A lot of research, and a lot of time spent in the GUI, went into getting comfortable with Aruba wireless controllers.
Although configuring the controllers via the GUI took a lot of time at first, it is now much easier to do via the CLI.
The controller's web GUI turned out to be more useful for troubleshooting and verifying wireless client connectivity.
This time we will discuss some of the knowledge and insights I have gained while implementing Aruba wireless controllers, one of the best network device brands today.
Controller Overview
Aruba offers wireless controllers in the 7000 series and 7200 series. The 7000 series controllers are aimed at small to large enterprises, with a maximum AP capacity of 16 to 64 APs and options for up to 24 switch ports for integrated wired and wireless access.
The 7200 series controllers are suitable for university networks and support AP capacities from 256 up to a maximum of 2,048 APs.
Controllers can be used as Master or Local. Aruba recommends implementing the 7000 series Controller as Local, while the 7200 series is usually used as the Master Controller.
In a Master-Local deployment, the Master is responsible for all policy configuration. This includes services such as WIPS, initial AP configuration, user roles, authentication-related configuration, etc.
The Local controller terminates the AP tunnels, processes and forwards user traffic (including authentication), and manages ARM (Adaptive Radio Management), mobility and QoS features.
Aruba also offers the Mobility Master Appliance which embeds additional features that are not available in other Controller models.
The Mobility Master Appliance has controller clustering capabilities that enable a better user experience with features like Hitless Failover, Automatic User Load Balancing, Automatic AP Load Balancing, and Seamless Roaming across the cluster.
This type of implementation might be considered for sensitive environments where high wireless performance and reliability are requirements for essential services.
Note: ArubaOS 8.X is required for the Mobility Master Appliance. With this code, APs cannot terminate on a Master Controller or a Mobility Master; they can only terminate on a controller used in Local mode.
ArubaOS 6.X allows APs to terminate on either Master or Local Controllers.
The License
The Master Controller can be configured with the centralized licensing feature. Using the Master Controller we can create a shared AP license pool that all controllers on the network can draw from.
When an AP joins a Local Controller it uses the AP License along with the PEF-NG (Aruba Policy Enforcement Firewall) and the RFProtect License from the pool.
While centralized licensing provides flexibility, it is important to note that the maximum AP capacity of the smaller controllers can become a serious pitfall if the deployment is not designed carefully.
Suppose you have deployed a 7205 controller as Master and a 7030 controller as Local in an Active-Active HA Master-Local deployment, with a total of 100 AP licenses and the centralized licensing feature enabled.
If the APs are load balanced (50-50 on each controller) and the Master Controller fails, only 14 APs will fail over and the other 36 will go down. This is because the AP capacity of the 7030 controller model only allows 64 APs to join it.
Redundancy
To enable redundancy, any of the following HA deployment model combinations can be used:
- Master / Standby Master with HA Active-Active Local Controllers – Full Redundancy
- Master with HA Active-Standby Locals – N + 1 Redundancy with Oversubscription
- Master-Local HA Active-Active or Standby-Active – Master Active or acting as backup LMS
- Independent Master HA Active-Active – No Local Controller, each Master acts as a backup for the other
As long as the AP license pool is not exhausted, an AP can fail over to the backup LMS IP, which can be a Local or another Master depending on the deployment model.
During a failover to the backup LMS the AP normally reboots, causing several minutes of outage, unless the Aruba AP Fast Failover feature is enabled.
This feature lets the AP establish a standby tunnel to the backup LMS for near-instant failover and minimal downtime.
Configuration
Aruba wireless controller configuration uses a hierarchical approach, where multiple configuration profiles are created separately and attached to a higher-level profile.
The best practice is to configure the lowest-level settings and profiles first, then build upward. Reviewing a controller configuration without fully understanding the configuration hierarchy can confuse many of us.
Below is the output of the CLI command “show profile-hierarchy” on a 7205 controller, which shows how the profiles relate to each other and provides clarity.
ap-group
wlan virtual-ap
aaa profile
aaa authentication mac
aaa server-group
aaa authentication-server radius
aaa radius modifier
aaa authentication dot1x
aaa xml-api server
aaa rfc-3576-server
wlan dot11k-profile
wlan handover-trigger-profile
wlan rrm-ie-profile
wlan bcn-rpt-req-profile
wlan tsm-req-profile
wlan hotspot hs2-profile
wlan hotspot advertisement-profile
wlan hotspot anqp-venue-name-profile
wlan hotspot anqp-nwk-auth-profile
wlan hotspot anqp-roam-cons-profile
wlan hotspot anqp-nai-realm-profile
wlan hotspot anqp-3gpp-nwk-profile
wlan hotspot anqp-ip-addr-avail-profile
wlan hotspot h2qp-wan-metrics-profile
wlan hotspot h2qp-operator-friendly-name-profile
wlan hotspot h2qp-conn-capability-profile
wlan hotspot h2qp-op-cl-profile
wlan hotspot h2qp-osu-prov-list-profile
wlan hotspot anqp-domain-name-profile
wlan ssid-profile
wlan edca-parameters-profile station
wlan edca-parameters-profile ap
wlan ht-ssid-profile
wlan dot11r-profile
wlan wmm-traffic-management-profile
wlan anyspot-profile
rf dot11a-radio-profile
rf spectrum-profile
rf arm-profile
rf ht-radio-profile
rf am-scan-profile
rf dot11g-radio-profile
rf spectrum-profile
rf arm-profile
rf ht-radio-profile
rf am-scan-profile
ap wired-port-profile
ap wired-ap-profile
ap enet-link-profile
ap lldp profile
ap lldp med-network-policy-profile
aaa profile
aaa authentication mac
aaa server-group
aaa authentication-server radius
aaa radius modifier
aaa authentication dot1x
aaa xml-api server
aaa rfc-3576-server
ap system-profile
wlan voip-cac-profile
wlan traffic-management-profile
wlan virtual-ap
aaa profile
aaa authentication mac
aaa server-group
aaa authentication-server radius
aaa radius modifier
aaa authentication dot1x
aaa xml-api server
aaa rfc-3576-server
wlan dot11k-profile
wlan handover-trigger-profile
wlan rrm-ie-profile
wlan bcn-rpt-req-profile
wlan tsm-req-profile
wlan hotspot hs2-profile
wlan hotspot advertisement-profile
wlan hotspot anqp-venue-name-profile
wlan hotspot anqp-nwk-auth-profile
wlan hotspot anqp-roam-cons-profile
wlan hotspot anqp-nai-realm-profile
wlan hotspot anqp-3gpp-nwk-profile
wlan hotspot anqp-ip-addr-avail-profile
wlan hotspot h2qp-wan-metrics-profile
wlan hotspot h2qp-operator-friendly-name-profile
wlan hotspot h2qp-conn-capability-profile
wlan hotspot h2qp-op-cl-profile
wlan hotspot h2qp-osu-prov-list-profile
wlan hotspot anqp-domain-name-profile
wlan ssid-profile
wlan edca-parameters-profile station
wlan edca-parameters-profile ap
wlan ht-ssid-profile
wlan dot11r-profile
wlan wmm-traffic-management-profile
wlan anyspot-profile
ap regulatory-domain-profile
rf optimization-profile
rf event-thresholds-profile
ids profile
ids general-profile
ids signature-matching-profile
ids signature-profile
ids dos-profile
ids rate-thresholds-profile
ids impersonation-profile
ids unauthorized-device-profile
ap mesh-radio-profile
ap mesh-ht-ssid-profile
ap mesh-cluster-profile
rf arm-rf-domain-profile
ap provisioning-profile
ap authorization-profile
That said, only a few of these need to be configured for the implementation to work.
Many of the profiles and parameters do not require adjustment in most environments. The following is a schematic of some of the important configurations and profiles that were recently implemented at a client site.
The schematic guides the configuration flow from the lowest-level profiles (top) to the highest level (bottom).
Note: the example configuration shown is only a partial configuration, provided for illustration, and applies to the ArubaOS 6.x command line.
Looking at the bottom of the schematic, the AP group ties it all together. Each AP must be assigned to an AP group at the time of deployment.
The AP group essentially defines the SSIDs the AP will advertise, the authentication used, the VLAN assignment, etc.
You can use a single AP group for the entire network or break it down per site or region. Unless you advertise different SSIDs to different sets of APs (per site or region), it is easier to use one AP group.
Virtual-AP profiles are created per SSID and assigned to the AP group. Each Virtual-AP profile is assigned an SSID profile, which specifies the SSID, and an AAA profile, which specifies all authentication parameters for that SSID.
The VLAN is also configured under the Virtual-AP profile and assigned to all users by default, unless a specific VLAN is assigned to a user-defined User Role, which takes precedence. Those attributes are then configured under the AAA profile.
The AAA profile specifies the authentication parameters: AAA server group, 802.1X, captive portal, etc. User Roles are also configured in the AAA profile to define pre- and post-authentication roles for users.
User Roles determine what access a user is allowed, based on the firewall policies configured for each role. Firewall policies are essentially ACLs (standard, extended, service-based, etc.).
When a user tries to connect to an SSID, they are assigned the initial role. This initial role determines what access the user has before authenticating (e.g. only HTTP/HTTPS access to the captive portal for guest authentication).
Upon successful authentication, the user is assigned a post-authentication role that provides administrator-defined network access (e.g. only HTTP/HTTPS access to the internet, blocking all communication to the RFC 1918 address space).
The User Role can also be returned as a RADIUS attribute from the AAA server on successful authentication.
VLANs can be assigned to User Roles, either to place users in an initial VLAN with restricted access or in a dedicated access VLAN (e.g. for network admin access).
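Here is an added example of what that bottom-up hierarchy looks like as an ArubaOS 6.x CLI fragment. It is constructed for this post, not the configuration from the client site or from Aruba's documentation, and it uses 802.1X with the built-in "logon" initial role rather than the captive portal guest flow described above. All profile names, addresses and VLAN IDs are constructed, and the RADIUS shared secret is a placeholder.

```text
! Added example, ArubaOS 6.x CLI. All names, IPs and VLANs are constructed.
! 1. Alias for the RFC 1918 space, referenced by the firewall policy below
netdestination rfc1918
  network 10.0.0.0 255.0.0.0
  network 172.16.0.0 255.240.0.0
  network 192.168.0.0 255.255.0.0
! 2. Firewall policy (session ACL): DHCP/DNS first, deny private space,
!    then allow only web traffic; rules are evaluated top to bottom
ip access-list session internet-only
  user any svc-dhcp permit
  user any svc-dns permit
  user alias rfc1918 any deny
  user any svc-http permit
  user any svc-https permit
  user any any deny
! 3. Post-authentication role: the policy above plus a role-specific VLAN
!    (a VLAN on the role overrides the Virtual-AP VLAN set further down)
user-role employee
  access-list session internet-only
  vlan 110
! 4. RADIUS server and the server group that 802.1X will use
aaa authentication-server radius RADIUS-01
  host 10.20.0.5
  key REPLACE_WITH_SHARED_SECRET
aaa server-group corp-radius
  auth-server RADIUS-01
! 5. AAA profile: "logon" role before auth, "employee" after 802.1X succeeds
aaa profile corp-aaa
  initial-role logon
  authentication-dot1x default
  dot1x-default-role employee
  dot1x-server-group corp-radius
! 6. SSID profile: the advertised name and WPA2-AES (802.1X) security
wlan ssid-profile corp-ssid
  essid CORP-WIFI
  opmode wpa2-aes
! 7. Virtual-AP binds the SSID profile, the AAA profile and the default VLAN
wlan virtual-ap corp-vap
  ssid-profile corp-ssid
  aaa-profile corp-aaa
  vlan 100
! 8. AP group ties it together; APs are placed in this group when provisioned
ap-group HQ
  virtual-ap corp-vap
```

Read from the bottom up, this is exactly the dependency order the schematic describes: the AP group references the Virtual-AP, which references the SSID and AAA profiles, which in turn reference the server group and the User Role with its firewall policy.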
Overall, the Aruba wireless controller is quite simple to configure and provides great flexibility in implementing a wireless solution for your needs.
Most of my experience this year has been with ArubaOS 6.x code, which is very different from the new 8.x: buggy, with new features, a new look, etc.
That concludes our discussion of Aruba wireless controllers, which might serve as a reference.