WLAN Base Configuration - Support Aruba Networks

Best Practices
V1.10 2005.12.20
WLAN Base Configuration
Configuring secure employee WLAN access
Abstract
This document describes a typical configuration for a base production Aruba
Networks infrastructure. The document demonstrates a typical configuration with
complete step-by-step instructions for configuring:
• Master mobility controller setup
• Secure employee WLAN
• Transparent Layer 3 client mobility
• Adaptive Radio Management
• System management
Recommended Reading
The following pre-requisite documentation is highly recommended before reading
this document:
• Best Practices: WLAN Performance
ArubaOS 2.4
2005 Aruba Networks
Best Practices: WLAN Base Configuration
Table of Contents
WLAN Base Configuration
Design Summary
Design Guidelines
Installation Procedure
Initial Master Controller Setup
    Aruba-master setup
Core VLAN Configuration
Mobility Controller IP Addressing
Configure System Management
Preparing for AP Deployment
    Deployment with RF Plan
    Secure the WLAN
Aruba AP Setup
Provisioning Aruba APs
Employee WLAN Configuration
Radio Management
Next Steps
Advanced Design Considerations
    Layer 3 mobility
Common Troubleshooting Tasks
    Debugging Aruba APs
    Connecting to the serial console of an AP
    Connect via Aruba mobility controller
Installation Quick Start
    The fast procedure
    The really fast procedure
Appendix A: Configuration Values
    Base configuration values
Design Summary
Overview
This section describes a typical base configuration for an Aruba
production network.
Features and functionality
The base configuration includes the following features and functionality:
• Standards-based, industrial strength security for wireless employee
  users (WPA)
• Automatic and dynamic RF management and self-healing
Topology
The following network diagram shows the basic topology for this network
design:
Figure 1 - Base Configuration Reference Topology
Required licenses
Valid licenses for the following software modules are required to
configure the reference network design:
• ArubaOS (standard with all mobility controllers)
  Note: this design requires ArubaOS version 2.4.1 or higher
• Policy Enforcement Firewall module (allows us to define user
  roles, firewall ACL policies, IP NAT pools, Captive Portal
  configuration and role derivation rules). This module is an additional
  cost and requires licensing beyond the base software.
Required hardware
At least one Aruba mobility controller is required to manage and control
the mobility domain and the Aruba APs.
Scaling notes
The reference design allows for a separate master controller and AP
manager controller. However, these functions may be combined within
the same controller.
For more information on determining the right number and disposition of
your mobility controllers, please see the Best Practices: WLAN Scaling
and Performance document for a detailed discussion.
Further reading
Please see the Aruba User Guide documentation for more information
on installation, features and advanced or alternate configuration.
For the impatient
Want to just go ahead and get this configuration on a controller? Then
read the next section for a detailed description of what will be configured
as well as quick start instructions. [1]
[1] Estimated time to complete this configuration by following this document:
Design Guidelines
Overview
This section describes how to design the reference base configuration
topology.
Network configuration
The Aruba Mobility Controller in this reference design is configured with
the following:
• Core VLAN (VLAN 5)
  - Core VLAN IP address
  - Loopback IP address
• Employee VLAN (VLAN 10)
The Aruba controller has two uplinks to a core router for redundancy.
Spanning tree is run to disable one link. The core router is responsible
for routing all traffic to and from the mobility controllers.
Figure 2 - Base Configuration IP Topology
The master controller is responsible for configuration and management
of the mobility domain.
The master controller manages the Aruba APs – the AP will get its
configuration from whichever controller it terminates to. Each Aruba AP
is connected to the wired network (VLAN 8 in this example) and acquires
an IP address via DHCP from an external server located in the data
center. The APs auto-discover the master controller by querying DNS for
Aruba-master. Once they have found the master, the APs download their
configuration and create a tunnel to their local management system
(LMS) – in this case, the Aruba master controller.
System management
The Aruba mobility controller is configured in the appropriate time zone
and points to a Network Time Protocol (NTP) server. With time
synchronized, the controller is configured to send log information to a
syslog server for historical tracking and debugging. An SNMP trap
receiver may also be configured.
WLANs and SSIDs
The wireless LAN (WLAN) is comprised of one SSID for employees
called corpnet.
Employee authentication
The corpnet SSID uses the Wireless Protected Access (WPA) standard
to securely authenticate employees before network access is granted.
WPA ensures no IP address or network access is available until the
employee’s credentials have been validated by a RADIUS server against
the corporate Active Directory. Once this is validated, the user is placed
into VLAN 10 and receives an IP address from the corporate DHCP
server. Authentication between the client supplicant and the RADIUS
server uses the Protected Extensible Authentication Protocol (P-EAP).
All data is encrypted by WPA using the Temporal Key Integrity Protocol
(TKIP).
AAA servers
Employees are required to authenticate before they are given network
access. Thus, AAA (Authentication Authorization and Accounting)
servers are also required. This design reference example uses the
following configuration:
Employee AAA server
Employees are authenticated via an employee authentication server – in
this example it is an Active Directory server called AD-Server01. Since
the WPA standard requires that the client supplicant software
authenticate using the RADIUS standard (which Active Directory does
not support directly), a RADIUS authentication server such as the
Internet Authentication Server (IAS) is also required.
In this example, the RADIUS server, Radius01, is configured to support
client authentication via the Protected EAP (PEAP) protocol over
RADIUS. This requires the RADIUS server to have an appropriate digital
server certificate installed to authenticate the server to the client.
The Aruba-master mobility controller is also configured as a Network
Access System (NAS) device on the RADIUS server, with its own shared
secret that enables the controller to communicate with the RADIUS
server and pass on client authentication requests.
Policy enforcement & access control
All client devices are subject to policy rules and restrictions that limit
what they may do. This policy enforcement is enacted automatically by
the policy-enforcement engine of the Aruba mobility controller.
Employee access policies
In this design example, successfully authenticated employees are
granted full and unrestricted access to all internal network resources.
Transparent Layer 3 mobility
Although the design reference shows employees on a single VLAN
throughout the entire enterprise, there is no reason why multiple VLANs
cannot be supported. Thus, a client device that associates on one AP
may be assigned VLAN 10 and then move to an AP in another building
that normally places clients into VLAN 11. In this case, the user will keep
their original IP address and transparently roam without needing to drop
their IP address and acquire a new one.
ARM/RF management
All Aruba APs are configured to run the Adaptive Radio Management
(ARM) algorithm. This allows the AP to automatically scan the RF
environment and do the following:
• Proactively manage AP power and channel settings for optimal
  performance
• Scan for channel interference
• Build RF heat maps
In addition, the APs are also configured to automatically self-heal in the
event of an AP failure and to detect coverage holes.
AP deployment
The number of APs and their deployment locations were determined
using the Aruba RF Plan tool. The floor plans for all buildings that require
coverage were first imported along with information on the building
dimensions and the amount of coverage required.
Air Monitors (AMs) may also be configured at this time. Any Aruba AP
automatically provides monitoring when it is not busy servicing clients.
Although not required, AMs are highly recommended in environments
where monitoring or monitoring-based applications such as location
tracking and high-resolution heat maps are critical.
For the impatient
The rest of this document provides a detailed description of how to
configure the reference design. If you want to simply load this
configuration on a controller, please see the section Installation Quick
Start.
Installation Procedure
Overview
This section describes the overall steps involved in configuring a network
according to the reference network design described in the previous
section.
Procedure steps
Here are the steps required and the order to perform them:
Master mobility controller configuration
1  Initial setup of Aruba-master
2  Core VLAN configuration and IP addressing
3  Core VLAN port assignment
4  Assign gateway of last resort (default gateway)
5  Loopback IP address
6  Configure system management
   • NTP
   • Time zone
   • Summer time/daylight savings
   • System logging
Deploy APs
7  Deployment with RF Plan
8  Secure the WLAN
9  Aruba AP setup
10 Connect Aruba APs
11 Provisioning Aruba APs
Employee WLAN configuration
12 Configure employee VLAN
13 Setup employee AAA server
14 Configure employee SSID
15 Configure employee access policies
16 Configure employee user role
17 Configure employee authentication
18 Configure the first employee 802.1x/WPA client
Configuring radio management
19 Enabling ARM
20 Configuring RF management and optimization
   • Self-healing
   • Coverage hole detection
   • Interference detection
Backing up the system
21 Backup the controller
Initial Master Controller Setup
Overview
This section describes how to configure the initial setup of the reference
design on an Aruba mobility controller.
Software requirements
The following examples are based on ArubaOS 2.4.
Controller setup
All Aruba controllers are shipped in a factory-default configuration. Initial
configuration is command-line only and is performed via the serial port.
Aruba-master setup
The following script shows how to do the initial configuration of the
Aruba-master controller via the serial port [2]:
Enter System name [Aruba5000]: Aruba-master
Enter VLAN 1 interface IP address [172.16.0.254]: 172.16.0.254
Enter VLAN 1 interface subnet mask [255.255.255.0]: 255.255.255.0
Enter IP Default gateway [none]:
Enter Switch Role, (master|local) [master]: master
Enter Country code (ISO-3166), <ctrl-I> for supported list: US
You have chosen Country code US for United States (yes|no)?: yes
Enter Password for admin login (up to 32 chars): *****
Re-type Password for admin login: *****
Enter Password for enable mode (up to 15 chars): ******
Re-type Password for enable mode: ******
Do you wish to shutdown all the ports (yes|no)? [no]: no
Current choices are:
System name: Aruba-master
VLAN 1 interface IP address: 172.16.0.254
VLAN 1 interface subnet mask: 255.255.255.0
IP Default gateway: 172.16.0.1
Switch Role: master
Country code: US
Ports shutdown: no
If you accept the changes the switch will restart!
Type <ctrl-P> to go back and change answer for any question
Do you wish to accept the changes (yes|no) yes
Creating configuration... Done.
System will now restart!
[2] This design guide concentrates on the graphical user interface rather than the command line.
As much configuration as possible will be done via the GUI. Therefore a temporary IP network
(172.16.0.x) will be used for the initial configuration. This VLAN will not be used in the reference
design – it is used as a convenience during the initial setup only.
Core VLAN Configuration
Overview
This section describes how to configure the core VLAN on the master
mobility controller.
Core VLAN configuration and addressing
As soon as the controller reboots, we will configure our first VLAN – the
core VLAN. In our reference design, this is VLAN 5 and the network is
10.3.22.0/24. We will also configure the default gateway.
! Important: To avoid disruption it is highly recommended that this be
done via the serial connection. All other configurations afterwards will
be done via the Graphical User Interface (GUI).
The following script shows how to configure VLAN 5 from the CLI of the
Aruba-master controller. It logs in to the controller, creates VLAN 5 and
assigns it an IP address, then saves the configuration:
(Aruba-master)
User: admin
Password: *****
(Aruba-master) >enable
Password:******
(Aruba-master) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(Aruba-master) (config) #vlan 5
(Aruba-master) (config) #interface vlan 5
(Aruba-master) (config-subif)#ip address 10.3.22.20 255.255.255.0
(Aruba-master) (config-subif)#exit
(Aruba-master) (config-if)#write memory
Saving Configuration...
Saved Configuration
Core VLAN port assignment
The following script shows how to check VLAN port assignments and
modify them from the CLI of the Aruba-master controller. It checks the port
assignments, assigns all Fast Ethernet and Gigabit Ethernet ports to VLAN 5,
then double-checks the assignments and saves the configuration:
(Aruba-master) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(Aruba-master) (config-range) # show vlan
VLAN CONFIGURATION
------------------
VLAN  Name      Ports
----  ----      -----
1     Default   Fa2/0-23 Gig2/24 Gig2/25
5     VLAN0005
(Aruba-master) (config) #interface range fastethernet 2/0-23
(Aruba-master) (config-range) # switchport access vlan 5
(Aruba-master) (config-range) # exit
(Aruba-master) (config) #interface range gigabitethernet 2/24-25
(Aruba-master) (config-range)#switchport access vlan 5
(Aruba-master) (config-range) # show vlan
VLAN CONFIGURATION
------------------
VLAN  Name      Ports
----  ----      -----
1     Default
5     VLAN0005  Fa2/0-23 Gig2/24 Gig2/25
(Aruba-master) (config-if)#write m
Saving Configuration...
Saved Configuration
Note: The above commands were done on an Aruba chassis controller with a 24FE / 2GE
line card in chassis slot 2. Configurations using the Aruba 2 GE line card in slot 2 would only
need to reference gigabitethernet 2/0 and 2/1. Configurations on the Aruba 2400 controller
would need to reference ports fastethernet 1/0-23 and gigabitethernet 1/24-25.
Configurations on the Aruba 800 controller would need to reference ports fastethernet 1/0-7
and gigabitethernet 1/8.
VLAN tagging
The following script shows how to configure VLAN tagging on the
controller uplink into the corporate router. [3]
(Aruba-master) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(Aruba-master) (config) #interface fastethernet 2/0
(Aruba-master) (config-if)#switchport mode trunk
(Aruba-master) (config-if)#switchport trunk allowed vlan all
(Aruba-master) (config-if)#switchport trunk native vlan 5
(Aruba-master) (config-if)#write m
Saving Configuration...
Saved Configuration
In this example, we are using port 2/0 as our uplink port into the network.
You may substitute any other port for this command.
Also, this reference topology assumes the wireless VLANs also exist
somewhere else in the network besides the Aruba mobility controller –
thus VLAN tagging is required. If this is not the case, you may safely
ignore this step and simply use the controller as the default gateway for
wireless clients.
Assign default gateway
The following script shows how to configure the gateway of last resort
from the CLI of the Aruba-master controller:
(Aruba-master) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(Aruba-master) (config) #ip default-gateway 10.3.22.254
(Aruba-master) (config-if)#write m
Saving Configuration...
Saved Configuration
[3] 802.1q VLAN tagging is used here because our gateway router already has these VLANs
configured since it is the default gateway for them. Thus, the uplink between the controller and the
router must use tagging to ensure correct transmissions. If your router does not have these
VLANs configured on it, you may safely skip this entire step and the Aruba mobility controller may
be used as the default gateway for clients on the wireless VLANs.
VLAN and IP configuration
At this point, the mobility controller should be connected to the network
and we will continue the configuration via the GUI interface, which
requires network connectivity.
According to our reference design, this means the uplink ports (typically
the Gigabit ports) should be connected to the core router. The Gigabit
port number will depend on the model number of your Aruba mobility
controller.
Warning: The 5000/6000 models contain a special Ethernet port
that is built in to the supervisor card called an out-of-band
management port. This port is NOT considered a line card port. The
above configuration will not configure it. If you wish to connect a PC
to this port for connectivity to the controller, you must configure an IP
address for this port. For more information, please see the Aruba
User’s Guide documentation.
Test & Validate
Verify connectivity between the controller and the test PC by ensuring
you can ping the new controller address, 10.3.22.20. If an external
DHCP server is not available, you may configure a static IP address on
the PC, e.g. 10.3.22.10.
Mobility Controller IP Addressing
Overview
This section describes how to configure IP addressing on the Aruba
master mobility controller for the core VLAN and the controller itself.
Aruba-master GUI logon
We will now log in via the web-based GUI and continue the configuration.
Basic IP connectivity to the mobility controller is required for GUI access.
To start configuration, connect the Ethernet port of a PC to one of the
following:
• If available, an Ethernet port on the mobility controller; please see the
  warning note above for more information
• An external switch or hub that is connected to the controller and has
  connectivity to it
Open a web browser and enter the following URL:
http://10.3.22.20/
or use the following URL for HTTPS access to the GUI:
https://10.3.22.20:4343/
Log in as the admin account using the password you created during
setup.
Test Layer 3 connectivity
It is extremely important to ensure the Aruba mobility controller can be
reached from other networks and vice versa. To do this, we will test
Layer 3 connectivity. Note that, when testing connectivity, any device on
a different network must have a route back to the core router which
understands how to reach the 10.3.22.0 network.
Test & Validate
At this point the controller should be reachable from a network on the
other side of the default gateway. To test, make sure the controller is
connected to the default gateway. Then go to Diagnostics → Ping and
enter the IP address of the default gateway. Make sure this is
successful. Then enter the IP address of a device on the other side of
the default gateway (i.e. a different IP subnet or VLAN) and make sure
that is also successful.
Loopback address
Next, we will configure the loopback address and place it in the
management VLAN address space. The loopback address is the
reference management address for the controller and is used for certain
operations.
Here is the procedure to configure the loopback address:
1 On the top-level menu bar, click Configuration
2 Click the Advanced tab
3 Click the General tab
4 In the Loopback Interface box, enter the following information:
  IP Address: 10.3.22.220
5 Click the Apply button on the bottom right of the screen.
6 On the top-level menu bar, click Save Configuration
This will modify the IP address of the controller and it will need to reboot:
7 On the top-level menu bar, click Maintenance
8 On the left-hand option bar, click Reboot Switch
9 Click Continue to reboot the controller
Test & Validate
When the controller finishes rebooting, verify that it correctly responds to
a ping of both IP addresses – 10.3.22.20 and 10.3.22.220.
Checkpoint!
We now have an operational master Aruba controller that is configured
with:
• Operational loopback address and default gateway
• Core VLAN
Configure System Management
Overview
This section describes how to configure system management on the
Aruba mobility controller.
System management
Now that IP connectivity has been established, it’s a good time to
configure the operational side of the controller. This makes it easy to
manage and monitor operations on the controller and throughout the
mobility infrastructure. The design reference topology includes the
following:
• Network Time Protocol (NTP) and time zone – this is very useful
  for making sure the time and date on the controller is reasonably
  accurate
• Daylight savings/Summer time – recommended for regions that
  observe summer time adjustments
• System logging – the system logs generated by the Aruba controller
  provide detailed information about the interworkings of the Aruba
  mobility infrastructure
Network Time Protocol (NTP)
It is important to have the correct time and date for the controller. The
Aruba controller can synchronize its internal clock with a Network Time
Protocol (NTP) server. Here is the procedure to configure the controller
to synchronize with an NTP server:
1 On the top-level menu bar, click Configuration
2 Click the Advanced tab
3 Click the General tab
4 In the NTP Servers section of the screen, click the Add button
5 Enter the IP address of an NTP server; in this design reference
  we are using a public NTP server:
  NTP Server: 131.216.22.9
6 Click the Add button to add this server
7 Click the Apply button
8 On the top-level menu bar, click Save Configuration
Time zone
Here is the procedure to configure the time zone:
1 On the top-level menu bar, click Configuration
2 Click the Advanced tab
3 Click the General tab
4 In the Time Zone section of the screen, enter the correct offset
  from UTC for your time zone.
5 Click the Apply button
6 On the top-level menu bar, click Save Configuration
Daylight savings
If the controller is deployed in a region that observes daylight savings
time, you should also set this value. Here is the procedure to configure
daylight savings:
1 On the top-level menu bar, click Configuration
2 Click the Advanced tab
3 Click the General tab
4 In the Summer Time section of the screen, click the Enabled
  radio button to enable daylight savings or the Disabled radio
  button to turn it off.
5 Click the Apply button
6 On the top-level menu bar, click Save Configuration
System logging
Aruba always recommends enabling system logging on any mobility
controller. Here is the procedure to configure system logging:
1 On the top-level menu bar, click Configuration
2 Click the Advanced tab
3 On the left-hand options bar, click Management
4 Click the Logging tab
5 Under Logging Servers, click the Add button
6 Enter the IP address of the syslog server; in this design
  reference we are using an internal syslog server:
  Syslog Server: 10.3.22.250
7 Click the Add button to add this server
8 Under Logging Levels, click the checkbox at the top of the list of
  modules to select all modules
9 Under Logging Level select Notifications from the drop-down
  box
10 Click the Done button to set the logging level
11 Click the Apply button
12 On the top-level menu bar, click Save Configuration
Test & Validate
At this point, the Aruba controller should have the correct time and be
sending log information to the system log server. To verify this, check the
syslog server and confirm that log messages are being received from the
controller with the correct time and date.
The log messages should look something like this:
Apr 20 15:24:32 10.85.254.252 Apr 20 15:24:18 2005 [10.3.22.20]
aaa[296]: <NOTI> Authentication Succeeded for User admin : Logged in
from 10.85.12.229 port 1209 Connecting to 10.3.22.20 port 80 connection
type HTTP
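The check described above can be automated on the syslog server. The following is an added example, not part of the original Aruba document: it parses lines in the layout of the sample message, measures the gap between the server's receive time and the controller's own timestamp, and flags admin logins made over HTTP rather than the HTTPS GUI on port 4343. The 60-second tolerance and the two extra log lines (including their HTTPS wording) are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Layout of the sample message above: receive time and host field written by the
# syslog server, then the controller's own timestamp and bracketed address.
LINE_RE = re.compile(
    r"^(?P<rx_ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<sender>\S+) "
    r"(?P<dev_ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[(?P<device>[\d.]+)\] "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: <(?P<level>\w+)> (?P<msg>.*)$"
)
# Only the "Succeeded" wording appears on the page, so only that is matched.
AUTH_RE = re.compile(
    r"Authentication Succeeded for User (?P<user>\S+) : "
    r"Logged in from (?P<src>[\d.]+) port (?P<sport>\d+) "
    r"Connecting to (?P<dst>[\d.]+) port (?P<dport>\d+) "
    r"connection type (?P<ctype>\S+)"
)
TS_FMT = "%b %d %H:%M:%S %Y"
MAX_SKEW_S = 60                              # assumed tolerance, not from the page
CONTROLLERS = {"10.3.22.20", "10.3.22.220"}  # core VLAN and loopback addresses


def parse(line):
    """Split one syslog line into fields; return None if the layout differs."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    dev = datetime.strptime(rec["dev_ts"], TS_FMT)
    # The receive timestamp has no year, so the controller's year is borrowed
    # (a year rollover between the two stamps is not handled here).
    rx = datetime.strptime(f"{rec['rx_ts']} {dev.year}", TS_FMT)
    rec["skew_s"] = int((rx - dev).total_seconds())
    auth = AUTH_RE.search(rec["msg"])
    rec["auth"] = auth.groupdict() if auth else None
    return rec


def review(line):
    """Return the findings for one line; an empty list means nothing to report."""
    rec = parse(line)
    if rec is None:
        return ["unparsed"]
    findings = []
    if abs(rec["skew_s"]) > MAX_SKEW_S:
        findings.append(f"clock skew {rec['skew_s']}s")
    if rec["device"] not in CONTROLLERS:
        findings.append(f"unexpected device {rec['device']}")
    auth = rec["auth"]
    if auth and auth["ctype"] == "HTTP":
        findings.append(f"{auth['user']} logged in over HTTP from {auth['src']}")
    return findings


# The sample message from this page, joined onto one line.
PAGE_LINE = (
    "Apr 20 15:24:32 10.85.254.252 Apr 20 15:24:18 2005 [10.3.22.20] "
    "aaa[296]: <NOTI> Authentication Succeeded for User admin : Logged in "
    "from 10.85.12.229 port 1209 Connecting to 10.3.22.20 port 80 connection "
    "type HTTP"
)
# Constructed lines: a controller whose clock lags, and an unknown device.
CONSTRUCTED = [
    "Apr 20 15:40:00 10.85.254.252 Apr 20 15:24:18 2005 [10.3.22.20] "
    "aaa[296]: <NOTI> Authentication Succeeded for User admin : Logged in "
    "from 10.85.12.229 port 1210 Connecting to 10.3.22.20 port 4343 "
    "connection type HTTPS",
    "Apr 20 15:25:01 10.85.254.252 Apr 20 15:24:58 2005 [10.3.22.99] "
    "aaa[301]: <NOTI> Authentication Succeeded for User admin : Logged in "
    "from 10.85.12.229 port 1211 Connecting to 10.3.22.99 port 4343 "
    "connection type HTTPS",
]

if __name__ == "__main__":
    for entry in [PAGE_LINE] + CONSTRUCTED:
        print(review(entry) or "ok")
```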
Checkpoint!
We now have an operational master Aruba controller that is configured
with:
• Operational loopback address and default gateway
• Core VLAN
• Correct time & date
• System logging
Preparing for AP Deployment
Overview
This section describes how to prepare for AP deployment.
Deployment with RF Plan
Running the Aruba RF Plan tool before deploying Aruba access points is
highly recommended. This tool can help determine the number of APs
and AMs (if any) required based on your coverage requirements.
RF Plan is also used to import building floor plans into the system. The
building floor plans are used to locate APs as they are deployed. Key
features that require floor plans and AP placement include:
• RF heat maps/RF fingerprints
• Location tracking service/triangulation
For more information on using the RF Plan tool, please refer to the
Aruba RF Plan for Windows document.
Since the reference network design is independent of actual building
topology or floor plans, no specific steps will be discussed in this section.
Secure the WLAN
Before we connect APs, it is important to ensure good security practice.
By default, Aruba mobility controllers are pre-configured with a test SSID
called aruba-ap. This is an open WLAN which, although it is not enabled
for network access, would allow wireless users to associate to it. We will
prevent this by disabling the radios on the Aruba APs so wireless users
cannot connect until our WLANs are fully configured, secured and ready.
Here is the procedure to disable the Aruba AP radios:
1 On the top-level menu bar, click Configuration
2 Click the Advanced tab
3 On the left-hand option menu, under WLAN click Radio
4 Click the 802.11b/g tab
5 Find the entry Initial Radio State and select the Down radio
  button
6 Click the Apply button.
7 Click the 802.11a tab
8 Find the entry Initial Radio State and select the Down radio
  button
9 Click the Apply button
10 On the top-level menu bar, click Save Configuration
Aruba AP Setup
Overview
This section describes how to configure the Aruba APs.
Aruba AP setup
According to our reference design, the Aruba APs will use DHCP to get
an IP address on whatever IP network they are connected to. They will
also query DNS for the Aruba-master IP address to connect to the
master controller.
AP requirements
Before you connect the Aruba AP to the network (either directly to the
master controller or indirectly via another device), make sure the
following is working:

Pre-condition: The Ethernet port the AP will be connected to has DHCP
available [4]
Test & Validate: Verify this by connecting a PC that is configured for DHCP to
the port. To test DHCP, do the following:
• Click Start → Run
• Enter cmd
• Type ipconfig
Verify the Ethernet LAN has an IP address and can ping the
master controller loopback address.

Pre-condition: There is a DNS entry for Aruba-master and that it
returns the loopback address [5]
Test & Validate: Verify this by connecting a PC that is configured for DHCP to
the port. To test DNS, do the following:
• Click Start → Run
• Enter cmd
• Type nslookup aruba-master
• Type ping aruba-master
Verify nslookup returns an entry for Aruba-master and that the
IP address is the loopback address (10.3.22.220). Verify the
ping command is successful and the master controller is
reachable.

Pre-condition: The Aruba AP is in factory-default mode and has not been
previously programmed
Test & Validate: For more information, please refer to the Common
Troubleshooting Tasks section in this document.
[4] This reference design assumes there is an external DHCP server configured as this is the
recommended best practice for most configurations. An internal DHCP server is available on the
Aruba controller for limited size deployments. For more information on how to configure this,
please see the Aruba User Guide documentation.
[5] This reference design assumes a DNS server is available as this is the recommended best
practice for AP bootup.
Connecting Aruba APs
To install an Aruba AP, connect the AP to an Ethernet port that satisfies
the previously mentioned pre-conditions. If the port also has standard
802.3af Power Over Ethernet (POE) available (either from a POE switch
or a power injector), the AP will automatically use it to power up.
If POE is not available, an AC adapter from Aruba is required.
Aruba AP boot sequence
During the AP boot sequence, the lights on the AP will display the
system status as follows:

Light | Status | Boot Action
PWR | Solid | Indicates the AP has power
ENET | Solid/Flashing | Indicates there is Ethernet link/activity
WLAN | Solid | Indicates the AP is up, configured as an access point and the radios are active
     | Flashing | Indicates the AP is up, configured as an air monitor and the radios are actively scanning
     | Dim | The AP is downloading a new version of firmware and will reboot automatically when done
Test & Validate
Once the APs are up and the radios are active, you can verify that the
correct SSIDs are being advertised. You can do this by logging on to the
controller GUI. The first screen, Network Summary, should show one
access point active.
! Important: This is a test of the SSIDs only. At this point the
configuration is not complete and you will not be able to connect to
the SSIDs and gain network access yet.
Provisioning Aruba APs
Overview
This section describes how to provision the Aruba APs.
Provisioning Aruba APs
Now that the AP is up, it may be provisioned. Provisioning is the act of
configuring an Aruba AP. At a minimum, an Aruba AP requires a location
ID configured. The location ID is in the form of 3 digits – e.g. 1.1.1. The
first digit specifies the building (by building ID), and the second digit
designates the floor on which the AP is physically located, such as the
second floor. The last digit is the identifier for the AP itself. Thus, 1.2.3 is
AP #3, which is located on the second floor of building number one.
Unprovisioned APs are specially indicated (in red) in the Network
Summary screen of the GUI.
Here is the procedure to provision a new Aruba access point:
1. On the top-level menu bar, click Maintenance
2. Click the Advanced tab
3. On the left-hand option menu, under WLAN click Program AP
4. Select the AP by clicking on the radio button next to it
5. Click the Provision tab
6. In the AP provisioning screen, enter the following information:
   Location: 1.1.1
7. Click the Apply and Reboot button at the bottom of the screen
8. Verify the AP has been provisioned by ensuring the state (St)
   field at the bottom of the screen has been changed from IP (in
   progress) to P (provisioned)
9. Re-select the AP you just configured (if not selected)
10. Click the Provision button and confirm the AP is now in the “P”
    state, indicating provisioned.
Test & Validate
Verify the AP comes back up correctly and is no longer shown as an
unprovisioned AP. You can do this from the Monitoring screen of the
GUI. A provisioned AP will show up under Access Points in the WLAN
Network Status section.
Checkpoint!
We now have an operational master Aruba controller that is configured
with:
• Operational loopback address and default gateway
• System logging
• Employee SSID
• Working AP configuration
• Core VLAN
• Correct time & date
Employee WLAN Configuration
Overview
This section describes how to configure the employee WLAN.
Employee WLAN configuration
We are now ready to configure the employee WLAN! This will include the
following actions:
• Configure the employee VLAN
• Configure employee authentication
• Configure the employee SSID
• Configure employee access policies
• Configure the employee user role
• Configure and activate employee authentication
• Configure the first employee client
Employee VLAN
First, we will configure the VLAN that successfully authenticated
employee users are placed into. In our reference design, this is VLAN
10. Because wireless users are tunneled from the AP directly to the
Aruba mobility controller, this VLAN does not need to exist where the AP
is connected. It only needs to exist on the controller.
Here is the procedure to configure the employee VLAN:
1. Open a web browser and log on to the management GUI
2. On the top-level menu bar, click Configuration
3. Click the Advanced tab
4. Click the General tab
5. Click the VLAN tab
6. Click the Add button
7. In the Add New VLAN screen, enter the following information:
   VLAN ID: 10
   IP Address: 172.19.10.20
   Net Mask: 255.255.255.0
   DHCP Helper Addresses: 10.3.22.250 [6]
8. Click the Apply button
9. On the top-level menu bar, click Save Configuration
We have now successfully configured our VLANs. [7]
[6] A DHCP helper address is required if the DHCP server is located on a different network, which
is the case here
[7] Since we are not using VLAN 1 in this guide, it is safe to delete the configuration for VLAN 1 at
this point
Employee authentication
RADIUS configuration
In our reference design, employees authenticate using their corporate
Active Directory accounts. Because the 802.1x standard that is part of
WPA requires RADIUS, the Aruba controller will be configured to
validate these accounts against (and send 802.1x supplicant messages to)
the intermediary server Radius01. The RADIUS server will then authenticate
the employee accounts by communicating directly with AD-Server01.
Important!
Although RADIUS is a separate standard from wireless WPA-TKIP
authentication, it is required. There are many RADIUS servers widely
available today.
Before proceeding with the rest of this document, an administrator must
configure a RADIUS server to support WPA-TKIP and PEAP
authentication.
For more information on how to configure the most popular RADIUS
servers, please see the Configuring RADIUS for WPA Authentication
and the Aruba User Guide documentation.
RADIUS communication
RADIUS servers are typically configured to respond only to individual
devices based on information such as the source IP address used. Our
design assumes Radius01 will only respond to Aruba-master if it
communicates on its loopback address. So the first thing we need to do
is configure the controller to only use the loopback for RADIUS
communications. Here is the procedure to configure the controller to only
use the loopback address for RADIUS communication:
1. On the top-level menu bar, click Configuration
2. Click the Advanced tab
3. On the left-hand option menu, under Security click AAA Servers
4. Click the RADIUS tab
5. Under the Source Interface section, select loopback from the
   dropdown menu
6. Click the ← button to enter this value
7. Click the Apply button
8. On the top-level menu bar, click Save Configuration
Define the employee AAA server
Here is the procedure to configure the employee AAA RADIUS server
entry on the Aruba mobility controller:
1. On the top-level menu bar, click Configuration
2. Click the Advanced tab
3. On the left-hand option menu, under Security click AAA Servers
4. Click the RADIUS tab
5. Under the RADIUS Servers section, click the Add button
6. In the Add RADIUS Server screen, enter the following
   information:
   Server Name: Radius01
   IP Address: 10.3.22.250
   Shared Secret: radius123
   Authentication Port: 1812
   Accounting Port: 1813
   Num Retries: 3
   Timeout: 5
   NAS Source IP Address: 10.3.22.220
7. Click the Apply button
8. On the top-level menu bar, click Save Configuration
Test & Validate
If the RADIUS server is up and available, you may now test
communications between the Aruba controller and the RADIUS server.
This verifies connectivity as well as the shared secret, authentication
port, etc.
Here is the procedure to test AAA communications:
1. SSH to the controller and log in
2. Enter the following commands:
(Aruba-master) #show aaa RADIUS-server
RADIUS Server Table
Pri Host     IP addr     Port Acct Retries Timeout Secret Status  Inservice NAS-id match-essid match-FQDN trim-FQDN Nas-IP
--- -------- ----------- ---- ---- ------- ------- ------ ------- --------- ------ ----------- ---------- --------- -----------
2   Radius01 10.3.22.253 1812 1813 3       5       *****  Enabled Yes                                               10.3.22.220
(Aruba-master) #ping 10.3.22.253
Press 'q' to abort.
Sending 5, 100-byte ICMP Echos to 10.3.22.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0.17/202.819/1012.14 ms
(Aruba-master) #aaa test-server Radius01 testnative test
Authentication successful
Note: In this example we are using the user account testnative to
test RADIUS connectivity. This account should already exist on your
RADIUS server and will most likely be different.
Checkpoint!
We now have an operational master Aruba controller that is configured
with:
• Operational loopback address and default gateway
• System logging
• Working RADIUS server for employee authentication
• Core & employee VLANs
• Correct time & date
Employee SSID
All Aruba mobility controllers are configured with a default SSID called
aruba-ap. In our design reference we will change this to the employee
SSID instead. Here is the procedure to configure the default SSID as the
employee SSID:
1. On the top-level menu bar, click Configuration
2. Click the Advanced tab
3. On the left-hand option menu, under WLAN click Network
4. Click the SSID tab
5. Find the aruba-ap SSID entry and click the Edit button
6. In the Edit SSID screen, enter the following information:
   SSID: corpnet
   Radio Type: 802.11 a/b/g
   SSID Default VLAN: 10
   Encryption Type: TKIP [8]
   TKIP: WPA TKIP
7. Click the Apply button
8. On the top-level menu bar, click Save Configuration
Note
When entering the default VLAN, make sure you click the ← button to
enter the value before you click the Apply button.
! Important: A warning will appear informing you that 802.1x has not
been configured yet. This is correct; however do not configure
802.1x at this time. We will configure it later.
[8] WPA-TKIP is suggested in this document for backwards compatibility with most 802.11 devices.
However, if the wireless devices support it, WPA2-AES is recommended. Please note – if a
mixture of WPA-TKIP and WPA2-AES devices is expected to use the same SSID, you must
specify Mixed-Mode as the encryption type. This will allow the system to support both
simultaneously.
Policy enforcement and access control
Before we can allow users to connect to an SSID and use it, we need to
establish the correct policies for each type of user and enforce them
across the mobility infrastructure.
We will do this by creating a user role for employees. The employee user
role will contain the policies and access rights that apply to the group.
Employee firewall policy
According to our reference design, employees are allowed unrestricted
access to network resources at any time. We will create the firewall
policies first and then attach them to the employee user role.
The following diagram illustrates how an employee would connect to the
wireless network, authenticate, and gain access:
Figure 3 - Employee Association & Authentication
Now we need to build firewall rules that will enforce this policy for any
device or user that connects to the corpnet SSID.
Here is the procedure to create the employee firewall policy:
1. On the top-level menu bar, click Configuration
2. Click the Advanced tab
3. On the left-hand option menu, under Security click Policies
4. Click the Add button to add a new policy
5. In the Add New Policy screen, enter the following information:
   Policy Name: Employee-Access
   Under the Rules section, click the Add button
6. In the policy statement, enter the following information:
   Source: Any
   Destination: Any
   Service: Any
   Action: Permit
7. Click the Add button to add the rule to this policy
8. Click the Apply button
9. On the top-level menu bar, click Save Configuration
Employee user role
Now that we have the firewall policy configured, let’s create a user role.
Here is the procedure to create the employee user role:
1. On the top-level menu bar, click Configuration
2. Click the Advanced tab
3. On the left-hand option menu, under Security click Roles
4. Click the Add button to add a new role
5. In the Add Role screen, enter the following information:
   Role Name: Employee
6. Under the Firewall Policies section, click the Add button to add a
   firewall policy to this role
7. Select the radio button next to Choose from Configured Policies
8. Select Employee-Access from the drop-down box
9. Click the Done button to add this firewall policy to the role
10. Click the Apply button
11. On the top-level menu bar, click Save Configuration
Checkpoint!
We now have an operational master Aruba controller that is configured
with:
• Operational loopback address and default gateway
• Working RADIUS server for employee authentication
• Employee SSID
• Core & employee VLANs
• Firewall policies for employees
• Correct time & date
• User role for employees
• System logging
Configuring authentication methods
Now that the user roles and access rights are defined, we can configure
the authentication methods. This will allow an employee to associate to
an SSID, authenticate and gain network access.
Employee authentication
To enable employee authentication, we must enable 802.1x, which is
used by WPA and TKIP.
Here is the procedure to enable 802.1x:
1. On the top-level menu bar, click Configuration
2. Click the Advanced tab
3. On the left-hand option menu, under Security click
   Authentication Methods
4. Click on the 802.1x tab
5. In the 802.1x tab, enter the following information:
   Default Role: Employee
   Enable Authentication: Yes
6. Under the Authentication Servers section, click the Add button
   to add a new RADIUS server
7. Select the Radius01 server from the drop-down list
8. Click the Add button to select this server
9. Click the Apply button
10. On the top-level menu bar, click Save Configuration
Configuring the first employee 802.1x/WPA client
We are now ready to configure and test the first employee client device!
There are many 802.1x supplicants available today – each has its own
configuration utility. However, each supplicant will ultimately use the
same information, whether it is Microsoft Windows Zero-Configuration
utility or Funk’s Odyssey client. For more information on how to configure
your client supplicant, please refer to the driver documentation of your
client.
Each client will need all or most of the following information configured
before it can successfully authenticate and access the employee
network:
Parameter | Value
Network Name (SSID) | corpnet
Association Mode | WPA
Encryption Method | TKIP
Authentication | EAP-PEAP
PEAP Settings | EAP-MS-CHAP-V2
Validate server certificate | Yes
Trusted Server(s) | Enter the name of the server that issued the certificate for the Radius01 server here
Anonymous Name | Enter the employee user name here
Test & Validate
To test the employee SSID, first use the aaa test-server command used
earlier to make sure the employee account and password are accepted
by the Radius01 server. If that is successful, you may try an 802.1x/WPA
device that has been configured to use those credentials.
For more information on troubleshooting 802.1x devices, please refer to
the troubleshooting section of this document.
Enable the employee WLAN
There is one last step before we configure a client and connect to the
employee SSID. As you may recall, for security reasons, we disabled the
radios for all APs earlier. It is now time to enable these radios again.
Turning on the radios will cause the APs to start broadcasting and
accept client connections.
Here is the procedure to enable the Aruba AP radios:
1. On the top-level menu bar, click Configuration
2. Click the Advanced tab
3. On the left-hand option menu, under WLAN click Radio
4. Click the 802.11b/g tab
5. Find the entry Initial Radio State and select the Up radio button
6. Click the Apply button
7. Click the 802.11a tab
8. Find the entry Initial Radio State and select the Up radio button
9. Click the Apply button
10. On the top-level menu bar, click Save Configuration
Checkpoint!
We now have an operational master Aruba controller that is configured
with:
• Operational loopback address and default gateway
• Employee SSID
• Firewall policies for employees
• User role for employees
• Core & employee VLANs
• 802.1x and WPA authentication
• Correct time & date
• System logging
• Working employee client device
• Working RADIUS server for employee authentication
Radio Management
Overview
This section describes how to configure radio management.
Radio management
Aruba access points and mobility controllers have sophisticated radio
management techniques that optimize their functionality in virtually any
RF environment. This mechanism is called Adaptive Radio Management
(ARM).
Enabling ARM for 802.11b/g
Here is the procedure for configuring ARM for 802.11b/g radios:
1. On the top-level menu bar, click Configuration
2. Click the Advanced tab
3. On the left-hand option menu, under WLAN click Radio
4. Click on the 802.11b/g tab
5. In the 802.11b/g tab, enter the following information:
   ARM Assignment: Single band
   ARM Scanning: Yes
   ARM Client Aware: Yes
   ARM VoIP Aware Scan: Yes
6. Click the Apply button
7. On the top-level menu bar, click Save Configuration
Enabling ARM for 802.11a
Here is the procedure for configuring ARM for 802.11a radios:
1. On the top-level menu bar, click Configuration
2. Click the Advanced tab
3. On the left-hand option menu, under WLAN click Radio
4. Click on the 802.11a tab
5. In the 802.11a tab, enter the following information:
   ARM Assignment: Single band
   ARM Scanning: Yes
   ARM Client Aware: Yes
   ARM VoIP Aware Scan: Yes
6. Click the Apply button
7. On the top-level menu bar, click Save Configuration
WLAN management
The Aruba mobility controller also manages the Aruba APs as an entire
infrastructure. This allows the system to self-heal in the event of AP
failure and to detect coverage holes and interference.
Self-healing
Self-healing is enabled automatically and does not require configuration.
Coverage hole detection
Here is the procedure for configuring coverage hole detection:
1. On the top-level menu bar, click Configuration
2. Click the Advanced tab
3. On the left-hand option menu, under RF Management click
   Monitoring
4. Click on the Coverage Hole Detection tab
5. In the Coverage Hole Detection tab, enter the following
   information:
   Enable Coverage Hole Detection: Yes
6. Click the Apply button
7. On the top-level menu bar, click Save Configuration
Interference detection
Here is the procedure for configuring interference detection:
1. On the top-level menu bar, click Configuration
2. Click the Advanced tab
3. On the left-hand option menu, under RF Management click
   Monitoring
4. Click on the Interference Detection tab
5. In the Interference Detection tab, enter the following
   information:
   Enable Interference Detection: Yes
6. Click the Apply button
7. On the top-level menu bar, click Save Configuration
Event thresholds
Event thresholds are used to determine abnormal amounts of 802.11
management frames. These values can be useful. In the case of new
wireless networks, however, it is recommended they be disabled until the
network has been fully installed and stabilized. This will prevent spurious
event warnings.
Here is the procedure for disabling event thresholds:
1. On the top-level menu bar, click Configuration
2. Click the Advanced tab
3. On the left-hand option menu, under RF Management click
   Monitoring
4. Click on the Event Thresholds tab
5. In the Event Thresholds tab, set each value to zero (0)
6. Click the Apply button
7. On the top-level menu bar, click Save Configuration
Checkpoint!
We now have an operational master Aruba controller that is configured
with:
• Operational loopback address and default gateway
• User roles for employees
• 802.1x and WPA authentication
• Employee WLAN
• Working 802.1x/WPA client
• Correct time & date
• Adaptive Radio Management (ARM)
• System logging
• Coverage Hole Detection
• Working RADIUS server for employee authentication
• Interference Detection
• Employee SSID
• Firewall policies for employees
Next Steps
Overview
This section provides recommendations for next steps in the installation
of an Aruba mobility infrastructure.
Backup the controller
Once you have a working configuration, it is an excellent idea to save
and back up the controller configuration and databases.
Here is the procedure for backing up an Aruba mobility controller:
1. On the top-level menu bar, click Maintenance
2. In the File section, click Backup Flash
3. Click the Create Backup button to create the backup file
4. Once the backup file is created, click Copy Backup to create a
   copy off of the controller, e.g. to a TFTP or FTP server
! Important: Before you can copy a backup file from the controller, you
must have a working TFTP or FTP server.
Other tasks
There are many other configuration tasks that might also be performed
as part of the mobility infrastructure. These include:
• Configuring a secure guest access WLAN
• Installing a local controller
• Remote access
For more information on these tasks, please see the appropriate best
practices guide.
Advanced Design Considerations
Overview
This section discusses more advanced design topics. These design
considerations may or may not be relevant to a given network design. If
unsure, please discuss with your Aruba technical representative.
Layer 3 mobility
Although the reference design in this guide only has one VLAN for each
SSID or type of user, this is not always the case. Very large deployments
may have a different VLAN for multiple buildings or even every floor of
each building. So although the SSID stays the same when a user roams,
the IP network changes.
If a wireless device roams and acquires a new IP address it can have
adverse effects on applications. The Aruba solution supports transparent
Layer 3 mobility. This allows a wireless device to keep its original IP
address regardless of where it roams. This functionality requires no
additional software or configuration of the client device.
Here is the procedure for enabling Layer 3 mobility:
1. On the top-level menu bar, click Configuration
2. Click the Advanced tab
3. Click on the General tab
4. In the Mobility Configuration section, select the checkbox next
   to Enable Mobility
5. Click the Apply button
6. On the top-level menu bar, click Save Configuration
! Important: For optimal performance, it is strongly recommended that
this feature only be enabled when multi-VLAN roaming is required
and configured.
Common Troubleshooting Tasks
Overview
This document discusses various troubleshooting tasks, hints and
techniques for use with Aruba APs and mobility controllers.
Debugging Aruba APs
Aruba APs may have configuration issues that either prevent them from
connecting to the Aruba mobility controller or, once they connect, from
functioning correctly. There are two places to gather debugging
information:
• Boot messages on the Aruba AP
• Log messages on the Aruba mobility controller
If an Aruba AP does not connect correctly it is often because of an
incorrect or invalid configuration on the AP itself. Since the AP cannot
connect to the mobility controller, we must access the serial port of the
AP itself to monitor the boot messages.
Connecting to the serial console of an AP
There are two ways to connect to the serial console of an AP:
1. Attach a serial/power over Ethernet (SPOE) break-out cable to the
   AP [9]
2. Connect the AP to an Aruba mobility controller with an available
   Ethernet port and use the built-in SPOE access functionality [10]
Connect via SPOE break-out cable
Here is the procedure for connecting to the serial port of an AP via the
SPOE break-out cable:
1. Connect the cable to a PC and the AP
2. On the PC, start a serial connection program such as
   Hyperterminal. The serial settings are as follows:

Parameter | Settings
Baud Rate | 9600
Data | 8 bit
Parity | None
Stop | 1 bit
Flow control | Off
[9] The SPOE break-out cable is available from Aruba Networks and may be ordered using part
number SPOE-3. If you are providing power over Ethernet (POE) to the AP using mid-span power
injectors, you will need a different cable, part number SPOE-4.
[10] This method uses the SPOE break-out capability built into SPOE-capable line cards in the
Aruba mobility controller. Note – this functionality is not supported on the out of band
management port of the Aruba 5000 and 6000 controllers.
Connect via Aruba mobility controller
Here is the procedure for connecting to the serial port of an AP via the
Aruba mobility controller:
1. Connect the cable to an Aruba mobility controller via the CLI – you can
   do this by using telnet, SSH or a serial connection
2. Enable serial over Ethernet (SOE) functionality on the controller
   with the following commands:
login as: admin
[email protected]'s password:
(Aruba-master) >enable
Password:******
(Aruba-master) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(Aruba-master) (config) #telnet soe
Once SOE is enabled, you can connect to the AP serial port with the
following procedure:
1. Telnet to the Aruba mobility controller using port 2300
2. Log in using the admin account
3. Connect to the Ethernet port that the AP is attached to
User: admin
Password: *****
Available commands:
connect <slot/port>
exit (no args)
soe> connect 2/0
Connecting to 2/0 at 9600 baud 8N1
Type "~." to disconnect
AP serial messages
Once connectivity is established, power up the AP. If it has already
booted, turn off the power and turn it on again to monitor the entire boot
sequence.
The following is an example of an AP boot sequence:
Aruba Wireless Networks 6x_70
ArubaOS Version 2.4.1.17 (build 11469 / label #11469)
Built by p4build@speedy on 2005-10-07 at 19:47:40 PDT (gcc version 3.4.1)
Calibrating delay loop... 179.20 BogoMIPS
Memory: 25568k/32768k available (1506k kernel code, 7200k reserved, 2444k data, 188k init, 0k highmem)
physmap flash device: 400000 at 1fc00000
AMD Flash AM29LV320D (Top) (User Locked)
phys_mapped_flash: Found 1 x16 devices at 0x0 in 8-bit bank
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
bond0: Atheros AR2313: 00:0b:86:c2:7a:00, irq 4
Getting an IP address...
bond0: Configuring MAC for full duplex
192.168.1.22 255.255.255.0 192.168.1.1
Running ADP...Done. Master is 24.128.183.241
Installation Quick Start
Overview
For those who wish to quickly load the configuration for this reference
topology onto their controller, this section describes two very fast
procedures.
Information you will need
To do either of these procedures, you will need the information described
in Appendix A: Configuration Values.
The fast procedure
One way to quickly get through this document is to edit it such that the
instructions show the correct configuration information for your particular
installation: VLANs, IP addresses, SSIDs, etc. Once these changes have
been made, you can simply enter all instructions as shown.
Here’s how to edit this document to reflect a particular installation:
1. Obtain the Word version of this document and save it under a new
   name, e.g. My_WLAN_Base_Configuration.doc
2. From the Edit menu, select Find…
3. In the Find and Replace dialogue box, click the Replace tab
4. In the Find what: box, enter each of the values in the “Documented
   Value” column of the table in Appendix A
5. In the Replace with: box, enter the new value
6. Click the More button
7. Under Search Options, select the “Match case” and “Find whole
   words only” options
8. Click the Replace All button
9. Check and accept all replacements
10. Save the document again to ensure the changes are not lost
Congratulations! You now have a version of this document that is
specially edited to reflect your installation.
The really fast procedure
An even faster way to get going is to obtain a copy of the matching
configuration file that is available with this document and edit it directly.
! Important: Make sure the configuration file matches the controller
you plan to install it on: for example, the configuration file for a 6000
should only be installed on a 6000, etc.
Here is the procedure for editing the matching configuration file:
1. Open the configuration file in your favorite editor, such as Microsoft
   WordPad
2. Search for each of the values in the “Documented Value” column of
   the table in Appendix A and replace it with the new value
3. Save the configuration file
4. In this document, follow the directions for the initial master controller
   setup [11]
5. Configure a PC with an IP address and connect it such that it can
   communicate with the controller
6. Upload the new configuration file from the PC to the controller [12]
7. Gain access to the controller (via SSH, telnet or HTTP/S)
8. Reload (reboot) the controller
Congratulations! When the controller has reloaded, it will run the new
configuration file. You may now test your new configuration.
[11] Uploading a configuration file is done via TFTP, which requires IP connectivity. There is no
specific actual IP addressing required here – anything will do. These changes will be overwritten
by the new configuration file
[12] This action requires a TFTP server be installed on the PC
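Step 2 of the really fast procedure is easy to get wrong when a documented value such as VLAN 10 is also a fragment of an IP address, or when one address serves several roles (footnote 13 in Appendix A). The following added example, which is not part of the original guide, compares whole-word replacement with a token-based pass that reports what needs manual review. The sample configuration lines, the site values and all function names are constructed for illustration and are not real ArubaOS syntax.

```python
import re

# Constructed sample in a generic CLI style; these lines are NOT real ArubaOS syntax.
SAMPLE_CONFIG = """\
hostname Aruba-master
vlan 10
interface vlan 10
  ip address 172.19.10.20 255.255.255.0
  ip helper-address 10.3.22.250
interface loopback
  ip address 10.3.22.220
logging 10.3.22.250
radius-server Radius01 host 10.3.22.250 key radius123 timeout 5
ssid corpnet vlan 10
backup-url tftp://10.3.22.250/flashbackup
"""

# Documented value (Appendix A) -> site value. The site values are constructed.
SITE_VALUES = {
    "10": "30",                            # employee VLAN ID
    "10.3.22.250": "192.0.2.50",           # DHCP helper, syslog and RADIUS (footnote 13)
    "10.3.22.220": "192.0.2.220",          # loopback address
    "172.19.10.20": "198.51.100.20",       # employee VLAN IP address
    "corpnet": "hq-staff",
    "radius123": "<site-shared-secret>",   # placeholder, set per site
}
SHARED_VALUES = {"10.3.22.250"}            # one address, three services


def naive_replace(text, mapping):
    """Whole-word search and replace, one documented value after another."""
    for old, new in mapping.items():
        text = re.sub(r"\b%s\b" % re.escape(old), lambda m, n=new: n, text)
    return text


def token_replace(text, mapping, shared=SHARED_VALUES):
    """Replace only whitespace-delimited tokens that equal a documented value.

    Each line is rewritten in a single pass, so a new value is never replaced
    again. Returns the new text and a report of
    (line number, old, new, needs_review) tuples.
    """
    out_lines, report = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = re.split(r"(\s+)", line)   # keep whitespace runs so layout survives
        for i, token in enumerate(parts):
            if token in mapping:
                parts[i] = mapping[token]
                # Bare numbers and shared addresses can mean different things per line.
                review = token.isdigit() or token in shared
                report.append((lineno, token, mapping[token], review))
        out_lines.append("".join(parts))
    return "\n".join(out_lines) + "\n", report


def leftovers(text, mapping):
    """Documented values still embedded in longer tokens (URLs, host:port pairs)."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for old in mapping:
            if not old.isdigit() and old in line:
                found.append((lineno, old))
    return found


if __name__ == "__main__":
    new_text, report = token_replace(SAMPLE_CONFIG, SITE_VALUES)
    print(new_text)
    for lineno, old, new, review in report:
        print("line %2d: %s -> %s%s" % (lineno, old, new, "  [review]" if review else ""))
    print("still present:", leftovers(new_text, SITE_VALUES))
    print("whole-word result corrupts addresses:",
          "30.3.22.250" in naive_replace(SAMPLE_CONFIG, SITE_VALUES))
```

Review the flagged lines before uploading the file: the three uses of 10.3.22.250 only share a replacement if DHCP, syslog and RADIUS also share a host at the new site.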
Appendix A: Configuration Values
Overview
This document discusses a reference topology that requires many
different values – IP addresses, VLANs, etc. This section describes each
of the key values used as part of the configuration in this document.
Base configuration values
The following table shows the parameters and their values as used in
this document.

Configuration Parameter | Description | Documented Value
Controller system name | The name of the Aruba controller | Aruba-master
Core VLAN | The VLAN (or VLANs) that contain the controller uplink | 5
Core VLAN subnet | The IP subnet for the core VLAN | 10.3.22.0
Core VLAN netmask | The netmask for the core VLAN | 255.255.255.0
Core VLAN IP address | The IP address for the controller on the core VLAN | 10.3.22.20
Loopback address | The IP address for the controller loopback interface | 10.3.22.220
Employee VLAN | The VLAN for authenticated employees | 10
Employee VLAN subnet | The IP subnet for the employee VLAN | 172.19.10.0
Employee VLAN netmask | The netmask for the employee VLAN | 255.255.255.0
Employee VLAN IP address | The IP address for the controller on the employee VLAN | 172.19.10.20
Default gateway | The default gateway for the Aruba controller | 10.3.22.254
Syslog server IP address | The IP address of the system log server | 10.3.22.250
Test PC | A test PC used for validating the configuration | 10.3.22.10
Employee SSID | The SSID for the employee WLAN | corpnet
NTP server | The IP address of an NTP server | 131.216.22.9
AP Location ID | The first ID used for AP provisioning | 1.1.1

Configuration Parameter | Description | Documented Value
RADIUS server | The name of the RADIUS server used for employee authentication | Radius01
RADIUS IP address | The IP address of the RADIUS server | 10.3.22.250 [13]
RADIUS shared secret | The shared secret that is configured on both the RADIUS server and the Aruba controller | radius123
RADIUS authentication port | The authentication port used by the RADIUS server | 1812
RADIUS accounting port | The port used for RADIUS server accounting | 1813
[13] Please note, in this example, the DHCP server, the syslog server and the RADIUS server are
on the same system – please keep this in mind if attempting a global replacement of the value in
this document.