Campus Wireless Networks Validated Reference Design Version 3.3 | Design Guide WLAN Extension with Remote AP | 69
Appendix B

WLAN Extension with Remote AP

Remote Access Point (RAP) solutions involve configuring a standard thin access point to provide a
customer-defined level of service to the user by tunneling securely back to the corporate network over
a wide area network. The WAN may be either a private network such as a frame relay or MPLS
network, or a public network such as a residential or commercial broadband Internet service. The same
SSIDs, encryption, and authentication that exist on the corporate network are present on the RAP, or
the administrator can choose to enable just a subset of the functionality of campus-connected APs. The
Remote AP is a licensed feature, with each Remote AP requiring a separate license.

For telecommuter or home-office applications, an Aruba RAP is much more than a simple home
wireless device. It is instead an extension of all of the services available on the corporate network,
including voice and video, in a similar fashion to a branch office but with fewer configuration headaches.
For instance, the user’s laptop will automatically associate with the RAP just as it would in the corporate
network, and the RAP allows for centralized management of a truly mobile edge. Dual-mode voice devices
can place and receive calls.

The integration of the RAP functions into both the Mobility Controller and the thin AP as an end-to-end
system is critical to having a solution that is both technologically effective and cost-effective. By
integrating authentication, encryption, firewall, and QoS features, the network administrator has a single
point of troubleshooting and maintenance. This reduces both initial capital expenditure and ongoing
maintenance costs.

A much larger benefit that comes with this solution is transparent security. The RAP provides a solution
that does not add any additional burden to the user beyond their regular login credentials. They simply
see connectivity to the home office the same as it is when they are in the office. There is nothing new to
remember to do, no tokens to lose, and no mistakes in connecting.

To connect to the Mobility Controller that is inside the corporate network, the Remote AP uses NAT
Traversal (NAT-T) to connect through the corporate firewall to the Mobility Controller.

[Figure arun_096. Diagram labels: Corporate HQ; Remote location; Corporate SSID; Voice SSID; Guest SSID; Firewall / NAT-T; Internet; Websites; Internet traffic (split tunnel); IPSec tunnel; IPSec/AES-CCM encrypted control channel.]