Aruba IAP Workgroup Bridge (Wifi-sta)

I’ve had some questions lately from several about if Aruba has a way for an AP to operate as a “workgroup bridge” and I’m happy to say that the answer is YES! In Aruba lingo the term that I want to drill into you is “Wifi-sta” as this is what we’ll call this workgroup mode.

Before I go into details on how to set this up, please note that in my opinion Aruba has a much better offering for doing this in the Aruba 501 Wireless Client Bridge. The client bridge is purpose built to hang up to 15 devices off of while using it as the wireless to wired interface for your devices AND is very cost effective.

With that out of the way, let’s get to the config! The steps below will walk you through setting up an Aruba Instant AP (IAP) as a wifi-sta uplink.

IAP as Wifi-sta Configuration (GUI Config)

  1. Update your IAP to 8.5.0.x or later
  2. Put the IAP into ‘standalone’ mode
    • Maintenance>Convert>Standalone
  3. Under Configuration>System>Advanced Options
    • Under ‘General’
      • Disable ‘Extended SSID’
    • Under ‘Uplink’
      • Set ‘Enforce Uplink’ to ‘Wifi’
      • Move ‘Wifi-sta’ to the top of the Uplink Priority List
      • Enter the SSID and password etc under ‘Wifi’
        • I also like to set this to 5 GHz so it utilizes the least crowded band that provides the most throughput to the client devices.
  4. Reboot the IAP

The nice thing about this mode is that you can still use the radio that is providing the uplink for the AP to serve clients. However, my recommendation is that you use the 5 GHz band (under the Uplink settings) for your backhaul and that you use the 2.4 GHz radio on the IAP to service clients (under Network>”Network Name”>802.11>Band>2.4 GHz).

It’s important to note that when connecting clients to the IAP operating as a wifi-sta, the clients will undergo NAT as the idea is that the AP is bridging traffic to the existing Wi-Fi network. In order for this to work, you’ll need to setup a DHCP scope on the IAP and tell the client ethernet link (or client WLAN) to use that scope for assigning client addresses. You can do this very easily by going to Configuration>DHCP Server as shown in the image below.

IAP DHCP Scope Setup

The last tip I’ll provide is ensure that something is plugged into the eth0 port of the AP, otherwise the AP doesn’t like to come online. It took me a few tries before I figured that out.

For wired clients:

If you want to hang a wired client off of the AP ethernet port, you’ll need to do the following steps. Pictures are included in the gallery below. I talk about eth0 mainly as some AP only have a single uplink. If you have an AP with multiple ethernet ports, you can skip step 1 and simply assign the port profile at the end to the needed AP ports.

  1. Configuration>Access Points>Enable eth0 bridging
  2. Configuration>Networks>Create/Modify the wired port profile to allow traffic
    • Change ‘Admin state’ to UP
    • Change VLAN Management mode to ‘Access’
    • Set the Client IP assignment to ‘Virtual Controller Managed’
      • IMPORTANT: This needs to be VC managed as the AP is doing NAT on the client traffic
    • Set the port Security to either ‘Trusted’ (easiest) or ‘Untrusted’ if you want to assign different roles to the users
      • Set the access needed if Untrusted
    • Assign the port profile to the ethernet ports as necessary

IAP as Wifi-sta Configuration (CLI Config)

The following commands will complete the same setup as above, only using the CLI instead of the IAP GUI. If there are choices, my preferences are in bold.

  1. # swarm-mode standalone
  2. # reboot
  3. (config) # no extended-ssid
  4. (config) # uplink
  5. (uplink) # enforce wifi
  6. (uplink) # uplink-priority wifi 1
  7. (config) # wlan sta-profile
  8. (sta uplink) # essid <ESSID>
  9. (sta uplink) # uplink-band <dot11a(5 GHz)/dot11g(2.4 GHz)>
  10. (sta uplink) # wpa-passphrase <key>
  11. (sta uplink) # cipher-suite <clear/wpa-tkip-psk/wpa2-ccmp-psk>
  12. (sta uplink) # exit
  13. (config) # exit
  14. # commit apply
  15. # reboot

Once the AP has rebooted you can confirm the uplink setup with the following commands:

Uplink config command: # sh wifi-uplink config

Uplink status command: # sh wifi-uplink status

For more troubleshooting commands I also found this guide that is very helpful on the Aruba Airheads Community Site. Click the link to download the PDF.

I hope this helps you in configuring your IAP as wifi-sta mode and wish you luck!


Updated at 5/5/2020 6:10pm GMT to include wired client setup instructions.

3 thoughts on “Aruba IAP Workgroup Bridge (Wifi-sta)

  1. What a great post, thank you for this. Can’t seem to get it to work on an IAP-225 though, just sits there in “Probe” mode and does not authenticate.

    Double checked authentication type, band, password. Maybe not supported on that WAP ?


      • Using ArubaInstant_Centaurus_8.6.0.6_77124 (It was the most recent firmware I could find for that AP), connecting to a simple home wireless network – WPA2 Personal, AES, 5 GHZ. If it had worked I was going to try an 802.1X connection next !


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s