Filter
Top Products
728 | InstantAP VPN Support DellPowerConnectW-SeriesArubaOS6.2 | User Guide
l L2 Switching Mode: In this mode, Instant supports distributed L2 and centralized L2 switching modes of
connection to corporate. When an Instant AP registers with the controller and has a L2 mode DHCP pool
configured, the controller automatically adds the GRE or VPN tunnel associated to this IAP into the VLAN
multicast table. This allows the clients connecting to this L2 mode VLAN to be part of the same L2 domain on
controller.
l L3 Routing Mode: In this mode, Instant supports L3 routing mode of connection to corporate. The VC assigns
an IP addresses from the configured subnet and forwards traffic to both corporate and non-corporate destinations.
Instant AP takes care of routing on the subnet and also adds a route on the controller after the VPN tunnel is set
up during the registration of the subnet. When the Instant AP registers with a L3 mode DHCP pool, the
controller automatically adds a route to this DHCP subnet enabling routing of traffic from the corporate to
clients on this VLAN in the branch.
VPN Configuration
The following VPN configuration steps on the controller, enable IAPs to terminate their VPN connection on the
controller:
Whitelist DB Configuration
Controller Whitelist DB
You can use the following CLI command to configure the whitelist DB if the controller is acting as the whitelist
entry:
(host) #local-userdb-ap add mac-address 00:11:22:33:44:55 ap-group test
The ap-group parameter is not used for any configuration, but needs to be configured. The parameter can be any
valid string. If an external whitelist is being used, the MAC address of the AP needs to be saved in the Radius server
as a lower case entry without any delimiter.
External Whitelist DB
The external whitelist functionality enables you to configure the RADIUS server to use an external whitelist for
authentication of MAC addresses of RAPs.
If you are using Windows 2003 server, perform the following steps to configure external whitelist on it. There are
equivalent steps available for Windows Server 2008 and other RADIUS servers.
1. Add the MAC addresses for all the RAPs in the Active Directory of the Radius server:
a. Open the Active Directory and Computers window, add a new user and specify the MAC address (without
the colon delimiter) of the RAP for the user name and password.
b. Right-click the user that you have just created and click Properties.
c. In the Dial-in tab, select Allow access in the Remote Access Permission section and click OK.
d. Repeat Step a through Step b for all RAPs.
2. Define the remote access policy in the Internet Authentication Service:
a. In the Internet Authentication Service window, select Remote Access Policies.
b. Launch the wizard to configure a new remote access policy.
c. Define filters and select select grant remote access permission in the Permissions window.
d. Right-click the policy that you have just created and select Properties.
e. In the Settings tab, select the policy condition, and Edit Profile....
f. In the Advanced tab, select Vendor Specific, and click Add to add new vendor specific attributes.
g. Add new vendor specific attributes and click OK.