Wireless Access Configuration
The primary function of the wireless access layer is to provide network connectivity anywhere on the campus for wireless devices. Wireless access must be secure, available, fault tolerant, and reliable to meet the demands of today’s users.
To satisfy the requirements for wireless access in a variety of network designs, the Aruba ESP Campus supports two modes of switching traffic between wireless and wired networks.
- In bridged mode, the AP converts the 802.11 frame to an 802.3 Ethernet frame.
- In tunneled mode, the AP encapsulates the 802.11 frame in a GRE packet and tunnels the traffic to a gateway device for decapsulation, additional inspection, and, if permitted, switching onto the correct VLAN.
An SSID is used to segment traffic between WLANs. A typical reason for using multiple SSIDs is to separate employee traffic from visitor traffic. Another reason is to separate IoT devices from other types of endpoints.
The Aruba ESP Campus for large campus topology uses bridged mode for a Visitor SSID and for an SSID using pre-shared key authentication as might be required for devices in a warehouse or healthcare setting. The same topology implements tunneled mode for an 802.1X authenticated SSID.
The figure below shows the wireless APs in the ESP Campus.
The following table shows the access VLANs for bridge-mode SSIDs.
Example: AP Access VLANs
| VLAN Name | VLAN ID |
|---|---|
| EMPLOYEE | 3 |
| BLDG_MGMT | 4 |
| CAMERA | 5 |
| PRINTER | 6 |
| VISITOR | 12 |
| REJECT_AUTH | 13 |
| CRITICAL_AUTH | 14 |
| MGMT | 15 |
The following table shows the ClearPass Policy Managers for the RADIUS server configuration.
Example: RADIUS Servers
| Hostname | IP Address | Role |
|---|---|---|
| CPPM-1.EXAMPLE.LOCAL | 10.2.120.94 | Publisher |
| CPPM-2.EXAMPLE.LOCAL | 10.2.120.95 | Subscriber |
Configure the WPA3-Enterprise Wireless LAN
Use this procedure to configure a WPA3-Enterprise SSID.
WPA3-Enterprise enables authentication using passwords or certificates to identify users and devices before they are granted access to the network. The wireless client authenticates against a RADIUS server using an EAP-TLS exchange, and the AP acts as a relay. Both the client and the RADIUS server use certificates to verify their identities.
Step 1 Navigate to Central and log in using administrator credentials.
Step 2 On the Central Account Home page, launch the Network Operations app.
Step 3 In the dropdown, select an AOS10 Group name. On the left menu, select Devices.
Step 4 In the upper right of the Access Points page, select Config.
Step 5 On the Access Points page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click + Add SSID.
Step 6 In the Create a New Network page on the General tab, expand Advanced Settings, then click the + (plus sign) to expand Broadcast/Multicast.
Step 7 Click the + (plus sign) to expand Transmit Rates (Legacy Only), assign the following settings, then click Next.
- Name (SSID): EXAMPLE-8021X
- Broadcast filtering: ARP
- Dynamic Multicast Optimization (DMO): Slide to the right
- DMO Client Threshold: 40
- 2.4 GHz: Min: 12
- 5 GHz: Min: 12
Note: The SSID name should not include spaces or special characters for compatibility with all client devices.
A DMO Client Threshold of 40 is the recommended initial value and should be adjusted based on actual performance results.
Step 8 On the VLANs tab, assign the following settings, then click Next.
- Traffic Forwarding Mode: Tunnel
- Primary Gateway Cluster: UI-WIRELESS:SERVICES-7210
- Secondary Gateway Cluster: None (default)
- Client VLAN Assignment: Static (default)
- VLAN ID: EMPLOYEE (103)
Note: The Primary Gateway Cluster and VLAN ID were created in the Configuring Gateway Devices section.
If they have not been configured, create the named VLANs for the SSID in this section.
Step 9 On the Security tab, assign the following settings.
- Security Level: Slide to Enterprise
- Key Management: WPA3 Enterprise(CCM 128)
Note: WPA3 provides significant security improvements over WPA2 and should be used when possible. Consult endpoint documentation to confirm support.
Step 10 On the Security tab, click the + (plus sign) next to Primary Server.
Step 11 In the NEW SERVER window, assign the following settings, then click OK.
- Server Type: RADIUS
- Name: CPPM-1
- IP Address: 10.2.120.94
- Shared Key: shared key
- Retype Key: shared key
Note: It is important to record the Shared Key created above for use when configuring ClearPass Policy Manager in the procedure below.
Step 12 Repeat the two previous steps for the second CPPM server using the appropriate values.
Step 13 On the Security tab, assign the following setting.
- Load Balancing: Slide to the right
Note: Best practice is to deploy 2 RADIUS servers and enable load balancing.
Step 14 On the Security tab, expand Advanced Settings, scroll down and click the + (plus sign) to expand Fast Roaming. Assign the following settings, then click Next.
- Opportunistic Key Caching: Slide to the right
- 802.11K: Slide to the right
Step 15 On the Access tab, assign the following setting, then click Next.
- Access Rules: Slide to Unrestricted
Note: The restrictions for this type of SSID are assigned in the gateway.
Step 16 On the Summary tab, review the settings and click Finish.
Configure ClearPass for the WPA3-Enterprise Wireless LAN
Use this procedure to configure ClearPass Policy Manager for the WPA3-Enterprise SSID.
Step 1 Browse to the ClearPass Policy Manager server, and log in with administrator credentials.
Step 2 On the left navigation menu, select Configuration, click the + (plus sign) to expand Network, then select Devices.
Step 3 In the upper right of the Network Devices page, click + Add.
Step 4 On the Add Device page, assign the following settings, then click Add.
- Name: EXAMPLE.LOCAL 10
- IP or Subnet Address: 10.0.0.0/8
- Description: <subnet description>
- Radius Shared Secret & Verify: RADIUS-SECRET
- TACACS Shared Secret & Verify: RADIUS-SECRET
- Vendor Name: Aruba (default)
- Enable RADIUS Dynamic Authorization: checkmark
- Port: 3799 (default)
Step 5 Repeat this procedure for additional ClearPass Policy Manager servers in the network.
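The shared key entered on the SSID's Primary Server (step 11 of the WLAN procedure) and the RADIUS Shared Secret entered on the ClearPass Add Device page must be the same value, because every RADIUS Access-Request the AP relays during the EAP-TLS exchange carries a Message-Authenticator (HMAC-MD5 keyed with that secret) that ClearPass recomputes before it processes the request. The Python below is an added example, not Aruba or ClearPass code: it builds a minimal Access-Request, verifies the Message-Authenticator the way a RADIUS server does, and selects the shared secret by longest-prefix match against a constructed device table that mirrors the 10.0.0.0/8 entry above. The secret, user name, NAS address and EAP payload are constructed placeholders; only the RADIUS packet layout and HMAC construction (RFC 2865 / RFC 3579) are real.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed table standing in for the ClearPass "Network Devices" entries in this
# guide. The secret is a placeholder, not a real value.
NETWORK_DEVICES = [
    ("EXAMPLE.LOCAL 10", ipaddress.ip_network("10.0.0.0/8"), b"RADIUS-SECRET"),
]


def attr(atype, value):
    """Encode one RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, identifier, user_name, nas_ip, eap_payload, authenticator=None):
    """Build an Access-Request as an AP relaying EAP would, with a valid Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator is random per request
    others = (attr(ATTR_USER_NAME, user_name.encode())
              + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
              + attr(ATTR_EAP_MESSAGE, eap_payload))
    # Message-Authenticator is zero-filled while the HMAC is computed over the whole packet
    length = 20 + len(others) + 18
    packet = (struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
              + others + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    ma_offset = 20 + len(others)  # position of the Message-Authenticator attribute
    return packet[:ma_offset + 2] + mac + packet[ma_offset + 18:]


def verify_message_authenticator(secret, packet):
    """Server side: walk the attributes, zero the Message-Authenticator value, recompute the HMAC."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False  # malformed attribute
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # EAP-carrying requests without a Message-Authenticator are rejected


def lookup_shared_secret(nas_ip, devices=NETWORK_DEVICES):
    """Pick the secret for a NAS: the most specific (longest prefix) matching device entry wins."""
    ip = ipaddress.ip_address(nas_ip)
    matches = [d for d in devices if ip in d[1]]
    if not matches:
        return None  # unknown NAS: the server silently drops the request
    return max(matches, key=lambda d: d[1].prefixlen)[2]


def authenticate_nas(packet, src_ip, devices=NETWORK_DEVICES):
    """True only if the sender is a known device and the packet's HMAC checks under its secret."""
    secret = lookup_shared_secret(src_ip, devices)
    return secret is not None and verify_message_authenticator(secret, packet)


def eap_response_identity(identifier, identity):
    """EAP Response (code 2) / Identity (type 1), as a client would send it."""
    body = bytes([1]) + identity.encode()
    return struct.pack("!BBH", 2, identifier, 4 + len(body)) + body


if __name__ == "__main__":
    req = build_access_request(b"RADIUS-SECRET", 7, "user@example.local", "10.1.1.5",
                               eap_response_identity(1, "user"))
    print("known NAS, matching secret:", authenticate_nas(req, "10.1.1.5"))
    print("known NAS, wrong secret:   ", verify_message_authenticator(b"other", req))
    print("NAS outside device table:  ", authenticate_nas(req, "192.0.2.1"))
```

The longest-prefix lookup is why one broad entry such as 10.0.0.0/8 works for every AP in the campus, and also why any host inside that range that learns the secret is accepted as a NAS; a narrower entry for a specific management subnet takes precedence when both match.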
Configure the Pre-Shared Key Wireless LAN
Use this procedure to configure a WPA3-Personal SSID with a pre-shared key.
WPA3-Personal allows for authentication using a pre-shared key on a device that does not support 802.1X authentication.
Step 1 On the Access Points page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click + Add SSID.
Step 2 In the Create a New Network page on the General tab, expand Advanced Settings, then click the + (plus sign) to expand Broadcast/Multicast.
Step 3 Click the + (plus sign) to expand Transmit Rates (Legacy Only), assign the following settings, then click Next.
- Name (SSID): EXAMPLE-PSK
- Broadcast filtering: ARP
- Dynamic Multicast Optimization (DMO): Slide to the right
- DMO Client Threshold: 40
- 2.4 GHz: Min: 5
- 5 GHz: Min: 18
Step 4 On the VLANs tab, assign the following settings, then click Next:
- Traffic Forwarding Mode: Bridge
- Client VLAN Assignment: Static
- VLAN ID: PRINTER(6)
Step 5 On the Security tab, assign the following settings, then click Next:
- Security Level: Slide to Personal
- Key Management: WPA3 Personal
- Passphrase: passphrase
- Retype: passphrase
Step 6 On the Access tab, assign the following setting, then click Next.
- Access Rules: Slide to Unrestricted
Note: The restrictions for this type of SSID are made in the switch network.
Step 7 On the Summary tab, review the settings and click Finish.
Configure the Visitor Wireless LAN
Use this procedure to configure a visitor SSID.
Step 1 On the Access Points page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click + Add SSID.
Step 2 On the Create a New Network page on the General tab, expand Advanced Settings, then click the + (plus sign) to expand Broadcast/Multicast.
Step 3 Click the + (plus sign) to expand Transmit Rates (Legacy Only), then assign the following settings.
- Name (SSID): EXAMPLE-VISITOR
- Broadcast filtering: ARP
- Dynamic Multicast Optimization (DMO): Slide to the right
- DMO Client Threshold: 40
- 2.4 GHz: Min: 5
- 5 GHz: Min: 18
Step 4 On the General tab, scroll down and click the + (plus sign) to expand Time Range Profiles. In the middle of the section, click + New Time Range Profile.
Step 5 In the New Profile window, assign the following settings, then click Save.
- Name: Visitor Weekdays
- Type: Periodic
- Repeat: Daily
- Day Range: Monday - Friday (Weekdays)
- Start Time Hours: 7 Minutes: 0
- End Time Hours: 18 Minutes: 0
Step 6 In the Time Range Profiles section in the Status dropdown, find the newly created profile, and select Enabled. At the bottom of the page, click Next.
Step 7 On the VLANs tab, assign the following settings, then click Next.
- Traffic Forwarding Mode: Bridge
- Client VLAN Assignment: Static
- VLAN ID: VISITOR(12)
Step 8 On the Security tab, assign the following settings.
- Security Level: Slide to Captive Portal
- Captive Portal Type: External
Step 9 In the Splash Page section, click the + (plus sign) next to Captive Portal Profile.
Step 10 In the External Captive Portal-New window, assign the following settings, then click OK.
- Name: CPPM-Portal
- Authentication Type: RADIUS Authentication
- IP or Hostname: cppm.example.local
- URL: /guest/example_guest.php
- Port: 443
- Redirect URL: http://arubanetworking.hpe.com
Step 11 On the Security tab in the Splash Page section, click the + (plus sign) next to Primary Server.
Step 12 In the New Server window, assign the following settings, then click OK.
- Server Type: RADIUS
- Name: CPPM-1
- IP Address: 10.2.120.94
- Shared Key: shared key
- Retype Key: shared key
Step 13 Repeat the two previous steps for the second CPPM server using the appropriate values.
Step 14 On the Security tab in the Splash Page section, assign the following settings, then click Next.
- LOAD BALANCING: slide to the right
- Encryption: slide to the left
- Key Management: Enhanced Open
Note: The Captive Portal Profile requires information from the CPPM server on the network. For detailed steps, see Appendix 1: How to Find ClearPass Details for the Visitor WLAN.
Step 15 On the Access tab, move the slider to Network Based, select the Allow any to all destinations rule, then click the edit (pencil) icon.
Step 16 In the Access Rules window, assign the following settings, then click OK.
- Action: Deny
Caution: This step changes the default allow any to all destinations rule to a deny any to all destinations rule for visitor traffic. This rule must always be the last entry in the Access Rules to prevent unauthorized access to internal network resources.
Step 17 On the Access tab, select + Add Rule.
In most cases, the visitor needs access only to DHCP and DNS services, and HTTP/HTTPS access to all destinations on the Internet. Allow access to DHCP servers on the internal network and allow DNS to two well-known DNS servers. To prevent access to internal resources, add an exception network and mask covering the internal IP addresses to the HTTP and HTTPS allow rules.
Example: Access Rules for Visitors
| Rule Type | Service type | Service name | Action | Destination |
|---|---|---|---|---|
| Access control | Network | DHCP | Allow | 10.2.120.98 (internal DHCP server) |
| Access control | Network | DHCP | Allow | 10.2.120.99 (internal DHCP server) |
| Access control | Network | DNS | Allow | 8.8.4.4 (well-known DNS server) |
| Access control | Network | DNS | Allow | 8.8.8.8 (well-known DNS server) |
| Access control | Network | HTTP | Allow | To all destinations, except internal |
| Access control | Network | HTTPS | Allow | To all destinations, except internal |
| Access control | Network | Any | Deny | To all destinations |
Step 18 In the Access Rules window, assign the following settings, then click OK.
- Rule Type: Access Control
- Service: Network
- Service dropdown: dhcp
- Action: Allow
- Destination: To a particular server
- IP: 10.2.120.98
- Options: none selected
Note: When using the provided table, the easiest way to add the rules is from the bottom up to ensure they are in the correct order when finished.
Step 19 Repeat the previous two steps to add all the rules in the table.
Step 20 On the Access tab, click Next.
Step 21 On the Summary tab, review the settings, and select Finish.
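The visitor access rules are evaluated first match wins, which is why the table's order matters and why the deny-any rule has to stay last. The Python below is an added example, not part of this guide or of the Aruba Central software: it models the seven rules from the Access Rules for Visitors table as a first-match list, evaluates constructed sample flows against them, and checks the ordering rule that the Caution above states. The internal address range used for the "except internal" exception is assumed to be 10.0.0.0/8 (the same range the ClearPass device entry in this guide uses); the sample destination addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the "internal" exception in the HTTP/HTTPS rules covers the campus 10.0.0.0/8 range.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Service name -> (protocol, destination port); "any" is handled separately.
SERVICE_PORTS = {
    "dhcp": ("udp", 67),
    "dns": ("udp", 53),
    "http": ("tcp", 80),
    "https": ("tcp", 443),
}


@dataclass(frozen=True)
class Rule:
    service: str            # key of SERVICE_PORTS, or "any"
    action: str             # "allow" or "deny"
    destination: str        # "any", a host, or a CIDR network
    except_internal: bool = False  # "To all destinations, except internal"


# The rules from the Access Rules for Visitors table, top to bottom.
VISITOR_RULES = [
    Rule("dhcp", "allow", "10.2.120.98"),
    Rule("dhcp", "allow", "10.2.120.99"),
    Rule("dns", "allow", "8.8.4.4"),
    Rule("dns", "allow", "8.8.8.8"),
    Rule("http", "allow", "any", except_internal=True),
    Rule("https", "allow", "any", except_internal=True),
    Rule("any", "deny", "any"),
]

DENY_ANY = Rule("any", "deny", "any")


def is_internal(dst):
    return any(dst in net for net in INTERNAL_NETWORKS)


def rule_matches(rule, proto, dport, dst):
    """True if a flow to dst (ip_address) on proto/dport is covered by this rule."""
    if rule.service != "any" and (proto, dport) != SERVICE_PORTS[rule.service]:
        return False
    if rule.destination != "any":
        if dst not in ipaddress.ip_network(rule.destination, strict=False):
            return False
    if rule.except_internal and is_internal(dst):
        return False
    return True


def evaluate(rules, proto, dport, dst_ip):
    """First-match evaluation; returns "allow" or "deny" (implicit deny if nothing matches)."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule_matches(rule, proto, dport, dst):
            return rule.action
    return "deny"


def check_rule_order(rules):
    """Ordering checks a reviewer would apply to a visitor rule set; returns a list of problems."""
    problems = []
    if not rules or rules[-1] != DENY_ANY:
        problems.append("last rule must be deny any to all destinations")
    for index, rule in enumerate(rules[:-1], start=1):
        if rule.service == "any" and rule.destination == "any" and not rule.except_internal:
            problems.append(f"rule {index} matches all traffic and shadows every rule after it")
    return problems


if __name__ == "__main__":
    # Constructed sample flows: (description, protocol, destination port, destination address)
    samples = [
        ("DHCP to listed internal server", "udp", 67, "10.2.120.98"),
        ("DHCP to an unlisted internal host", "udp", 67, "10.2.120.50"),
        ("DNS to well-known resolver", "udp", 53, "8.8.8.8"),
        ("DNS to internal resolver", "udp", 53, "10.2.120.1"),
        ("HTTPS to the Internet", "tcp", 443, "203.0.113.10"),
        ("HTTPS to an internal server", "tcp", 443, "10.2.1.10"),
        ("SSH to the Internet", "tcp", 22, "203.0.113.10"),
    ]
    for desc, proto, port, dst in samples:
        print(f"{desc:36s} -> {evaluate(VISITOR_RULES, proto, port, dst)}")
    print("order problems:", check_rule_order(VISITOR_RULES) or "none")
```

Running the misordered variant (deny-any moved to the top) through check_rule_order shows both failure modes at once: the final rule is no longer the catch-all deny, and the first rule shadows everything after it, so even the DHCP and DNS allows never match.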