Environment: This article applies to all controller models and OS versions.
1. The RAP obtains an IP address on the wired interface (Eth 0) by using DHCP. In remote deployment scenarios, the IP address is typically provided by the Internet service provider (ISP) when directly connected to the Internet.
2. The RAP can be provided with either an FQDN or a static IP address of the master controller. If an FQDN is used, the RAP resolves the host name by using the DNS service provided by the ISP.
3. The RAP attempts to form an IPsec connection to the master controller through the Ethernet interface.
a. Depending on the provisioning type, either the RAP's certificate or an Internet Key Exchange (IKE) pre-shared key (PSK) is used to complete IKE phase 1 negotiation.
b. XAuth, an extension to IKE phase 1, is used to authenticate the RAP. If an IKE PSK is used, XAuth authenticates the RAP with a username and password. If a certificate is used, XAuth checks the MAC address in the certificate against the RAP whitelist. In either case, if authentication is successful, the RAP receives an inner IP address and an IKE SA is established between the RAP and the controller.
4. An IPsec SA is then established between the RAP and the controller.
5. The master controller provides the RAP with the IP addresses of the controllers (the LMS and backup LMS) on which it should terminate. In remote deployments where the master also terminates RAPs, this is the same controller.
6. One or more IPsec-encrypted GRE tunnels are formed between the RAP and the designated controller depending on the configuration.
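As an added illustration (not code from the article or from the controller), the following Python models the decision in step 3b and the hand-off in step 5: which credentials let a RAP pass XAuth under each provisioning type, and which termination controllers it is then given. The whitelist, the XAuth user database and the IP addresses are constructed placeholders; IKE, IPsec and GRE are deliberately not implemented.

```python
"""Model of the RAP XAuth decision (step 3b) and LMS hand-off (step 5)."""
import hmac
import re

# Constructed whitelist of provisioned RAP MAC addresses (placeholder values).
RAP_WHITELIST = {"00:0b:86:aa:bb:cc", "00:0b:86:11:22:33"}
# Constructed XAuth accounts for PSK-provisioned RAPs (placeholder values).
XAUTH_USERS = {"rap-site1": "correct-horse-battery"}


def normalize_mac(mac: str) -> str:
    """Canonicalise the MAC formats an operator may type into a whitelist
    (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, AABBCCDDEEFF)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def xauth(provisioning: str, **cred) -> bool:
    """Step 3b: authenticate the RAP after IKE phase 1.

    cert: the MAC carried in the RAP certificate must be on the whitelist.
    psk:  the XAuth username/password must match a provisioned account.
    """
    if provisioning == "cert":
        return normalize_mac(cred["cert_mac"]) in RAP_WHITELIST
    if provisioning == "psk":
        expected = XAUTH_USERS.get(cred["username"], "")
        # Constant-time comparison avoids leaking the password via timing.
        return hmac.compare_digest(expected, cred["password"])
    raise ValueError(f"unknown provisioning type: {provisioning!r}")


def bootstrap(provisioning: str, lms: str, backup_lms: str = None, **cred):
    """Steps 3b to 5: return the termination controllers handed to the RAP,
    or None when XAuth fails (no inner IP, no IKE SA, no IPsec SA).

    Steps 1-3a (DHCP, DNS, IKE phase 1) and step 6 (GRE) are outside this model.
    """
    if not xauth(provisioning, **cred):
        return None
    # Step 5: when the master also terminates RAPs, LMS and backup are the same.
    return {"lms": lms, "backup_lms": backup_lms or lms}
```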