Aruba Branch Access Point (AP) Configuration
Assign Access Points to Group
Step 1 On the Organization page, select Device Preprovisioning.
Step 2 In the Serial column, enter the serial number of the AP.
Step 3 Select the AP, then click the Item Selected button.
Step 4 In the Assign a Group window, select the BR-ECE-SDW-S group created previously.
Step 5 Click Move.
Step 6 Click Ok.
Step 7 Repeat this process for each switch.
Note: If devices have already reached out to Central, they will be in the unprovisioned group, where they can also be selected and moved to the correct group.
Set Firmware Compliance
Step 1 In the left pane click Global, and select the BR-ECE-SDW-S group.
Step 2 In the left pane, select Firmware.
Step 3 Click the Access Point tab in the group, then click the gear icon to set the compliance.
Step 4 Click the toggle to turn on Firmware compliance.
Step 5 Set the Access Point Firmware to 10.4.0.0_86033.
Step 6 Click Save, then click Ok.
Step 7 Repeat steps 1-6 for the BR-ECE-SDW-M group.
AP Group Navigation
This procedure locates and opens the AP group.
Step 1 Go to Global > Groups. In the Groups list, select BR-ECE-SDW-S.
Step 2 With the Access Point tab selected, click the gear icon.
Step 3 Set the Group Password.
Step 4 Click OK.
Configure the WPA3-Enterprise Wireless LAN
Use this procedure to configure a WPA3-Enterprise SSID.
WPA3-Enterprise enables authentication using passwords or certificates to identify users and devices. The wireless client authenticates against a RADIUS server using an EAP-TLS exchange, and the AP acts as a relay. Both the client and the RADIUS server use certificates to verify their identities.
Note: WPA2 can be used instead, because some devices do not support WPA3.
Step 1 From the Access Point page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click (+) Add SSID.
Step 2 In the Create a New Network page on the General tab, expand Advanced Settings.
Step 3 Configure SSID Name: OWL-CORP
Step 4 Click the + (plus sign) to expand Broadcast/Multicast.
- Change the Broadcast filtering to All.
- Enable DMO, and set the DMO Client Threshold to 40.
Note: A DMO Client Threshold of 40 is the recommended initial value and should be adjusted based on actual performance.
Step 5 Click the + (plus sign) to expand Transmit Rates (Legacy Only).
- Set 2.4 GHz to Min: 5 and Max: 54.
- Set 5 GHz to Min: 18 and Max: 54.
Step 6 Click Next.
Configure SSID VLAN
On the VLANs tab, assign the following settings:
Step 1 Set the Traffic Forwarding Mode to Bridge.
Step 2 Set the Client VLAN Assignment: Static (default).
Step 3 Enter the Employee VLAN ID: 101
Step 5 Click Next.
Configure SSID Security Settings
WPA3 provides significant security improvements over WPA2 and should be used when possible. Consult relevant endpoint documentation to confirm support.
On the Security tab, assign the following settings:
Step 1 Security Level: Slide to Enterprise
Step 2 Key Management: WPA3 Enterprise CCM 128
Step 3 On the Security tab, click the + (plus sign) next to Primary Server.
Step 4 In the New Server window, assign the following settings, then click OK.
- Set Server Type to RADIUS.
- Name the server cppm-01
- Enter the RADIUS IP Address: 10.2.120.94
- Enter the Shared Key: shared key
Step 5 Scroll down and enable Dynamic Authorization.
- Enter the CPPM username: admin
- Enter the password: password
- Retype the password: password
Note: It is important to record the Shared Key created above for use when configuring ClearPass Policy Manager in the procedure below.
Step 6 Repeat the three previous steps for the second CPPM server using the appropriate values.
Step 7 Enable Load Balancing by selecting the toggle.
Note: Best practice is to deploy 2 RADIUS servers and enable load balancing.
Step 8 On the Security tab, expand Advanced Settings and scroll down.
Step 9 Click the + (plus sign) to expand Fast Roaming.
Step 10 Ensure that Opportunistic Key Caching is enabled.
Step 11 Enable 802.11K.
Configure Network Access Rules
Tunnel mode SSID restrictions are configured on the Gateway.
Step 1 On the Access tab, ensure that Access Rules is set to Unrestricted.
Step 2 On the Summary tab, review the settings and click Finish.
Configure the Visitor Wireless LAN
Use this procedure to configure a visitor SSID.
Step 1 On the Access Points page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click (+) Add SSID.
Step 2 Configure SSID Name: OWL-GUEST
Step 3 On the Create a New Network page of the General tab, expand Advanced Settings.
Step 4 Click the + (plus sign) to expand Broadcast/Multicast.
- Change the Broadcast filtering to All.
- Enable DMO, and set the DMO Client Threshold to 40.
Note: A DMO Client Threshold of 40 is the recommended initial value and should be adjusted based on actual performance results.
Step 5 Click the (+) sign to expand Transmit Rates (Legacy Only).
- Set 2.4 GHz to Min: 5, Max: 54.
- Set 5 GHz to Min: 18, Max: 54.
Step 6 On the General tab, scroll down, and click the + (plus sign) to expand Time Range Profiles.
Step 7 In the middle of the section, click (+) New Time Range Profile.
Step 8 In the New Profile window, assign the following settings, then click Save.
- Configure the Name: Visitor Weekdays.
- Ensure the Type is Periodic.
- Set Repeat to Daily.
- Set the Day Range: Monday - Friday (Weekdays) (This can be changed to fit other environments).
- Set the Start Time Hours: 7, Minutes: 0.
- Set the End Time Hours: 18, Minutes: 0.
Step 9 In the Time Range Profiles section in the Status dropdown, find the newly created profile, and select Enabled. At the bottom of the page, click Next.
Configure VLANs
Step 1 On the VLANs tab, assign the following settings, then click Next.
- Set the Traffic Forwarding Mode to Bridge.
- VLAN ID: Guest(104).
Note: When tunneling to the branch gateway, ensure that the VLAN line protocol is up by verifying that the VLAN is trunked or that a forced operational state of up is configured on the branch gateway.
Configure Security
Step 1 On the Security tab, assign the following settings.
- Set the Security Level to Visitors.
- Captive Portal Type: External.
Step 2 In the Splash Page section, click the + (plus sign) next to Captive Portal Profile.
Step 3 In the External Captive Portal-New window, assign the following settings, then click OK.
- Enter the Name: OWL-Portal.
- Set the Authentication Type: RADIUS Authentication.
- Enter the Clearpass IP or Hostname: cppm.example.local.
- Enter the captive portal URL: /guest/example_guest.php.
- Verify the Port is 443.
- Set the Redirect URL: http://www.arubanetworks.com.
Step 4 On the Security tab of the Splash Page section, click the dropdown next to Primary Server. Select the RADIUS server created in the WPA3 Enterprise section. Ensure that the Secondary server is selected as well. Enable Load Balancing.
Step 5 If the RADIUS server was not created in the WPA3 section, follow the steps below to configure the RADIUS server.
Step 6 On the Security tab, click the + (plus sign) next to Primary Server.
Step 7 In the New Server window, assign the following settings, then click OK.
- Set Server Type to RADIUS.
- Name the server cppm-01.
- Enter the RADIUS IP address: 10.2.120.94.
- Enter the Shared Key: shared key.
Note: It is important to record the Shared Key created above for use when configuring ClearPass Policy Manager in the procedure below.
Step 8 Repeat the two previous steps for the second CPPM server using the appropriate values.
Step 9 Enable Load Balancing by selecting the toggle.
Step 10 Click the Encryption toggle.
Step 11 Select WPA2 Personal from the dropdown.
Step 12 Enter a Passphrase, then click Next.
![2023-03-17_19-32-50](../Media/2023-03-17_19-32-50.png)
Note: The Captive Portal Profile requires information from the CPPM server on the network. For detailed steps, see Appendix 1: How to Find ClearPass Details for the Visitor WLAN.
Configure Access For Guest SSID
In most cases, the visitor needs access only to DHCP and DNS services, and HTTP/HTTPS access to all destinations on the Internet. To prevent access to internal resources, add an exception network and mask covering the internal IP addresses to the HTTP and HTTPS allow rules.
Step 1 On the Access tab, move the slider to Unrestricted.
Step 2 Click Next.
Note: The Guest policy is enforced by the EdgeConnect gateway, so no policy needs to be set on the AP.
Step 3 On the Summary tab, review the settings, and click Finish.
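The guest access intent described at the start of this section (DHCP, DNS, and HTTP/HTTPS to everything except internal addresses), modelled as an added example that is not part of the original guide and is not Aruba or EdgeConnect configuration syntax. The internal prefixes (RFC 1918), the rule names and the helper functions are assumptions made for illustration; substitute the real internal networks.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: internal address space is RFC 1918; replace with the real internal prefixes.
INTERNAL = tuple(ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

@dataclass(frozen=True)
class AllowRule:
    name: str
    proto: str               # "tcp" or "udp"
    port: int                # destination port
    except_nets: tuple = ()  # destinations excluded from this allow rule

    def matches(self, proto, dst_ip, dst_port):
        if (proto, dst_port) != (self.proto, self.port):
            return False
        dst = ipaddress.ip_address(dst_ip)
        return not any(dst in net for net in self.except_nets)

# Hypothetical rule set: allow rules only, anything unmatched is denied.
GUEST_POLICY = [
    AllowRule("dhcp", "udp", 67),
    AllowRule("dns-udp", "udp", 53),
    AllowRule("dns-tcp", "tcp", 53),
    AllowRule("http", "tcp", 80, INTERNAL),
    AllowRule("https", "tcp", 443, INTERNAL),
]

def evaluate(proto, dst_ip, dst_port, policy=GUEST_POLICY):
    """Return the name of the first allow rule that matches, or 'deny'."""
    for rule in policy:
        if rule.matches(proto, dst_ip, dst_port):
            return rule.name
    return "deny"

def missing_exceptions(policy=GUEST_POLICY, internal=INTERNAL):
    """List (rule, prefix) pairs where a web allow rule still reaches an internal prefix."""
    findings = []
    for rule in policy:
        if rule.port in (80, 443):
            for net in internal:
                if not any(net.subnet_of(ex) for ex in rule.except_nets):
                    findings.append((rule.name, str(net)))
    return findings

if __name__ == "__main__":
    # Constructed sample flows: an internal server and a documentation-range Internet host.
    for flow in [("tcp", "10.2.120.94", 443), ("tcp", "203.0.113.10", 443)]:
        print(flow, "->", evaluate(*flow))
```

Running `missing_exceptions` against a rule set before it is pushed to the enforcing gateway catches an HTTP or HTTPS allow rule that was added without the internal-network exception.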
Setting the Country Code
Once the access point comes online and is added to the group, the country code might need to be set. Use the following steps to set it.
Step 1 In the bottom left, select Set Country Code Now.
Step 2 In the popup menu, click the Country Code dropdown and select the appropriate country.
Step 3 Click Save next to the AP.
Step 4 Click Save.
Rename the Access Points
Step 1 Go to the BR-ECE-SDW-S group.
Step 2 Select Configuration.
Step 3 Select the Access Point tab.
Step 4 Click the pencil icon next to the AP.
Step 5 Enter the new AP name. In this example, it is BOIBR-AP01. Click Save Settings.
Assign WLAN Access Points to Site
The following procedure assigns access points to a site. Creating sites was shown in the “Preparing to Deploy” section of the guide.
Step 1 Go to Organization and select Site.
Step 2 Select Unassigned devices, and then use the Name filter to find the access points.
Step 3 Select the Access points, then drag them to the appropriate site.
Step 4 When the confirmation popup appears, click Yes.