TTechclick All lessons
HPE Aruba Networking · Wireless · APs & ArubaOSInteractive · L1 / L2

Aruba APs & ArubaOS — Campus, Remote & Instant in 11 Minutes

Same physical AP, three personalities. Skip the manual — pick a mode below, watch the AP boot and find its controller live, learn ArubaOS 10 tunnel vs bridge forwarding, the RAP whitelist trap, and ap convert — then prove it on a 10-question test.

📅 2026-05-31 · ⏱ 11 min · 3 interactive demos · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

HPE Aruba access points explained the AI-era way — pick Campus, Remote or Instant AP, watch an AP boot and discover its controller live, learn ArubaOS 10 tunnel vs bridge forwarding, the RAP whitelist trap, and ap convert in 11 minutes instead of an hour.

Read it as:

By the end you'll be able to

Pick a mode — jump straight to it

1

Campus AP

Office APs on a trusted LAN, brain on the controller / gateway. The classic enterprise build.

 2

Remote AP

Home / branch AP over the public Internet, secured by an IPsec tunnel back to HQ.

 3

Instant AP

Controller-less. One AP becomes the virtual controller for the cluster. SMB favourite.

 4

Forwarding + Convert

ArubaOS 10 tunnel vs bridge, ap convert, the whitelist trap + PAPI hardening.

Before the modes — one AP, three jobs

Imagine one smart speaker that can be a home speaker, an office speaker, or a portable party speaker — depending on which app you load. An Aruba access point is like that. The hardware is identical; the mode decides its job. Today you learn the three "apps": Campus, Remote, and Instant.

Here's the one idea that unlocks everything: an Aruba AP's mode is just a question of where the "brain" lives and which link it trusts. A Campus AP trusts the office LAN. A Remote AP trusts an IPsec tunnel over the open Internet. An Instant AP trusts itself — the controller logic runs on the AP.

Architecturally, all three personalities ship in the same firmware image since ArubaOS 8, and ArubaOS 10 unifies management in Aruba Central. The mode is a provisioning decision, not a hardware SKU. What changes is the discovery path (how the AP finds its manager), the trust boundary (LAN vs IPsec vs none), and the data plane (locally bridged vs GRE-tunnelled to a gateway cluster). Get those three axes straight and every Aruba design question becomes a lookup, not a guess.

Aruba AP modes big picture One identical AP shown in three deployment contexts: Campus AP on a trusted LAN to a gateway, Remote AP over the Internet via IPsec, and Instant AP acting as its own virtual controller. One AP · Three Modes ① Campus AP AP trusted LAN Gateway Brain = controller Link = office LAN Use = HQ / campus ② Remote AP AP IPsec · Internet HQ Controller Brain = HQ controller Link = IPsec over WAN Use = home / branch ③ Instant AP AP = VC peer AP peer AP Brain = the AP itself Link = none needed Use = SMB / small site Identical hardware — the mode decides the brain, the trusted link, and the data plane.
Big picture: the same Aruba AP wears three hats — the mode picks where the brain lives and which link it trusts.
Trusted link / safe path Controller / gateway / AP node IPsec / untrusted Internet Failure / gotcha point
🏢
Campus AP
tap to flip

Joins a controller/gateway over a trusted private LAN. No IPsec needed. Config lives on the controller. Default for HQ buildings.

🏠
Remote AP
tap to flip

Same firmware, but it joins HQ across the untrusted Internet inside an IPsec tunnel. Plug-and-play for work-from-home.

Instant AP
tap to flip

Runs Instant OS. One AP is elected the Virtual Controller for the cluster. No appliance to buy. Scales to a few dozen APs.

☁️
ArubaOS 10
tap to flip

The cloud-native era. APs are managed by Aruba Central and forward traffic in bridge or tunnel mode to a gateway cluster.

Pre-quiz · Q1 of 10 · Remember

Across Campus, Remote and Instant modes, what is actually different about the AP hardware?

Correct: a. Since ArubaOS 8 the same firmware image carries all personalities. Campus, Remote and Instant are provisioning decisions — the silicon is identical. That's why ap convert can flip a unit between modes without swapping hardware.
Pre-quiz · Q2 of 10 · Apply

A 12-person startup wants Wi-Fi in one office with zero appliances and zero cloud subscription. Which mode fits?

Correct: b. Instant is purpose-built for small/medium sites — controller-less, the cluster elects a Virtual Controller. Campus and tunnel-mode both need a controller/gateway. Remote AP is for connecting back to HQ, not a standalone office.
Pre-quiz · Q3 of 10 · Apply

A teleworker plugs an Aruba AP into their home router and it must reach the corporate controller securely. Which mode and link?

Correct: c. Remote AP exists exactly for this: an untrusted Internet path secured by IPsec. Campus mode assumes a trusted private link, which a home router isn't. The RAP gets an inner IP and an IKE security association after authenticating to the master.

① Campus AP — the trusted-LAN workhorse

A Campus AP is like a desk phone in the office: it plugs into the company wall jack, finds the company switchboard, and just works. The "switchboard" here is the controller / gateway, and the wall jack is the trusted office LAN.

A Campus AP (CAP) lives on a private link — LAN, WLAN, WAN or MPLS — and terminates directly on a controller or, in ArubaOS 10, a gateway cluster. No IPsec is required because the path is trusted. This is the default build for office buildings, warehouses, hospitals and universities.

Design-wise, the CAP's strength is centralised policy: user roles, firewall rules and VLANs are enforced at the gateway, so a roaming client keeps the same IP and role across the campus. The trade-off is hairpinning — even local traffic may ride the tunnel to the gateway unless you choose bridge or mixed forwarding (covered in section 4).

War story Sneha at Infosys racks 40 new APs across a Pune floor. They all PoE-boot, pull DHCP, and find the gateway — except 3 in the lab that stay dark. Cause: the lab switchport was on a VLAN with no DHCP relay, so the AP never got an IP and never started discovery. Fix the relay, the APs light up. Lesson: no IP, no discovery, no AP.

▶ Watch a Campus AP boot & find its controller

Click Play. Each stage lights up as the AP powers on, gets an IP, and joins the gateway.

① POWER AP powers up over PoE on switchport Gi1/0/24 in zone trusted-lan
② DHCP AP requests an IP → gets 10.20.5.41 from the DHCP server, plus DNS + default gateway
③ DISCOVER AP looks for its manager — DHCP option 43 / DNS aruba-master / ADP multicast → finds gateway 10.20.5.10
④ JOIN AP registers with the gateway over PAPI (UDP 8211) — no IPsec, link is trusted
⑤ CONFIG Gateway pushes the AP's group config + image. AP reboots into its assigned AP group.
⑥ LIVE SSIDs go on air. Client traffic is tunnelled (GRE) to the gateway for centralised policy.
Press Play to step through how a Campus AP comes up. Each press of Next advances one stage.

Pause & predict: the AP got 10.20.5.41 from DHCP but never registers. Which single stage would you check first?

Stage 3 — Discovery. An IP alone isn't enough; the AP must learn the manager's address. If DHCP option 43, the DNS aruba-master record, and ADP multicast all fail, the AP has an IP but nowhere to phone home. Confirm one discovery method is reachable from the AP's VLAN.
Quick check · Q4 of 10 · Analyze

A Campus AP gets DHCP IP 10.20.5.41 but loops in "discovering controller". DHCP option 43 is empty, there's no aruba-master DNS record, and ADP multicast is blocked across the L3 boundary. What's the cleanest fix?

Correct: d. ADP multicast only works within an L2 domain, so across a router you need a routable discovery method — DHCP option 43 or the aruba-master DNS record. Rebooting changes nothing. Instant mode is a different design, not a fix. A public IP is wrong for a campus build.

② Remote AP — HQ in a box, over the open Internet

A Remote AP is the office Wi-Fi shrunk into a box you take home. Plug it into your home router, and it builds a secret armoured tunnel back to the office so your laptop behaves exactly like it's on the company floor.

A Remote AP (RAP) gets a DHCP address on its Eth0, then dials the master controller and forms an IPsec tunnel. After it authenticates, it receives an inner IP and an IKE security association, and the master hands it the LMS-IP (and backup LMS-IP) of the controller it should terminate on. Only then do the SSIDs come up.

The RAP's trust model flips Campus on its head: the path is hostile, so everything rides IPsec, and provisioning is gated by a RAP whitelist. Architecturally that whitelist is the soft underbelly — see the trap below. RAPs also support split-tunnel and bridge SSIDs so home-printer traffic stays local while corporate traffic tunnels home.

War story Rahul at TCS ships 200 RAPs to work-from-home staff. Half come up; half reboot every few minutes. Root cause: the RAP whitelist was imported only on the primary LMS, not the backup LMS — and the whitelist is not shared between them. When DNS steered some RAPs to the backup, they failed the whitelist check, hit the IPsec retry limit, and rebooted. Import the whitelist on both controllers and the reboot loop stops.

▶ Remote AP — IPsec provisioning journey

A home-office RAP dials HQ across the public Internet and earns its SSIDs.

① ETH0 DHCP RAP at home gets 192.168.1.55 from the home router (private, NAT'd to the Internet)
② DNS RAP resolves the provisioned FQDN vpn.techclick.in → public IP 203.0.113.20 of the master
③ IKE / IPsec RAP starts IKE to the master. Authenticates via factory cert (or PSK). IPsec SA established.
④ WHITELIST Master checks the RAP's MAC/serial against the RAP whitelist. Match → proceed. No match → drop + retry.
⑤ INNER IP + LMS RAP gets an inner IP and the LMS-IP 10.30.0.10 (+ backup LMS) to terminate on
⑥ LIVE RAP terminates on the LMS, pulls its config, SSIDs go on air. Corporate traffic tunnels; home traffic can split-tunnel.
Watch where authentication happens (stage 3 — IKE) vs where provisioning can silently fail (stage 4 — whitelist).
The #1 RAP provisioning trap

Symptom you see: some RAPs come up, others reboot every few minutes in a loop. Cause: the RAP whitelist must be imported manually on the LMS and the backup LMS — it is not synced between them. If DNS or redundancy steers a RAP to a controller that lacks its entry, the AP fails the check, exhausts the IPsec retry count, and reboots. Import the whitelist on every controller a RAP could land on.

Pause & predict: a single RAP forms IPsec fine but never gets SSIDs and keeps rebooting. Which stage is failing?

Stage 4 — Whitelist. IPsec succeeding (stage 3) proves auth + reachability are fine. If it still can't proceed, the AP's MAC/serial isn't in the whitelist on the controller it landed on. Add it (or import on the backup LMS too) and the retry/reboot loop clears.
Quick check · Q5 of 10 · Analyze

A RAP's IKE/IPsec tunnel comes up cleanly, yet the AP never broadcasts SSIDs and reboots on a timer. Logs show repeated IPsec re-tries before reboot. Most likely cause?

Correct: c. A clean IPsec SA proves auth and reachability work, so the failure is downstream — the whitelist check. Because the whitelist must be imported on each LMS separately, a RAP steered to the backup without an entry loops on retries then reboots. NAT/private IP on Eth0 is normal for a RAP; MTU wouldn't block provisioning entirely.
Remote AP IPsec provisioning flow Five-step horizontal flow showing a Remote AP getting DHCP, resolving the master FQDN, forming IPsec, passing the whitelist check, and receiving its LMS-IP before going live. RAP Provisioning — Five Gates RAP @ home 192.168.1.55 Internet IPsec tunnel HQ master 203.0.113.20 1 · DHCP Eth0 gets a private IP 2 · DNS resolve master FQDN 3 · IPsec IKE auth + SA up 4 · Whitelist silent-fail point ⚠ 5 · LMS-IP inner IP + go live Gate 4 is where good IPsec still ends in a reboot loop — whitelist isn't synced across LMS pairs.
Flow: a Remote AP must clear five gates. Gate 4 (whitelist) is the one that silently loops APs into reboots.

③ Instant AP — the controller that lives inside the AP

An Instant AP is a group project where one student volunteers to be the leader. The "leader" AP runs the brains for everybody. If the leader leaves, the group instantly picks a new leader — nobody notices.

Instant APs run the Instant OS, which virtualises controller capabilities right on the AP. The cluster elects one AP as the Virtual Controller (VC). You browse to the VC's IP, configure once, and the config replicates to every member. No appliance, no per-AP CLI. Aruba positions Instant for small and medium sites — it scales to several dozen APs.

Instant's elegance is also its ceiling: with the control plane on the AP, you lose the centralised data-plane policy and large-scale roaming domains a gateway cluster gives you. The migration path is clean, though — an Instant AP can be converted to a Campus or Remote AP, or onboarded to Aruba Central as an ArubaOS 10 AP, when the site outgrows controller-less.

Daily-life analogy Think of an Instant cluster like a Mumbai dabbawala team: there's no head office building. One senior dabbawala coordinates the route for the day. If he's absent, another instantly steps up and the tiffins still reach every desk on time. That hand-off with zero disruption is exactly Virtual Controller failover.
👑
Virtual Controller
tap

One AP is elected to run cluster management + the config GUI. Browse to its IP to set up the whole site at once.

🔁
Auto-failover
tap

If the VC dies, the cluster elects a new VC automatically. Clients keep surfing — no appliance, no single point of failure.

📈
Scale ceiling
tap

Great for several dozen APs. Beyond that, move to a gateway cluster for centralised policy + big roaming domains.

🚪
Exit ramp
tap

Outgrew Instant? Convert to Campus / Remote AP, or onboard to Aruba Central as an ArubaOS 10 AP. No re-buy.

Quick check · Q6 of 10 · Analyze

In an Instant cluster of 6 APs, the AP currently acting as Virtual Controller is unplugged. What happens to client Wi-Fi?

Correct: d. Virtual Controller is a role, not a fixed box — the cluster re-elects a new VC automatically, which is the whole point of controller-less resilience. There's no manual reassignment and no per-AP CLI. The dabbawala hands the route to the next senior member.

④ ArubaOS 10 forwarding + ap convert + hardening

Now the modern twist. In ArubaOS 10 the cloud (Aruba Central) is the manager. You also choose how each Wi-Fi network sends traffic: keep it local at the AP (bridge), or ship it to a central gateway (tunnel). Like deciding whether to cook at home or send the order to a central kitchen.

ArubaOS 10 APs forward client traffic two ways. In bridge mode the AP places traffic on the local VLAN at its uplink and acts as the authenticator. In tunnel mode the AP encapsulates traffic in GRE and tunnels it to the primary gateway cluster, which becomes the authenticator. Mixed mode decides per-VLAN: bridge if the VLAN isn't on the cluster, tunnel if it is.

The forwarding choice is really a scale + mobility decision. Aruba validates bridge forwarding to a maximum of 500 APs and 5,000 bridged clients across shared VLANs; beyond that you deploy a gateway cluster with centralised user VLANs for higher scale and seamless roaming. When clients tunnel to the same primary cluster, they keep their VLAN, IP and default gateway as they roam — even across config groups. So tunnel mode buys mobility and central policy at the cost of gateway hardware and tunnel overhead.

War story Priya at HCL migrates a 700-AP campus from bridge to ArubaOS 10. She leaves everything in bridge mode to "keep it simple" — then roaming users on the guest VLAN keep dropping calls between buildings. Cause: bridge mode is validated to ~500 APs / 5,000 clients and has no central roaming domain. Moving the user VLANs to a gateway cluster in tunnel mode restored seamless roaming.

▶ Tunnel vs Bridge — where does the client packet go?

A client sends one frame. Watch the two forwarding paths diverge at the AP.

① CLIENT Laptop on SSID corp sends a frame → 10.40.7.88 heading to 10.50.0.20
② AP DECIDES AP checks the SSID's forwarding mode: is the user VLAN present on the gateway cluster?
③ BRIDGE PATH Bridge: AP is the authenticator → drops the frame straight onto local VLAN at its uplink. Lowest latency.
④ TUNNEL PATH Tunnel: AP wraps the frame in GRE → sends to gateway cluster 10.50.5.10, which authenticates + applies role
⑤ POLICY Tunnel mode = central firewall + role at the gateway. Bridge mode = policy enforced at the AP.
⑥ ROAM Tunnel to one cluster → client keeps VLAN + IP + gateway while roaming. Bridge → re-IPs across subnets.
Stage 2 is the fork. Bridge = local + fast. Tunnel = central + roamable. Mixed mode picks per-VLAN.
Forwarding mode decision tree A decision tree: is the user VLAN on the gateway cluster? No leads to bridge mode, yes leads to tunnel mode, with mixed mode shown as the per-VLAN combination, plus the 500-AP bridge scale gate. Pick a Forwarding Mode User VLAN on the gateway cluster? NO Bridge mode AP = authenticator local VLAN · low latency ≤ 500 APs / 5,000 clients YES Tunnel mode gateway = authenticator GRE to cluster · central role seamless roaming + scale Mixed mode Per-VLAN: bridge if VLAN not on cluster, tunnel if it is. Best of both.
Decision: bridge keeps it local (and caps at ~500 APs); tunnel centralises policy + roaming; mixed chooses per VLAN.

Converting an AP between modes — ap convert

Need to repurpose an Instant AP as a Campus or Remote AP? You don't re-buy hardware — you convert it. On ArubaOS the controller-side command provisions APs into a new persona; on an Instant AP you point it at the controller IP and pick the target mode.

ArubaOS controller — convert an Instant AP to a Campus AP 
(Aruba-Controller) #ap convert active-all
(Aruba-Controller) #ap convert add-mac 20:4c:03:1a:2b:3c controller-ip 10.20.5.10
(Aruba-Controller) #show ap convert-status
Expected output 
Conversion Status
-----------------
MAC                 Mode-From   Mode-To   Controller-IP   State
20:4c:03:1a:2b:3c   instant     campus    10.20.5.10      converting
20:4c:03:1a:2b:3d   instant     campus    10.20.5.10      converted
Total APs converting: 1   converted: 1

Pause & predict: you ran ap convert to Campus mode, but one AP stays on Instant. What's the usual blocker?

Reachability to the controller IP. Convert needs the AP to reach the target controller (and, for Campus, a trusted L3 path + discovery). If that AP sits on a VLAN that can't route to 10.20.5.10, it has nothing to convert onto and falls back to Instant. Same root cause as a failed discovery.
Hardening trap — the PAPI RCE advisory

Symptom you'd see in a scan: APs flagged critical on the management plane. Cause: HPE Aruba disclosed unauthenticated command-injection / buffer-overflow flaws (CVE-2024-42509, CVE-2024-47460, CVE-2024-26305 — all CVSS 9.8) reachable via the PAPI protocol on UDP 8211. Fix: patch AOS-8 / AOS-10, and on AOS-10 block UDP/8211 from untrusted networks (on Instant AOS-8, enable cluster-security). Never expose PAPI to the Internet.

Three Pro-Tips that save real outages

1. Always seed a routable discovery method (DHCP option 43 or aruba-master DNS) — multicast ADP dies at the first router. 2. For RAPs, import the whitelist on every LMS a RAP could land on; it isn't synced. 3. Choose tunnel mode the moment you need roaming across >500 APs or central role-based policy — don't fight bridge mode past its validated ceiling.

Quick check · Q7 of 10 · Analyze

A campus runs ArubaOS 10 bridge mode at 620 APs. Voice users roaming between buildings drop calls and re-authenticate. What's the design-level fix?

Correct: a. Bridge forwarding is validated to a maximum of 500 APs / 5,000 clients and re-IPs clients across subnets when roaming. Tunnel mode to a single primary gateway cluster keeps VLAN + IP + gateway during roam, fixing the call drops. More SSIDs or lower power treats symptoms, not the architecture.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer. No login, no waiting.

Pre-curated answers from HPE Aruba TechDocs + Airheads community. For a live issue, paste your show ap database + show ap convert-status into chat.techclick.in.

📝 Wrap-up — three more

You've already answered 7 inline. Three left. 70% (7 of 10) total marks the lesson complete on your profile. Tap Submit all answers at the end.

Q8 · Apply

An Aruba AP must drop guest traffic onto the local VLAN at the wiring closet with the lowest possible latency and no gateway dependency. Which ArubaOS 10 forwarding mode?

Correct: b. Bridge mode keeps traffic local at the AP's uplink with the AP as authenticator — lowest latency, no gateway in the path. Tunnel mode sends GRE to a gateway (central but adds a hop). Remote AP and Instant VC are different personalities, not forwarding modes.
Q9 · Evaluate

An architect proposes: "Use bridge mode for our entire 900-AP hospital so we never need gateways." Clinical carts roam constantly across floors. Is the proposal sound?

Correct: c. Aruba validates bridge forwarding to a maximum of 500 APs and 5,000 clients, and bridge has no central roaming domain — clients re-IP across subnets. A 900-AP hospital with roaming carts needs tunnel mode to a gateway cluster so clients keep VLAN/IP/gateway while moving. Disabling roaming breaks the clinical use case.
Q10 · Evaluate

A security audit finds APs reachable on UDP/8211 from a partner network. The vendor recommends "just rotate the admin password." Best response?

Correct: d. The critical PAPI vulnerabilities are unauthenticated remote code execution — a password change does nothing. The real mitigation is patching AOS-8/AOS-10, restricting UDP/8211 to trusted networks, and enabling cluster-security on Instant AOS-8. Disabling Wi-Fi or mass-converting to Instant are not appropriate fixes (Instant still uses PAPI).
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".
Aruba AP modes cheat-sheet A four-column comparison cheat sheet of Campus AP, Remote AP, Instant AP and ArubaOS 10 Central across brain location, trusted link, manager, and best use case. AP Modes — Pocket Cheat-Sheet Brain Trusted link Manager Best use Campus AP Remote AP Instant AP ArubaOS 10 Controller / gateway HQ controller The AP (Virtual Ctrl) Gateway cluster Trusted LAN IPsec / Internet None needed GRE/IPsec to GW ArubaOS / Central ArubaOS master Browse to VC IP Aruba Central cloud HQ / campus Home / branch SMB / small site Modern cloud-managed Screenshot this. It answers 80% of exam mode-selection questions.
Cheat-sheet: the one table that answers most "which mode?" questions on the ACMA/ACMP exam.

🧠 Self-explanation — lock it in

In one or two sentences, explain to yourself: "If the link to HQ is the untrusted Internet, which AP mode do I pick and what secures it?" Writing it in your own words is the single biggest retention booster.

👩‍🏫 Teach a friend

Explain the Campus-vs-Remote-vs-Instant decision to a teammate in under 60 seconds, using the "where does the brain live + which link does it trust" framing. If you can teach it, you own it.

🔔 Spaced-recall reminder (optional)

Want a 3-question recap mailed to you in 3 days? Spaced repetition is how this sticks for the exam. Enter your email — we only use it for this nudge.

✓ Saved on this device — we'll nudge you in 3 days.

📕 Glossary

Campus AP (CAP)
An AP that joins a controller/gateway over a trusted private LAN — the default enterprise build.
Remote AP (RAP)
An AP that joins HQ over the untrusted Internet inside an IPsec tunnel; gated by the RAP whitelist.
Instant AP (IAP)
A controller-less AP running Instant OS; the cluster elects a Virtual Controller.
Virtual Controller (VC)
The elected Instant AP that runs cluster management and the config GUI; auto-fails over.
LMS-IP
Local Management Switch IP — the controller an AP should actually terminate on (plus a backup LMS).
PAPI
Aruba's proprietary AP-to-controller management protocol over UDP 8211 — the surface for the 2024 RCE CVEs.
Tunnel / Bridge / Mixed
ArubaOS 10 forwarding modes: GRE to a gateway cluster / local VLAN at the AP / per-VLAN choice.

📚 Sources

  1. HPE Aruba TechDocs — Forwarding Modes of Operation (ArubaOS 10 Design) & Tunnel / Traffic Forwarding Modes (Aruba Central). arubanetworking.hpe.com
  2. HPE Aruba TechDocs — Converting an Instant AP to Remote AP or Campus AP & ap convert (CLI Bank). arubanetworking.hpe.com
  3. HPE Aruba TechDocs — Configuring the Secure Remote Access Point Service (RAP whitelist, IPsec, LMS-IP). arubanetworking.hpe.com
  4. Airheads Community — Difference Between Campus AP and Remote AP; What steps does a RAP follow to come up on the controller? community.arubanetworks.com
  5. evanmccann.net — Aruba Instant On / Instant Overview (practitioner: IAP vs CAP vs RAP, Virtual Controller).
  6. HPE Aruba Security Advisory + BleepingComputer — Critical PAPI RCE flaws (CVE-2024-42509, CVE-2024-47460, CVE-2024-26305, CVSS 9.8, UDP/8211).
  7. HPE Certification — ACMA / ACMP datasheets & ACA (HPE6-A85) blueprint (AP modes, controller/AP config, mobility & roaming). certification-learning.hpe.com

What's next?

Your APs are on air — now make the radios smart. Next we tune the RF: how AirMatch plans channels overnight, how ARM reacts in real time, and how ClientMatch steers sticky clients to the best AP.

Next · Aruba RF Optimization — AirMatch, ARM & ClientMatch → ← All lessons