Remote Access Point

The Remote Access Point (RAP) solution enables organizations to extend their Enterprise SSIDs to an Arista AP installed at a remote worker’s home office or a small branch office. The RAP solution uses industry-standard protocols to securely connect the remote AP deployed at a workplace with the enterprise data center over the public Internet.

Network administrators configure the APs with the appropriate security and other settings, and hand over the APs to remote employees. Remote employees simply have to install the AP at their location and connect to the broadcasted Enterprise SSID. All communication between the AP and the remote endpoint happens over a secure IPSec VPN tunnel. Network administrators can also delete the VPN tunnel for each remote AP when needed. For example, if a remote employee quits the organization, network administrators can terminate the VPN tunnel for the specific remote AP so that the remote employee can no longer connect to the enterprise network.

Configure a Remote Access Point

You can configure all Wave 2 and Wi-Fi 6 Arista access points, except C-100 and C-110, to function as a remote AP using CV-CUE. First you create an IPSec VPN tunnel profile, then you add the IPSec VPN tunnel profile to an SSID, and finally deploy the SSID to the remote AP.
  1. In CV-CUE, navigate to Configure > WiFi > Tunnel Interface and click Add Tunnel Interface Profile.
  2. From the Tunnel Type dropdown list, select VPN with IPSec.
  3. Provide the endpoint details for Primary and Secondary servers.
  4. Click the Use Standard Port checkbox to use the following IKE ports for UDP:
    • Port 500, if no NAT detected
    • Port 4500, if NAT is detected between two endpoints
    Info: If you have configured a custom port for IKE connections and want to use it, then clear the Use Standard Port checkbox, and specify the custom port number in the Port field.
  5. Provide the details for IPSec Phase 1 and Phase 2 parameters.

    Note: For PANOS, when you configure the IKE Version 1 parameters for XAUTH authentication, you must provide only hexadecimal (hex) strings in Local (Left) Identifier. The Convert to Hex button appears when you enter any ASCII string in the Identifier field. Click Convert to Hex to convert the string and add the resulting hex string to the Identifier field. The hex string must always begin with @#; the Convert to Hex button prepends @# automatically. If you use any other ASCII-to-hex converter, ensure that you prepend @# to the hex string before you add it to the Identifier field.
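The identifier format described in the note above can be produced and checked outside CV-CUE. The following is an added example, not Arista code: the function names and the sample identifier are hypothetical, and it assumes one hex byte pair per ASCII character with lowercase output.

```python
import string

PREFIX = "@#"  # prefix the note above requires on every hex identifier
_HEX_DIGITS = set(string.hexdigits)


def to_hex_identifier(ascii_id: str) -> str:
    """Encode an ASCII identifier as '@#' + hex (assumed: one byte pair per character)."""
    if not ascii_id:
        raise ValueError("identifier is empty")
    try:
        raw = ascii_id.encode("ascii")
    except UnicodeEncodeError as exc:
        raise ValueError("identifier must be plain ASCII") from exc
    return PREFIX + raw.hex()


def is_hex_identifier(value: str) -> bool:
    """True if value is '@#' followed by a non-empty, even-length run of hex digits."""
    if not value.startswith(PREFIX):
        return False
    body = value[len(PREFIX):]
    return bool(body) and len(body) % 2 == 0 and set(body) <= _HEX_DIGITS


def decode_hex_identifier(value: str) -> str:
    """Recover the ASCII text so the field can be compared with the intended ID."""
    if not is_hex_identifier(value):
        raise ValueError("not a valid @#-prefixed hex identifier")
    return bytes.fromhex(value[len(PREFIX):]).decode("ascii")


def normalize(value: str) -> str:
    """Return a field-ready identifier, rejecting malformed converter output."""
    if value.startswith(PREFIX):
        # Already prefixed: it must be clean hex (no spaces, '0x', or odd length).
        if not is_hex_identifier(value):
            raise ValueError("malformed hex after @#: " + value)
        return value
    return to_hex_identifier(value)


if __name__ == "__main__":
    sample = "rap-home-01"  # constructed sample identifier
    encoded = normalize(sample)
    print(encoded, "->", decode_hex_identifier(encoded))
```

Decoding the value back before pasting it confirms that a third-party converter did not add separators or drop a character.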

Configure IPSec Credentials for Each Remote Access Point

Note: When you configure the IPSec credentials for each AP, this setting takes precedence over the IPSec credentials defined in the Tunnel profile.

The custom IPSec credential per AP provides network administrators the option to disable or break any tunnel between a remote AP and the enterprise data center. For example, when a remote employee quits an organization, network administrators can block the remote AP by changing the credentials so that the AP can no longer form the tunnel to the enterprise data center.

To configure the IPSec credentials for each AP:
  1. In CV-CUE, navigate to Monitor > WiFi > Access Points.
  2. Right-click the AP and select Customize > IPSec Credentials.
  3. Click Customize, and provide either PSK or XAUTH/EAP credentials.
Similarly, you can also use the following navigation to access the Customize IPSec Credentials page for each AP:
  • Monitor > WIPS > Managed WiFi Devices
  • Floor Plans