today I will talk about how you can automatic assignment tagged and untagged vlans for a aruba-ap.

create a device profile

In the device profile, you can configure the VLAN settings, Poe, jumbo frames, etc.
As example vlan 1502 untagged and vlan 224 tagged.

conf t
device-profile name "ArubaAPs"
   untagged-vlan 1502
   tagged-vlan 224
   allow-jumbo-frames
   exit

Assignment of the aruba APs to the created device profile

Now you must associate the aruba-aps to our new device profile “ArubaAPs”.

device-profile type "aruba-ap"
   associate "ArubaAPs"
   enable
   exit
write mem

test it

With “show device-profile status” you can see if it is running.

Have a nice day!

The post Aruba OS Switch automatic vlan assignment for aruba APs appeared first on Network Guy.

Today I am going to talk about a problem with my company’s wildcard certificate.

Because I wanted to display the Clearpass captive portal without certificate errors. I tried to import our company wildcard certificate. And in doing so, I encountered the following problem:

Here we have the problem that the certificate chain for the Clearpass is in the wrong order. Many systems like the Aruba Mobility Controller or Sophos SG don’t seem to care if the chain goes from root to server certificate or from server certificate to root CA. But not the Clearpass :D

The solution

The only thing that helps here is to rebuild the certificate chain. First, we need the root CA and all sub CAs. The easiest way to get this is from a system where the wildcard certificate is already integrated. For example, the Sophos SG Firewall.

extract the root and sub CAs

To do this, simply go to the Sophos SG webadmin or user portal  with the Google Chrome browser and display the certificate.

Als erstens Exportierst du das Root CA.

Click on the Root CA. Than details and Copy to files

Save the certifiact as base 64

save it under the name CA1.cer

Repeat the steps for the two sub CAs.

build the certificate chain

Now you have to detach the single certificate and the private key from the wildcard package without a certificate chain. The easiest way to do this is with openssl in a Linux machine. I have a Windows subsystem for Linux on my computer. Copy the wildcard certificate and the 3 certificates CA1 to CA3 into the home directory of the Linux machine.

For Ubuntu:
Detach the public and private keys from the certificate.

sudo -s
openssl pkcs12 -in networkguy.pfx -clcerts -nokeys -out networkguyStar.cer
openssl pkcs12 -in networkguy.pfx -nocerts -nodes  -out networkguyStar.key

With ll you can now see that you now have the public key “networkguyStar.cer” and the private key “networkguyStar.key”.

Now we need to build a new wildcard certificate where the certificate chain has the order required by the Clearpass. The Clearpass wants the wildcard certificate first, then the sub CAs and finally the root CA.

The following command is required for this:

cat networkguyStar.cer CA3.cer CA2.cer CA1.cer > networkguyStarfullchain.cer

Now we have created a chain of certificates suitable for the Clearpass. :D

The Clearpass does not trust the Root or Sub CA

If the wildcard certificate contains a root or sub CA that Clearpass does not know, this must be imported. For this we can simply use the CA1.cer to CA3.cer.
To do this, go to Administration / Certificates / Trust List in the Policy Manager and then click on Add. Select Usage under -Select to Add– Other. Do this with CA1.cer, CA2.cer and CA3.cer.

Then have fun with your Clearpass. (A cool product) :D

Have a nice day!

The post Aruba Clearpass problem with certificate chain appeared first on Network Guy.

Last week I had to replace a defective switch in a VSF stack for the first time.
Those who know the IRF stack from HPE Comware know that this is feasible, but you have to configure a lot until the stack is up and running again after replacing a stack member.
With Aruba CX, the whole thing is totally simple in comparison.

Check the firmware version
First you must check the firmware version of the current VSF stack. According to the Aruba instructions, you do not have to do this because the VSF master automatically distributes the firmware to the members, but it did not work for me.
Now install the same firmware version on the new switch that the VSF stack uses.

VSF configuration on the new switch
In my case, the first member had failed. That’s why I didn’t have to do a renumber-to. All in all, only the following must be configured on the new switch:

For example, if the defective switch was member 2, you must perform a renumber:

conf t
vsf renumber-to 2
write mem
boot system primary

As soon as the new switch is up again, simply copy the VSF configuration from the master and put it on the new member.

In my case, the VSF stack consisted of 2 Aruba CX 6300 switches:

conf t
vsf split-detect mgmt
vsf secondary-member 2
vsf member 1
    type jl663a
    link 1 1/1/52
vsf member 2
    type jl663a
    link 1 2/1/52
exit
write mem

Restoring the stack
Now, if you have not already done so, remove the defective switch and mount the new switch. Next, plug only the management port as split detection and the VSF link between the new switch and the rest of the VSF stack. Do not plug in the rest of the cables yet, because your ports are still all configured for VLAN 1 access. And your link aggregations are not configured yet either.
After about one to two minutes, the new switch automatically joins the VSF stack. The switch reboots and receives the complete port configuration of the old defective VSF member from the VSF master.
Now plug in the rest of the cables. that’s it.

Isn’t that cool? :D

Have a nice day!

The post Aruba CX how to exchange a defective VSF stack member appeared first on Network Guy.

today I will talk about how you can setup a WPA2/3 enterprise wifi with aruba Instant On Access Points.

Because I don’t have an AD integrated notebook in my private test environment, I limit myself to username / password and don’t do any authentication by computer account.

Settings in the Instant On Portal

Create a new SSID

I have named the SSID Wifi-Enterprise. Under NAS identifier I used the name of the SSID as the identifier. You can also enter something else, but it makes it easier to set up the policies for the individual SSIDs later.

As a last step, we need the IP addresses of the individual access points.

AP01:

AP02:

The NPS Settigns

First, we must create the Radius-Clients. (the two Instant On APs)

Next, the network policy must be created. I have it named like the SSID Wifi-Enterprise.

Under conditions, I specify the Windows group for the wifi users and the NAS identifier so that the policy for the correct SSID takes effect. With Instant On this is not a problem because I can specify the NAS identifier per SSID.

Under Restrictions, please configure the following:

And under settings just leave the default values as they are.

Check the Results:

I checked the wifi with my iPhone and my Windows notebook.

Under Networks you can see the devices per SSID.

And here I see my iPhone and my notebook :)

Anyone who wants great Wi-Fi for little money should take a closer look at Instant On World. For homes like mine or small businesses, the APs are just right. :D

If you are interested once the links

Aruba AP11

Aruba AP11D

Aruba AP12

Aruba AP15

Aruba AP17 (Outdoor)

Aruba AP22 (Wifi 6)

And 3 recommended Aruba PoE switches

1930 8P

1930 24P

1930 48P

Have a nice day!

The post Aruba Instant On how to setup 802.1x with Windows NPS appeared first on Network Guy.

today I will talk about how to configuring a guest Wifi with a Aruba Mobility Controller and the Sophos hotspot solution.

In this example I will using the Sophos SG hotspot solution. With Sophos XG, it’s basically the same.

Sophos SG

Create a new Interface

It’s recommandet, to use a own interface for the guests. If you use a hardware interface or a VLAN interface, it’s your choice. I using VLAN interfaces.

Create a firewall rule for the web access 

To avoid problems with VIP visitors, I recommend allowing any service to access the internet. I will come to the topic of proxy in a moment.

masquerading rule

Without it, the package also gets on the internet, but not back :D

The DHCP 

Do not use your AD DHCP server. If you still have a server at all thanks to Azure. Always keep guest solutions as far away as possible from your infrastructure. That’s why I use the DHCP server from the Sophos SG and also send DNS queries directly to google DNS. Do not use the SG as DNS server for guest solutions. Because most UTMs have a query route to their own domain and the guest user can query your SG/XG via DNS queries about your environment.

hotspot portal

Here you have to put in the new interface and activate the hotspot type of your choice. I prefer the voucher solution.

And finally the proxy

For the guests, only the transparent proxy comes into consideration. No guest user wants to enter a static proxy into the system first. You should also only activate URL filtering, because no one wants to import the proxy CA. Now you have to define the policy and that’s it for the UTM configuration.

What web categories you allow via policy, you have to decide yourself.

Aruba Mobility Controller

My recommendation, configure everything under Mobility Controller level and not on the individual controller.

Add a new VLAN interface

We only need a VLAN interface with the same VLAN ID as the guest interface on the Sophos SG. No IP configuration is required on the mobility controller.

Create the SSID

I recommend using the tunnel mode. This way I don’t have to maintain all VLANs at the access points. Instead, I let the traffic first break out at the Mobility Controller.

We need a simple open WLAN.
Because we are using the Sophos SG guest solution in this example, I won’t go into detail about the possible Aruba solutions.

Now we have to remember the name of the default role. Because we have to edit these right away.

Edit  the role

For simplicity, we could write an Any rule because the Sophos SG takes care of security. But for the good feeling, we restrict the traffic a bit.

Because it’s a bit hard to read, here’s the content: We only allow the client to talk to the Sophos SG on the guest interface. Forbid the rest of the private IP address ranges and then allow Any for the Internet access.

Have a nice day!

The post Aruba Mobility Controller with Sophos SG/XG hotspot Portal appeared first on Network Guy.

today I want to tell you how to create a redundant point-to-point connection with Aruba 387 access points.

Update

for this setup the firmware version 8.6.0.6 or newer is absolutely needed. Because in the older versions the bug AOS-216445 is not fixed yet.

AOS-216445
Clients connected to the mesh portal AP were unable to reach devices connected to the mesh point AP and vice versa. This issue occurred when the client roamed from a source mesh AP to another mesh AP and back to the source mesh AP. The fix ensures that clients communicate with devices in the mesh network as expected. This issue was observed in AP-387 access points running Aruba Instant 8.6.0.6 or later versions.

Let’s look at the background

The customer has 2 warehouses which are about 150 meters apart and connected by WLAN. The previous WLAN solution manages the redundancy with cold standby devices. Unfortunately the problem was that there is no IT staff at this location to connect the backup APs in case of failure.

Logical structure

We have 2 Aruba 2930 24G PoE switches in the VSF stack on each side. One AP 387 is connected to each stack member. The access points are in standalone mode and form a point to point connection in pairs. AP01 + AP03 and AP02 + AP04. To prevent a switching loop, one of the two connections is switched off via Spannig Tree.

Configuration

Since the article is more about the point-to-point connection, I will only roughly describe the switch configuration.

Switches

Build the stacks, activate Spanning Tree on the switches. Configure the switch facing the Internet (SW-Stack-01) as STP root. Otherwise, configure the typical switch configuration such as management IP, management user and password, etc.

Access Points

Basic configuration

The APs are all connected to SW-Stack-01. Alternatively you can also use a lan cable between SW-Stack-01 and SW-Stack-02. Convert all APs to standalone access points (no IAP cluster). Assign a fixed IP, gateway and DNS address on all APs.

Do the following on all APs:

Edit the default_wired:port_profile:

Activate extended view (last button at the very bottom) and do the following.

Edit the Access Point profile

Example based on AP01 (still perform on all APs)

Now reboot all APs.

Configure the mesh links

After the reboot we continue on the shell.

If you can’t access it via SSH, you can also do the steps via the Com Port of the AP.

link between AP01 and AP03

Perform the following configuration on AP01 and AP03

no mesh-disable
mesh-cluster-name Link-A
mesh-cluster-key MyPassword123

example AP01:

The mesh cluster name is freely selectable.

The mesh cluster key is also freely selectable.

Now you can reboot AP01 and AP03.

link between AP02 and AP04

On AP02 and AP04 the configuration is almost identical. Only a different mesh cluster name and mesh key is used.

example AP02:


Now you can also reboot AP02 and AP04.

Turn AP03 and AP04 into mesh points

The following steps must be performed on AP03 and AP04.

example AP03:

Then connect AP03 and AP04 to switch SW-Stack-02. Or remove the LAN cable between SW-Stack-01 and SW-Stack-02 if you have connected both switches for a test setup.

checking the result

The mesh is not visible in the Web GUI.

show ap-env

show ap mesh cluster status

show ap mesh cluster topology

Here you can see that AP03 is the mesh point (child) of AP01 the mesh portal.

show ap mesh link

The 60Ghz WLAN runs automatically in parallel to the 5GHz. In this example the 60GHz network runs on channel 2.

Example how the mesh link between 2 APs must look like. (AP01 and AP03)

During a failover test with this configuration I had 0 to 1 ping drop out during a continuous ping

Have a nice day!

The post How to setup a redundant WLAN point-to-point connection with aruba AP 387 appeared first on Network Guy.