
ARUBA EXCELLENCE PROGRAMME

WLAN CONTROLLERS – PART 1


Presented by Michael Owen
7/20/21

CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved



Agenda

• WLAN Controller Overview
• Connecting Access Points
• Configuring the WLAN Controller
– Basic Pre-shared Key
– Practical lab
– 802.1X authentication
– Practical lab
– Guest Captive Portal
– Practical lab
– Using the Wizard
• Questions and Answers


What is a WLAN Controller?

• Manage
• Configure
• Control
• Protect
• Guest
• Monitor


Connecting Access Points

Discovering the Controller


GRE Tunnel

1) DNS Record for aruba-master
2) DHCP Option 43 and 60
3) ADP


My AP doesn’t connect to the controller….

ACCESS POINT CONNECTS

ACCESS POINT MAY FAIL TO CONNECT


Resolving the issue


Discovery using DHCP Options 43 and 60


Converting Instant to Campus AP

Set the Controller IP Address to be on the SAME Layer 3 subnet as the AP

CONFIGURING THE WLAN CONTROLLER

Virtual AP Workflow

1) Firewall Policy
2) User Role – Assign FW Policy
3) AAA Profile
4) Set roles within AAA profile
5) SSID Profile
6) Set Wireless Security Type
7) Create VLAN (if design requires it)
8) Create VAP and associate to VLAN
9) Associate SSID with VAP
10) Associate AAA with VAP
11) Create Group
12) Associate VAP with Group
13) Provision AP
14) Associate AP with Group
15) Test


Example Run Through – Pre Shared Key

• Creating a Pre-shared key secured SSID
• Create a user specific VLAN
• Provision an AP to advertise the SSID
• Associate Client
• Test and confirm correct IP address used

Firewall Policy

User Role – Assign FW Policy

AAA Profile

Set roles within AAA profile

SSID Profile

Set Wireless Security Type

Create VLAN (if design requires it)

Create VAP and associate to VLAN

Associate SSID with VAP

Associate AAA with VAP

Create Group

Associate VAP with Group

Provision AP

Your next question is probably………

Can I have a copy of those slides??


Practical Lab RULES……PLEASE BE CAREFUL

1) DO NOT make changes to other Teams' configuration

2) Mark your Team Config CLEARLY using TeamX-AAAProf, TeamX-SSID etc

3) DO NOT change the Default Profiles. Create your own using SAVE AS

4) If in doubt…..ASK before clicking APPLY

5) If I have to reload the Controller, it affects everyone

Classmarker.com Questions 1 to 4


Information

• Controller IP – 192.168.2.240
• Username – admin Password – aruba123


Example Run Through - 802.1X Security

• Let's change the Pre-shared Key SSID to use 802.1X
• Internal RADIUS Server
• Change your Current VAP rather than create a new one
• You will need to create internal user accounts

AAA Profile

Set roles within AAA profile

Set Wireless Security Type

Associate AAA with VAP

CREATE USERS

802.1X certificates and Windows

• The answer to the problem is GET A PUBLIC CERTIFICATE.
• However…..
• Here is something you can do within lab and test environments
• Windows does not trust privately issued certificates
• It will just keep trying different methods, but will ultimately fail
• Manually create the Wireless Network
• Enter the SSID information
• Change the connection settings
• UNCHECK – Validate Server Certificate
• Configure MSCHAPv2 Properties and UNCHECK Use my Windows name and password
• Advanced Settings – specify authentication mode and save username and password for the SSID
• OR……….
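An added check, not part of the original slides: a profile created with Validate Server Certificate unchecked can be found again by exporting it with `netsh wlan export profile` and reading the PEAP settings. The sample XML is constructed, the function name `audit_profile` is hypothetical, and the element names are the ones Windows writes into exported PEAP profiles.

```python
import xml.etree.ElementTree as ET

# Constructed sample: EAP section of a `netsh wlan export profile` file,
# trimmed to the elements the audit reads. Not taken from the slides.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>TeamX-SSID</name>
 <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
  <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
   <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
    <Type>25</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
     <ServerValidation><ServerNames></ServerNames></ServerValidation>
     <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>26</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
       <UseWinLogonCredentials>false</UseWinLogonCredentials>
      </EapType>
     </Eap>
     <PeapExtensions>
      <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
     </PeapExtensions>
    </EapType>
   </Eap>
  </Config></EapHostConfig>
 </EAPConfig></OneX></security></MSM>
</WLANProfile>"""


def audit_profile(xml_text):
    """Return (profile name, findings) for one exported WLAN profile."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace
        values.setdefault(local, []).append((el.text or "").strip())
    findings = []
    if "false" in (v.lower() for v in values.get("PerformServerValidation", [])):
        findings.append("server certificate validation is switched off")
    if not any(values.get("TrustedRootCA", [])):
        findings.append("no trusted root CA selected")
    if not any(values.get("ServerNames", [])):
        findings.append("no RADIUS server name pinned")
    return values.get("name", ["?"])[0], findings


if __name__ == "__main__":
    name, findings = audit_profile(SAMPLE_PROFILE)
    for finding in findings:
        print(f"{name}: {finding}")
```

A profile that reports no findings has validation on, a root CA selected and a server name set, which is the state a client should be in once the controller presents a certificate it can trust.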


Practical Lab RULES……PLEASE BE CAREFUL

1) DO NOT make changes to other Teams' configuration

2) Mark your Team Config CLEARLY using TeamX-AAAProf, TeamX-SSID etc

3) DO NOT change the Default Profiles. Create your own using SAVE AS

4) If in doubt…..ASK before clicking APPLY

5) If I have to reload the Controller, it affects everyone

Classmarker.com Questions 5 and 6


Example Run Through - Guest Captive Portal

• Let's create a NEW VAP
• Use the Controller VLAN 99 for Guest Client IP address
• Use the configured DHCP Scope 172.16.99.0
• Guest Portal Customisation


Virtual AP Workflow

1) Firewall Policy
2) User Role – Assign FW Policy
3) AAA Profile
4) Set roles within AAA profile
5) SSID Profile
6) Set Wireless Security Type
7) Create VLAN (if design requires it)
8) Create VAP and associate to VLAN
9) Associate SSID with VAP
10) Associate AAA with VAP
11) Create Group
12) Associate VAP with Group
13) Provision AP
14) Associate AP with Group
15) Test

User Role – Assign FW Policy

AAA Profile

Set roles within AAA profile

SSID Profile

Create VAP and associate to VLAN

Associate SSID with VAP

Associate AAA with VAP

DHCP Server

Create Users

Creating a Portal

Practical Lab RULES……PLEASE BE CAREFUL

1) DO NOT make changes to other Teams' configuration

2) Mark your Team Config CLEARLY using TeamX-AAAProf, TeamX-SSID etc

3) DO NOT change the Default Profiles. Create your own using SAVE AS

4) If in doubt…..ASK before clicking APPLY

5) If I have to reload the Controller, it affects everyone

Classmarker.com Questions 7 to 9
