I've changed settings so that the AP-GROUP-NAME and profiles are the same. It now DOES connect to the back-up controller. However, it does not fully function.
The back-up controller DOES show the RAP being connected and being in the proper ap-group. However, the RAP does not let any traffic through to port E1 it seems.
It shows the following messages in the logs of the back-up controller:
2013-08-16 09:02:05 User 192.168.124.25 with MAC address 00:00:00:00:00:00 and name 00:0c:87:c4:90:1f is authenticated with authentication mechanism 3 and the Role given is sys-ap-role
2013-08-16 09:02:05 User 192.168.124.25 with MAC address 00:00:00:00:00:00 and name 00:0c:87:c4:90:1f was authenticated with authentication mechanism 3 and the role assigned was sys-ap-role
2013-08-16 09:02:06 AP 00:0c:87:c4:90:1f has changed. Change type is 3
2013-08-16 09:02:06 Access point 00:0c:87:c4:90:1f (LMS 192.168.1.250) status 1
2013-08-16 09:02:06 For RAP with Mac address 00:0c:87:c4:90:1f uplink is 1
2013-08-16 09:02:06 Access point 00:0c:87:c4:90:1f is up
2013-08-16 09:02:06 AP 00:0c:87:c4:90:1f has changed. Change type is 1
2013-08-16 09:02:06 AP 00:0c:87:c4:90:1f is on backup controller xxx.xxx.165.147 (primary controller is xxx.xxx.165.146)
2013-08-16 09:02:06 Access point 00:0c:87:c4:90:1f with Name Erik and IP address 192.168.124.25 cold-started 1 time(s)
Aug 16 09:02:05 authmgr[2367]: <522048> <WARN> |authmgr| AP-Group is not present in the Radius server for username=00:0c:87:c4:90:1f; AP will take the ap-group as provisioned in the AP
The IP for the RAP has now (automatically?) changed to 192.168.124.26 and the result is still the same. This line in the log is very strange "2013-08-16 09:02:06 AP 00:0c:87:c4:90:1f is on backup controller xxx.xxx.165.147 (primary controller is xxx.xxx.165.146)" because it is actually connected to controller xxx.xxx.165.146 at that moment and it is the back-up controller xxx.xxx.165.146 that prints that message in its log.
xxx.xxx.165.146 = back-up LMS.
Also, the line "Aug 16 09:02:05 authmgr[2367]: <522048> <WARN> |authmgr| AP-Group is not present in the Radius server for username=00:0c:87:c4:90:1f; AP will take the ap-group as provisioned in the AP" is strange. 00:0c:87:c4:90:1f IS in the white list of the backup-controller, WITH a proper AP-Group.
EDIT: It suddenly works now. I don't know why. What I did was unplug the network cable from the client connected to the RAP, then plug it back in. And then it suddenly received an IP. Before that, I was only trying ipconfig /release and /renew.
Edit2: I can reproduce this. Every time the RAP fails over to the backup controller, it gets an IP, for example 192.168.124.27, and then pretty quickly it changes to 192.168.124.28. In the meantime, the client behind the RAP receives a 192.168.11.X IP address. After that, I have to pull the network cable between the RAP and the client and reconnect it, and then the client is connected to the office VLAN again. Normal ipconfig /release and /renew does not work for some reason; the RAP does not let the client talk to the office VLAN until I reconnect the network cable. Weird.
Next problem: if the master that was manually entered in the RAP is not available and the RAP is switched on (was powered off), then it does not find its master. Apparently, the backup LMS is not saved in the RAP when it's turned off, because it does not connect to the backup controller either. It is pretty common for our employees to unplug the RAP at home when they don't use it. How can we manage redundancy now?
I found in other topics that we might have to set up a DNS name for the RAPs with 2 IPs. However, this means we lose the ability to control which RAP prefers which controller, because the DNS will return an IP at random. Are there any suggestions for us?
We would like a RAP that is switched on to connect to the preferred controller first. If that one is not available, connect to the other controller. I guess this means the RAP would have to store the backup-LMS when turned off, but it does not seem to do so.
Edit3: maybe I can answer my own question :D If I combine the DNS-thing with the 2 ap-groups kdisc98 suggested, it might just work fine. I'll give that a go. (In one ap-group X is the lms and Y is the backup-lms, and in the 2nd ap-group Y is the lms and X is the backup-lms.)