
Aruba Remote AP (RAP) Configuration step-by-step

Aruba OS version: 6.5.4.5 build 63925

This guide walks you step by step through configuring an Aruba Remote AP (RAP).

I will use the following topology:

Device/Host   IP Address       Description
Aruba MC      192.168.99.1     Internal address used as master IP address
Campus AP     192.168.99.2     Internal IP
FW #1         192.168.99.254   Internal IP
              10.0.0.1         External IP
FW #2         172.16.0.254     Internal IP
              10.0.0.2         External IP
Remote AP     172.16.0.5       Internal IP

The Aruba MC and the remote AP are behind firewalls which use NAT when accessing the
internet.
     1.    Log in to the MC
     2.    Go to Configuration -> Advanced Services -> VPN Services -> IPSEC
     3.    Under Address Pools click Add
     4.    Configure an address pool for remote APs:

     5.    Click Done


     6.    Under NAT-T, check Enable NAT-T:

     7.    Scroll down and click Apply


     8.    Next go to Configuration -> Wireless -> AP Configuration and create a new group for remote
APs
     9.    In the group (KS-RAP in this example) go to AP -> AP system profile and create a new
profile for this group:

     10.  In this profile make sure that the LMS IP address is the MC external IP:
 

     11.  Now go to Configuration -> Wireless -> AP Installation -> Whitelist, click on Remote AP
and then click on Entries:
     12.  Enter the MAC address of the remote AP in the MC localdb, choose the newly created
AP group (KS-RAP) and click Add:

     13.  Click Save Configuration on the MC to save all changes.

Next, let's configure the remote AP. Connect to the RAP using a console cable:
     1.    Press Enter to stop the autoboot process
     2.    Type setenv remote_ap 1
     3.    Type setenv master 10.0.0.1
     4.    Type setenv serverip 10.0.0.1
     5.    Type saveenv
     6.    Type boot

NAT Traversal

Because the firewalls are doing NAT, we have to use NAT traversal (UDP port 4500) to
allow traffic between the MC and the RAP.
On FW #1 we need to configure static NAT with port forwarding and allow UDP port
4500 to the MC (outside to inside), while on FW #2 we need to configure a policy that allows
the remote AP to reach UDP port 4500 on the outside.

Each firewall/router is configured differently, so the exact configuration is outside the scope of this post.
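
As one concrete instance of the two firewall policies described above, here is an added example (not part of the original guide). It assumes both firewalls are Linux hosts running iptables; the interface names eth0/eth1 and the source restriction on FW #1 are assumptions, while the addresses come from the topology table.

```shell
#!/bin/sh
# Added example: NAT-T (UDP 4500) rules for FW #1 and FW #2 of this guide's topology,
# ASSUMING both are Linux hosts using iptables. Dry run by default: the commands are
# only printed. Set APPLY=1 (as root, on the right firewall) to execute them.

MC_INT=192.168.99.1   # Aruba MC internal address
FW1_EXT=10.0.0.1      # FW #1 external address (the RAP's master / LMS IP)
RAP_INT=172.16.0.5    # Remote AP internal address
FW2_EXT=10.0.0.2      # FW #2 external address (RAP source address after NAT)
WAN_IF=eth0           # hypothetical outside interface name
LAN_IF=eth1           # hypothetical inside interface name
NATT_PORT=4500        # IPsec NAT traversal

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# FW #1: static NAT with port forwarding, outside -> MC, UDP 4500 only.
# "-s $FW2_EXT" is tighter than the guide requires; drop it if RAP sites
# have dynamic public addresses.
fw1_rules() {
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$FW1_EXT" -p udp --dport "$NATT_PORT" \
        -j DNAT --to-destination "$MC_INT:$NATT_PORT"
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$FW2_EXT" -d "$MC_INT" \
        -p udp --dport "$NATT_PORT" -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# FW #2: let only the RAP reach the MC's public address on UDP 4500, then source-NAT it.
fw2_rules() {
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$RAP_INT" -d "$FW1_EXT" \
        -p udp --dport "$NATT_PORT" -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$RAP_INT" -j SNAT --to-source "$FW2_EXT"
}

echo "# FW #1"; fw1_rules
echo "# FW #2"; fw2_rules
```

The rules only append ACCEPT entries, so they assume the FORWARD chain's default policy is DROP.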

Remote AP Authentication

In this example I'm using certificate-based authentication, where the RAP uses a
factory-based certificate and the MC authenticates the RAP MAC address using the localdb. This
way we can configure a pre-provisioned AP which was never connected to the MC before.
We can also use an IPSec PSK, but this requires the RAP to be connected to the MC as a campus
AP prior to conversion to RAP.
