403
| IAP-VPN Deployment Scenarios
Aruba Instant 6.5.0.0-4.3.0.0 | User Guide
Configuration Steps
CLI Commands
UI Procedure
(Instant AP)(DHCP Profile "l3-dhcp")# client-count
200
NOTE:
The IP range configuration on each branch will be the
same. Each IAP will derive a smaller subnet based on the client
count scope using the Branch ID (BID) allocated by controller.
6. Create authentication
servers for user
authentication. The
example in the next
column assumes 802.1X
SSID.
(Instant AP)(config)# wlan auth-server server1
(Instant AP)(Auth Server "server1")# ip 10.2.2.1
(Instant AP)(Auth Server "server1")# port 1812
(Instant AP)(Auth Server "server1")# acctport 1813
(Instant AP)(Auth Server "server1")# key
"presharedkey"
(Instant AP)(Auth Server "server1")# exit
(Instant AP)(config)# wlan auth-server server2
(Instant AP)(Auth Server "server2")# ip 10.2.2.2
(Instant AP)(Auth Server "server2")# port 1812
(Instant AP)(Auth Server "server2")# acctport 1813
(Instant AP)(Auth Server "server2")# key
"presharedkey"
See
Configuring an
External Server
for
Authentication
7. Configure wired port and
wireless SSIDs using the
authentication servers.
Configure wired ports to operate in L3 mode and associate
Distributed, L3 mode VLAN 30 to the wired port profile.
(Instant AP)(config) # wired-port-profile wired-port
(Instant AP)(wired-port-profile "wired-port")#
switchport-mode access
(Instant AP)(wired-port-profile "wired-port")#
allowed-vlan all
(Instant AP)(wired-port-profile "wired-port")#
native-vlan 30
(Instant AP)(wired-port-profile "wired-port")# no
shutdown
(Instant AP)(wired-port-profile "wired-port")#
access-rule-name wired-port
(Instant AP)(wired-port-profile "wired-port")# type
employee
(Instant AP)(wired-port-profile "wired-port")# auth-
server server1
(Instant AP)(wired-port-profile "wired-port")# auth-
server server2
(Instant AP)(wired-port-profile "wired-port")# dot1x
(Instant AP)(wired-port-profile "wired-port")# exit
(Instant AP)(config)# enet1-port-profile wired-port
Configure a wireless SSID to operate in L2 mode and associate
Centralized, L2 mode VLAN 20 to the WLAN SSID profile.
(Instant AP)(config) # wlan ssid-profile guest
(Instant AP)(SSID Profile "guest")# enable
(Instant AP)(SSID Profile "guest")# type guest
(Instant AP)(SSID Profile "guest")# essid guest
(Instant AP)(SSID Profile "guest")# opmode
opensystem
(Instant AP)(SSID Profile "guest")# vlan 20
See
and
Table 85:
IAP Configuration for Scenario 2—IPsec: Single Datacenter with Multiple controllers for Redundancy