
Friday, April 6, 2018

Aruba Remote AP (RAP) Configuration step-by-step


Aruba OS version: 6.5.4.5 build 63925

This guide walks through configuring an Aruba Remote AP (RAP) step by step, from the mobility controller (MC) side to the AP's boot loader.

I will use the following topology:

Device/Host   IP Address      Description
Aruba MC      192.168.99.1    Internal address, used as master IP address
Campus AP     192.168.99.2    Internal IP
FW #1         192.168.99.254  Internal IP
              10.0.0.1        External IP
FW #2         172.16.0.254    Internal IP
              10.0.0.2        External IP
Remote AP     172.16.0.5      Internal IP

Both the Aruba MC and the remote AP sit behind firewalls that NAT their traffic towards the internet.
     1.    Log in to the MC
     2.    Go to Configuration -> Advanced Services -> VPN Services -> IPSEC
     3.    Under Address Pools click Add
     4.    Configure an address pool for the remote APs (these are the inner IPsec addresses the RAPs will receive, so pick a range that does not overlap either site's LAN):
     5.    Click Done
     6.    Under NAT-T check Enable NAT-T:
     7.    Scroll down and click Apply
     8.    Next go to Configuration -> Wireless -> AP Configuration and create a new group for the remote APs
     9.    In the group (KS-RAP in this example) go to AP -> AP system profile and create a new profile for this group:
     10.  In this profile make sure that the LMS IP address is the MC's external IP (10.0.0.1 here, the address of FW #1 that the RAP can actually reach, not the internal 192.168.99.1):
     11.  Now go to Configuration -> Wireless -> AP Installation -> Whitelist, click on Remote AP and then click on Entries:
     12.  Insert the MAC address of the remote AP into the MC localdb, choose the newly created AP group (KS-RAP) and click Add:
     13.  Click Save Configuration on the MC to save all changes.

Next let's configure the remote AP. Connect to the RAP with a console cable, power it on and:
     1.    Press Enter to stop the autoboot process
     2.    Type setenv remote_ap 1
     3.    Type setenv master 10.0.0.1
     4.    Type setenv serverip 10.0.0.1
     5.    Type saveenv
     6.    Type boot

Both master and serverip point at the external IP of FW #1 (10.0.0.1), not at the MC's internal address, because the RAP only ever reaches the MC through the NAT on firewall #1.


NAT Traversal

Because both firewalls are doing NAT, the RAP and the MC have to use IPsec NAT traversal (NAT-T, UDP port 4500) to talk to each other.
On firewall #1 we need a static NAT with port forwarding that delivers UDP port 4500 arriving on the external address (10.0.0.1) to the MC's internal address (192.168.99.1), i.e. outside to inside, while on FW #2 we need a policy that allows the remote AP (172.16.0.5) to send UDP port 4500 outbound. Keep the forwarding rule on FW #1 limited to UDP 4500 rather than exposing the whole MC.

Each firewall/router configuration is different and it's not part of the scope of this post.
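As an added sanity check (my own script, not part of the original post and not an Aruba tool), the following Python collects the values from the topology table, the MC steps and the apboot steps above, and flags the mistakes that most often break a RAP deployment: pointing master/serverip or the LMS IP at the MC's internal address instead of FW #1's external one, an IPsec address pool that overlaps either site's LAN, and a malformed whitelist MAC. It then prints the apboot commands and the UDP/4500 rule each firewall must provide. The address pool 192.168.200.10-250 and the MAC 00-0B-86-AA-BB-CC are assumed values; the rest comes from the post.

```python
"""Sanity-check a RAP deployment plan before touching the MC or the AP.

Added example for this post; not part of ArubaOS and not the post's own
code. Topology values are the ones from the post; the pool and MAC are
assumed.
"""
import ipaddress
import re

# Topology from the post (constructed input for this example).
TOPOLOGY = {
    "mc_internal": "192.168.99.1",
    "mc_side_lan": "192.168.99.0/24",
    "fw1_external": "10.0.0.1",   # the only MC address the RAP can reach
    "rap_side_lan": "172.16.0.0/24",
    "fw2_external": "10.0.0.2",
    "rap_internal": "172.16.0.5",
}

# Values about to be typed into the MC GUI and into apboot (assumed).
PLAN = {
    "pool_start": "192.168.200.10",
    "pool_end": "192.168.200.250",
    "lms_ip": "10.0.0.1",
    "master": "10.0.0.1",
    "rap_mac": "00-0B-86-AA-BB-CC",  # any separator accepted, see normalize_mac
    "ap_group": "KS-RAP",
}


def normalize_mac(mac: str) -> str:
    """Return the MAC as lower-case colon-separated pairs, or raise ValueError."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_plan(topo: dict, plan: dict) -> list:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems = []
    mc_lan = ipaddress.ip_network(topo["mc_side_lan"])
    rap_lan = ipaddress.ip_network(topo["rap_side_lan"])
    fw1_ext = ipaddress.ip_address(topo["fw1_external"])

    # The RAP reaches the MC only via FW #1's external address, so both the
    # apboot 'master' and the LMS IP in the AP system profile must be that.
    for key in ("master", "lms_ip"):
        addr = ipaddress.ip_address(plan[key])
        if addr in mc_lan:
            problems.append(
                f"{key} {addr} is on the MC's internal LAN; the RAP cannot reach it through NAT")
        elif addr != fw1_ext:
            problems.append(f"{key} {addr} does not match FW #1's external address {fw1_ext}")

    # Inner IPsec addresses handed to RAPs must not collide with either LAN,
    # otherwise routing for the pool and for the LAN becomes ambiguous.
    start = ipaddress.ip_address(plan["pool_start"])
    end = ipaddress.ip_address(plan["pool_end"])
    if int(start) > int(end):
        problems.append(f"address pool start {start} is after pool end {end}")
    else:
        pool_nets = list(ipaddress.summarize_address_range(start, end))
        for lan in (mc_lan, rap_lan):
            if any(n.overlaps(lan) for n in pool_nets):
                problems.append(f"address pool {start}-{end} overlaps {lan}")

    try:
        normalize_mac(plan["rap_mac"])
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def apboot_commands(plan: dict) -> list:
    """Console commands from the post, with master/serverip taken from the plan."""
    return [
        "setenv remote_ap 1",
        f"setenv master {plan['master']}",
        f"setenv serverip {plan['master']}",
        "saveenv",
        "boot",
    ]


def firewall_requirements(topo: dict) -> dict:
    """The UDP/4500 (IPsec NAT-T) reachability each firewall must provide."""
    return {
        "fw1": (f"forward udp/4500 arriving on {topo['fw1_external']} "
                f"to {topo['mc_internal']}:4500 (outside to inside, this port only)"),
        "fw2": f"permit udp/4500 from {topo['rap_internal']} to {topo['fw1_external']} (outbound)",
    }


if __name__ == "__main__":
    for line in check_plan(TOPOLOGY, PLAN) or ["plan is consistent"]:
        print(line)
    print("whitelist entry:", normalize_mac(PLAN["rap_mac"]), "->", PLAN["ap_group"])
    print("\n".join(apboot_commands(PLAN)))
    for fw, rule in firewall_requirements(TOPOLOGY).items():
        print(fw, rule)
```

Run it once with the real values before the change window; a plan that points master or LMS at 192.168.99.1 is the classic reason a freshly converted RAP never shows up on the MC, and the overlap check saves a tunnel that comes up but cannot route.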

Remote AP Authentication

In the following example I'm using certificate-based authentication: the RAP presents its factory-installed certificate, and the MC authorizes the RAP by looking up its MAC address in the localdb (the Remote AP whitelist configured in step 12). This lets us pre-provision an AP that has never connected to the MC before.
We can also use an IPsec PSK instead, but that requires the RAP to be connected to the MC as a campus AP and provisioned there before it is converted to a RAP.
Note that the whitelist on its own is an authorization list, not an authentication control: a MAC address is trivially spoofable, and it is the certificate check during IPsec setup that proves the device is the RAP it claims to be. Keep the whitelist limited to the APs you actually deploy and remove entries for decommissioned units.