Controller-less WLANs

Why we cannot convert an IAP to RAP on the controller

Posted on 04-09-2015 04:31 AM

Environment: tested on an IAP-155 and an Aruba 7220 controller.

Symptom: when we try to convert the IAP to a RAP, the conversion fails.

By default the IAP appears in the controller's user table, and once it is VPN authenticated its inner IP is placed in the "default-vpn-role" role, which the VPN authentication profiles reference as their default role:

(Aruba) #show references user-role default-vpn-role

References to User Role "default-vpn-role"
------------------------------------------
aaa authentication vpn "default" default-role
aaa authentication vpn "default-iap" default-role
aaa authentication vpn "default-rap" default-role


In certain cases, if "default-vpn-role" has been deleted, the inner IP of the IAP falls into the logon role instead. Registration then fails, because it uses TCP port 80, which the logon role does not permit.

We noticed that both the inner and outer IP were in the logon role, and then created "default-vpn-role" again. The outputs below were taken before and after the role was re-created.



#show user-table verbose

Users
-----
    IP            MAC            Name              Role      Age(d:h:m)  Auth  VPN link     AP name  Roaming  Essid/Bssid/Phy  Profile      Forward mode  Type  Host Name  Server    Vlan   Bwm  UaStr:ParseDisable/Flag/ShortIndex
----------   ------------       ------             ----      ----------  ----  --------     -------  -------  ---------------  -------      ------------  ----  ---------  ------    ----   ---  ----------------------------------
1.1.1.1      00:00:00:00:00:00  18:64:72:c4:05:26  logon     00:00:00    VPN   10.20.25.25  N/A                                default-iap  tunnel                         Internal  0 (o)       OFF/0/0
10.20.25.25  00:00:00:00:00:00                     logon     00:00:00    VPN                N/A                                             tunnel                                   0 (o)       OFF/0/0

User Entries: 2/2

#show references user-role default-vpn-role
Unknown role default-vpn-role


#configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(config) #ip access-list session allowall
(config-sess-allowall)#any  any any permit
(config-sess-allowall)#exit
(config) #user-role default-vpn-role
(config-role) #access-list session allowall
(config-role) #exit
(config) #
(config) #
(config) #exit
  #write memory
Saving Configuration...

Configuration Saved.

#show references user-role default-vpn-role

References to User Role "default-vpn-role"
------------------------------------------
aaa authentication vpn "default" default-role
aaa authentication vpn "default-iap" default-role
aaa authentication vpn "default-rap" default-role


#show user-table verbose

Users
-----
    IP            MAC            Name              Role              Age(d:h:m)  Auth  VPN link     AP name  Roaming  Essid/Bssid/Phy  Profile      Forward mode  Type  Host Name  Server    Vlan   Bwm  UaStr:ParseDisable/Flag/ShortIndex
----------   ------------       ------             ----              ----------  ----  --------     -------  -------  ---------------  -------      ------------  ----  ---------  ------    ----   ---  ----------------------------------
1.1.1.2      00:00:00:00:00:00  18:64:72:c4:05:26  default-vpn-role  00:00:00    VPN   10.20.25.25  N/A                                default-iap  tunnel                         Internal  0 (0)       OFF/0/0
10.20.25.25  00:00:00:00:00:00                     logon             00:00:00    VPN                N/A                                             tunnel                                   0 (0)       OFF/0/0

User Entries: 2/2
Curr/Cum Alloc:2/4 Free:0/2 Dyn:2 AllocErr:0 FreeErr:0

#show datapath  session table 1.1.1.2


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
      D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
10.17.32.248    1.1.1.2         6    0     1024   0/0     0 0   1   tunnel 9    9    0         0          FY
10.17.32.248    1.1.1.2         1    0     0      0/0     0 0   0   tunnel 9    2    1         84         FI
1.1.1.2         10.17.32.248    6    61981 1024   0/0     0 0   0   tunnel 9    9    1583      63340      CU
1.1.1.2         10.17.32.248    6    52107 21     0/0     0 0   1   tunnel 9    9    11        520        CUI
1.1.1.2         10.17.32.248    6    52416 80     0/0     0 0   1   tunnel 9    a    0         0          FC
1.1.1.2         10.17.32.248    6    1024  0      0/0     0 0   1   tunnel 9    9    0         0          FYCU
1.1.1.2         10.17.32.248    1    0     2048   0/0     0 0   0   tunnel 9    2    1         84         FCI
10.17.32.248    1.1.1.2         6    1024  61981  0/0     0 0   0   tunnel 9    9    3145      4087244
10.17.32.248    1.1.1.2         6    80    52416  0/0     0 0   1   tunnel 9    a    0         0          F
10.17.32.248    1.1.1.2         6    21    52107  0/0     0 0   1   tunnel 9    9    10        686        I



#show ap active

Active AP Table
---------------
Name               Group    IP Address  11g Clients  11g Ch/EIRP/MaxEIRP  11a Clients  11a Ch/EIRP/MaxEIRP  AP Type  Flags  Uptime  Outer IP
----               -----    ----------  -----------  -------------------  -----------  -------------------  -------  -----  ------  --------
18:64:72:c4:05:26  default  1.1.1.3     0            AP:HT:11/15/25.5     0            AP:HT:48-/15/19      115      R2a    2m:55s  10.20.25.25

Flags: 1 = 802.1x authenticated AP; 2 = Using IKE version 2;
       A = Enet1 in active/standby mode;  B = Battery Boost On; C = Cellular;
       D = Disconn. Extra Calls On; E = Wired AP enabled; F = AP failed 802.1x authentication;
       H = Hotspot Enabled; K = 802.11K Enabled; L = Client Balancing Enabled; M = Mesh;
       N = 802.11b protection disabled; P = PPPOE; R = Remote AP;
       S = AP connected as standby; X = Maintenance Mode;
       a = Reduce ARP packets in the air; d = Drop Mcast/Bcast On; u = Custom-Cert RAP;
       r = 802.11r Enabled

Channel followed by "*" indicates channel selected due to unsupported configured channel.
"Spectrum" followed by "^" indicates Local Spectrum Override in effect.

Num APs:1

 

In summary: if "default-vpn-role" is removed, the IAP's inner IP falls into the logon role and the AP fails to convert to a remote AP. Re-creating "default-vpn-role", with a session ACL that permits its traffic as shown above, resolves the problem.
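To spot this condition from CLI captures rather than by eye, here is an added Python example (not from the article or from Aruba) that parses the fixed-width "show user-table verbose" output and flags a VPN-authenticated inner IP that has landed in the logon role. The sample tables are the leading columns of the two captures above, trimmed after "AP name".

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: leading columns of the captures before and after the fix.
BEFORE = """\
    IP            MAC            Name              Role      Age(d:h:m)  Auth  VPN link     AP name
----------   ------------       ------             ----      ----------  ----  --------     -------
1.1.1.1      00:00:00:00:00:00  18:64:72:c4:05:26  logon     00:00:00    VPN   10.20.25.25  N/A
10.20.25.25  00:00:00:00:00:00                     logon     00:00:00    VPN                N/A
"""
AFTER = """\
    IP            MAC            Name              Role              Age(d:h:m)  Auth  VPN link     AP name
----------   ------------       ------             ----              ----------  ----  --------     -------
1.1.1.2      00:00:00:00:00:00  18:64:72:c4:05:26  default-vpn-role  00:00:00    VPN   10.20.25.25  N/A
10.20.25.25  00:00:00:00:00:00                     logon             00:00:00    VPN                N/A
"""

def _column_bounds(sep_line: str) -> List[Tuple[int, Optional[int]]]:
    """Each dash run in the separator starts a column; a column runs until
    the next run begins, so blank fields keep their position."""
    starts = [m.start() for m in re.finditer(r"-+", sep_line)]
    return [(s, starts[i + 1] if i + 1 < len(starts) else None)
            for i, s in enumerate(starts)]

def parse_user_table(output: str) -> List[Dict[str, str]]:
    """Turn the fixed-width user table into one dict per entry."""
    lines = output.splitlines()
    for idx, line in enumerate(lines):
        # the column separator: only dashes and spaces, several dash runs
        if line.strip() and set(line) <= {"-", " "} and len(re.findall(r"-+", line)) >= 3:
            break
    else:
        return []
    bounds = _column_bounds(line)
    names = [lines[idx - 1][s:e].strip() for s, e in bounds]
    rows = []
    for row in lines[idx + 1:]:
        if not row.strip():
            break  # a blank line ends the table
        rows.append({n: row[s:e].strip() for n, (s, e) in zip(names, bounds)})
    return rows

def inner_ips_stuck_in_logon(rows: List[Dict[str, str]]) -> List[str]:
    """The IAP's inner IP is the VPN-authenticated entry whose 'VPN link'
    is its outer IP. It belongs in default-vpn-role; in logon its TCP/80
    registration to the controller is blocked, so conversion fails."""
    return [r["IP"] for r in rows
            if r.get("Auth") == "VPN" and r.get("Role") == "logon"
            and re.fullmatch(r"\d+(\.\d+){3}", r.get("VPN link", ""))]
```

The outer IP (10.20.25.25) stays in the logon role even after the fix, so it is deliberately not flagged; only the inner IP that carries a VPN link is.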
