Requirement: The customer has RAPs deployed in the network with CPSEC enabled and wants them to communicate with an RTLS server. After CPSEC was enabled the APs rebooted and are now in sys-ap-role. As a result, the controller is denying the communication between the RAPs and the RTLS server, as the session table entries below show:
10.253.245.242 159.8.85.88 17 1144 2311 0/0 0 0 0 tunnel 51 a 9 6860 fdf3f 0 0 0 20a 1b61 81 FDC
10.253.244.74 159.8.85.88 17 1144 2311 0/0 0 0 0 tunnel 1425 8 9 8612 251c 0 0 0 54 1bd6 81 FDC
10.253.245.28 159.8.85.88 17 1144 2311 0/0 0 0 0 tunnel 1155 8 8 8108 2cc6 0 0 0 172 1a37 81 FDC
159.8.85.88 : RTLS server (the D in the Flags column, FDC, marks each of these sessions as denied)
10.253.245.242 00:00:00:00:00:00 d8:c7:c8:c2:d0:52 sys-ap-role 07:11:40 VPN 10.2.240.148 N/A default-rap tunnel Internal 0 (0) OFF/0/0
Note:
The following deployments will not work with the current AOS:
- CPSEC is ENABLED
- RTLS server is not routable from the RAP inner IP (irrespective of CPSEC)
Solution: This deployment can be supported when the RTLS server (AeroScout/Ekahau) is routable from the RAP inner IP AND CPSEC is DISABLED on the controller. A session ACL permitting the RTLS traffic must be added to the config.
Configuration: The config is as follows:
-------------------------------------
conf t
ip access-list session rtls
  any host <rtls-ip> udp <rtls-port> permit
!
user-role ap-role
  session-acl rtls
!
---------------------------------------
Verification: Verify the communication between the RAP and the RTLS server using the command below:
#show datapath session table <RTLS ip>
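The script below is an added example, not part of the original article or of ArubaOS. It parses the output of `show datapath session table`, reports the sessions toward the RTLS server that carry the deny flag, and renders the session ACL the article calls for from the protocol and destination port actually observed. It assumes that the first five columns are source IP, destination IP, protocol number, source port and destination port, that the last column is Flags (where D means deny), and that the columns in between can be ignored; the sample lines are taken from the article plus one constructed, permitted session toward a placeholder address.

```python
"""Spot denied RTLS sessions in `show datapath session table` output and
derive the permit rule needed for them.  Added example; assumptions on
column positions and flag letters are stated in the comments."""
from dataclasses import dataclass
from typing import List

# Constructed sample: three denied sessions quoted in the article plus one
# permitted (no D flag) session toward a placeholder address, with a header
# line to make sure non-data rows are skipped.
SAMPLE_OUTPUT = """\
Source IP      Destination IP  Prot SPort DPort ... Flags
10.253.245.242 159.8.85.88 17 1144 2311 0/0 0 0 0 tunnel 51 a 9 6860 fdf3f 0 0 0 20a 1b61 81 FDC
10.253.244.74 159.8.85.88 17 1144 2311 0/0 0 0 0 tunnel 1425 8 9 8612 251c 0 0 0 54 1bd6 81 FDC
10.253.245.28 159.8.85.88 17 1144 2311 0/0 0 0 0 tunnel 1155 8 8 8108 2cc6 0 0 0 172 1a37 81 FDC
10.253.245.28 192.0.2.10 17 4500 4500 0/0 0 0 0 tunnel 12 8 8 8108 2cc6 0 0 0 5 1a37 81 FC
"""


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    proto: int   # IP protocol number (17 = UDP, 6 = TCP)
    sport: int
    dport: int
    flags: str   # Flags column; assumption: "D" marks a denied session

    @property
    def denied(self) -> bool:
        return "D" in self.flags


def parse_session_table(text: str) -> List[Session]:
    """Assumes fields 0-4 are src, dst, proto, sport, dport and the last
    field is Flags; everything in between varies by release and is skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        # Header, separator and blank lines never have a numeric third field.
        if len(fields) < 6 or not fields[2].isdigit():
            continue
        sessions.append(Session(fields[0], fields[1], int(fields[2]),
                                int(fields[3]), int(fields[4]), fields[-1]))
    return sessions


def denied_to_server(sessions: List[Session], server_ip: str) -> List[Session]:
    """Sessions destined for the RTLS server that the controller is denying."""
    return [s for s in sessions if s.dst == server_ip and s.denied]


def suggested_acl(sessions: List[Session], server_ip: str, acl_name: str = "rtls") -> str:
    """Render one permit rule per distinct protocol/destination port seen in
    denied sessions, in the ArubaOS session-ACL form used in the article."""
    proto_names = {6: "tcp", 17: "udp"}
    rules = sorted({(s.proto, s.dport) for s in denied_to_server(sessions, server_ip)})
    lines = [f"ip access-list session {acl_name}"]
    for proto, port in rules:
        lines.append(f"  any host {server_ip} {proto_names.get(proto, str(proto))} {port} permit")
    lines.append("!")
    return "\n".join(lines)


if __name__ == "__main__":
    table = parse_session_table(SAMPLE_OUTPUT)
    for s in denied_to_server(table, "159.8.85.88"):
        print(f"DENIED {s.src} -> {s.dst} proto {s.proto} dport {s.dport} flags {s.flags}")
    print(suggested_acl(table, "159.8.85.88"))
```

Paste the real `show datapath session table <RTLS ip>` output into `SAMPLE_OUTPUT` (or read it from a file) and rerun after applying the ACL: once the rule is in place the sessions toward the RTLS server should no longer carry the D flag, and `denied_to_server` should return an empty list.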