
Controller Configuration for VPN

On the controller, the following configuration is needed to set up an IAP.

Whitelist DB Configuration

If you use the controller to hold the whitelist database, add the whitelist entry with the following CLI command:

(Aruba3400) #local-userdb-ap add mac-address 00:11:22:33:44:55 ap-group test

(Aruba3400) #

The ap-group parameter is not used for any configuration, but it must still be specified. It can be any valid string. If an external whitelist is used instead, the AP MAC address must be saved in the RADIUS server as a lower-case entry without any delimiter.
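Added example, not part of the original documentation: a Python helper that turns an AP inventory into the two forms described above, the lower-case undelimited entry for an external RADIUS whitelist and the local-userdb-ap line for the controller. The function names, the strict set of accepted notations, and every sample MAC other than 00:11:22:33:44:55 are assumptions made for illustration.

```python
import re

# Accepted input notations (assumption): colon, hyphen, dotted-quad, or bare hex.
# Anything else is rejected rather than "repaired", since this feeds an allow list.
_FORMS = (
    re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"),
    re.compile(r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}"),
    re.compile(r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"),
    re.compile(r"[0-9a-f]{12}"),
)

def radius_mac(raw):
    """Return the MAC as 12 lower-case hex digits with no delimiter."""
    s = raw.strip().lower()
    if not any(p.fullmatch(s) for p in _FORMS):
        raise ValueError(f"not a MAC address: {raw!r}")
    return re.sub(r"[:.\-]", "", s)

def controller_mac(raw):
    """Return the MAC colon-delimited, as used in the controller CLI command."""
    bare = radius_mac(raw)
    return ":".join(bare[i:i + 2] for i in range(0, 12, 2))

def build_whitelist(inventory, ap_group="test"):
    """Return (radius_entries, cli_lines, rejected) for a list of raw MACs."""
    radius_entries, cli_lines, rejected, seen = [], [], [], set()
    for raw in inventory:
        try:
            bare = radius_mac(raw)
        except ValueError:
            rejected.append(raw)      # surface bad input for manual review
            continue
        if bare in seen:              # same AP listed twice in different notations
            continue
        seen.add(bare)
        radius_entries.append(bare)
        cli_lines.append("local-userdb-ap add mac-address "
                         f"{controller_mac(bare)} ap-group {ap_group}")
    return radius_entries, cli_lines, rejected

# Constructed sample inventory: two valid APs (one listed twice), two malformed.
SAMPLE = ["00:11:22:33:44:55", "00-1A-2B-3C-4D-5E", "001a.2b3c.4d5e",
          "00:11:22:33 44:55", "00:11:22:33:44"]

if __name__ == "__main__":
    entries, cli, bad = build_whitelist(SAMPLE)
    print("RADIUS entries:", entries)
    print("\n".join(cli))
    print("Rejected:", bad)
```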

VPN Local Pool Configuration

This pool is used to assign an IP address to the IAP after successful VPN authentication.

(Aruba3400) # ip local pool "rapngpool" <startip> <endip>
(Aruba3400) #

IAP VPN Profile Configuration

This profile defines the server used to authenticate the IAP (an internal or an external server) and the role assigned to the IAP user. The role defines the src-nat rule for traffic to the RADIUS server, which allows Dynamic RADIUS proxy.

(Aruba3400) (config) #ip access-list session iaprole

(Aruba3400) (config-sess-iaprole)#any host <radius-server-ip> any src-nat

(Aruba3400) (config-sess-iaprole)#any any any permit

(Aruba3400) (config-sess-iaprole)#!

(Aruba3400) (config) #user-role iaprole

(Aruba3400) (config-role) #session-acl iaprole

(Aruba3400) (config-role) #

(Aruba3400) (config) #aaa authentication vpn default-iap

(Aruba3400) (VPN Authentication Profile "default-iap") #server-group default

(Aruba3400) (VPN Authentication Profile "default-iap") #default-role iaprole

(Aruba3400) (VPN Authentication Profile "default-iap") #!

(Aruba3400) (config) #