passwords or certificates to identify users and devices. The wireless client authenticates against a RADIUS server using an EAP-TLS exchange, and the AP acts as a relay. Both the client and the RADIUS server use certificates to verify their identities.

Note: WPA2 can be used instead, because some devices do not support WPA3.

Step 1 From the Access Point page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click (+) Add SSID.

Step 2 In the Create a New Network page on the General tab, expand Advanced Settings.

Step 3 Configure SSID Name: OWL-CORP

Step 4 Click the + (plus sign) to expand Broadcast/Multicast.

  • Change the Broadcast filtering to All.
  • Enable DMO, and set the DMO Client Threshold to 40.

Note: A DMO Client Threshold of 40 is the recommended initial value and should be adjusted based on actual performance.

Step 5 Click the + (plus sign) to expand Transmit Rates (Legacy Only).

  • Set 2.4 GHz to Min: 5 and Max: 54.
  • Set 5 GHz to Min: 18 and Max: 54.

Step 6 Click Next.

Configure SSID VLAN

On the VLANs tab, assign the following settings:

Step 1 Set the Traffic Forwarding Mode to Bridge.

Step 2 Set the Client VLAN Assignment: Static (default).

Step 3 Enter the Employee VLAN ID: 101

Step 5 Click Next.

Configure SSID Security Settings

WPA3 provides significant security improvements over WPA2 and should be used when possible. Consult relevant endpoint documentation to confirm support.

On the Security tab, assign the following settings:

Step 1 Security Level: Slide to Enterprise

Step 2 Key Management: WPA3 Enterprise CCM 128

Step 3 On the Security tab, click the + (plus sign) next to Primary Server.

Step 4 In the New Server window, assign the following settings, then click OK.

  • Set Server Type to RADIUS.
  • Name the server cppm-01
  • Enter the RADIUS IP Address: 10.2.120.94
  • Enter the Shared Key: shared key

Step 5 Scroll down and enable Dynamic Authorization.

  • Enter the CPPM username: admin
  • Enter the password: password
  • Retype the password: password

Note: It is important to record the Shared Key created above for use when configuring ClearPass Policy Manager in the procedure below.

Step 6 Repeat the three previous steps for the second CPPM server using the appropriate values.

Step 7 Enable Load Balancing by selecting the toggle.

Note: Best practice is to deploy 2 RADIUS servers and enable load balancing.

Step 8 On the Security tab, expand Advanced Settings and scroll down.

Step 9 Click the + (plus sign) to expand Fast Roaming.

Step 10 Ensure that Opportunistic Key Caching is enabled.

Step 11 Enable 802.11k.

Configure Network Access Rules

Tunnel mode SSID restrictions are configured on the Gateway.

Step 1 On the Access tab, ensure that Access Rules is set to Unrestricted.

Step 2 On the Summary tab, review the settings and click Finish.

Configure the Visitor Wireless LAN

Use this procedure to configure a visitor SSID.

Step 1 On the Access Points page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click (+) Add SSID.

Step 2 Configure SSID Name: OWL-GUEST

Step 3 On the Create a New Network page of the General tab, expand Advanced Settings.

Step 4 Click the + (plus sign) to expand Broadcast/Multicast.

  • Change the Broadcast filtering to All.
  • Enable DMO, and set the DMO Client Threshold to 40.

Note: A DMO Client Threshold of 40 is the recommended initial value and should be adjusted based on actual performance results.

Step 5 Click the (+) sign to expand Transmit Rates (Legacy Only).

  • Set 2.4 GHz to Min: 5, Max: 54.
  • Set 5 GHz to Min: 18, Max: 54.

Step 6 On the General tab, scroll down, and click the + (plus sign) to expand Time Range Profiles.

Step 7 In the middle of the section, click (+) New Time Range Profile.

Step 8 In the New Profile window, assign the following settings, then click Save.

  • Configure the Name: Visitor Weekdays.
  • Ensure the Type is Periodic.
  • Set Repeat to Daily.
  • Set the Day Range: Monday - Friday (Weekdays) (This can be changed to fit other environments).
  • Set the Start Time Hours: 7, Minutes: 0.
  • Set the End Time Hours: 18, Minutes: 0.

Step 9 In the Time Range Profiles section in the Status dropdown, find the newly created profile, and select Enabled. At the bottom of the page, click Next.

Configure VLANs

Step 1 On the VLANs tab, assign the following settings, then click Next.

  • Set the Traffic Forwarding Mode to Bridge.
  • VLAN ID: Guest(104).

Note: When tunneling to the branch gateway, ensure that the VLAN line protocol is up by verifying that the VLAN is trunked or that forced operational state up is configured on the branch gateway.

Configure Security

Step 1 On the Security tab, assign the following settings.

  • Set the Security Level to Visitors.
  • Captive Portal Type: External.

Step 2 In the Splash Page section, click the + (plus sign) next to Captive Portal Profile.

Step 3 In the External Captive Portal-New window, assign the following settings, then click OK.

  • Enter the Name: OWL-Portal.
  • Set the Authentication Type: RADIUS Authentication.
  • Enter the Clearpass IP or Hostname: cppm.example.local.
  • Enter the captive portal URL: /guest/example_guest.php.
  • Verify the Port is 443.
  • Set the Redirect URL: http://www.arubanetworks.com.

Step 4 On the Security tab of the Splash Page section, click the dropdown next to Primary Server. Select the RADIUS server created in the WPA3 Enterprise section. Ensure that the Secondary server is selected as well. Enable Load Balancing.

Step 5 If the RADIUS server was not created in the WPA3 section, follow the steps below to configure the RADIUS server.

Step 6 On the Security tab, click the + (plus sign) next to Primary Server.

Step 7 In the New Server window, assign the following settings, then click OK.

  • Set Server Type to RADIUS.
  • Name the server cppm-01.
  • Enter the RADIUS IP address: 10.2.120.94.
  • Enter the Shared Key: shared key.

Note: It is important to record the Shared Key created above for use when configuring ClearPass Policy Manager in the procedure below.

Step 8 Repeat the two previous steps for the second CPPM server using the appropriate values.

Step 9 Enable Load Balancing by selecting the toggle.

Step 10 Click the Encryption toggle.

Step 11 Select WPA-2 Personal from the dropdown.

Step 12 Enter a Passphrase, then click Next.

Note: The Captive Portal Profile requires information from the CPPM server on the network. For detailed steps, see Appendix 1: How to Find ClearPass Details for the Visitor WLAN.

Configure Access For Guest SSID

In most cases, the visitor needs access only to DHCP and DNS services, and HTTP/HTTPS access to all destinations on the Internet. To prevent access to internal resources, add an exception network and mask covering the internal IP addresses to the HTTP and HTTPS allow rules.

Step 1 On the Access tab, move the slider to Unrestricted.

Step 2 Click Next.

Note: The Guest policy will be enforced by the EdgeConnect gateway, so no policy needs to be set on the AP.

Step 3 On the Summary tab, review the settings, and click Finish.
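The guest policy described at the start of this section (DHCP, DNS, and HTTP/HTTPS to any destination except internal networks), modelled as a first-match rule table so it can be checked against sample flows. This is an added example, not HPE Aruba code or gateway configuration; the RFC 1918 ranges, the rule table, the function names and the sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: RFC 1918 space stands in for "the internal IP addresses".
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical first-match rule table: (protocol, dst port, except_internal).
# except_internal=True means the allow rule skips destinations in INTERNAL.
GUEST_RULES = [
    ("udp", 67, False),   # DHCP
    ("udp", 53, False),   # DNS
    ("tcp", 53, False),   # DNS over TCP
    ("tcp", 80, True),    # HTTP, internal networks excepted
    ("tcp", 443, True),   # HTTPS, internal networks excepted
]

def is_internal(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in INTERNAL)

def evaluate(proto, dst, port, rules=GUEST_RULES):
    """Return 'permit' or 'deny' for one guest flow (implicit deny at the end)."""
    for r_proto, r_port, except_internal in rules:
        if (proto, port) != (r_proto, r_port):
            continue
        if except_internal and is_internal(dst):
            continue  # exception network: this allow rule does not match
        return "permit"
    return "deny"

# Constructed sample flows: (protocol, destination, port).
SAMPLE_FLOWS = [
    ("udp", "255.255.255.255", 67),  # DHCP discover
    ("udp", "10.2.101.5", 53),       # DNS to an internal resolver
    ("tcp", "203.0.113.10", 443),    # HTTPS to the Internet
    ("tcp", "10.2.101.20", 443),     # HTTPS to an internal host
    ("tcp", "192.168.1.1", 80),      # HTTP to an internal host
    ("tcp", "203.0.113.10", 22),     # SSH, no matching allow rule
]

def audit(flows=SAMPLE_FLOWS):
    return [(f, evaluate(*f)) for f in flows]

if __name__ == "__main__":
    for flow, verdict in audit():
        print(f"{verdict:6} {flow[0]}/{flow[2]} -> {flow[1]}")
```

Passing a rule table without the exception flag to `evaluate` shows the gap the exception closes: the same internal HTTPS flow is then permitted.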

Setting the Country Code

Once the access point comes online and is added to the group, the country code might need to be set. Use the following steps to set the country code.

Step 1 In the bottom left, select Set Country Code Now.

Step 2 In the popup menu, click the Country Code dropdown and select the appropriate country.

Step 3 Click Save next to the AP.

Step 4 Click Save.

Rename the Access Points

Step 1 Go to the BR-ECE-SDW-S group.

Step 2 Select Configuration.

Step 3 Select the Access Point tab.

Step 4 Click the pencil icon next to the AP.

Step 5 Enter the new AP name. In this example, it is BOIBR-AP01. Click Save Settings.

Assign WLAN Access Points to Site

The following procedure assigns access points to a site. Creating sites was shown in the “Preparing to Deploy” section of the guide.

Step 1 Go to Organization and select Site.

Step 2 Select Unassigned devices, then use the Name filter to find the access points.

Step 3 Select the access points, then drag them to the appropriate site.

Step 4 When the confirmation popup appears, click Yes.

© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.