The controllers can act as the default gateway for all clients and forward user packets to the upstream router.Each IAP-VPN can be defined a separate subnet derived from the corporate intranet pool to allow IAP-VPN devices to work independently. The implementation of OSPFv2 allows controllers to deploy effectively in a Layer 3 topology. The premise of OSPF is that the shortest or fastest routing path is used. The IAP-VPN configuration is not supported on 600 Series controllers.Open Shortest Path First (OSPF) is a dynamic Interior Gateway routing Protocol (IGP) based on IETF RFC 2328. ArubaOS 6.3 or later is the recommended version to run on the controllers for the IAP-VPN configuration. For information on specific deployment scenarios, see.This role is assigned to IAPs after successful authentication.(host) (config) #ip access-list session iaprole(host) (config-sess-iaprole)#any host any src-nat(host) (config-sess-iaprole)#any any any permit(host) (config-role) #session-acl iaprole VPN Profile ConfigurationThe VPN profile configuration defines the server used to authenticate the IAP (internal or an external server) and the role assigned to the IAP after successful authentication.(host) (config) #aaa authentication vpn default-iap(host) (VPN Authentication Profile "default-iap") #server-group default(host) (VPN Authentication Profile "default-iap") #default-role iaprole Branch-ID AllocationFor branches deployed in distributed L3 and distributed L2 mode, the master AP in the branch and the controller should agree upon a subnet/IP addresses to be used for DHCP services in the branch. 1.Add the MAC addresses for all the IAPs in the Active Directory of the RADIUS server:Open the Active Directory and Computers window, add a new user and specify the MAC address (without the colon delimiter) of the IAP for the user name and password.Right-click the user that you have just created and click Properties.In the Dial-in tab, select Allow access in the Remote Access Permission section and click OK.Repeat Step a through Step b for all IAPs.Define the remote access policy in the Internet Authentication Service:In the Internet Authentication Service window, select Remote Access Policies.Launch the wizard to configure a new remote access policy.Define filters and select grant remote access permission in the Permissions window.Right-click the policy that you have just created and select Properties.In the Settings tab, select the policy condition, and Edit Profile.In the Advanced tab, select Vendor Specific, and click Add to add new vendor specific attributes.Add new vendor specific attributes and click OK.In the IP tab, provide the IP address of the IAP and click OK.The VPN local pool is used to assign an IP Address to the IAP after successful XAUTH VPN.(host) # ip local pool "rapngpool" Role Assignment for the Authenticated IAPsDefine a role that includes a src-nat rule to allow connections to the RADIUS server and for the Dynamic Radius Proxy in the IAP to work. There are equivalent steps available for the Windows Server 2008 and other RADIUS servers. The parameter can be any valid string.If an external server is used as the location for the whitelist database, add the MAC addresses of the valid IAPs in the external database or external directory server and then configure a RADIUS server to authenticate the IAPs using the entries in the external database or external directory server.If you are using the Windows 2003 server, perform the following steps to configure the external whitelist database on it. This list can be either stored in the controller database or on an external server.You can use the following CLI command to configure the whitelist database entry if the controller is acting as the whitelist database:(host)# whitelist-db rap add mac-address 00:11:22:33:44:55 ap-group testThe ap-group parameter is not used for any configuration, but needs to be configured.
0 Comments
Leave a Reply. |
Details
AuthorDavid ArchivesCategories |