The first question is: Why use a Wireless Remote Access Point to support small remote sites and teleworkers?
The answer is: Remote Access Points give you security with versatility. The Remote AP allows one or more clients to connect remotely to your corporate infrastructure in the same manner they would connect while physically inside the building.
- This means that the user can utilize any device they are accustomed to using regardless of whether or not there is a VPN client for that device.
- User training is simple as they do not need different connectivity methods depending on where they connect.
- The Remote AP takes full advantage of the Aruba OS firewall and user roles for access control; the administrator can configure the exact level of access the user requires while still protecting the network.
- When using an access point that has multiple wired ports the Remote AP can provide secure wired access back into the corporate network for appliances such as printers and phones.
- For small remote offices, the Remote AP can provide simple and consistent access to multiple client devices both wired and wireless.
Basics of Configuration
Configuring an Aruba Networks Controller to support the Remote Access Point (RAP) involves 3 steps:
- You will first need to create an AP Group with the Virtual AP profile (this becomes the SSID broadcast by the RAP) and specific settings to instruct the RAP how to contact the remote access controller.
- Second, you will configure the IPsec VPN settings to support the secure tunnels from the RAPs.
- Third, you will whitelist the RAPs in the controller so they can be provisioned.
Finally, you will need to provision the RAP by either staging it or using Zero Touch Provisioning.
This guide assumes you have already put your controller on the network, done the basic configuration and installed the licenses. The controller will need to be accessible from the public Internet; this can be accomplished with a DMZ or with port forwarding rules on an external firewall. The RAP will use NAT-T over UDP port 4500 to traverse any firewalls.
Further this guide assumes you know the basics of configuring an AP group and VAP.
HUGE WARNING: create new profiles – do not edit the default profiles.
AP Group Settings Required to Support the RAP
Create a new AP group under “Configuration > AP Configuration”.
Open the new AP group for editing
Regardless of whether you intend to broadcast the same SSID on the RAP or broadcast a new SSID you must create a new Virtual AP Profile because the RAP requires different settings than a campus AP. If you are setting up a new SSID with a new AAA profile you will need to build that AAA profile in advance so that it can be selected. Otherwise you can select the AAA profile used by your internal SSID.
Note: the AAA profile cannot be created in the AP group screens; the SSID profile can be.
Navigate to “Wireless LAN > Virtual AP” and create a new VAP.
At this point you need to select the new VAP for editing.
In my example I am selecting an existing AAA profile and SSID profile. This means that the SSID broadcast by the RAP will have the same connectivity and authentication methods as the matching internal SSID. Don’t forget to “Apply” your new settings.
Next navigate to the new VAP in the left “Profiles” pane. For the Forwarding Mode select “Split Tunnel” and enter your user VLAN (this is the VLAN assigned to the user and must be a numbered VLAN, as Split Tunnel does not support named VLANs).
Next we need to configure some power settings in the AP Group.
Navigate to “RF Management > 802.11a radio > Adaptive Radio Management (ARM)” and create a new ARM profile. Edit the new profile and navigate to the “Advanced” tab. Make sure that 80MHz support, Rogue AP Aware, and ARM Over the Air Updates are all unchecked. Then make sure that “Allowed Bands for 40MHz channels” is set to “a-only” and the power settings are Max Tx EIRP = 127 and Min Tx EIRP = 9. The value 127 tells the AP to use the maximum setting it can support; some models of RAP cannot support the regulatory maximum but support something lower. ARM works on a RAP and will set the power somewhere between 9 dBm and the supported maximum.
Expand the 802.11g radio and select your new ARM profile.
Be sure to “Apply” your settings.
Next you will want to disable IDS containment, because the RAP lives in an uncontrolled environment. You do not want the RAP doing rogue containment on the host network.
Navigate to “IDS > IDS > IDS General” and create a new IDS General Profile (if you do not, you will disable rogue containment on every AP using the default profile).
Finally, there are a lot of settings that need to be changed in the AP System Profile. Start by navigating to “AP > AP System” and creating a new AP System Profile.
Edit the LMS IP and Backup LMS IP settings. These are the IP addresses of the remote access controller; you only need the Backup LMS IP if you have two remote access controllers. The RAP will first attempt to connect to the LMS IP and, if this fails, it will attempt to connect to the Backup LMS IP. Do not select LMS Preemption, as this will cause a RAP that has settled on the Backup LMS IP to keep looking for the LMS IP.
Note: These IP addresses need to be the public IP address.
This step is optional
Continue down the AP System Profile Basic page and set a reasonable Remote-AP Uplink Total Bandwidth setting. The bandwidth limit throttles the rate at which RAPs send data toward your inbound connection. Imagine you have 100 RAPs, each capable of an uplink rate of 25 Mbps; this translates into a potential 2500 Mbps of data inbound to your firewall, and obviously this data rate is not realistic. Adding the uplink bandwidth limit makes the RAP do the rate limiting itself and reduces errors due to buffering. In smaller RAP deployments this may not be necessary.
Next select the “Advanced” tab
Scroll down and set the Bootstrap threshold to “12” and the Heartbeat DSCP to “46”.
By setting the Bootstrap threshold to 12 you make the RAP less likely to bootstrap due to lost heartbeats. The default is to bootstrap after 8 missed one-second GRE heartbeats; on slow connections that value can be reached while the RAP is still functioning, so moving the missed-heartbeat count to 12 simply makes the RAP less likely to disconnect on slower Internet connections. This number may be raised as high as 30 seconds, but most Internet connections today are not that unreliable.
The Heartbeat DSCP value of 46 tags the GRE heartbeats with the QoS value for Expedited Forwarding (EF). If the ISP and the network between the RAP and the remote access controller honor DSCP, this makes delivery of the heartbeats more reliable.
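To make the two settings concrete, here is a small added example (my own illustration, not code from the page or from Aruba) that replays a constructed one-second heartbeat stream through a counter with the default threshold of 8 and the recommended 12, and maps DSCP 46 to the ToS byte it produces on the wire. It assumes, as the text describes, that the bootstrap threshold counts consecutive missed one-second heartbeats and that the counter resets whenever a heartbeat gets through.

```python
# Constructed sample heartbeat stream (not a capture): one entry per second,
# True = GRE heartbeat answered, False = missed. It contains a 10-second
# outage followed by a shorter 3-second one.
SAMPLE_STREAM = [True] * 5 + [False] * 10 + [True] * 5 + [False] * 3 + [True] * 4


def bootstrap_events(stream, threshold):
    """Return the second offsets at which a RAP with the given bootstrap
    threshold would re-bootstrap. Assumption: the threshold counts
    consecutive missed heartbeats and resets on any successful one."""
    events = []
    missed = 0
    for second, answered in enumerate(stream):
        if answered:
            missed = 0
            continue
        missed += 1
        if missed == threshold:
            events.append(second)
            missed = 0  # the AP re-bootstraps and starts a fresh count
    return events


def dscp_to_tos(dscp):
    """Map a DSCP code point to the IPv4 ToS / IPv6 Traffic Class byte.
    DSCP occupies the upper six bits; the two ECN bits are left at zero."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return dscp << 2


if __name__ == "__main__":
    for threshold in (8, 12):
        print(f"threshold {threshold:2}: bootstraps at seconds "
              f"{bootstrap_events(SAMPLE_STREAM, threshold)}")
    print(f"DSCP 46 (EF) -> ToS byte 0x{dscp_to_tos(46):02x}")
```

With this stream the 10-second outage trips the default threshold of 8 but not the threshold of 12, and the 3-second blip trips neither; that is the whole effect of the change. The ToS value is what you would look for (0xB8) in a packet capture to confirm the heartbeats are leaving the RAP marked EF.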
Some More Optional Settings
One concern for RAPs is that the local network that the RAP is connected to requires authentication to access. In this case the RAP will be blocked from gaining access to the network and not be able to reach the remote access controller. There are two solutions to this:
- Configure a bridge mode SSID to NAT to the local interface so that the user can connect to this SSID and then negotiate the authentication. Because the user is NATed through the RAP it is the MAC address of the RAP that ends up in the client table of the network.
- The second method is to configure an Ethernet port on the RAP to bridge to the Ethernet 0 port. This works the same as the Bridged SSID but requires an AP with at least two Ethernet ports.
Configure IPsec VPN settings
The second option that needs to be configured on the controller is the IPsec settings for the RAP’s secure tunnel. This is simple as these are Aruba Networks APs designed to work with Aruba Networks controllers.
Navigate to “Configuration > Advanced Services > VPN Services”; the main tab is the IPsec tab.
Scroll down the page to “Address Pools” and add one or more IP address pools.
This address pool becomes the IP address of the VPN tunnel built by the RAP. You will need at least enough IP addresses to cover all the expected concurrent RAP sessions. Remember if you are hosting VIA Clients (Virtual Internet Access VPN clients) on the same controller you will need enough IP addresses to cover the concurrent VIA clients and the RAPs.
Also consider that this pool will be routed into the controller, so it cannot overlap an IP range that is already in use on the internal network, and it should avoid the ranges commonly handed out by ISP-provided equipment. 172.16.x.x seems to work, as very few Internet modems use it; most use 192.168.x.x or 10.x.x.x.
In my example the controller would support 150 concurrent IP addresses.
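The two constraints above (enough addresses for every concurrent RAP and VIA session, and no overlap with the internal network or with the ranges home modems typically use) are easy to get wrong by eye, so here is an added sanity check, written for this page and not part of the page or of any Aruba tool. The internal prefixes, the home-range list and the session counts are constructed sample values.

```python
import ipaddress

# Hypothetical corporate prefixes the pool must not collide with.
INTERNAL_PREFIXES = ["10.20.0.0/16", "10.30.0.0/16"]
# Ranges commonly used by home/ISP modems on the RAP's local side, per the text.
COMMON_HOME_PREFIXES = ["192.168.0.0/16", "10.0.0.0/8"]


def pool_size(first, last):
    """Number of addresses in an inclusive first..last pool."""
    return int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1


def pool_networks(first, last):
    """Summarize the inclusive range into CIDR blocks so overlap tests work."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def check_pool(first, last, concurrent_raps, concurrent_via=0,
               internal=INTERNAL_PREFIXES, home=COMMON_HOME_PREFIXES):
    """Return a list of problems with the proposed VPN address pool.
    An empty list means the pool is large enough and collides with nothing."""
    problems = []
    needed = concurrent_raps + concurrent_via   # RAPs and VIA clients share the pool
    have = pool_size(first, last)
    if have < needed:
        problems.append(f"pool holds {have} addresses but {needed} "
                        f"concurrent sessions are expected")
    blocks = pool_networks(first, last)
    for label, prefixes in (("internal network", internal),
                            ("common home/ISP range", home)):
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if any(block.overlaps(net) for block in blocks):
                problems.append(f"pool overlaps {label} {prefix}")
                break   # one report per category is enough
    return problems


if __name__ == "__main__":
    # 100 RAPs plus 50 VIA clients, matching the 150-address example above.
    for candidate in (("172.16.50.1", "172.16.50.150"),
                      ("192.168.50.1", "192.168.50.100")):
        result = check_pool(*candidate, concurrent_raps=100, concurrent_via=50)
        print(candidate, "OK" if not result else result)
```

The first candidate (150 addresses out of 172.16.x.x) passes; the second is both too small and inside 192.168.x.x, which is exactly the collision the text warns about.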
Next you will need to consider whether you need an IPsec pre-shared key to authenticate your RAPs’ tunnel connections. It is best to use certificates and the whitelist, but this depends on the APs having a TPM and supporting certificates. Generation one RAPs do not support a TPM or certificates, and recently a few RAPs have been released that do not have a TPM but do support software certificates. Checking the feature sets of your RAPs will tell you whether you can use certificates.
To configure pre-shared keys, navigate down the page to “IKE Shared Secrets” and select “New” to create a shared secret that the RAPs without a TPM will use for IKE authentication. Click “Done”.
Don’t forget to “Apply” the IPsec page.
Provision the AP as a RAP
For normal access points that can stage to the controller, provisioning is easy: simply stage the AP onto the network and let the AP connect to the Master Controller. Then you can navigate to “Configuration > AP Installation”, select the AP you want to use as a RAP and click the “Provision” button.
Next, provision the Remote AP like any campus AP, with the exception that you will need to set the Remote AP settings. For the Remote AP section select “YES” and select “Certificate” for the ‘Remote AP Authentication Method’.
If you have one of the RAPs that does not support TPM you will need to select “YES” for ‘Remote AP’. Next select “Pre-Shared Key” for the ‘Remote AP Authentication Method’. You will need to enter the ‘IKE Key’ configured above on the ‘VPN Settings’ Page and a User account. Both credentials are used to build up the IPsec tunnel that the RAP uses for security.
One final note on security for the RAP. It is recommended not to use an IKE PSK unless the AP you are using as a RAP has no TPM support. With certificate-based authentication the RAP gets its own entry in the RAP Whitelist and thus can be blocked from accessing the remote access controller based on that whitelist entry. When you use an IKE PSK, the whole block of RAPs that have been configured with the same IKE shared secret use the same credentials to build up the ISAKMP phase of the IPsec tunnel. If you wish to block one AP, you will need to change the PSK on all of the other RAPs as well, and this can really be a mess.
Of course, one might ask why not just find the user account in the internal DB and disable that. That is the first option, but it only stops the second phase of IPsec; the rogue or lost RAP will still be able to build up phase 1. I would rather have a 1-to-1 option.
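The difference between the two authentication methods is easiest to see as a model, so the following is an added illustration (mine, not code or behaviour published by Aruba) of a controller that tracks a per-AP whitelist for certificate RAPs and a shared IKE secret plus a user account for PSK RAPs. It models the two points made above: disabling only the user account leaves a PSK RAP able to complete phase 1, and cutting off one PSK RAP for good means rotating the secret on every other RAP in the same group, whereas a certificate RAP is cut off by flipping its own whitelist entry. AP identities, secrets and user names are constructed sample values; the two-phase split is a simplification of IKE/IPsec.

```python
from dataclasses import dataclass, field


@dataclass
class Rap:
    ap_id: str               # hypothetical per-AP identity (serial or MAC)
    method: str              # "cert" or "psk"
    psk_group: str = None    # which shared secret a PSK RAP was provisioned with
    user: str = None         # user account a PSK RAP presents for phase 2


@dataclass
class Controller:
    whitelist: dict = field(default_factory=dict)   # ap_id -> True (enabled) / False (blocked)
    psk_groups: dict = field(default_factory=dict)  # group -> current shared secret
    users: dict = field(default_factory=dict)       # user -> account enabled?

    def phase1_ok(self, rap, presented_secret=None):
        """ISAKMP / phase 1: per-AP whitelist entry for certificates,
        a group-wide shared secret for PSK RAPs."""
        if rap.method == "cert":
            return self.whitelist.get(rap.ap_id, False)
        return presented_secret == self.psk_groups.get(rap.psk_group)

    def phase2_ok(self, rap):
        """Phase 2: certificate RAPs are still gated by the whitelist,
        PSK RAPs by their user account in the internal DB."""
        if rap.method == "cert":
            return self.whitelist.get(rap.ap_id, False)
        return self.users.get(rap.user, False)

    def tunnel_state(self, rap, presented_secret=None):
        if not self.phase1_ok(rap, presented_secret):
            return "denied"
        return "up" if self.phase2_ok(rap) else "phase1-only"

    def revoke(self, rap, fleet, new_secret=None):
        """Cut one RAP off at phase 1. Returns the set of OTHER RAPs that
        must be reprovisioned as a consequence (empty for certificates)."""
        if rap.method == "cert":
            self.whitelist[rap.ap_id] = False
            return set()
        # The only way to stop phase 1 for a PSK RAP is to rotate the
        # group's shared secret, which every sibling RAP then needs.
        self.psk_groups[rap.psk_group] = new_secret
        return {r.ap_id for r in fleet
                if r.method == "psk" and r.psk_group == rap.psk_group
                and r.ap_id != rap.ap_id}


def build_demo():
    """Constructed fleet: two certificate RAPs and three RAPs sharing one PSK."""
    fleet = [Rap("rap-cert-01", "cert"), Rap("rap-cert-02", "cert"),
             Rap("rap-psk-01", "psk", "legacy", "rapuser1"),
             Rap("rap-psk-02", "psk", "legacy", "rapuser2"),
             Rap("rap-psk-03", "psk", "legacy", "rapuser3")]
    ctl = Controller(whitelist={"rap-cert-01": True, "rap-cert-02": True},
                     psk_groups={"legacy": "old-shared-secret"},
                     users={"rapuser1": True, "rapuser2": True, "rapuser3": True})
    return ctl, fleet


if __name__ == "__main__":
    ctl, fleet = build_demo()
    lost = fleet[2]                       # rap-psk-01 goes missing
    ctl.users[lost.user] = False          # first instinct: disable its account
    print("after disabling account:", ctl.tunnel_state(lost, "old-shared-secret"))
    affected = ctl.revoke(lost, fleet, new_secret="new-shared-secret")
    print("PSK rotation forces reprovisioning of:", sorted(affected))
    print("cert revoke affects:", ctl.revoke(fleet[0], fleet))
```

Run as is, the lost PSK RAP reports "phase1-only" after its account is disabled, the rotation lists the two sibling RAPs that now need the new secret, and blocking the certificate RAP affects nobody else; that is the 1-to-1 property the text argues for.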