A while back, I posted about how to set up an Aruba wireless bridge using the built-in mesh method. Today I’ll show you how to accomplish a similar goal, but using the Wi-Fi Uplink approach. You’ll need to do it this way if you:
- Need to connect an Ethernet Bridge to a non-Aruba network such as Starlink or a cellular hotspot
- Need to connect to a network that is using 802.1X/EAP enterprise authentication
- Need to connect to an Aruba network but can’t deploy dedicated mesh portals (because deploying an AP as a mesh portal disables any other VAPs configured on that AP’s group)
The setup is much like what you would do for a mesh AP, except we’re going straight to the mesh point, since the root is your existing infrastructure.
Perform the initial setup in the boot loader. IP address is optional, but since the AP will be in bridge mode, you may want an IP address to be able to manage it either manually or by adding it to Airwave. This IP address will exist on the uplink VLAN, and won’t be reachable even on the ethernet side until the uplink is active:

    factory_reset
    purgeenv
    setenv standalone_mode 1
    setenv uap_controller_less 1
    setenv enet0_bridging 1
    setenv enet1_downlink 1
    setenv uplink_vlan 1
    setenv ipaddr 184.108.40.206
    setenv netmask 255.255.255.0
    setenv gatewayip 220.127.116.11
    saveenv
    boot

Power up the AP, either via PoE or external DC power (If your AP has a 12V input, I’ve found that a Type C PD to 12V cable is very handy for powering an AP off a standard Type C battery). Make sure you also have something like a laptop connected to the eth0 port because Instant gets a little cranky about operating when it doesn’t have Ethernet.
Your boot time will vary by your specific AP model, but I’ve observed the following boot times to be typical:
- AP-514/515: 3-4 minutes
- AP-303H: 8-10 minutes
Once the AP has booted up and the CLI is ready and not in degraded mode, log in.
- Default credentials:
  - standalone mode: admin/admin
  - virtual controller mode: admin/<serial number>
Start with the initial configuration (initial clock set time is in UTC). If you need to configure DST, follow the instructions for clock summer-time:

    clock set <year> <month 1-12> <day> <hour (24)> <minutes> <seconds>
    configure
    name AP-OPLECTIC
    terminal-access
    clock timezone EST -05 00
    rf-band 5.0
    no extended-ssid
    wlan ssid-profile dummy_ssid_to_disable_setup_mode
      disable
      index 0
      type employee
      essid "Literally Anything, Nobody will ever see this"
      wpa-passphrase aruba123
      opmode wpa2-psk-aes
      max-authentication-failures 0
      rf-band all
      captive-portal disable
      dtim-period 1
      broadcast-filter arp
      dmo-channel-utilization-threshold 90
      local-probe-req-thresh 0
      max-clients-threshold 64
    exit

This section is critical for two reasons:
The first is that you are setting your regulatory domain for RF operation. The access point will not turn on the radio until you set a regulatory domain. Any radio operations will still look like they’re running even if they’re not, and it won’t tell you that you forgot to set it… Ask me how I know, and which hairs turned gray from this!
The second is that you are creating a dummy SSID profile to tell Instant that you’ve configured the AP and so it will stop trying to enter SetMeUp mode. Disabling extended-ssid is critical to the ability to act as a wifi client, and it will not take effect until the AP is out of setup mode.
Continue with the following configuration. This establishes and applies your Ethernet port profiles. Your native-vlan number should match whatever you configured in the boot loader for the uplink-vlan:

    wlan access-rule IAP_DownLink
      index 4
      rule any any match any any any permit
    exit
    wired-port-profile IAP_DownLink
      switchport-mode access
      allowed-vlan all
      native-vlan 1
      trusted
      no shutdown
      access-rule-name IAP_DownLink
      speed auto
      duplex auto
      no poe
      type employee
      auth-server InternalServer
      captive-portal disable
      no dot1x
    exit
    enet0-port-profile IAP_DownLink
    enet1-port-profile IAP_DownLink
    enet2-port-profile IAP_DownLink
    enet3-port-profile IAP_DownLink
    enet4-port-profile IAP_DownLink

You only need to apply this profile to the ports that exist on your particular AP. If you’re using a 303H or 505H, or an outdoor AP with PoE output, you will want to make sure the poe setting reflects what you need. Applying poe to a port that doesn’t support it won’t hurt anything, it just won’t output PoE on those ports.
Continue with the configuration of the WLAN station profile (for an SSID with enterprise auth). Your username will be in whatever format the NAC backend is expecting.

    wlan sta-profile
      essid CorporateWifi
      cipher-suite wpa2-ccmp
      uplink-band dot11a
      wifi1x peap domain\username aruba123
    exit

If your target network is using WPA2-PSK, use the following instead:

    wlan sta-profile
      essid CorporateWifi
      cipher-suite wpa2-ccmp-psk
      uplink-band dot11a
      wpa-passphrase SSIDPassphrase!!!
    exit

As of this writing, the CLI bank documentation does not correctly reflect the acceptable values for uplink-band, which are dot11g for 2.4 GHz and dot11a for 5 GHz. Make sure the allowed-band that you set up earlier matches this or it won’t work. Generally speaking, stick to 5 GHz.
Then follow with this to establish uplink priorities:

    uplink
      preemption
      enforce none
      failover-internet-pkt-lost-cnt 10
      failover-internet-pkt-send-freq 30
      failover-vpn-timeout 180
      uplink-priority ethernet 9
      uplink-priority wifi 8
      uplink-priority cellular 10
    exit

Exit out of the configuration context, save with write memory, then apply with commit apply, and reboot the AP with reload.
Once it’s back up, log back in and check that wifi uplink is configured with show wifi-uplink configuration.
Check to see the connection status with show wifi-uplink status. If it’s still in PROBE mode, run show wifi-uplink candidates to see if it’s found any APs to connect to. If it shows none, make sure you’ve got sufficient signal, and that you have in fact set your country code. If it’s showing that it’s associated, check the device connected to the e0 port and see if it can get an address (if you’re using DHCP), or configure one manually and try pinging both the AP and the gateway IP addresses. If that’s working, you’re done!
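
A pre-flight check for the consistency requirements described above (native-vlan must equal the boot loader's uplink_vlan, uplink-band must agree with rf-band, extended-ssid must be off), as an added example that is not part of the original post. The function names, the sample input and the rf-band to uplink-band mapping are assumptions built from the values shown in this article; it also reports the article's sample passphrases if they were pasted in unchanged.

```python
import re

# Assumed mapping, taken from the article: dot11a = 5 GHz, dot11g = 2.4 GHz.
BAND_OK = {"dot11a": {"5", "5.0", "all"}, "dot11g": {"2.4", "all"}}
EXAMPLE_SECRETS = {"aruba123", "SSIDPassphrase!!!"}  # the article's sample values

def parse(text):
    """Group indented lines under their unindented header; '' holds top-level lines."""
    blocks, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line == "exit":
            current = ""
        if line in ("", "exit"):
            continue
        if raw[0].isspace():
            blocks[current].append(line)
        else:
            current = line
            blocks[""].append(line)
            blocks.setdefault(line, [])
    return blocks

def value(lines, key):
    """Return the argument of the first 'key <arg>' line, or None."""
    return next((l[len(key) + 1:] for l in lines if l.startswith(key + " ")), None)

def preflight(boot_env, config):
    """Return a list of findings; an empty list means the checks passed."""
    env = dict(re.findall(r"^setenv (\S+) (\S+)$", boot_env, re.M))
    blocks = parse(config)
    top, findings = blocks[""], []
    for name, lines in blocks.items():
        vlan = value(lines, "native-vlan")
        if name.startswith("wired-port-profile ") and vlan != env.get("uplink_vlan"):
            findings.append(f"{name}: native-vlan {vlan} != uplink_vlan {env.get('uplink_vlan')}")
        for l in lines:
            if EXAMPLE_SECRETS & set(l.split()):
                findings.append(f"{name or 'global'}: sample secret left in {l.split()[0]}")
    band = value(blocks.get("wlan sta-profile", []), "uplink-band")
    if value(top, "rf-band") not in BAND_OK.get(band, set()):
        findings.append(f"uplink-band {band} does not match rf-band {value(top, 'rf-band')}")
    if "no extended-ssid" not in top:
        findings.append("extended-ssid is still enabled")
    return findings

# Constructed sample input (not from a real AP).
BOOT = "setenv uplink_vlan 1\nsetenv enet0_bridging 1\n"
CONFIG = ("rf-band 5.0\nwired-port-profile IAP_DownLink\n native-vlan 20\nexit\n"
          "wlan sta-profile\n uplink-band dot11g\n wpa-passphrase aruba123\nexit\n")
if __name__ == "__main__":
    print("\n".join(preflight(BOOT, CONFIG)))
```

The parser relies on nested lines being indented, so feed it the configuration as typed rather than a copy that has been collapsed onto one line.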