Basic RAP Setup with ArubaOS 8

This is the first post about Aruba Remote Access Points. There are several scenarios for this kind of AP, and this first post covers a basic RAP setup: connecting the RAP to Aruba Controllers and the required configuration on the Controller.

Basic RAP Setup: What is a Remote AP

From a hardware point of view, a Remote AP is a normal AP, which means any Aruba AP can be a RAP. It is just a different mode of operation. The main difference to a Campus AP (CAP) is the IPSec tunnel, which carries all traffic, including the wireless traffic, to the controller. This allows the RAP to be used outside of a secure network, e.g. in home offices or small branches.

The RAP uses the provisioned domain name or IP to build the IPSec tunnel to the controller and only needs access to the internet. After a successful connection to the controller, the RAP can extend the WLAN to the home office, small branch or whatever location the RAP is installed in. If the AP has additional LAN ports, they can be tunneled to the controller as well, extending the wired network too.

Before I moved to Central and IAP for my own setup, I was using a RAP to connect from customer sites and hotels to my home lab. I only needed to boot the RAP and wait for my own SSID to become available. Very easy and convenient.

Basic RAP Setup with a Standalone Controller

Even though the setup is almost the same, there are some differences when deploying RAPs with a Cluster compared to a deployment with standalone controllers. I will start with the standalone deployment. This deployment works with all deployment types except a Cluster.

On the controller, there is not much to configure. I use two standalone controllers, running ArubaOS 8.4.0.1 in a Master/Standby deployment.

The first step is to create an IP pool for the inner IP. The inner IP is the IP inside the IPSec tunnel. There is no need to route this IP pool in the network; it is only used for the communication between the Controller and the RAP through the IPSec tunnel.

To create this IP pool, go to “Configuration–>Services–>VPN” and select “General VPN”. Just click the “+” sign in the “Address Pool” table to create a new address pool:

Basic RAP Setup – Add IP Address Pool

Simply add the IP address pool. Use a meaningful name and enter the IP range. If you expect some of your RAPs to be behind a NAT device, as in most home deployments, enable the “NAT-T” option for NAT Traversal.

My test AP is already connected to the controller as a Campus AP. I need to provision this AP to become a Remote AP:

Basic RAP Setup – Provision AP

The important part is the “Deployment”, where you need to select “Remote”. If you are using virtual controllers, use the “self-signed” certificate as the “Trust anchor”. For a hardware-based controller, you do not need a trust anchor, as controller and AP use the certificates on their TPM chips to authenticate each other.

The “Controller IP/DNS name” is the VRRP IP of the two controllers.

If you read carefully, you should have seen that I used the wrong AP group in the picture above. So I needed to provision the RAP a second time. So always keep your eyes open before pressing submit 😊

To allow the connection from the RAP to the controller, you need to add the RAP to the Remote AP whitelist as well:

Basic RAP Setup – Add RAP to Remote AP Whitelist

It is the same procedure as with the “Campus AP Whitelist”. You can also use an external server like ClearPass, or even Aruba Activate.

After the RAP is connected to the Controller it will be shown as online:

Basic RAP Setup – Online RAP

The IP is the inner IP from the IP pool created above and the “Operating mode” is “Remote”.

If your Controller does not have a public IP and is behind a NAT device, you just need to make sure that you forward the following ports:

  • UDP 69 (TFTP for image transfer)
  • UDP 500 (IPSec)
  • UDP 4500 (IPSec NAT-T)

Basic RAP Setup with a Controller Cluster

There is a limitation as of today: you can only have 4 controllers in a Cluster when connecting RAPs.

With the Controller Cluster, most of the steps from above are the same. There is only one exception: the IP pool. Instead of creating an IP pool directly on the cluster in the VPN settings, you configure the IP pool on the Mobility Master.

You find this option on the MM hierarchy under “Configuration–>Services–>Cluster” and just hit the “+” sign to create a new pool:

Basic RAP Setup – Add Cluster IP Address Pool

Save the changes and you are done. If you configured the rest of the options from above as well, the RAP should come up and will have a connection to all cluster members:

(mobility-master-haan) *[mynode] #show ap database

AP Database
-----------
Name               Group       AP Type  IP Address      Status    Flags  Switch IP      Standby IP
----               -----       -------  ----------      ------    -----  ---------      ----------
RAP205             RAP-Group   205      10.0.0.12       Up 6m:7s  Rc2    10.201.201.11  10.201.201.12

Flags: 1 = 802.1x authenticated AP use EAP-PEAP; 1+ = 802.1x use EST; 1- = 802.1x use factory cert; 2 = Using IKE version 2
       B = Built-in AP; C = Cellular RAP; D = Dirty or no config
       E = Regulatory Domain Mismatch; F = AP failed 802.1x authentication
       G = No such group; I = Inactive; J = USB cert at AP; L = Unlicensed
       M = Mesh node
       N = Duplicate name; P = PPPoe AP; R = Remote AP; R- = Remote AP requires Auth;
       S = Standby-mode AP; U = Unprovisioned; X = Maintenance Mode
       Y = Mesh Recovery
       c = CERT-based RAP; e = Custom EST cert; f = No Spectrum FFT support
       i = Indoor; o = Outdoor; s = LACP striping; u = Custom-Cert RAP; z = Datazone AP
       p = In deep-sleep status
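As an added example (not code from the original post or from Aruba), here is a small Python audit that parses “show ap database” output in the layout shown above and checks each RAP’s flags against the legend. The sample rows are constructed, and the findings are my interpretation of the legend, not an Aruba tool.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of ArubaOS 'show ap database' (not real output)
SAMPLE = """\
Name    Group      AP Type  IP Address  Status     Flags  Switch IP      Standby IP
----    -----      -------  ----------  ------     -----  ---------      ----------
RAP205  RAP-Group  205      10.0.0.12   Up 6m:7s   Rc2    10.201.201.11  10.201.201.12
RAP303  RAP-Group  303      10.0.0.13   Up 2m:10s  R-     10.201.201.11  10.201.201.12
CAP515  Campus     515      10.1.1.20   Up 3d:1h   i      10.201.201.11  10.201.201.12
"""
IP = r"\d+\.\d+\.\d+\.\d+"
# Status may contain a space ("Up 6m:7s"), so it is matched lazily up to the flags column.
ROW_RE = re.compile(
    rf"^(?P<name>\S+)\s+(?P<group>\S+)\s+(?P<ap_type>\S+)\s+(?P<ip>{IP})\s+"
    rf"(?P<status>.+?)\s+(?P<flags>\S+)\s+(?P<switch_ip>{IP})\s+(?P<standby_ip>{IP})\s*$"
)

def parse_flags(flags: str) -> List[str]:
    """Split 'Rc2' / 'R-' / '1+' into tokens; a '+' or '-' belongs to the preceding flag."""
    return re.findall(r"[A-Za-z0-9][+-]?", flags)

def parse_ap_database(text: str) -> List[Dict[str, object]]:
    """One dict per AP row; header, separator and legend lines do not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({**m.groupdict(), "flags": parse_flags(m["flags"])})
    return rows

def audit_raps(rows: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """For every RAP (flag R or R-), list findings derived from the flag legend."""
    findings = {}
    for row in rows:
        f = row["flags"]
        if "R" not in f and "R-" not in f:
            continue  # Campus AP, not in scope here
        issues = []
        if "R-" in f:
            issues.append("RAP still requires authorization: check the Remote AP whitelist")
        if "2" not in f:
            issues.append("tunnel is not using IKEv2")
        if "c" not in f and "u" not in f:
            issues.append("no cert-based flag (c/u): tunnel is not certificate-authenticated")
        if "F" in f or "D" in f:
            issues.append("failed 802.1x authentication or dirty/no config")
        findings[str(row["name"])] = issues
    return findings
```

Feed it the real output of “show ap database” and any RAP that is listed with findings deserves a second look before it is trusted with tunneled wired ports.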

If your Controllers do not have a public IP address, more steps are required than just enabling the forwarding on the NAT device.

To use a RAP with a Controller Cluster behind a NAT device, the Cluster needs to be aware of the external IP. You configure the external IP of a Cluster member during the setup of the Controller Cluster.

Go to the hierarchy level where you configured the Cluster. Unfortunately, it is not possible to add the external IPs to an existing Cluster config. You need to remove all members and add them again. Remember that you cannot have more than 4 members if you would like to terminate RAPs.

While adding them, make sure to set the “Rap public IP” in the configuration:

Basic RAP Setup – Add RAP Public IP to Cluster Config

This makes sure that the RAP gets the external IP of the Cluster Member instead of the internal one, and the RAP will use the external one to connect to the Cluster Member:

(mobility-master-haan) *[mynode] #show ap database 

AP Database
-----------
Name               Group       AP Type  IP Address      Status     Flags  Switch IP      Standby IP
----               -----       -------  ----------      ------     -----  ---------      ----------
RAP205             RAP-Group   205      10.0.0.12       Up 5m:55s  Rc2    10.201.201.11  10.201.201.12

You still see the internal IPs instead of the external IPs. To make the external IPs visible, use this command:

(Cluster-Member-1) #show ap remote debug sapd cluster-nodestate ap-name RAP205 

Cluster Node Table
------------------
IP Address     Switch IP Address  Flags  State
----------     -----------------  -----  -----
10.203.203.11  10.201.201.11      A2     Up
10.203.203.12  10.201.201.12      S2     Up

Flags: A = Active AAC; S = Standby AAC; U = UAC; 2 = Using IKE version 2

As you see in the post above, the setup is really easy.

If you find this post useful, leave me a comment and share it with your friends. If you don’t like the post, leave me a comment and tell me what you don’t like. But whatever you do, leave me a comment.
