Problem:
The only instance in which a certificate-based RAP comes up in the "default" ap-group, even though it is whitelisted to another ap-group, is when "Check certificate common name against AAA server" is disabled (default: enabled) in the "default-iap" or "default-rap" L3 authentication profile.

Cause:
The MAC address of the RAP is the common name (CN) of its certificate, so with certificate-based authentication it is the RAP's MAC address that is validated against the AAA server. When that knob is disabled, no validation against the AAA server takes place, and the RAP therefore falls back to the "default" ap-group.
(Controller) (config) #show aaa authentication vpn default-iap

VPN Authentication Profile "default-iap" (Predefined (changed))
---------------------------------------------------------------
Parameter                                         Value
---------                                         -----
Default Role                                      default-vpn-role
Server Group                                      default
RADIUS Accounting Server Group                    N/A
Max Authentication failures                       0
Check certificate common name against AAA server  Enabled   <<<<<<<<<<<< (default: Enabled)
Export VPN IP address as a route                  Disabled
User idle timeout                                 N/A
PAN Firewall Integration                          Disabled

(Controller) (config) #show aaa authentication vpn default-rap

VPN Authentication Profile "default-rap" (Predefined (changed))
---------------------------------------------------------------
Parameter                                         Value
---------                                         -----
Default Role                                      default-vpn-role
Server Group                                      default
RADIUS Accounting Server Group                    N/A
Max Authentication failures                       0
Check certificate common name against AAA server  Enabled   <<<<<<<<<<<< (default: Enabled)
Export VPN IP address as a route                  Disabled
User idle timeout                                 N/A
PAN Firewall Integration                          Disabled
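Because the knob is silently the difference between a RAP landing in its whitelisted ap-group and falling back to "default", it is worth auditing from saved "show aaa authentication vpn" output rather than by eye. The script below is an added example, not Aruba/HPE code: it parses one or more profile blocks in the table layout shown above and reports any profile where "Check certificate common name against AAA server" is not Enabled. The sample output is constructed for the example (the "default-rap" block is deliberately set to Disabled so the audit has something to flag), and the assumption that parameter and value are separated by two or more spaces is taken from the layout above; adjust the split if a controller prints the table differently.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the "show aaa authentication vpn <profile>"
# layout above. Not captured from a real controller.
SAMPLE_OUTPUT = """\
(Controller) (config) #show aaa authentication vpn default-iap

VPN Authentication Profile "default-iap" (Predefined (changed))
---------------------------------------------------------------
Parameter                                         Value
---------                                         -----
Default Role                                      default-vpn-role
Server Group                                      default
RADIUS Accounting Server Group                    N/A
Max Authentication failures                       0
Check certificate common name against AAA server  Enabled
Export VPN IP address as a route                  Disabled
User idle timeout                                 N/A
PAN Firewall Integration                          Disabled

(Controller) (config) #show aaa authentication vpn default-rap

VPN Authentication Profile "default-rap" (Predefined (changed))
---------------------------------------------------------------
Parameter                                         Value
---------                                         -----
Default Role                                      default-vpn-role
Server Group                                      default
RADIUS Accounting Server Group                    N/A
Max Authentication failures                       0
Check certificate common name against AAA server  Disabled
Export VPN IP address as a route                  Disabled
User idle timeout                                 N/A
PAN Firewall Integration                          Disabled
"""

CN_CHECK = "Check certificate common name against AAA server"
PROFILE_RE = re.compile(r'^VPN Authentication Profile "([^"]+)"')


def parse_vpn_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Return {profile_name: {parameter: value}} from one or more
    'show aaa authentication vpn' blocks pasted into one string."""
    profiles: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            profiles[current] = {}
            continue
        if current is None or not line.strip():
            continue
        # Skip the CLI prompt, the "Parameter  Value" header and dashed rules.
        if line.startswith("(") or line.startswith("Parameter") \
                or set(line.strip()) <= {"-", " "}:
            continue
        # Assumption: parameter and value are separated by 2+ spaces (as above).
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            profiles[current][parts[0]] = parts[1]
    return profiles


def audit_cn_check(profiles: Dict[str, Dict[str, str]],
                   required: Tuple[str, ...] = ("default-iap", "default-rap")) -> List[str]:
    """Return findings for each required profile whose CN-vs-AAA check is not
    Enabled. A profile missing from the output is reported too, since an
    absent profile cannot be confirmed as safe."""
    findings = []
    for name in required:
        value = profiles.get(name, {}).get(CN_CHECK)
        if value != "Enabled":
            findings.append(f"{name}: {CN_CHECK} = {value or 'not found'}")
    return findings


if __name__ == "__main__":
    for finding in audit_cn_check(parse_vpn_profiles(SAMPLE_OUTPUT)):
        print("FINDING:", finding)
```

Run it against a file containing the pasted output of both profiles; an empty findings list means both "default-iap" and "default-rap" have the check Enabled, which is the state the article describes as required for a whitelisted certificate-based RAP to join its intended ap-group.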
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.