Controller Based WLANs

How do I verify that the VPN role has the correctly configured policies, so that the RAP can bootstrap?

Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS versions.

After a remote access point (RAP) has successfully built its IPsec tunnel to the controller and has acquired an L2TP IP address as a VPN user, the RAP is assigned a role. This role can be either the VPN default role or a role derived from the VPN authentication server. If the authentication server is "local db", make sure that the desired role is configured here. The VPN default role in this example is named "RemoteAP". The RAP remains in this role until it finishes bootstrapping, and then it automatically transitions into the system role named "ap-role".

The following traffic must be permitted from the Mobility Controller to the AP and back to facilitate the bootstrap process:

1. AP control traffic via the Aruba PAPI protocol: Port # 8211
2. GRE tunnel traffic: Protocol Number # 47
3. TFTP traffic from the RAP to the controller: Port # 69
4. FTP traffic from the RAP to the controller: Port # 21 UDP

To verify that the VPN role has the correctly configured policies, issue the following command:

#show rights RemoteAP

The command output should be similar to this output (not all fields shown):

access-list List

----------------

Position Name Location

-------- ---- --------

1 RemoteAP

RemoteAP

--------

Priority Source Destination Service Action . . . . Queue . . . .

-------- ------ ----------- ------- ------ . . . . ------- . . .

1 any any svc-papi permit Low . . . .

2 any any svc-ntp permit Low . . .

3 any any svc-syslog permit Low . . .

4 any any svc-tftp permit Low . . .

5 any any svc-ftp permit Low . . .

6 any any svc-gre permit Low . . .

Expired Policies (due to time constraints) = 0

If the VPN role is missing any of the required policies, add the necessary policies to the role.

For more information, see the "Troubleshooting Remote Access Points" chapter in the Virtual Branch Networks Validated Reference Design document.

Version history
Revision #:
1 of 1
Last update:
‎06-30-2014 04:57 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.