Aruba Wireless Controller Explained

A lot of research and also time on the GUI has been found to make the convenience of Aruba wireless controllers easier.

Although it took a lot of time to configure the controllers via the GUI, it is now much easier to do it via the CLI.

It turned out that finding the remote GUI Controller was more useful in troubleshooting and verifying wireless client connectivity.

This time we will discuss some of the knowledge and insights that I have gained while implementing Aruba wireless controllers for one of the best network device brands today.

Controller Overview

Aruba offers wireless controllers in the 7000 series and 7200 series models. The 7000 series controllers are used for small to large enterprises from a maximum AP capacity of 16 to 64 with options for up to 24 switch ports for integrated wired and wireless access.

The 7200 series controllers are suitable for university networks and support 256 AP capacities up to 2,048 APs maximum.

Controllers can be used as Master or Local. Aruba recommends implementing the 7000 series Controller as Local, while the 7200 series is usually used as the Master Controller.

In a Master-Local implementation, the Master is responsible for all policy configurations. This will include services like WIPS, Initial AP configuration, user roles and authentication related configuration, etc.

The local controller stops the AP tunnel, processes and forwards user traffic (including authentication), manages ARM (Adaptive Radio Management), Mobility and QoS features.

Aruba also offers the Mobility Master Appliance which embeds additional features that are not available in other Controller models.

The Mobility Master Appliance has Controller clustering capabilities that enable a better user experience with features like Hitless Failover.

Automatic User Load Balancing, Automatic AP Load Balancing, and Seamless Roaming across the cluster.

This type of implementation might be considered for sensitive environments where high wireless performance and reliability are requirements for essential services.

Note: ArubaOS 8.X is required with the Mobility Master Appliance. APs cannot be stopped on a Master Controller or a Mobility Master with this code, they can only stop on a Controller that is used in Local mode.

ArubaOS 6.X allows termination of APs on Master or Local Controllers.

The License

master Controller Can be configured with the centralized licensing feature. Using the master controller we can create a shared AP license group that all controllers on the network can share.

When an AP joins a Local Controller it uses the AP License along with the PEF-NG (Aruba Policy Enforcement Firewall) and the RFProtect License from the pool.

While a Centralized License allows flexibility, it is important to note that the Maximum AP Capacity of some of the smaller Controllers can run into fatal flaws, if not designed carefully.

Suppose you have implemented the Controller model 7205 as Master and 7030 Controller as Local in an Active-Active HA Master-Local deployment, with a total of 100 AP licenses and the centralized licensing feature enabled.

[DD1] [NP2] If the APs are load balanced (50-50 on each Controller) and the Master Controller fails, only 14 APs will fail and 36 of them will die. This is because the AP capacity of the 7030 Controller model only allows 64 APs to join it.

Redundancy

To enable redundancy, any HA Deployment Model combination can be used:

  • Master / Standby Master with HA Active-Active Local Controllers – Full Redundancy
  • Masterwith HA Active-Standby Locals – N + 1 Redundancy withOverSubscription
  • Master-Local HA Active-Active-or Standby-Active – Master Active or acts as backup LMS
  • Independent Master HA Active-Active – No local Controller, each master acts as a backup for the other

As long as the AP license pool is not full, the AP has failover capability to the backup LMS IP, which can be Local or other Masters based on application.

During a failover to the backup LMS, the AP will usually reboot causing several minutes of outage, unless the Aruba AP’s Fast Failover feature is enabled.

This feature allows the AP to establish a standby tunnel to a backup LMS for instant failover and minimize downtime.

Configuration

Configuration Aruba wireless controllers use a hierarchical approach, where multiple configuration profiles are created separately and attached to a higher level profile.

The best practice is to configure the lowest level settings and profiles first, then build. Reviewing this Controller configuration might confuse many of us without fully understanding the configuration hierarchy.

Below is the CLI command “show profile-hierarchy” on Controller 7205, which shows how the profiles relate to each other and provides clarity.

ap-group

wlan virtual-ap

aaa profile

aaa authentication mac

aaa server-group

aaa authentication-server radius

aaa radius modifier

aaa authentication dot1x

aaa xml-api server

aaa rfc-3576-server

wlan dot11k-profile

wlan handover-trigger-profile

wlan rrm-ie-profile

wlan bcn-rpt-req-profile

wlan tsm-req-profile

wlan hotspot hs2-profile

wlan hotspot advertisement-profile

wlan hotspot anqp-venue-name-profile

wlan hotspot anqp-nwk-auth-profile

wlan hotspot anqp-roam-cons-profile

wlan hotspot anqp-nai-realm-profile

wlan hotspot anqp-3gpp-nwk-profile

wlan hotspot anqp-ip-addr-avail-profile

wlan hotspot h2qp-wan-metrics-profile

wlan hotspot h2qp-operator-friendly-name-profile

wlan hotspot h2qp-conn-capability-profile

wlan hotspot h2qp-op-cl-profile

wlan hotspot h2qp-osu-prov-list-profile

wlan hotspot anqp-domain-name-profile

wlan ssid-profile

wlan edca-parameters-profile station

wlan edca-parameters-profile ap

wlan ht-ssid-profile

wlan dot11r-profile

wlan wmm-traffic-management-profile

wlan anyspot-profile

rf dot11a-radio-profile

rf spectrum-profile

rf arm-profile

rf ht-radio-profile

rf am-scan-profile

rf dot11g-radio-profile

rf spectrum-profile

rf arm-profile

rf ht-radio-profile

rf am-scan-profile

ap wired-port-profile

ap wired-ap-profile

ap enet-link-profile

ap lldp profile

ap lldp med-network-policy-profile

aaa profile

aaa authentication mac

aaa server-group

aaa authentication-server radius

aaa radius modifier

aaa authentication dot1x

aaa xml-api server

aaa rfc-3576-server

ap system-profile

wlan voip-cac-profile

wlan traffic-management-profile

wlan virtual-ap

aaa profile

aaa authentication mac

aaa server-group

aaa authentication-server radius

aaa radius modifier

aaa authentication dot1x

aaa xml-api server

aaa rfc-3576-server

wlan dot11k-profile

wlan handover-trigger-profile

wlan rrm-ie-profile

wlan bcn-rpt-req-profile

wlan tsm-req-profile

wlan hotspot hs2-profile

wlan hotspot advertisement-profile

wlan hotspot anqp-venue-name-profile

wlan hotspot anqp-nwk-auth-profile

wlan hotspot anqp-roam-cons-profile

wlan hotspot anqp-nai-realm-profile

wlan hotspot anqp-3gpp-nwk-profile

wlan hotspot anqp-ip-addr-avail-profile

wlan hotspot h2qp-wan-metrics-profile

wlan hotspot h2qp-operator-friendly-name-profile

wlan hotspot h2qp-conn-capability-profile

wlan hotspot h2qp-op-cl-profile

wlan hotspot h2qp-osu-prov-list-profile

wlan hotspot anqp-domain-name-profile

wlan ssid-profile

wlan edca-parameters-profile station

wlan edca-parameters-profile ap

wlan ht-ssid-profile

wlan dot11r-profile

wlan wmm-traffic-management-profile

wlan anyspot-profile

ap regulatory-domain-profile

rf optimization-profile

rf event-thresholds-profile

ids profile

ids general-profile

ids signature-matching-profile

ids signature-profile

ids dos-profile

ids rate-thresholds-profile

ids impersonation-profile

ids unauthorized-device-profile

ap mesh-radio-profile

ap mesh-ht-ssid-profile

ap mesh-cluster-profile

rf arm-rf-domain-profile

ap provisioning-profile

ap authorization-profile

That way you h I need to configure a few things for the implementation to work.

Many of the profiles and parameters do not require adjustment in most environments. The following is a schematic of some of the important configurations and profiles that have recently been implemented on the client website.

Konfigurasi

The schematic above guides the configuration flow from low profile (top) to high level (bottom).

Note: the example configuration shown is only a partial configuration to provide visuals and applies to command line ArubaOS 6.x code.

When viewed from the schematic below the graph. The AP group put it all together. Each AP must be assigned to an AP group at the time of deployment.

The AP group basically defines the SSID that the AP will know and advertise, the authentication used, the VLAN deployment, etc.

You can use a single AP group for the entire network or break it down per site or region. Unless you advertise different SSIDs for different sets of APs (per site or region) it’s easier to use one AP Group.

Virtual-AP profiles are created per SSID and assigned to AP-Group. Each Virtual-AP profile is assigned an SSID Profile that specifies the SSID and an AAA Profile that specifies all authentication parameters that correspond to that SSID.

VLANs are also configured under the Virtual-AP profile and assigned to all users by default, unless a specific VLAN is assigned to a user-defined User Roles, which takes precedence. The attributes are then configured under the AAA profile.

AAA authentication parameters specified in AAA server / group, dot1x, captive portal, etc. User Roles are also configured in AAA profiles to define pre- or post-authentication roles for users.

User Roles determines which access is allowed by the user based on the Firewall Policies configured for each role. Firewall policies are basically ACLs (standard, extended, service-based, etc.).

When users try to connect to any SSID, they are assigned the initial role. This initial role determines what type of access the user will have before authenticating (i.e. only http / https access to the captive portal for guest authentication).

Upon successful authentication, the user is assigned a post-authentication role providing administrator-defined network access (i.e. only http / https access to the internet, blocking all communication to the RFC 1918 address space).

The User Role can also be inherited as a Radius attribute from the AAA server with successful authentication.

VLANs can be assigned to User Roles, either to assign them to an initial VLAN with restricted access or to assign them to a dedicated access VLAN (i.e. Network Admin Access).

Overall, the Aruba Wireless Controller is quite simple to configure and seems to provide great flexibility in implementing a Wireless solution for your needs.

More of my experience this year is with ArubaOS 6.x code which is very different from the new 8.x buggy, new features, new look, etc.

That is our discussion about Aruba Wireless Controllers which might be used as a reference.

Leave a Reply

Your email address will not be published. Required fields are marked *

Semua operasional PT. Network Data Sistem akan menggunakan domain nds.id per tanggal 8 Mei 2019. Semua informasi/promosi dalam bentuk apapun selain menggunakan domain nds.id bukan tanggung jawab PT. Network Data Sistem Dismiss