Aruba Wireless

Deploy a Mobility Master (MM)

Follow manufacturer guidelines for deployment, and licensing, of Aruba Networks Mobility Master. MPSK is only available with a MM.

Configure Mobility Master

1. Locate the MAC address of the Mobility Controller by logging into the MC GUI, or running show switchinfo at the MC CLI

2. Add a Mobility Controller (MC) to the Managed Network Section.

3. Add the IP address of the MC to the controller definition.

4. Add the MAC from the MC to the controller definition.

5. Choose the appropriate device type for the controller definition.

6. Click the "Mobility Master" heirarchy level of the left panel, then Configuration -> Controllers.

7. Create a new controller IPSec key value. (This will be used in the MC deployment)

8. Deploy changes

Deploy Mobility Controller (MC)

Follow manufacturer guidelines for deployment of Aruba Networks Mobility Controller. Provide the IP, and IPSec PSK of the MM during setup.

Configure Mobility Controller

Once the MC is added to the Mobility Master, configuration is completed from the MM GUI.

1. At the heirarchy level of the group created in step 1 above, deploy a WLAN.

2. Provide an SSID Name, and choose Tunneling

3. Leave the default VLAN selection.

4. Set the security to wpa2personal, choose mpsk.

5. Create a new RADIUS Authentication Server with details with regards to rXg

6. Leave the default role selections

7. MAC authentication is enabled with MPSK by defualt. Manually edit the profile in order to associate the WLAN with the correct AAA server group. It does not use the server assigned for MPSK settings.

   • From the group hierarchy level go to configuration -> system -> profiles -> Wireless LAN -> AAA -> (wlanname)_aaa_prof -> MAC Authentication Server Group -> set to the (wlanname)_dot1_svg group that got created from the mpsk 802.1x settings

8. On the Group level, go to Configuration -> Interfaces -> VLANs and create the range of possible VLANs

9. In the same section, verify the ethernet port you are using is set to "trunk allow all", under the Ports tab

10. Deploy changes

Configure Aruba Central

1. Make sure the correct group is selected that contains the AP(s), you can verify this by looking in the upper left corner.

1. Click on devices, which will take us to the WLANs section. Click Add SSID

2. Give the SSID a name. Click next.

3. In the VLAN section leave defaults and click next.

4. Change Key Management to MPSK AES.Click the + in the Primary Server field, give the Server a name, and copy the shared secret from the Radius Server Options to the Shared Key and retype Key fields. Set the IP field to the IP Aruba Central will talk to the rxg on, and click OK. The Shared Secret can be obtained by navigating to Services::Radius in the rXg.

1. Expand advanced settings and enable "Called station ID include SSID" Click next.

2. For the Access section, click next without making changes.

3. Verify settings in the Summary view and click Finish. Note that with Aruba MPSK it is required that a devices MAC address be present in an account for the MPSK to work on any given device.

Configure Change of Authorization (CoA)

1. At the Group heirarchy level, navigate to Configuration -> Authentication -> Auth Servers -> All Servers
2. Create a new server, and provide the rXg IP, and RADIUS shared secret

3. Edit the AAA Profile and specify the newly created server under RFC3576

4. At the MC Heirarchy level (NOT the group level), navigate to Configuration -> Authentication -> Advanced

5. Set the RADIUS Client to the correct interface, and IP of the MC, so that the NAS-IP of RADIUS requests will be the MC (where CoA must be sent), and not the MM.

Configure rXg

Associate a RADIUS Server Attribute "Aruba-MPSK-Passphrase" with the value "%account.pre_shared_key%" to the RADIUS Realm