Converting Aruba Access Points to Instant Mode

Used enterprise access points are generally cheaper and more reliable than consumer access points, usually they require a controller to configure them which is the best practice, however the are quite expensive. Aruba's access points can be converted to "Instant" AP's (IAPs) which run a virtual controller on the access point.
This is able to synchronise config's between access points, and should handle a small number of access points, suitable for most homes and small businesses.

This guide has been tested on Aruba AP225's, AP325's

Required Tools

You will need:

• An Aruba access point
• A POE or POE+ injector (or other method to power your access point)
• An ethernet cable
• An Aruba console cable (with a USB -> RS232 adapter so you can plug it into your computer)
• A terminal program (E.g. Tera Term: https://teratermproject.github.io/index-en.html)
• A tftp server (E.g. Tftpd: http://tftpd32.jounin.net)

Aruba Console Cable

You with need to build or buy a console cable to connect to the access point, below is the pinout of an aruba console port.

https://throughtheether.net/2021/05/15/aruba-console-cable/

Firmware Update

You probably want to update the firmware on your new access point to get new features and security patches

If you have existing aruba access points, you will first have to update the firmware of your new access point to a version of ArubaInstant with the same version number e.g. 8.6.0.21

You can download firmware at: https://networkingsupport.hpe.com/downloads

You can use the following filters to find appropriate firmware:

• File Type: Software
• Product: Aruba Access Points
• Software Group: InstantOS
• Product Series: Pick the series for your access point
• Major Version: Select what version your existing system is running if you have one
• Minor Version: Select what version your existing system is running if you have one

The major version, minor version, and build number must match the version running on your existing system

Factory Reset

You probably don't have the login for the access point, or some config may be different. I recommend performing a factory reset to get the access point to a known state.

To factory reset:

1. Unplug the access point
2. Press the reset button using a small tool such as a SIM ejection tool, the reset button is usually located near the DC socket, however it may be somewhere else depending on the model of access point
3. While holding the reset button, plug in the power
4. Hold the reset button until the power light starts flashing (this should take up to 5 seconds)
5. Release the reset button

The username should now be admin and the password should be the serial number of the access point (Look for SN: on a sticker)

https://www.arubanetworks.com/techdocs/Instant_83_WebHelp/Content/Instant_UG/IAP_maintenance/ResettingIAP.htm

Setup network

To setup the access point, I recommend creating a separate network with only the access point, a DHCP server and your computer connected.
If you are unable to do this, you can simply connect an ethernet cable between the access point and your computer, and set a static IP on your computer and on the access point.

For example:

• Access point: 192.168.1.10/24
• Computer: 192.168.1.20/24

Firmware update / Setting the country code / Converting to InstantOS

Depending on the firmware version of the access point, there are a few different ways to upgrade the firmware.
I use the bootloader method using the serial console cable, as it works regardless of the main firmware of the device, and allows you to change the country code of the device.

It is important to set the country code of you access point to match your existing installation (or pick the your country code to ensure you are operating legally in your control), as otherwise the access point will fail to join the existing controller.

The following instruction are based on those in the following forum post: https://forums.serverbuilds.net/t/aruba-ap-to-iap-conversion/8888

1. Connect the serial cable
2. Open your serial terminal (I use a baud rate of 9600)
3. Start your tftp server on your computer with the firmware in the root directory of the server, make sure your tftp server is running on a network interface the access point can reach
4. You will need to find the CCODE for your target country, all your access points need to be on the same country code in order to work with each other or you may see AP register fail because of regulatory domain mismatch
   1. To find the CCODE, you will first need to pick a country code e.g.: US, GB
      • Country Codes List: https://www.arubanetworks.com/techdocs/InstantWenger_Mobile/Advanced/Content/Instant%20User%20Guide%20-%20volumes/Country_Codes_List.htm
      • You may need to use RW depending on your model of access point
   2. Get the SHA-1 hash of [Country Code]-[Serial Number]
      • Example

        GB-CNC000000 -> a717165836fd07ef2a9fa3b8d3d71d4354bff0a8

      • https://gchq.github.io/CyberChef/#recipe=SHA1(80)&input=R0ItQ05DMDAwMDAw
      • This code will only work on the access point with that specific serial number
   3. Your CCODE is CCODE-[Country Code]-[SHA1 Hash]
      • Example

        CCODE-GB-a717165836fd07ef2a9fa3b8d3d71d4354bff0a8

5. Power cycle your access point, and press Enter at Hit <Enter> to stop autoboot:
6. You should now be at the apboot> shell
7. Run dhcp to get an ip address
   • Alternatively, you can set a static ip address using setenv ipaddr 192.168.1.20 where 192.168.1.20 is the ip address of the access point
8. To set the country code, run:
   • proginv system ccode [Your CCODE]
   • Example

     proginv system ccode CCODE-GB-a717165836fd07ef2a9fa3b8d3d71d4354bff0a8

9. Run invent -w to unlock the flash
10. Set the IP address of your tftp server by running:
    • setenv serverip [IP of your computer]
    • Example

      setenv serverip 192.168.1.52

11. Run the following command, repeating with both 0 and 1 to update the primary and backup partitions
    • upgrade os <0/1> [Firmware file]
    • Example

      upgrade os 0 ArubaInstant_Hercules_8.6.0.24_89728
      upgrade os 1 ArubaInstant_Hercules_8.6.0.24_89728
      

12. Run factory_reset to factory reset the device (this also removes the static ip you set earlier)
13. Run saveenv to save environment variables
14. Run reset to reboot the access point
15. Wait for the access point to reboot, after a few minutes (About 5), it will elect itself as a master and start hosting a virtual controller
16. Verify the access point is running the correct firmware and has the correct country code before connecting it to your existing installation
    1. Open the virtual controller, this is at https://[Access Point IP]:4343/
    2. Login using the username admin and with the serial number as the password
    3. If it says invalid password, you may need to wait a bit for it to finish initializing before logging in (this could take over 5 minutes)
    4. It will prompt you to change the default password
    5. Login again with the new password
    6. Go to Maintenance -> About and check the version number (it should match the firmware file you used), which should match the version running on your existing controller
    7. Go to Maintenance -> Configuration and look for virtual-controller-country, it should match the country code you set, which should match the country code of your existing controller
17. You are now ready to start using the access point if you do not have an existing virtual controller, otherwise you are ready to adopt the new access point.

Command Script

If you are updating multiple access points, you may want to copy the below script and edit the required fields so you can copy and paste.
It uses DHCP by default however you can replace the dhcp line with the command to set a static ip address shown above.
You will need to edit the highlighted lines before using this, see the instructions above for examples of what you need to put there.

dhcp
proginv system ccode [Your CCODE]
invent -w
setenv serverip [IP of your computer]
upgrade os 0 [Firmware file]
upgrade os 1 [Firmware file]
factory_reset
saveenv
reset

Adopting into an existing virtual controller

If this is the first access point you are using, it's ready to be plugged into your network. It should automatically elect itself as a master and run the virtual controller (It takes about 5 minutes to boot as it ensures that there isn't an existing master on the network).

If you are adding it to an existing virtual controller, follow these steps:

1. Make sure your existing virtual controller is working and accessible

2. Ensure Auto-Join is turned on (or you will have to manually join it to the controller)
3. Plug the new access point into your network and wait for it to join the existing controller

Conclusion

Repurposing old Aruba access points is a cheap way to get a good multi-access point network with good roaming support, as well as other enterprise features.
InstantOS allows us to run a virtual controller on the access points without having to buy an expensive enterprise mobility controller.
The apboot method is ideal as it is firmware-agnostic and allows us to also change the country code of the access point.

Once you have the equipment set up, flashing a large number of access points is a reasonable quick process.