27-Jan-25

Wireless Access Configuration

The primary function of the wireless access layer is to provide network connectivity anywhere on the campus for wireless devices. Wireless access must be secure, available, fault tolerant, and reliable to meet the demands of today’s users.

To satisfy the requirements for wireless access in a variety of network designs, the Aruba ESP Campus supports two modes of switching traffic between wireless and wired networks.

  • In bridged mode, the AP converts the 802.11 frame to an 802.3 Ethernet frame.
  • In tunneled mode, the AP encapsulates the 802.11 frame in a GRE packet and tunnels the traffic to a gateway device for decapsulation, additional inspection, and, if permitted, switching onto the correct VLAN.

An SSID is used to segment traffic between WLANs. A typical reason for using multiple SSIDs is to separate employee traffic from visitor traffic. Another reason is to separate IoT devices from other types of endpoints.

The Aruba ESP large campus topology uses bridged mode for a Visitor SSID and for an SSID using pre-shared key authentication, as might be required for devices in a warehouse or healthcare setting. The same topology implements tunneled mode for an 802.1X authenticated SSID.

The figure below shows the wireless APs in the ESP Campus.

The following table shows the access VLANs for bridge-mode SSIDs.

Example: AP Access VLANs

VLAN Name        VLAN ID
EMPLOYEE         3
BLDG_MGMT        4
CAMERA           5
PRINTER          6
VISITOR          12
REJECT_AUTH      13
CRITICAL_AUTH    14
MGMT             15

The following table shows the ClearPass Policy Managers for the RADIUS server configuration.

Example: RADIUS Servers

Hostname                IP Address     Role
CPPM-1.EXAMPLE.LOCAL    10.2.120.94    Publisher
CPPM-2.EXAMPLE.LOCAL    10.2.120.95    Subscriber

Configure the WPA3-Enterprise Wireless LAN

Use this procedure to configure a WPA3-Enterprise SSID.

WPA3-Enterprise enables authentication using passwords or certificates to identify users and devices before they are granted access to the network. The wireless client authenticates against a RADIUS server using an EAP-TLS exchange, and the AP acts as a relay. Both the client and the RADIUS server use certificates to verify their identities.

Step 1 Navigate to Central and log in using administrator credentials.

Step 2 On the Central Account Home page, launch the Network Operations app.

Step 3 In the dropdown, select an AOS10 Group name. On the left menu, select Devices.

Step 4 In the upper right of the Access Points page, select Config.

Step 5 On the Access Points page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click + Add SSID.

Step 6 In the Create a New Network page on the General tab, expand Advanced Settings, then click the + (plus sign) to expand Broadcast/Multicast.

Step 7 Click the + (plus sign) to expand Transmit Rates (Legacy Only), assign the following settings, then click Next.

  • Name (SSID): EXAMPLE-8021X
  • Broadcast filtering: ARP
  • Dynamic Multicast Optimization (DMO): Slide to the right
  • DMO Client Threshold: 40
  • 2.4 GHz: Min: 12
  • 5 GHz: Min: 12

Note: The SSID name should not include spaces or special characters for compatibility with all client devices.
A DMO Client Threshold of 40 is the recommended initial value and should be adjusted based on actual performance results.

Step 8 On the VLANs tab, assign the following settings, then click Next.

  • Traffic Forwarding Mode: Tunnel
  • Primary Gateway Cluster: UI-WIRELESS:SERVICES-7210
  • Secondary Gateway Cluster: None (default)
  • Client VLAN Assignment: Static (default)
  • VLAN ID: EMPLOYEE (103)

Note: The Primary Gateway Cluster and VLAN ID were created in the Configuring Gateway Devices section.
If they have not been configured, create the named VLANs for the SSID in this section.

Step 9 On the Security tab, assign the following settings.

  • Security Level: Slide to Enterprise
  • Key Management: WPA3 Enterprise (CCM 128)

Note: WPA3 provides significant security improvements over WPA2 and should be used when possible. Consult endpoint documentation to confirm support.

Step 10 On the Security tab, click the + (plus sign) next to Primary Server.

Step 11 In the NEW SERVER window, assign the following settings, then click OK.

  • Server Type: RADIUS
  • Name: CPPM-1
  • IP Address: 10.2.120.94
  • Shared Key: shared key
  • Retype Key: shared key

Note: It is important to record the Shared Key created above for use when configuring ClearPass Policy Manager in the procedure below.

Step 12 Repeat the two previous steps for the second CPPM server using the appropriate values.

Step 13 On the Security tab, assign the following setting.

  • Load Balancing: Slide to the right

Note: Best practice is to deploy two RADIUS servers and enable load balancing.

Step 14 On the Security tab, expand Advanced Settings, scroll down and click the + (plus sign) to expand Fast Roaming. Assign the following settings, then click Next.

  • Opportunistic Key Caching: Slide to the right
  • 802.11K: Slide to the right

Step 15 On the Access tab, assign the following setting, then click Next.

  • Access Rules: Slide to Unrestricted

Note: The restrictions for this type of SSID are assigned in the gateway.

Step 16 On the Summary tab, review the settings and click Finish.

Configure ClearPass for the WPA3-Enterprise Wireless LAN

Use this procedure to configure ClearPass Policy Manager for the WPA3-Enterprise SSID.

Step 1 Browse to the ClearPass Policy Manager server, and log in with administrator credentials.

Step 2 On the left navigation menu, select Configuration, click the + (plus sign) to expand Network, then select Devices.

Step 3 In the upper right of the Network Devices page, click + Add.

Step 4 On the Add Device page, assign the following settings, then click Add.

  • Name: EXAMPLE.LOCAL 10
  • IP or Subnet Address: 10.0.0.0/8
  • Description: <subnet description>
  • Radius Shared Secret & Verify: RADIUS-SECRET
  • TACACS Shared Secret & Verify: RADIUS-SECRET
  • Vendor Name: Aruba (default)
  • Enable RADIUS Dynamic Authorization: checkmark
  • Port: 3799 (default)

Step 5 Repeat this procedure for additional ClearPass Policy Manager servers in the network.

Configure the Pre-Shared Key Wireless LAN

Use this procedure to configure a WPA3-Personal SSID with a pre-shared key.

WPA3-Personal allows for authentication using a pre-shared key on a device that does not support 802.1X authentication.

Step 1 On the Access Points page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click + Add SSID.

Step 2 In the Create a New Network page on the General tab, expand Advanced Settings, then click the + (plus sign) to expand Broadcast/Multicast.

Step 3 Click the + (plus sign) to expand Transmit Rates (Legacy Only), assign the following settings, then click Next.

  • Name (SSID): EXAMPLE-PSK
  • Broadcast filtering: ARP
  • Dynamic Multicast Optimization (DMO): Slide to the right
  • DMO Client Threshold: 40
  • 2.4 GHz: Min: 5
  • 5 GHz: Min: 18

Step 4 On the VLANs tab, assign the following settings, then click Next:

  • Traffic Forwarding Mode: Bridge
  • Client VLAN Assignment: Static
  • VLAN ID: PRINTER(6)

Step 5 On the Security tab, assign the following settings, then click Next:

  • Security Level: Slide to Personal
  • Key Management: WPA3 Personal
  • Passphrase: passphrase
  • Retype: passphrase

Step 6 On the Access tab, assign the following setting, then click Next.

  • Access Rules: Slide to Unrestricted

Note: The restrictions for this type of SSID are applied in the switched network.

Step 7 On the Summary tab, review the settings and click Finish.

Configure the Visitor Wireless LAN

Use this procedure to configure a visitor SSID.

Step 1 On the Access Points page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click + Add SSID.

Step 2 On the Create a New Network page on the General tab, expand Advanced Settings, then click the + (plus sign) to expand Broadcast/Multicast.

Step 3 Click the + (plus sign) to expand Transmit Rates (Legacy Only), then assign the following settings.

  • Name (SSID): EXAMPLE-VISITOR
  • Broadcast filtering: ARP
  • Dynamic Multicast Optimization (DMO): Slide to the right
  • DMO Client Threshold: 40
  • 2.4 GHz: Min: 5
  • 5 GHz: Min: 18

Step 4 On the General tab, scroll down and click the + (plus sign) to expand Time Range Profiles. In the middle of the section, click + New Time Range Profile.

Step 5 In the New Profile window, assign the following settings, then click Save.

  • Name: Visitor Weekdays
  • Type: Periodic
  • Repeat: Daily
  • Day Range: Monday - Friday (Weekdays)
  • Start Time Hours: 7 Minutes: 0
  • End Time Hours: 18 Minutes: 0

Step 6 In the Time Range Profiles section in the Status dropdown, find the newly created profile, and select Enabled. At the bottom of the page, click Next.

Step 7 On the VLANs tab, assign the following settings, then click Next.

  • Traffic Forwarding Mode: Bridge
  • Client VLAN Assignment: Static
  • VLAN ID: VISITOR(12)

Step 8 On the Security tab, assign the following settings.

  • Security Level: Slide to Captive Portal
  • Captive Portal Type: External

Step 9 In the Splash Page section, click the + (plus sign) next to Captive Portal Profile.

Step 10 In the External Captive Portal-New window, assign the following settings, then click OK.

  • Name: CPPM-Portal
  • Authentication Type: RADIUS Authentication
  • IP or Hostname: cppm.example.local
  • URL: /guest/example_guest.php
  • Port: 443
  • Redirect URL: http://arubanetworking.hpe.com

Step 11 On the Security tab in the Splash Page section, click the + (plus sign) next to Primary Server.

Step 12 In the New Server window, assign the following settings, then click OK.

  • Server Type: RADIUS
  • Name: CPPM-1
  • IP Address: 10.2.120.94
  • Shared Key: shared key
  • Retype Key: shared key

Step 13 Repeat the two previous steps for the second CPPM server using the appropriate values.

Step 14 On the Security tab in the Splash Page section, assign the following settings, then click Next.

  • Load Balancing: Slide to the right
  • Encryption: Slide to the left
  • Key Management: Enhanced Open

Note: The Captive Portal Profile requires information from the CPPM server on the network. For detailed steps, see Appendix 1: How to Find ClearPass Details for the Visitor WLAN.

Step 15 On the Access tab, move the slider to Network Based, select the Allow any to all destinations rule, then click the edit (pencil) icon.

Step 16 In the Access Rules window, assign the following settings, then click OK.

  • Action: Deny

Caution: This step changes the default allow any to all destinations rule to a deny any to all destinations rule for visitor traffic. This rule must always be the last entry in the Access Rules to prevent unauthorized access to internal network resources.

Step 17 On the Access tab, select + Add Rule.

In most cases, the visitor needs access only to DHCP and DNS services, and HTTP/HTTPS access to all destinations on the Internet. Allow access to DHCP servers on the internal network and allow DNS to two well-known DNS servers. To prevent access to internal resources, add an exception network and mask covering the internal IP addresses to the HTTP and HTTPS allow rules.

Example: Access Rules for Visitors

Rule Type         Service Type    Service Name    Action    Destination
Access control    Network         DHCP            Allow     10.2.120.98 (internal DHCP server)
Access control    Network         DHCP            Allow     10.2.120.99 (internal DHCP server)
Access control    Network         DNS             Allow     8.8.4.4 (well-known DNS server)
Access control    Network         DNS             Allow     8.8.8.8 (well-known DNS server)
Access control    Network         HTTP            Allow     To all destinations, except internal
Access control    Network         HTTPS           Allow     To all destinations, except internal
Access control    Network         Any             Deny      To all destinations

Step 18 In the Access Rules window, assign the following settings, then click OK.

  • Rule Type: Access Control
  • Service Type: Network
  • Service Name (dropdown): dhcp
  • Action: Allow
  • Destination: To a particular server
  • IP: 10.2.120.98
  • Options: none selected

Note: When using the provided table, the easiest way to add the rules is from the bottom up to ensure they are in the correct order when finished.

Step 19 Repeat the previous two steps to add all the rules in the table.
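The visitor rule set above is evaluated top-down with the first matching rule winning, which is why the note says to add rules bottom-up and the caution says the deny-any rule must stay last. The following Python is an added example, not part of the guide or of any Aruba product, that models the table as a first-match access list, evaluates a few constructed flows against it, and checks the two ordering properties the guide calls out: a catch-all deny exists and is last, and the HTTP/HTTPS allow rules carry the internal exception. The internal prefix 10.0.0.0/8 and the sample destination hosts are assumptions chosen for the example.

```python
# Added example (not from the Aruba guide): a first-match model of the
# visitor SSID access rules, plus a checker for the ordering rules the
# guide's note and caution describe.
import ipaddress
from dataclasses import dataclass

# Assumption for this example: the guide says "except internal" without
# naming the prefix, so 10.0.0.0/8 is used as the internal address space.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Service names from the table mapped to (IP protocol, destination port).
SERVICE_PORTS = {
    "dhcp": (17, 67),    # UDP/67 (server side)
    "dns": (17, 53),     # UDP/53
    "http": (6, 80),     # TCP/80
    "https": (6, 443),   # TCP/443
}


@dataclass(frozen=True)
class Rule:
    service: str               # "dhcp", "dns", "http", "https" or "any"
    action: str                # "allow" or "deny"
    destination: str           # "any", a host address or a CIDR prefix
    except_internal: bool = False   # "To all destinations, except internal"


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    proto: int
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if the rule's service and destination both match the flow."""
    if rule.service != "any":
        if SERVICE_PORTS[rule.service] != (flow.proto, flow.dst_port):
            return False
    dst = ipaddress.ip_address(flow.dst_ip)
    if rule.destination != "any":
        if dst not in ipaddress.ip_network(rule.destination, strict=False):
            return False
    # The exception removes internal destinations from an "all destinations" allow.
    if rule.except_internal and any(dst in net for net in INTERNAL_NETWORKS):
        return False
    return True


def evaluate(rules: list, flow: Flow) -> str:
    """First-match evaluation; anything unmatched is treated as denied."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


def check_ordering(rules: list) -> list:
    """Return a list of problems with the rule order (empty list means OK)."""
    problems = []
    catchall = [i for i, r in enumerate(rules)
                if r.service == "any" and r.destination == "any" and r.action == "deny"]
    if not catchall:
        problems.append("no deny-any catch-all rule")
    elif catchall[0] != len(rules) - 1:
        problems.append(f"deny-any catch-all at position {catchall[0]} shadows later rules")
    for r in rules:
        if (r.action == "allow" and r.service in ("http", "https")
                and r.destination == "any" and not r.except_internal):
            problems.append(f"{r.service} allow to all destinations has no internal exception")
    return problems


# The table from the guide, in the order it is meant to end up in.
VISITOR_RULES = [
    Rule("dhcp", "allow", "10.2.120.98"),
    Rule("dhcp", "allow", "10.2.120.99"),
    Rule("dns", "allow", "8.8.4.4"),
    Rule("dns", "allow", "8.8.8.8"),
    Rule("http", "allow", "any", except_internal=True),
    Rule("https", "allow", "any", except_internal=True),
    Rule("any", "deny", "any"),
]

if __name__ == "__main__":
    # Constructed sample flows: an Internet web site and an assumed internal web server.
    for flow in (Flow("93.184.216.34", 6, 443), Flow("10.2.50.10", 6, 443),
                 Flow("10.2.120.98", 17, 67), Flow("1.1.1.1", 17, 53)):
        print(flow, "->", evaluate(VISITOR_RULES, flow))
    print("ordering problems:", check_ordering(VISITOR_RULES))
    # Same rules with the catch-all deny entered first, as happens when the
    # table is typed top-down: every later allow is shadowed.
    print("misordered:", check_ordering([VISITOR_RULES[-1]] + VISITOR_RULES[:-1]))
```

Running the checker against the rule list as it appears in the UI after entry is a quick way to confirm that no allow rule ended up below the catch-all deny and that the web allows still exclude the internal range.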

Step 20 On the Access tab, click Next.

Step 21 On the Summary tab, review the settings, and select Finish.