Controller Based WLANs

RAPs coming up in the "default" ap-group
Problem:

RAPs come up in the "default" ap-group even when they have another ap-group defined in the RAP whitelist.



Diagnostics:

 

The MAC address of the RAP is the common name of its certificate.

With certificate-based authentication, that MAC address is therefore what is used for authentication against the AAA server.

When the "Check certificate common name against AAA server" knob is disabled, the validation against the AAA server does not happen, so the RAP falls back to the "default" ap-group.

 



Solution

 

The only case in which a certificate-based RAP comes up in the "default" ap-group even though it is whitelisted to another ap-group is when "Check certificate common name against AAA server" is disabled (default: enabled) in the "default-iap" or the "default-rap" L3 authentication profile.

 

(Controller) (config) #show  aaa  authentication vpn  default-iap

VPN Authentication Profile "default-iap" (Predefined (changed))
---------------------------------------------------------------
Parameter                                         Value
---------                                         -----
Default Role                                      default-vpn-role
Server Group                                      default
RADIUS Accounting Server Group                    N/A
Max Authentication failures                       0
Check certificate common name against AAA server  Enabled          <<<<<<<<<<<< (default: Enabled)
Export VPN IP address as a route                  Disabled
User idle timeout                                 N/A
PAN Firewall Integration                          Disabled

(Controller) (config) #show  aaa  authentication vpn  default-rap

VPN Authentication Profile "default-rap" (Predefined (changed))
---------------------------------------------------------------
Parameter                                         Value
---------                                         -----
Default Role                                      default-vpn-role
Server Group                                      default
RADIUS Accounting Server Group                    N/A
Max Authentication failures                       0
Check certificate common name against AAA server  Enabled          <<<<<<<<<<<< (default: Enabled)
Export VPN IP address as a route                  Disabled
User idle timeout                                 N/A
PAN Firewall Integration                          Disabled
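
A check for the condition described above, as an added example that is not part of the original article or of Aruba's tooling: it parses captured "show aaa authentication vpn" output and lists the profiles where the common-name check is not enabled. The function names and the sample capture are constructed for illustration; the output layout is assumed to match the listings above.

```python
import re

# Setting name exactly as printed by "show aaa authentication vpn <profile>".
CN_CHECK = "Check certificate common name against AAA server"
HEADER = re.compile(r'^VPN Authentication Profile "([^"]+)"')
PROMPT = re.compile(r"^\(.*\)\s*#")  # e.g. "(Controller) (config) #show ..."

def parse_vpn_profiles(cli_text):
    """Return {profile_name: {parameter: value}} from captured CLI output."""
    profiles, current = {}, None
    for raw in cli_text.splitlines():
        line = raw.strip()
        if PROMPT.match(line):
            current = None  # a new command starts; stop filling the old profile
            continue
        header = HEADER.match(line)
        if header:
            current = profiles.setdefault(header.group(1), {})
            continue
        # Skip blank lines and rulers, and anything outside a profile table.
        if current is None or not line or set(line) <= {"-", " "}:
            continue
        cols = re.split(r"\s{2,}", line, maxsplit=2)
        if len(cols) >= 2 and cols[0] != "Parameter":
            current[cols[0]] = cols[1]  # cols[2], if present, is an annotation
    return profiles

def profiles_without_cn_check(cli_text, required=("default-iap", "default-rap")):
    """Required profiles where the CN check is absent or not Enabled."""
    profiles = parse_vpn_profiles(cli_text)
    return [name for name in required
            if profiles.get(name, {}).get(CN_CHECK, "").lower() != "enabled"]

# Constructed sample: default-iap as on the page, default-rap with the check off.
SAMPLE = """\
(Controller) (config) #show  aaa  authentication vpn  default-iap
VPN Authentication Profile "default-iap" (Predefined (changed))
---------------------------------------------------------------
Parameter                                         Value
---------                                         -----
Check certificate common name against AAA server  Enabled          <<<< (default: Enabled)
(Controller) (config) #show  aaa  authentication vpn  default-rap
VPN Authentication Profile "default-rap" (Predefined (changed))
---------------------------------------------------------------
Parameter                                         Value
---------                                         -----
Check certificate common name against AAA server  Disabled
"""
if __name__ == "__main__":
    print(profiles_without_cn_check(SAMPLE))
```

A profile that is missing from the capture is reported as well, so an incomplete capture is not mistaken for a clean one.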

Version History
Revision #: 2 of 2
Last update: 03-28-2017 11:06 PM