configured in the DHCP profiles, the IAP-VPN operations are affected. For example, if a local DHCP profile is
configured with a VLAN ID of 200, the VLAN configuration on the SSID must be set to a static VLAN ID 200.
For information on how to configure an SSID or wired port profile, see Wireless Network Profiles on page 93 and
Configuring a Wired Profile on page 112 respectively.
Enabling Dynamic RADIUS Proxy
The RADIUS server can be deployed at different locations and VLANs. In most cases, a centralized RADIUS or
local server is used to authenticate users. However, some user networks can use a local RADIUS server for
employee authentication and a centralized RADIUS-based captive portal server for guest authentication. To ensure
that the RADIUS traffic is routed to the required RADIUS server, the dynamic RADIUS proxy feature must be
enabled. When enabled, dynamic RADIUS proxy ensures that all the RADIUS traffic is sourced from the Virtual
Controller IP or inner IP of the IAP IPsec tunnel depending on the RADIUS server IP and routing profile.
Ensure that a static Virtual Controller IP is configured before enabling dynamic RADIUS proxy, in order to tunnel
the RADIUS traffic to the central RADIUS server in the datacenter.
For information on enabling dynamic RADIUS proxy, see Configuring Dynamic RADIUS Proxy Parameters on page
162.
Configuring Enterprise Domains
By default, all the DNS requests from a client are forwarded to the client's DNS server. In a typical IAP deployment
without VPN configuration, client DNS requests are resolved by the client's DNS server. For the IAP-VPN
scenario, the enterprise domain settings on the IAP are used for determining how client DNS requests are routed.
For information on how to configure enterprise domains, see Configuring Enterprise Domains on page 189.
Configuring a Controller for IAP-VPN Operations
Aruba controllers provide the ability to terminate the IPsec and GRE VPN tunnels from the IAP and provide corporate
connectivity to the branch network. For IAP-VPN operations, ensure that the following configuration and verification
procedures are completed on the controller:
- OSPF Configuration
- VPN Configuration
- Branch-ID Allocation
- Branch Status Verification
This section describes the configuration procedures to perform on the controller for generic use cases. For
information on specific deployment scenarios, see IAP-VPN Deployment Scenarios on page 363.
ArubaOS 6.3 or later is the recommended version to run on the controllers for the IAP-VPN configuration. The IAP-
VPN configuration is not supported on 600 Series controllers.
OSPF Configuration
Open Shortest Path First (OSPF) is a dynamic Interior Gateway routing Protocol (IGP) based on IETF RFC 2328.
The premise of OSPF is that the shortest or fastest routing path is used. The implementation of OSPFv2 allows
controllers to deploy effectively in a Layer 3 topology. The controllers can act as the default gateway for all clients
and forward user packets to the upstream router.
A separate subnet derived from the corporate intranet pool can be defined for each IAP-VPN, which allows IAP-VPN
devices to work independently. For sample topology and configuration, see the ArubaOS User Guide.
Aruba Instant 6.4.0.2-4.1 | User Guide IAP-VPN Deployment | 228










