
Aruba Remote AP

Published: 2012-07-30 | Anonymous, www.07net01.com

Remote AP Configuration Steps


1. Configure a public IP address (or setup NAT in your firewall) for the Mobility Controller

Configure NAT on the router (or another edge device) so that the controller is reachable from the public network:

Configuration on the gateway router:

interface FastEthernet0/0
 ip address 59.172.208.222 255.255.255.252
 ip nat outside
interface FastEthernet0/1
 ip address 10.100.61.1 255.255.255.0 secondary
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
ip dhcp excluded-address 192.168.5.1 192.168.5.100
ip dhcp excluded-address 192.168.5.200 192.168.5.254
!
ip dhcp pool office
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 option 150 ip 100.100.140.254
 dns-server 202.103.44.150 202.103.24.68
ip nat inside source static tcp 192.168.5.100 4343 interface FastEthernet0/0 4343 (access to the controller's web UI and related configuration over the Internet)
ip nat inside source static tcp 192.168.5.100 443 interface FastEthernet0/0 443
ip nat inside source static udp 192.168.5.100 4500 interface FastEthernet0/0 4500 (maps NAT-T to the public address)
ip nat inside source static udp 192.168.5.100 69 interface FastEthernet0/0 69 (maps the TFTP port the AP uses to download its OS to the public address)
ip nat inside source static tcp 192.168.5.100 22 interface FastEthernet0/0 22 (maps the controller's SSH login to the public address)
!
ip route 0.0.0.0 0.0.0.0 59.172.208.221
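The static NAT lines above decide which controller services become reachable from the Internet. The Python script below is an added example, not code from the original page or from Aruba or Cisco: it parses those lines, separates the mappings the RAP actually needs (NAT-T on UDP 4500 and TFTP on UDP 69, as the annotations above describe) from management-plane services (SSH, the web UI on 4343 and 443) that are exposed as a side effect, and reports any RAP-required mapping that is missing, since a missing UDP 4500 mapping is exactly what produces the IKE error shown later on this page. The router excerpt embedded in the script is copied from this page; the two classification tables are my own.

```python
import re

# Constructed sample: the outside interface and the static NAT lines from the
# gateway router configuration on this page, pasted as plain text.
ROUTER_CONFIG = """
interface FastEthernet0/0
 ip address 59.172.208.222 255.255.255.252
 ip nat outside
ip nat inside source static tcp 192.168.5.100 4343 interface FastEthernet0/0 4343
ip nat inside source static tcp 192.168.5.100 443 interface FastEthernet0/0 443
ip nat inside source static udp 192.168.5.100 4500 interface FastEthernet0/0 4500
ip nat inside source static udp 192.168.5.100 69 interface FastEthernet0/0 69
ip nat inside source static tcp 192.168.5.100 22 interface FastEthernet0/0 22
"""

# Services the RAP needs through the NAT, as annotated on this page (my table).
RAP_REQUIRED = {
    ("udp", 4500): "NAT-T (IKE/IPsec)",
    ("udp", 69): "TFTP (AP image download)",
}
# Management-plane services that the same mappings expose to any Internet
# source; these are the ones worth restricting with an inbound ACL (my table).
MANAGEMENT = {
    ("tcp", 22): "SSH",
    ("tcp", 4343): "web UI",
    ("tcp", 443): "HTTPS web UI",
}

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)",
    re.M,
)


def parse_static_nat(config):
    """Return one dict per 'ip nat inside source static' port mapping."""
    return [
        {
            "proto": m.group(1),
            "inside_ip": m.group(2),
            "inside_port": int(m.group(3)),
            "outside_if": m.group(4),
            "outside_port": int(m.group(5)),
        }
        for m in STATIC_RE.finditer(config)
    ]


def audit_static_nat(config):
    """Classify every mapping and list RAP-required mappings that are absent."""
    mappings = parse_static_nat(config)
    exposed = {(m["proto"], m["outside_port"]) for m in mappings}
    report = {"required": [], "management": [], "other": [], "missing": []}
    for m in mappings:
        key = (m["proto"], m["outside_port"])
        if key in RAP_REQUIRED:
            report["required"].append((key, RAP_REQUIRED[key]))
        elif key in MANAGEMENT:
            report["management"].append((key, MANAGEMENT[key]))
        else:
            report["other"].append((key, "unclassified"))
    for key, name in RAP_REQUIRED.items():
        if key not in exposed:
            report["missing"].append((key, name))
    return report


if __name__ == "__main__":
    for section, entries in audit_static_nat(ROUTER_CONFIG).items():
        print(f"{section}:")
        for (proto, port), name in entries:
            print(f"  {proto}/{port}  {name}")
```

The "management" section is the list to act on: those ports are opened to every Internet source by the mappings above, while the RAP itself only needs the two UDP mappings the page attributes to it. The "missing" section reproduces the failure mode from step 5, where the RAP's IKE exchange failed until UDP 4500 was mapped.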

AP and WLAN configuration:

[screenshots omitted]

In the AP system profile, the LMS address is the controller's public address when the AP connects remotely over the VPN, and the private address when the AP is connected directly to the controller on the local network.

[screenshots omitted]

Define the relevant network parameters in the controller's stateful firewall.

Under the stateful firewall's destinations, define the internal networks that should be reachable.

[screenshots omitted]

Under Access Control > Policies, create a new split-tunnel policy (named "spilt-tunnel" in the configuration below) that specifies the DHCP service, the internal networks, and so on.

Define the role:

[screenshots omitted]

2. Configure the VPN server

Layer-2 Tunneling Protocol over IPsec (L2TP/IPsec)

Point-to-Point Tunneling Protocol (PPTP)

XAUTH IKE/IPsec

IKEv2 with Certificates

IKEv2 with EAP

3. Configure the remote AP role

Under Authentication, create a new RAP role.

[screenshot omitted]

4. Configure the authentication server that will validate the username and password for the remote AP

Depending on the authentication method, the authentication server can be chosen accordingly (802.1X, MAC, captive portal, and so on).

The username and password can be set under AP Installation.

Configuration of the Aruba 650 controller:

Building Configuration...
version 6.1
enable secret "******"
telnet cli
telnet soe
hostname "Aruba650"
clock timezone PST -8
location "Building1.floor1"
controller config 8
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list eth validuserethacl
permit any
!
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-smb-tcp tcp 445
netservice svc-https tcp 443
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-lpd tcp 515
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-dns udp 53 alg dns
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-http tcp 80
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-papi udp 8211
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50
netservice svc-ipp-tcp tcp 631
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-ipp-udp udp 631
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netdestination internal-network
host 192.168.5.100
network 192.168.5.0 255.255.255.0
network 172.16.0.0 255.255.255.0
host 59.172.208.222
!
netexthdr default
!
ip access-list session allow-diskservices
any any svc-netbios-dgm permit
any any svc-netbios-ssn permit
any any svc-microsoft-ds permit
any any svc-netbios-ns permit
!
ip access-list session control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-papi permit
any any svc-sec-papi permit
any any svc-cfgm-tcp permit
any any svc-adp permit
any any svc-tftp permit
any any svc-dhcp permit
any any svc-natt permit
!
ip access-list session v6-icmp-acl
ipv6 any any svc-v6-icmp permit
!
ip access-list session spilt-tunnel
any any svc-dhcp permit
user alias internal-network any permit
alias internal-network user any permit
any any any route src-nat
!
ip access-list session validuser
network 169.254.0.0 255.255.0.0 any any deny
any any any permit
ipv6 any any any permit
!
ip access-list session vocera-acl
any any svc-vocera permit queue high
!
ip access-list session v6-https-acl
ipv6 any any svc-https permit
!
ip access-list session icmp-acl
any any svc-icmp permit
!
ip access-list session captiveportal
user alias controller svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088
!
ip access-list session v6-dhcp-acl
ipv6 any any svc-v6-dhcp permit
!
ip access-list session allowall
any any any permit
ipv6 any any any permit
!
ip access-list session v6-dns-acl
ipv6 any any svc-dns permit
!
ip access-list session sip-acl
any any svc-sip-udp permit queue high
any any svc-sip-tcp permit queue high
!
ip access-list session https-acl
any any svc-https permit
!
ip access-list session dns-acl
any any svc-dns permit
!
ip access-list session ra-guard
ipv6 user any icmpv6 rtr-adv deny
!
ip access-list session allow-printservices
any any svc-lpd permit
any any svc-ipp-tcp permit
any any svc-ipp-udp permit
!
ip access-list session logon-control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-natt permit
!
ip access-list session vpnlogon
user any svc-ike permit
user any svc-esp permit
any any svc-l2tp permit
any any svc-pptp permit
any any svc-gre permit
!
ip access-list session srcnat
user any any src-nat
!
ip access-list session skinny-acl
any any svc-sccp permit queue high
!
ip access-list session tftp-acl
any any svc-tftp permit
!
ip access-list session v6-allowall
ipv6 any any any permit
!
ip access-list session cplogout
user alias controller svc-https dst-nat 8081
!
ip access-list session captiveportal6
ipv6 user alias controller6 svc-https captive
ipv6 user any svc-http captive
ipv6 user any svc-https captive
ipv6 user any svc-http-proxy1 captive
ipv6 user any svc-http-proxy2 captive
ipv6 user any svc-http-proxy3 captive
!
ip access-list session dhcp-acl
any any svc-dhcp permit
!
ip access-list session http-acl
any any svc-http permit
!
ip access-list session v6-http-acl
ipv6 any any svc-http permit
!
ip access-list session ap-uplink-acl
any any udp 68 permit
any any svc-icmp permit
any host 224.0.0.251 udp 5353 permit
!
ip access-list session ap-acl
any any svc-gre permit
any any svc-syslog permit
any user svc-snmp permit
user any svc-snmp-trap permit
user any svc-ntp permit
user alias controller svc-ftp permit
!
ip access-list session svp-acl
any any svc-svp permit queue high
user host 224.0.1.116 any permit
!
ip access-list session noe-acl
any any svc-noe permit queue high
!
ip access-list session h323-acl
any any svc-h323-tcp permit queue high
any any svc-h323-udp permit queue high
!
ip access-list session v6-logon-control
ipv6 user any udp 68 deny
ipv6 any any svc-v6-icmp permit
ipv6 any any svc-v6-dhcp permit
ipv6 any any svc-dns permit
!
vpn-dialer default-dialer
ike authentication PRE-SHARE ******
!
user-role rap-role
access-list session spilt-tunnel
!
user-role ap-role
access-list session control
access-list session ap-acl
!
user-role default-vpn-role
access-list session allowall
access-list session v6-allowall
!
user-role voice
access-list session sip-acl
access-list session noe-acl
access-list session svp-acl
access-list session vocera-acl
access-list session skinny-acl
access-list session h323-acl
access-list session dhcp-acl
access-list session tftp-acl
access-list session dns-acl
access-list session icmp-acl
!
user-role default-via-role
access-list session allowall
!
user-role guest-logon
captive-portal "default"
access-list session logon-control
access-list session captiveportal
access-list session v6-logon-control
access-list session captiveportal6
!
user-role guest
access-list session http-acl
access-list session https-acl
access-list session dhcp-acl
access-list session icmp-acl
access-list session dns-acl
access-list session v6-http-acl
access-list session v6-https-acl
access-list session v6-dhcp-acl
access-list session v6-icmp-acl
access-list session v6-dns-acl
!
user-role stateful-dot1x
!
user-role authenticated
access-list session allowall
access-list session v6-allowall
!
user-role logon
access-list session logon-control
access-list session captiveportal
access-list session vpnlogon
access-list session v6-logon-control
access-list session captiveportal6
!
!
controller-ip vlan 2
interface mgmt
shutdown
!
dialer group evdo_us
init-string ATQ0V1E0
dial-string ATDT#777
!
dialer group gsm_us
init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
dial-string ATD*99#
!
dialer group gsm_asia
init-string AT+CGDCONT=1,"IP","internet"
dial-string ATD*99***1#
!
dialer group vivo_br
init-string AT+CGDCONT=1,"IP","zap.vivo.com.br"
dial-string ATD*99#
!
vlan 2 "employee"
vlan 3 "GUEST"
interface gigabitethernet 1/0
description "GE1/0"
trusted
trusted vlan 1-4094
switchport access vlan 3
!
interface gigabitethernet 1/1
description "GE1/1"
trusted
trusted vlan 1-4094
switchport access vlan 3
!
interface gigabitethernet 1/2
description "GE1/2"
trusted
trusted vlan 1-4094
switchport access vlan 3
!
interface gigabitethernet 1/3
description "GE1/3"
trusted
trusted vlan 1-4094
switchport access vlan 3
!
interface gigabitethernet 1/4
description "GE1/4"
trusted
trusted vlan 1-4094
switchport access vlan 3
!
interface gigabitethernet 1/5
description "GE1/5"
trusted
trusted vlan 1-4094
switchport access vlan 2
!
interface gigabitethernet 1/6
description "GE1/6"
trusted
trusted vlan 1-4094
!
interface gigabitethernet 1/7
description "GE1/7"
trusted
trusted vlan 1-4094
!
interface vlan 2
ip address 192.168.5.100 255.255.255.0
!
interface vlan 1
ip address 172.16.0.254 255.255.255.0
!
interface vlan 3
ip address 192.168.0.1 255.255.255.0
operstate up
!
ip default-gateway 192.168.5.1
no uplink wired vlan 1
uplink disable
ap mesh-recovery-profile cluster Recovery612uIbICuUp80BZu wpa-hexkey 718dc8cb5cf42cb4d6e856213176ce0af656ef6943efd9d15c98ec26097eb1dbbc678b0a56f1d4728fa5e506879e3c4e941bcbd0f2e423e0c2703c7a3b85f164933415865bc6c7933fd53697d256a825
wms
general poll-interval 60000
general poll-retries 3
general ap-ageout-interval 30
general adhoc-ap-ageout-interval 5
general sta-ageout-interval 30
general learn-ap disable
general persistent-neighbor enable
general propagate-wired-macs enable
general stat-update enable
general collect-stats disable
general learn-system-wired-macs disable
!
wms-local system max-system-wm 1000
wms-local system system-wm-update-interval 8
crypto isakmp policy 20
encryption aes256
!
crypto isakmp key "******" address 0.0.0.0 netmask 0.0.0.0
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
set transform-set "default-transform" "default-aes"
!
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
ip local pool "remote" 10.10.10.1 10.10.10.10
vpdn group l2tp
!
ip dhcp pool Guest
default-router 192.168.0.1
network 192.168.0.0 255.255.255.0
authoritative
!
service dhcp
!
vpdn group pptp
!
tunneled-node-address 0.0.0.0
adp discovery disable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice sip-midcall-req-timeout disable
ssh mgmt-auth username/password
mgmt-user admin root 3df510210184bbbce77287b2aa3cb58f9f4f9fe40c2e09c422
no database synchronize
database synchronize rf-plan-data
ip mobile domain default
!
ip igmp
!
ipv6 mld
!
no firewall attack-rate cp 1024
!
firewall cp
!
firewall cp
packet-capture-defaults tcp disable udp disable sysmsg disable other disable
!
ip domain lookup
!
country US
aaa authentication mac "default"
!
aaa authentication dot1x "default"
termination enable
termination inner-eap-type eap-mschapv2
!
aaa server-group "default"
auth-server Internal
set role condition role value-of
!
aaa authentication via connection-profile "default"
!
aaa authentication via web-auth "default"
!
aaa authentication via global-config
!
aaa profile "default"
!
aaa profile "employee"
initial-role "authenticated"
mac-default-role "authenticated"
authentication-dot1x "default"
dot1x-default-role "authenticated"
l2-auth-fail-through
!
aaa profile "guest"
authentication-dot1x "default"
l2-auth-fail-through
!
aaa profile "remote-ap"
initial-role "authenticated"
mac-default-role "authenticated"
authentication-dot1x "default"
dot1x-default-role "authenticated"
l2-auth-fail-through
!
aaa authentication captive-portal "default"
!
aaa authentication wispr "default"
!
aaa authentication vpn "default"
!
aaa authentication vpn "default-rap"
!
aaa authentication mgmt
!
aaa authentication stateful-ntlm "default"
!
aaa authentication stateful-kerberos "default"
!
aaa authentication stateful-dot1x
!
aaa authentication via auth-profile "default"
!
aaa authentication wired
!
web-server
!
papi-security
!
guest-access-email
!
voice logging
!
voice dialplan-profile "default"
!
voice real-time-config
!
voice sip
!
aaa password-policy mgmt
!
control-plane-security
no cpsec-enable
auto-cert-prov
!
ids management-profile
!
ids ap-rule-matching
!
valid-network-oui-profile
!
ap system-profile "default"
lms-ip 192.168.5.100
rap-dhcp-server-id 10.10.10.7
rap-local-network-access
!
ap system-profile "employee-ap-system"
lms-ip 192.168.5.100
!
ap system-profile "Guest-AP-system"
!
ap system-profile "RapHome-ap-system"
lms-ip 59.172.208.222
rap-dhcp-server-id 10.0.0.7
rap-local-network-access
!
ap regulatory-domain-profile "default"
country-code US
valid-11g-channel 1
valid-11g-channel 6
valid-11g-channel 11
valid-11a-channel 36
valid-11a-channel 40
valid-11a-channel 44
valid-11a-channel 48
valid-11a-channel 149
valid-11a-channel 153
valid-11a-channel 157
valid-11a-channel 161
valid-11a-channel 165
valid-11g-40mhz-channel-pair 1-5
valid-11g-40mhz-channel-pair 7-11
valid-11a-40mhz-channel-pair 36-40
valid-11a-40mhz-channel-pair 44-48
valid-11a-40mhz-channel-pair 149-153
valid-11a-40mhz-channel-pair 157-161
!
ap wired-ap-profile "default"
!
ap enet-link-profile "default"
!
ap mesh-ht-ssid-profile "default"
!
ap mesh-cluster-profile "default"
!
ap wired-port-profile "default"
!
ap mesh-radio-profile "default"
!
ids general-profile "default"
!
ids rate-thresholds-profile "default"
!
ids signature-profile "default"
!
ids impersonation-profile "default"
!
ids unauthorized-device-profile "default"
!
ids signature-matching-profile "default"
signature "Deauth-Broadcast"
signature "Disassoc-Broadcast"
!
ids dos-profile "default"
!
ids profile "default"
!
rf arm-profile "arm-maintain"
assignment maintain
no scanning
!
rf arm-profile "arm-scan"
!
rf arm-profile "default"
!
rf optimization-profile "default"
!
rf event-thresholds-profile "default"
!
rf am-scan-profile "default"
!
rf dot11a-radio-profile "default"
!
rf dot11a-radio-profile "rp-maintain-a"
arm-profile "arm-maintain"
!
rf dot11a-radio-profile "rp-monitor-a"
mode am-mode
!
rf dot11a-radio-profile "rp-scan-a"
arm-profile "arm-scan"
!
rf dot11g-radio-profile "default"
!
rf dot11g-radio-profile "rp-maintain-g"
arm-profile "arm-maintain"
!
rf dot11g-radio-profile "rp-monitor-g"
mode am-mode
!
rf dot11g-radio-profile "rp-scan-g"
arm-profile "arm-scan"
!
wlan dot11k-profile "default"
!
wlan voip-cac-profile "default"
!
wlan ht-ssid-profile "default"
!
wlan edca-parameters-profile station "default"
!
wlan edca-parameters-profile ap "default"
!
wlan ssid-profile "default"
!
wlan ssid-profile "employee"
essid "employee"
opmode wpa2-psk-aes
wpa-passphrase 99156e1784c915b6e1892ef0bce4737fde01ccdad287d023
!
wlan ssid-profile "Guest"
essid "instant"
opmode wpa2-psk-aes
wpa-passphrase 26417d1dfc98183df53da8f6c61e5f2238ba200cc9480fc0
!
wlan ssid-profile "remote"
essid "Remote"
opmode wpa2-psk-aes
wpa-passphrase 652524b166c7abd9214dcc5dcf803d9a98e663ca14e236b5
!
wlan virtual-ap "default"
!
wlan virtual-ap "employee"
aaa-profile "employee"
ssid-profile "employee"
vlan 2
!
wlan virtual-ap "Guest"
aaa-profile "guest"
ssid-profile "Guest"
vlan 3
!
wlan virtual-ap "remote"
aaa-profile "remote-ap"
ssid-profile "remote"
vlan 2
forward-mode split-tunnel
!
ap provisioning-profile "default"
!
ap spectrum local-override
!
ap-group "default"
!
ap-group "employee"
virtual-ap "employee"
ap-system-profile "employee-ap-system"
!
ap-group "guest"
virtual-ap "Guest"
ap-system-profile "Guest-AP-system"
!
ap-group "RapHome"
virtual-ap "remote"
ap-system-profile "RapHome-ap-system"
!
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
logging level debugging security process crypto subcat ike
logging level debugging security subcat ike
logging level debugging security process crypto subcat vpn
logging level debugging security subcat vpn
snmp-server enable trap
process monitor log
network-printer max-jobs 500
network-printer max-clients-per-host 10
network-printer max-clients 10
end
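The rule stated earlier on this page, that a RAP system profile carries the controller's public address as LMS while locally connected APs use the private one, can be checked mechanically against the running configuration. The Python below is an added example, not part of this page or of ArubaOS: it parses the ap system-profile, wlan virtual-ap and ap-group blocks from the configuration above (the excerpt embedded in the script is copied from it), and reports for every AP group whether its LMS IP is a private address, whether it equals the NAT public address from step 1, and whether the group's virtual AP forwards in split-tunnel mode. The regex-based block parser and the check logic are my own.

```python
import re
from ipaddress import ip_address

# Constructed excerpt of the Aruba 650 configuration on this page: the AP
# system profiles, the virtual APs and the AP groups that tie them together.
AP_CONFIG = """
ap system-profile "default"
lms-ip 192.168.5.100
rap-dhcp-server-id 10.10.10.7
rap-local-network-access
!
ap system-profile "employee-ap-system"
lms-ip 192.168.5.100
!
ap system-profile "RapHome-ap-system"
lms-ip 59.172.208.222
rap-dhcp-server-id 10.0.0.7
rap-local-network-access
!
wlan virtual-ap "employee"
aaa-profile "employee"
ssid-profile "employee"
vlan 2
!
wlan virtual-ap "remote"
aaa-profile "remote-ap"
ssid-profile "remote"
vlan 2
forward-mode split-tunnel
!
ap-group "employee"
virtual-ap "employee"
ap-system-profile "employee-ap-system"
!
ap-group "RapHome"
virtual-ap "remote"
ap-system-profile "RapHome-ap-system"
!
"""


def blocks(config, kind):
    """Map block name -> {attribute: value or True} for every block 'kind "name"'.

    A block runs from its header line to the next line consisting of '!'.
    """
    pat = re.compile(
        r"^" + re.escape(kind) + r' "([^"]+)"\n((?:(?!!$).*\n)*)', re.M)
    out = {}
    for m in pat.finditer(config):
        attrs = {}
        for line in m.group(2).splitlines():
            key, _, val = line.partition(" ")
            attrs[key] = val.strip('"') if val else True   # bare keyword = flag
        out[m.group(1)] = attrs
    return out


def check_rap_groups(config, nat_public_ip):
    """Per AP group: LMS address, whether it is private, whether it matches the
    NAT public address, and whether the group's virtual AP is split-tunnel."""
    profiles = blocks(config, "ap system-profile")
    vaps = blocks(config, "wlan virtual-ap")
    report = {}
    for group, attrs in blocks(config, "ap-group").items():
        prof = profiles.get(attrs.get("ap-system-profile"), {})
        vap = vaps.get(attrs.get("virtual-ap"), {})
        lms = prof.get("lms-ip")
        report[group] = {
            "lms_ip": lms,
            "lms_is_private": ip_address(lms).is_private if lms else None,
            "lms_matches_nat": lms == nat_public_ip,
            "split_tunnel": vap.get("forward-mode") == "split-tunnel",
        }
    return report


def flag_problems(report):
    """A split-tunnel (remote) group whose LMS is private or differs from the
    NAT public address will not reach the controller from the Internet."""
    problems = []
    for group, r in report.items():
        if r["split_tunnel"] and (r["lms_is_private"] or not r["lms_matches_nat"]):
            problems.append(f"{group}: remote group uses LMS {r['lms_ip']}, "
                            f"not the NAT public address")
    return problems


if __name__ == "__main__":
    rep = check_rap_groups(AP_CONFIG, "59.172.208.222")
    for group, r in rep.items():
        print(group, r)
    print("problems:", flag_problems(rep) or "none")
```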

5. Provision the AP with IPsec settings, including the username and password for the AP, before you install it at the remote location

Before the RAP is put into use, provision it on the controller first (it can, of course, also be provisioned at home). Here the RAP's E0 port is connected to the Internet and a PC is connected to the E1 port; open the RAP's web management interface at http://rapconsole.arubanetworks.com, then enter the public IP of the remote controller to connect and provision.

This IKE error was caused by UDP port 4500 not having been mapped at the time.

[screenshot omitted]

NOTE: You must install [screenshot omitted: SSID]

[screenshots omitted]

Routing table on the PC:

[screenshots omitted]

Client address:

[screenshots omitted]

Data path:

[screenshots omitted]
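The data path above follows from the "spilt-tunnel" policy attached to rap-role in the controller configuration: traffic to the internal-network destinations matches a permit rule and is tunnelled to the controller, while everything else falls through to the final "any any any route src-nat" rule and leaves the RAP's local uplink after source NAT. The Python below is an added example, not code from this page or from Aruba: it parses the netdestination and the policy from the configuration text above and evaluates a client packet against the rules with first-match semantics, which I assume here to be how the controller evaluates its session ACLs. The client address 10.10.10.5 is a constructed value taken from the page's "remote" address pool, and the config excerpt embedded in the script is copied from the page.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the netdestination and the split-tunnel policy from the
# controller configuration on this page (policy name spelled as on the page).
CONTROLLER_CONFIG = """
netdestination internal-network
host 192.168.5.100
network 192.168.5.0 255.255.255.0
network 172.16.0.0 255.255.255.0
host 59.172.208.222
!
ip access-list session spilt-tunnel
any any svc-dhcp permit
user alias internal-network any permit
alias internal-network user any permit
any any any route src-nat
!
"""


def parse_blocks(config, header_prefix):
    """Yield (name, body_lines) for each block whose header starts with
    header_prefix; a block ends at the next line consisting of '!'."""
    lines = config.strip().splitlines()
    i = 0
    while i < len(lines):
        if lines[i].startswith(header_prefix + " "):
            name = lines[i][len(header_prefix) + 1:]
            body = []
            i += 1
            while i < len(lines) and lines[i] != "!":
                body.append(lines[i])
                i += 1
            yield name, body
        else:
            i += 1


def parse_netdestinations(config):
    """Map netdestination name -> list of ip_network objects (host = /32)."""
    dests = {}
    for name, body in parse_blocks(config, "netdestination"):
        nets = []
        for line in body:
            kind, *rest = line.split()
            if kind == "host":
                nets.append(ip_network(rest[0]))
            elif kind == "network":
                nets.append(ip_network(f"{rest[0]}/{rest[1]}"))
        dests[name] = nets
    return dests


def _endpoint(tokens):
    """Consume one source/destination spec: 'any', 'user' or 'alias NAME'."""
    head = tokens.pop(0)
    if head == "alias":
        return ("alias", tokens.pop(0))
    return (head, None)


def parse_session_acl(config, acl_name):
    """Return the rules of one 'ip access-list session' block in order."""
    for name, body in parse_blocks(config, "ip access-list session"):
        if name == acl_name:
            rules = []
            for line in body:
                toks = line.split()
                src, dst = _endpoint(toks), _endpoint(toks)
                svc = toks.pop(0)
                rules.append({"src": src, "dst": dst, "svc": svc,
                              "action": " ".join(toks)})
            return rules
    raise KeyError(acl_name)


def _matches(spec, is_user_side, ip, dests):
    kind, name = spec
    if kind == "any":
        return True
    if kind == "user":
        return is_user_side
    return any(ip in net for net in dests[name])


def classify(rules, dests, src_ip, dst_ip, service, src_is_user=True):
    """Action of the first matching rule (first-match semantics assumed):
    'permit' means tunnelled to the controller, 'route src-nat' means sent
    out of the RAP's local uplink; no match is treated as an implicit deny.
    Simplification: exactly one side of the flow is the wireless user."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (_matches(r["src"], src_is_user, s, dests)
                and _matches(r["dst"], not src_is_user, d, dests)
                and r["svc"] in ("any", service)):
            return r["action"]
    return "deny"


if __name__ == "__main__":
    dests = parse_netdestinations(CONTROLLER_CONFIG)
    rules = parse_session_acl(CONTROLLER_CONFIG, "spilt-tunnel")
    for dst, svc in [("192.168.5.50", "svc-http"), ("8.8.8.8", "svc-dns")]:
        print(dst, svc, "->", classify(rules, dests, "10.10.10.5", dst, svc))
```

The useful property of the evaluator is that it is driven by the configuration text itself, so adding a network to internal-network or reordering the policy changes the answer exactly as it would on the RAP; a destination that unexpectedly comes back as "route src-nat" is one that will bypass the controller's firewall and go straight out of the remote site.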


URL: http://www.07net01.com/r_s/6793.html
