Remote Networking

Occasional Contributor II

Has the default-role assigned to aaa authentication vpn been removed in 5.x?

I have a single RAP that is able to create a VPN tunnel to the controller where it gets assigned the sys-ap-role. I then see the remote IP in the "Logon" role with authentication of VPN and the MAC address for the device in the role "sys-ap-role" with the authentication method of VPN. The AP never comes fully active. Note: other APs all work fine.

I enabled IPSEC and ISAKMP logging, and the connection is built successfully, but it never seems to transition to the correct role.

What strikes me as odd is that the MAC address of the AP is showing as a user in the sys-ap-role. When I checked my config, the rap-role I previously had assigned prior to the 5.x upgrade was not assigned to the aaa authentication vpn default-rap. The manual for 5.x shows that this is still required, but I can't even add a default-role now. Entering default-role rap_role is not accepted as a valid command.

Has the application of roles changed in 5.x? I also checked the release notes for the various 5.x versions and I see no mention of a change there either.
Guru Elite

sys-ap-role

sys-ap-role is a built-in role to have access points work. It cannot be changed. The AP should come up just fine. Do a "show crypto ipsec sa" to see if the AP indeed made that connection. If it is in there, do a "show ap database" to see why that AP is not up, to see if it has a flag on it.

And oh, yes, that aaa authentication VPN is no longer used for RAPs.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: Has the default-role assigned to aaa authentication vpn been removed in 5.x?


sys-ap-role is a built-in role to have access points work. It cannot be changed. The AP should come up just fine. Do a "show crypto ipsec sa" to see if the AP indeed made that connection. If it is in there, do a "show ap database" to see why that AP is not up, to see if it has a flag on it.

And oh, yes, that aaa authentication VPN is no longer used for RAPs.




Strangely the RAP came online after it sat overnight. I think the user was behind some type of NAT device that was causing an issue. I did see an IPSEC sa session coming up though. Odd, but now it is working!