VPN Local Pool Configuration; Branch-ID Allocation; Role Assignment for the Authenticated IAPs; VPN Profile Configuration - Aruba IAP-335 User Manual


If you are using the Windows 2003 server, perform the following steps to configure the external whitelist
database on it. There are equivalent steps available for the Windows Server 2008 and other RADIUS servers.
1. Add the MAC addresses of all the IAPs in the Active Directory of the RADIUS server:
a. Open the Active Directory and Computers window, add a new user, and use the MAC address of the IAP
(without the colon delimiters) as both the username and the password.
b. Right-click the user that you have just created and click Properties.
c. On the Dial-in tab, select Allow access in the Remote Access Permission section and click OK.
d. Repeat Step a through Step c for all IAPs.
2. Define the remote access policy in the Internet Authentication Service:
a. In the Internet Authentication Service window, select Remote Access Policies.
b. Launch the wizard to configure a new remote access policy.
c. Define filters and select grant remote access permission in the Permissions window.
d. Right-click the policy that you have just created and select Properties.
e. In the Settings tab, select the policy condition, and click Edit Profile....
f. In the Advanced tab, select Vendor Specific, and click Add to add new vendor-specific attributes.
g. Add new vendor-specific attributes and click OK.
h. In the IP tab, provide the IP address of the IAP and click OK.
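The whitelist above keys each IAP on its MAC address written without delimiters, so the entries must be produced in exactly that form. The following is an added example (not Aruba code, not part of the manual) that normalizes an inventory of IAP MAC addresses from the mixed notations they usually arrive in, rejects malformed ones, drops duplicates, and emits the (username, password) pairs to load into the server. The MAC list is constructed; the lower-case form is an assumption, since the page does not state which case the IAP presents, and the RADIUS password check is case-sensitive, so the case must match what the IAP sends.

```python
"""Normalize IAP MAC addresses into the delimiter-free form that the
whitelist procedure uses as the RADIUS username and password.

Added example, not Aruba code. The MAC inventory below is constructed."""
import re
from typing import List, Tuple

# Constructed sample inventory, in the mixed notations seen in practice.
SAMPLE_IAP_MACS = [
    "00:1A:1E:12:34:56",   # colon-delimited, upper case
    "00-1a-1e-ab-cd-ef",   # hyphen-delimited, lower case
    "001a.1e00.0001",      # dotted form
    "001A1E123456",        # already delimiter-free; duplicates the first entry
    "00:1A:1E:12:34",      # too short: must be rejected
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the 12-hex-digit, lower-case, delimiter-free form of `mac`.

    Lower case is an assumption (see lead-in). Raises ValueError when the
    input is not a well-formed MAC address."""
    stripped = re.sub(r"[:\-.\s]", "", mac.strip().lower())
    if not _HEX12.match(stripped):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return stripped


def build_whitelist_entries(macs: List[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Produce (username, password) pairs for the whitelist database.

    Both fields carry the same normalized MAC, as the procedure requires.
    Returns (entries, rejected): rejected holds inputs that failed validation,
    and a MAC listed more than once yields a single entry."""
    entries: List[Tuple[str, str]] = []
    rejected: List[str] = []
    seen = set()
    for raw in macs:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            rejected.append(raw)
            continue
        if mac in seen:
            continue
        seen.add(mac)
        entries.append((mac, mac))
    return entries, rejected


if __name__ == "__main__":
    ok, bad = build_whitelist_entries(SAMPLE_IAP_MACS)
    for user, pwd in ok:
        print(f"user={user} password={pwd}")
    for raw in bad:
        print(f"rejected: {raw}")
```

Because the username and the password are both derived from the MAC address, an entry is only as secret as the MAC itself; the role and ACL configured later on this page are what limit what an authenticated IAP can reach.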

VPN Local Pool Configuration

The VPN local pool is used to assign an IP address to the IAP after successful XAUTH VPN authentication.
(Instant AP) # ip local pool "rapngpool" <startip> <endip>

Role Assignment for the Authenticated IAPs

Define a role that includes a source NAT rule, so that connections to the RADIUS server are allowed and the Dynamic
RADIUS Proxy in the IAP can work. This role is assigned to IAPs after successful authentication.
(host) (config) #ip access-list session iaprole
(host) (config-sess-iaprole)#any host <radius-server-ip> any src-nat
(host) (config-sess-iaprole)#any any any permit
(host) (config-sess-iaprole)#!
(host) (config) #user-role iaprole
(host) (config-role) #session-acl iaprole

VPN Profile Configuration

The VPN profile configuration defines the server used to authenticate the IAP (internal or an external server)
and the role assigned to the IAP after successful authentication.
(host) (config) #aaa authentication vpn default-iap
(host) (VPN Authentication Profile "default-iap") #server-group default
(host) (VPN Authentication Profile "default-iap") #default-role iaprole

Branch-ID Allocation

For branches deployed in Distributed, L3 and Distributed, L2 modes, the master IAP in the branch and the
controller must agree on the subnet or IP addresses to be used for DHCP services in the branch. The process or
protocol by which the master IAP and the controller determine the subnet or IP addresses used in a branch is
called BID allocation. The BID allocation process is not required for branches deployed in Local or Centralized,
L2 mode. The following are some of the key functions of the BID allocation process:
- Determines the IP addresses used in a branch for Distributed, L2 mode
- Determines the subnet used in a branch for Distributed, L3 mode
- Avoids IP address or subnet overlap (that is, avoids IP conflicts)
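One of the functions listed above is avoiding subnet overlap between branches. The following added example (not Aruba code; the actual BID allocation protocol is not described on this page) shows what that check amounts to: given the subnets proposed for several Distributed, L3 branches, it reports every pair of branches whose subnets overlap, and it carves the next non-overlapping block out of a pool, which is the kind of decision the controller has to make. The branch table and the pool range are constructed.

```python
"""Detect overlapping branch subnets and pick a non-overlapping block.

Added example, not Aruba code. Branch plan and pool below are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed branch plan: branch name -> subnet proposed by its master IAP.
SAMPLE_BRANCH_SUBNETS: Dict[str, str] = {
    "branch-1": "10.10.1.0/24",
    "branch-2": "10.10.2.0/24",
    "branch-3": "10.10.1.128/25",  # lies inside branch-1's subnet: conflict
    "branch-4": "10.10.2.0/24",    # exact duplicate of branch-2: conflict
}


def find_subnet_conflicts(plan: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of branch names whose subnets overlap.

    strict=True rejects a CIDR with host bits set, so a typo such as
    10.10.1.5/24 is caught instead of silently widened."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}
    names = sorted(nets)
    conflicts: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                conflicts.append((a, b))
    return conflicts


def next_free_subnet(plan: Dict[str, str], pool_cidr: str, prefixlen: int) -> Optional[str]:
    """Return the first /prefixlen block inside pool_cidr that overlaps no
    subnet already in plan, or None when the pool is exhausted.

    This is a simple first-fit allocator written for the example; it is not
    the controller's algorithm, which this page does not describe."""
    taken = [ipaddress.ip_network(cidr, strict=True) for cidr in plan.values()]
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    for candidate in pool.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None


if __name__ == "__main__":
    for a, b in find_subnet_conflicts(SAMPLE_BRANCH_SUBNETS):
        print(f"conflict: {a} ({SAMPLE_BRANCH_SUBNETS[a]}) overlaps {b} ({SAMPLE_BRANCH_SUBNETS[b]})")
    print("next free /24:", next_free_subnet(SAMPLE_BRANCH_SUBNETS, "10.10.0.0/16", 24))
```

Run this against the planned branch table before the branches come up; a conflict reported here is the IP conflict the BID allocation process exists to prevent.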
Aruba Instant 6.5.0.0-4.3.0.0 | User Guide    IAP-VPN Deployment | 250
