Setup and Configure HP Wireless E-MSM720 Wireless Controller with HP E-MSM430 Access Points

KB ID 0000692 

Problem

We got some ‘demo stock’ in the office this week. I don’t do a lot of wireless, so I thought I would get it set up and have a look to see how easy/difficult it was.

Hardware used

HP E-MSM720 Premium Mobility Controller (J9694A)
HP E-MSM 430 Wireless N Dual Radio Access Point (J9651A)
HP 2915-8G-PoE Switch (J5692A)

The switch and controller are ‘tiny’ so if you want to put them in a cabinet you will need some ‘big brackets’ (or a shelf). I was disappointed that the controller didn’t have PoE on it (hence the reason we were supplied the switch). I was also disappointed the Access Point didn’t come with a network cable (seriously these things are pennies – and if a client buys hundreds of these things, someone will forget they also need an equal amount of network cables). In addition they are PoE, so you don’t get a power cable (or power injector) – so you can’t even power them on without the network cable. That said, all the gear is typical good quality HP stuff. The documentation consists of a “quick setup sheet” for each piece of hardware and all the manuals are online. I’m not a fan of manufacturers’ documentation at all, and HP’s is the same as most major vendors: too long, too complicated and too difficult to find what I’m looking for – I spent half a day reading PDF documents just trying to get the guest network working (a feat I will accomplish below with about three sentences and the same amount of pictures!).

Also See: Manually Configuring HP Wireless (MSM 720 controller) for Public and Private Wireless Networks

Solution

Initial Setup E-MSM720 Wireless Controller

1. Connect the controller to your network (Note: Don’t use the two dual personality ports 5 and 6).

2. The controller sets itself up on 192.168.1.1, so put yourself on the same network range (see below).

3. Connect to https://192.168.1.1.

4. The MSM720 Default username and password are both admin.

5. Accept the EULA > Skip Registration > Set country > Save > Set the new password > Save.

6. Configure Initial Controller Settings > Start.

7. Set System name > Location > Contact > Login Message > Next > We’ve just set the Password so leave it blank > Next.

8. Enable/disable management interfaces > Next > Configure the network interfaces > Next.

These are allocated as follows, (out of the box!)

And are controlled by these two settings,

9. Set the time and timezone > Next > Apply.

Configure a Corporate WLAN with the E-MSM720 Wireless Controller

10. If not already there, select ‘Automated Workflow’ > Configure a wireless network for employees > Start.

11. Create an SSID > Next > Set the WPA Key > Next.

12. Choose what access points to apply these settings to > Next > Apply.

Note: At this point I had not powered on or touched the access points, so I just selected ‘All’.

Configure a ‘Guest’ WLAN with the E-MSM720 Wireless Controller

I had a nightmare getting this running, until I fully understood the VLAN, IP address and interface allocation, but if you set things up as specified above it will just work.

1. Automated Workflows > Create a wireless network for guests > Start.

2. Create an SSID > Next > Configure guest authentication (or leave open) > Set IP Settings for clients > Next.

3. Select APs to apply to > Next > Apply.

Setup the HP E-MSM 430 Wireless N Dual Radio Access Point

Well you have already done all the work! Simply connect the AP to a POE capable network outlet.

By default the AP is in ‘Controlled’ mode, so it will start looking for a controller as soon as it powers on. It can take a little while to boot (go get a coffee); you will see it appear in the controller’s web interface when it’s pulled its configuration down.

Updating Firmware MSM720 and MSM430

Very slick! Update the firmware package on the controller, and it will update all the access points for you.

Final thoughts

This is good quality gear, it has built in support for IPSEC, SSL, RADIUS and a myriad of other features that you would expect to find on an enterprise class wireless solution. HP might be concerned by their lack of wireless sales, but they could make the experience with these things better by making the web interface easier to navigate, (ask someone who has never used it before to delete a wireless network! – over 90 minutes it took me to locate the VSC bindings section to remove that!) I’ve already mentioned the documentation, I appreciate that it needs to be comprehensive but come on!

Related Articles, References, Credits, or External Links

HP E Series Wireless – Cannot Access Local LAN

Manually Configuring HP Wireless (MSM 720 controller) for Public and Private Wireless Networks

 

Cisco ASA – Remote VPN Client Internet Access

KB ID 0000977

Problem

I have answered a lot of questions in forums, that are worded something like, “When I have a remote client connected to my firewall VPN they lose Internet access!” Traditionally that’s exactly what the ‘default’ remote VPN solution (IPSEC or AnyConnect) gave you.

To ensure your remote VPN clients can access the Internet you have two options. The first (and most common) way is to enable ‘Split Tunneling’; this lets the user access the Internet from their LOCAL Internet connection.

Or you can provide Internet connection via the ASA’s public Internet connection, this is known as a ‘Tunnel All’ solution.

Solution

At this point I’m assuming you have a remote VPN set up and working. If not, you need to do that first; here are some walk-throughs I’ve already done to help you set that up.

Cisco ASA 5500 AnyConnect Setup From Command Line
Note: Split tunneling is covered in this article.
Cisco ASA 5500 IPSEC VPN Setup
Note: Split tunneling is covered in this article.

Option 1 (Split Tunneling)

Rather than re-invent the wheel, I’ve already covered this before in the following article.

Cisco ASA – Enable Split Tunnel for IPSEC / SSLVPN / WEBVPN Clients

Option 2 (Tunnel All Split Tunneling)

1. Connect to the ASA > Go to enable mode > Then to global configuration mode.

[box]

Type help or '?' for a list of available commands.
PetesASA> enable
Password: ******
PetesASA# configure terminal

[/box]

2. Now you need to create a network object for your remote VPN clients (‘show run ip local pool’ should tell you what subnet you are using), and create a NAT rule for traffic originating on the remote client and going back out of the ASA’s outside interface.

[box]

PeteASA(config)# object network VPN_Pool
PeteASA(config-network-object)# subnet 10.0.0.0 255.255.255.0
PeteASA(config-network-object)# nat (outside,outside) after-auto source dynamic VPN_Pool interface 

[/box]

3. Now as traffic is going to come in through the outside interface, turn around, and go back out of the same interface we need to allow that.

[box]

PeteASA(config)# same-security-traffic permit intra-interface

[/box]

4. Add the ‘tunnel all’, and force the remote client to use your DNS servers, to the policy you are using for your remote VPN, (if you are unsure issue a show run group-policy).

[box]

PeteASA(config)# group-policy SSL_Policy attributes
PeteASA(config-group-policy)# split-tunnel-policy tunnelall
PeteASA(config-group-policy)# split-tunnel-all-dns enable
PeteASA(config-group-policy)# exit
PeteASA(config)#

[/box]

5. Save the changes.

[box]

PeteASA(config)# write mem
Building configuration...
Cryptochecksum: cb28eeb2 3d203272 eda92e1c a3b70d09

3166 bytes copied in 0.890 secs
[OK]
PeteASA(config)#

[/box]
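An offline check of the finished configuration, added here as an example (it is not from the original article or from Cisco): it reads saved ‘show run’ output and confirms that steps 2 to 4 are all present and that the address pool really falls inside the VPN_Pool subnet, since a pool outside that subnet is tunnelled but never NATed. The pool name VPN_DHCP, its address range and the function names are assumptions.

```python
import ipaddress
import re
# Constructed sample running-config; the "ip local pool" line is an assumed example.
SAMPLE = """\
ip local pool VPN_DHCP 10.0.0.1-10.0.0.254 mask 255.255.255.0
same-security-traffic permit intra-interface
object network VPN_Pool
 subnet 10.0.0.0 255.255.255.0
nat (outside,outside) after-auto source dynamic VPN_Pool interface
group-policy SSL_Policy attributes
 split-tunnel-policy tunnelall
 split-tunnel-all-dns enable
"""

def sub_lines(lines, header):
    # Indented lines that follow the exact top-level line `header`.
    out, inside = [], False
    for line in lines:
        if not line.startswith(" "):
            inside = line.strip() == header
        elif inside:
            out.append(line.strip())
    return out

def audit_tunnel_all(config, policy="SSL_Policy", obj="VPN_Pool"):
    """Return findings; an empty list means every step above is present."""
    lines = [ln for ln in config.splitlines() if ln.strip()]
    top, findings = [ln.strip() for ln in lines], []
    # Step 2: the object's subnet must cover both ends of every local pool.
    body = " ".join(sub_lines(lines, f"object network {obj}"))
    m = re.search(r"subnet (\S+) (\S+)", body)
    net = ipaddress.ip_network("/".join(m.groups()), strict=False) if m else None
    if net is None:
        findings.append(f"object network {obj} has no subnet")
    for ln in top:
        m = re.match(r"ip local pool (\S+) ([\d.]+)-([\d.]+)", ln)
        if m and net and not all(ipaddress.ip_address(a) in net for a in m.group(2, 3)):
            findings.append(f"pool {m.group(1)} is outside {net}: not NATed")
    # Step 2: dynamic PAT in and out of the same interface for that object.
    nat = rf"nat \((\w+),\1\) after-auto source dynamic {re.escape(obj)} interface"
    if not any(re.fullmatch(nat, ln) for ln in top):
        findings.append("no same-interface dynamic NAT rule for the pool object")
    if "same-security-traffic permit intra-interface" not in top:  # step 3: hairpin
        findings.append("same-security-traffic permit intra-interface is missing")
    # Step 4: tunnel-all and tunnelled DNS on the group policy.
    attrs = sub_lines(lines, f"group-policy {policy} attributes")
    wanted = ("split-tunnel-policy tunnelall", "split-tunnel-all-dns enable")
    findings += [f"group-policy {policy}: '{w}' is missing" for w in wanted if w not in attrs]
    return findings
```

Call audit_tunnel_all() with the text of your own saved configuration and the names of your group policy and network object.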

Related Articles, References, Credits, or External Links

NA