Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Managing IAP-VPN AP's from Airwave

  • 1.  Managing IAP-VPN AP's from Airwave

    Posted Mar 20, 2014 11:40 AM

    I want to start deploying IAP-VPN configured Instant AP's to some of our home users.

    I have been testing this in our lab and have the IAP configured to connect to our Airwave server, where the config is pushed down to it via Instant GUI config.

    This all works pretty well.

    The issue is that when the IAP is sent to the home user, the IAP's IP address is now different and Airwave is no longer able to contact it and classes it as down.

    I am able to connect to the IAP remotely by https to the inner IP of the VPN tunnel, but I need to be able to get to it from Airwave so that if we need to push out a change across multiple IAP's it can be done one time only without the need to log in to each IAP.

    I would appreciate some help in working this out.

    Thanks



  • 2.  RE: Managing IAP-VPN AP's from Airwave

    EMPLOYEE
    Posted Mar 20, 2014 12:27 PM

    I'll have someone run through this in the lab and then update.



  • 3.  RE: Managing IAP-VPN AP's from Airwave

    Posted Mar 20, 2014 10:39 PM
    Can the IAP ping Airwave? Can we get the IAP's running config?


  • 4.  RE: Managing IAP-VPN AP's from Airwave

    Posted Mar 21, 2014 01:11 AM
    We are trying to reproduce the issue and will update then.


  • 5.  RE: Managing IAP-VPN AP's from Airwave

    Posted Mar 24, 2014 06:55 AM

    Here's my IAP config

     

    18:64:72:c5:49:c4# sh run
    version 6.3.1.0-4.0.0
    virtual-controller-country GB
    virtual-controller-key 573d3cc301f2d17e5f2d3dcf51a7231da78b0f63e2c5b53c6b
    name e17447
    organization EMEA-IAP
    virtual-controller-ip 172.18.109.1
    syslog-server 10.101.1.243
    terminal-access
    ntp-server 172.17.0.1
    clock timezone none 00 00
    rf-band all
    ams-ip 10.101.1.243
    ams-key b6ce5a0e3999a796d6a5bf45a9a13270
    ams-identity 844460756981198a0fa95e406bd32caf

    allowed-ap 18:64:72:c5:49:c4

    routing-profile
     route  0.0.0.0  0.0.0.0  <controller public IP>

    snmp-server community a71f5328091c090d28b41ed6c6767d5a296fb87cc5850d5d
    snmp-server community 0b0a9cf540c2c0833a4dc955c588adb92a78c2f61779b4c0

    arm
     wide-bands 5ghz
     80mhz-support
     min-tx-power 127
     max-tx-power 127
     band-steering-mode disable
     air-time-fairness-mode default-access
     client-aware
     scanning
     client-match

    rf dot11g-radio-profile
     interference-immunity 3

    rf dot11a-radio-profile
     interference-immunity 3

    internal-domains
     domain-name kcc.com

    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless


    extended-ssid

    vpn primary <controller public ip>
    vpn monitor-pkt-send-freq 10



    mgmt-user mgmtuser
     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    wlan access-rule default_wired_port_profile
     index 1
     rule any any match any any any permit

    wlan access-rule wired-instant
     index 2
     rule 192.168.1.70 255.255.255.255 match tcp 80 80 permit
     rule 192.168.1.70 255.255.255.255 match tcp 4343 4343 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit

    wlan access-rule testing
     index 3
     rule any any match any any any permit


    wlan ssid-profile testing
     enable
     index 1
     type employee
     essid testing
     opmode wpa2-aes
     max-authentication-failures 0
     vlan 100
     auth-server radius1
     auth-server radius2
     rf-band all
     captive-portal disable
     hide-ssid
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter none
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64

    auth-survivability cache-time-out 24

    mgmt-auth-server mgmt-server1
    mgmt-auth-server mgmt-server2

    mgmt-auth-server-local-backup

    wlan auth-server mgmt-server1
     ip 10.1.1.1
     port 1812
     acctport 1813
     key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    wlan auth-server mgmt-server2
     ip 10.1.1.2
     port 1812
     acctport 1813
     key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    wlan auth-server radius1
     ip 10.1.1.3
     port 1812
     acctport 1813
     key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    wlan auth-server radius2
     ip 10.1.1.4
     port 1812
     acctport 1813
     key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    wlan external-captive-portal
     server localhost
     port 80
     url "/"
     auth-text "Authenticated"


    blacklist-time 3600
    auth-failure-blacklist-time 3600

    ids
     wireless-containment none

    ip dhcp cl2
     server-type Centralized,L2
     server-vlan 100

    alg
     sccp-disable
     ua-disable
     vocera-disable

    wired-port-profile wired-instant
     switchport-mode access
     allowed-vlan all
     native-vlan guest
     no shutdown
     access-rule-name wired-instant
     speed auto
     duplex auto
     no poe
     type guest
     captive-portal disable
     no dot1x

    wired-port-profile default_wired_port_profile
     switchport-mode trunk
     allowed-vlan all
     native-vlan 1
     shutdown
     access-rule-name default_wired_port_profile
     speed auto
     duplex full
     no poe
     type employee
     captive-portal disable
     no dot1x


    enet0-port-profile default_wired_port_profile
    enet1-port-profile default_wired_port_profile
    enet2-port-profile default_wired_port_profile

    uplink
     preemption
     enforce none
     failover-internet-pkt-lost-cnt 10
     failover-internet-pkt-send-freq 30
     failover-vpn-timeout 180


    airgroup
     disable

    airgroupservice airplay
     disable
     description AirPlay

    airgroupservice airprint
     disable
     description AirPrint






  • 6.  RE: Managing IAP-VPN AP's from Airwave

    Posted Mar 25, 2014 07:27 AM

    After checking the IAP running-config, the IAP team thinks this scenario should work.

    We suggest upgrading the IAP to the latest build and getting tech-support if it still does not work.