Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ArubaOS 8 - Setting up Remote Access Point (RAP)

  • 1.  ArubaOS 8 - Setting up Remote Access Point (RAP)

    EMPLOYEE
    Posted May 27, 2018 05:28 AM

    ArubaOS 8 - Setting up Remote Access Point (RAP)

     

    This post shows the step-by-step configuration for setting up a Remote AP (RAP) in ArubaOS 8 (AOS8) on a standalone controller.

    This would be helpful for anyone new to AOS 8 and RAPs

    Information is based on ArubaOS Version 8.3.0.0

     

    Remote Access Points AOS6 versus AOS8

    In AOS6:

    Redundancy is achieved by terminating RAPs on VRRP-IP or LMS/BKP-LMS.

    On controller failure, RAPs bootstrap and clients are de-authenticated.

    In AOS8:

    A high level of redundancy is achieved by terminating RAPs on a cluster.

    Using an L2-connected cluster, we can achieve hitless AP failover and hitless client failover. We can also do RAP and client load balancing.

     

    Points to Consider.

    Cluster is limited to max 4 nodes in case of RAP.

    If you have a cluster of 4 Mobility Controllers, we should configure a public-ip on all 4 controllers. This might change in an upcoming release.

    The RAP will establish IPsec tunnels to all 4 controllers, but at any point in time only one A-AAC and one S-AAC will be established.

     

    How to configure an Aruba Controller to terminate RAPs:

    ArubaOS Version: 8.3.0.0

    Controller Model: 7005

    Controller Mode: Standalone

    AP Model: AP-303H

     

    Network Diagram: [image: RAP Solution.jpg]

    Bring up the Controller in Standalone mode: [image: Standalone.jpg]

     

    Install the Licence:

    RAPs do not require PEFV. Only the regular AP licenses (AP, PEFNG).

    Mobility Controller -> Configuration -> System -> Licensing

    Once installed, please ensure that the "Feature Enabled" checkbox is ticked. This will enable the license.

     

    Make the Physical Connections:

    Aruba 7005 Controller - 0/0/0 - Connected to Internet (Public Network)

    Aruba 7005 Controller - 0/0/1 - Connected to My Lab (Internal Network)

    [image: Port Status.jpg]

    Create an L2 and L3 Interface: [image: L2 and L3 Interfaces.jpg]

    L2 and L3 Interfaces - Configuration snippet: [image: L2 and L3 Config snippet.jpg]

     

    Creating a user role for the RAP user:

    //Listing all the internal networks I should have access to.
    netdestination internal-networks
        network 192.168.17.0 255.255.255.0
        network 192.168.26.0 255.255.255.0
        network 172.30.30.0 255.255.255.0
        network 172.30.29.0 255.255.255.0
    !
    //Tunnelling internal network traffic to the Controller; other traffic is source NATed.
    ip access-list session split-tunnel
        any any svc-dhcp permit
        user alias internal-networks any permit
        alias internal-networks user any permit
        user any any route src-nat
    !
    user-role System-Engineer
        access-list session global-sacl
        access-list session apprf-system-engineer-sacl
        access-list session split-tunnel
    !

     

    Configure VPN Pool:

    Configuration -> Services -> VPN -> General VPN -> Add the Address Pools

    [image: VPN Pool Config.jpg]

    Equivalent CLI Command:

    ip local pool "rap" 1.1.1.1 1.1.1.100

     

    If you have an MM and MD setup, to support Remote AP in a cluster configuration, you need to use the Cluster RAP Pool.
    In the GUI, go to MM -> MM-Node
    Configuration -> Services -> Clusters -> Controller Cluster RAP Pool
    In the CLI, to create the RAP pool on the MM/mynode node:
    lc-rap-pool cluster-rap-pool <StartAddress> <EndAddress>

     

    Define RAP AP Group and related settings:

    ap-group-profile contains virtual-ap-profile and ap-system-profile.

    virtual-ap-profile contains aaa-profile and ssid-profile.

     

    //user-role "System-Engineer" is linked to the aaa-profile
    aaa profile "default"
        initial-role "System-Engineer"
        authentication-dot1x "default-psk"
    !
    //Creating the ssid-profile
    wlan ssid-profile "Employee-ssid_prof"
        essid "KapilHome"
        wpa-passphrase "Aruba123!"
        opmode wpa2-psk-aes
    !
    //aaa-profile and ssid-profile are linked to the Virtual AP Profile.
    wlan virtual-ap "Employee-rap-vap-profile"
        vlan 30
        aaa-profile "default"
        ssid-profile "Employee-ssid_prof"
    !
    //Creating the ap-system-profile
    ap system-profile "rap-AP-system-profile"
        lms-ip 59.167.24.220
        ap-console-password "Aruba123!"
        bkup-passwords "CP0010727!+^>"
    !
    //virtual-ap-profile and ap-system-profile are linked to the AP-Group
    ap-group "raphome"
        virtual-ap "Employee-rap-vap-profile"
        ap-system-profile "rap-AP-system-profile"
    !

    Note:

    You can also create WLAN using the wizard under "Configuration -> WLANs".

    All the configuration is done on the "default" ap-group.

    The name you choose for the SSID in the WLAN Wizard is used as the name for the virtual-ap profile, aaa profile, authentication-dot1x profile and ssid-profile.

     

    Whitelist the Remote AP:

    Aruba7005 -> Configuration -> Access Points -> Whitelist -> Remote AP Whitelist.

    [image: Whitelist RAP.jpg]

    Equivalent CLI command

    whitelist-db rap add mac-address "20:4c:03:21:85:2c" ap-group "raphome" ap-name "Kapil-RAP"


     

    DHCP Server on the Controller:

    This is to serve the clients on VLAN 30.

    This can be done under "Configuration -> Services -> DHCP -> DHCP Server" in GUI

    ip dhcp excluded-address 172.30.30.101 172.30.30.254
    ip dhcp pool pool30
     default-router 172.30.30.1
     dns-server 8.8.8.8
     network 172.30.30.0 255.255.255.0
     authoritative
    !
    service dhcp

     

    Provision the AP (Instant AP):

    Here we are converting an Instant AP (IAP) into Remote AP (RAP).

    I have got a brand new IAP. I need to Provision the Country Code and then convert to RAP.

    Just go to Maintenance -> Convert ->

    Select “Remote APs managed by a Mobility Controller”

    Enter the IP Address of the Mobility Controller

    Click “Convert Now”

    [image: RAP-coversion1.jpg]

    Verification Commands:

    AP database: [image: RAP Database.jpg]

    AP bss-table: [image: bss-table.jpg]

    Users: [image: Users.jpg]

    Interfaces on the RAP: [image: Interfaces.jpg]

     

    Different ways RAPs can be terminated on the Controller:

    Staged: Any CAP APs can be staged to become a RAP.

    Zero Touch: RAPs have a GUI where the user can enter the IP address or URL of the controller.

    Activate: RAPs can also automatically communicate with the Aruba cloud-based Activate. If an entry exists in Activate, it will direct these RAPs to the controller.

    Conversion: Instant APs can also be converted to RAPs by pointing to the IP address of the Mobility Controller.

     

     Hope you find this useful. Please post your feedback !

     

    Regards,

    Kapildev Erampu 
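
Added example (not part of the original post, and not Aruba code): the "split-tunnel" policy from the post decides which client traffic is carried to the controller and which leaves locally at the RAP. The Python sketch below parses the post's netdestination and session ACL text and applies first-match evaluation to constructed sample flows. The first-match order with a final implicit deny, the svc-dhcp definition (UDP 67-68) and the client address 172.30.30.50 are assumptions of this model.

```python
import ipaddress
from collections import namedtuple

# Policy text as given in the post (its "//" annotation lines omitted).
CONFIG = """
netdestination internal-networks
    network 192.168.17.0 255.255.255.0
    network 192.168.26.0 255.255.255.0
    network 172.30.30.0 255.255.255.0
    network 172.30.29.0 255.255.255.0
!
ip access-list session split-tunnel
    any any svc-dhcp permit
    user alias internal-networks any permit
    alias internal-networks user any permit
    user any any route src-nat
!
"""

# Assumption: svc-dhcp is modelled as UDP destination ports 67-68.
SERVICES = {"svc-dhcp": ("udp", range(67, 69))}

# Reading of each action, following the post's own annotation of the policy.
PATHS = {
    "permit": "tunnelled to the controller",
    "route src-nat": "local breakout, source-NATed at the RAP",
    "deny": "dropped (no rule matched; implicit deny is assumed)",
}

# src/dst are ("any" | "user" | "alias", alias name or None).
Rule = namedtuple("Rule", "src dst service action")

def take_endpoint(tokens):
    """Consume one source/destination spec from the front of the token list."""
    kind = tokens.pop(0)
    if kind == "alias":
        return ("alias", tokens.pop(0))
    if kind in ("any", "user"):
        return (kind, None)
    raise ValueError(f"unsupported endpoint keyword: {kind}")

def parse(config):
    """Return ({alias: [networks]}, {acl name: [Rule, ...]}) from CLI text."""
    aliases, acls, mode, block = {}, {}, None, None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("//"):
            continue
        if tokens[0] == "!":
            mode = block = None
        elif tokens[0] == "netdestination":
            mode, block = "alias", aliases.setdefault(tokens[1], [])
        elif tokens[:3] == ["ip", "access-list", "session"]:
            mode, block = "acl", acls.setdefault(tokens[3], [])
        elif mode == "alias" and tokens[0] == "network":
            block.append(ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}"))
        elif mode == "acl":
            src, dst = take_endpoint(tokens), take_endpoint(tokens)
            block.append(Rule(src, dst, tokens[0], " ".join(tokens[1:])))
    return aliases, acls

def endpoint_matches(spec, ip, user_ip, aliases):
    """'user' means the wireless client itself; an alias means any listed network."""
    kind, name = spec
    if kind == "any":
        return True
    if kind == "user":
        return ip == user_ip
    return any(ip in net for net in aliases[name])

def service_matches(service, proto, dport):
    if service == "any":
        return True
    svc_proto, ports = SERVICES[service]
    return proto == svc_proto and dport in ports

def evaluate(acl, aliases, user_ip, src, dst, proto, dport):
    """First-match evaluation; returns (rule position, action) or (None, 'deny')."""
    user_ip, src, dst = (ipaddress.ip_address(a) for a in (user_ip, src, dst))
    for pos, rule in enumerate(acl, start=1):
        if (endpoint_matches(rule.src, src, user_ip, aliases)
                and endpoint_matches(rule.dst, dst, user_ip, aliases)
                and service_matches(rule.service, proto, dport)):
            return pos, rule.action
    return None, "deny"

if __name__ == "__main__":
    aliases, acls = parse(CONFIG)
    client = "172.30.30.50"  # constructed address inside the VLAN 30 DHCP pool
    flows = [  # constructed sample flows
        ("DHCP discover", "0.0.0.0", "255.255.255.255", "udp", 67),
        ("client -> lab host", client, "192.168.17.10", "tcp", 443),
        ("lab host -> client", "192.168.26.5", client, "tcp", 22),
        ("client -> DNS 8.8.8.8", client, "8.8.8.8", "udp", 53),
    ]
    for label, src, dst, proto, dport in flows:
        pos, action = evaluate(acls["split-tunnel"], aliases, client, src, dst, proto, dport)
        print(f"{label:24} rule {pos}: {action:14} -> {PATHS[action]}")
```

With the post's values, the DNS server handed out by the VLAN 30 DHCP pool (8.8.8.8) is outside internal-networks, so client DNS queries match the last rule and leave locally at the RAP instead of through the tunnel.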

     

     

     



  • 2.  RE: ArubaOS 8 - Setting up Remote Access Point (RAP)

    Posted May 27, 2018 05:58 AM

    Thank you for the setup guide for the new OS ArubaOS 8.

     

    It has helped a lot.



  • 3.  RE: ArubaOS 8 - Setting up Remote Access Point (RAP)

    EMPLOYEE
    Posted May 27, 2018 06:39 AM

    Welcome Mate :)



  • 4.  RE: ArubaOS 8 - Setting up Remote Access Point (RAP)

    Posted Jun 30, 2018 08:06 AM

    Could you help us check why our RAP cannot connect to the VMC on AOS 8.3? Please take a look at the details in the following link:

     

    https://community.arubanetworks.com/t5/Wireless-Access/Aruba-RAP-contact-to-public-IP-VMC-AOS8-3-problem-need-help/td-p/438204



  • 5.  RE: ArubaOS 8 - Setting up Remote Access Point (RAP)

    EMPLOYEE
    Posted Jul 01, 2018 08:35 AM

    Hello,

     

    Just had a look at the link you provided.


    Getting the output to the following commands would be helpful.
    show ap database
    show ap-group <ap-group-name>
    show wlan virtual-ap <vap-profile-name>
    show aaa profile <aaa-profile-name>
    show wlan ssid-profile <ssid-profile-name>
    What role is your user connecting to RAP placed in? Could you please issue "show rights role-name"

    Please email me the outputs to kapildev.erampu@hpe.com

     

    You can contact Aruba TAC using the link below. Just call them based on which country you are located in.
    https://www.arubanetworks.com/support-services/contact-support/

     

    Regards,

    Kapil

     



  • 6.  RE: ArubaOS 8 - Setting up Remote Access Point (RAP)

    Posted Jul 01, 2018 09:19 PM

    Dear Mr Kali

    We are very happy to get your reply on the Aruba community, as follows:

    and I think the following information is not enough for you.

    You can access our VMC by the public IP 47.104.193.111 directly.

    1. We have 1:1 NAT and have opened all policies in our firewall (any protocol, including GRE, and any TCP/UDP port).

    2. You can access our VMC at 47.104.193.111; the username is admin, and the password is (we have sent an email to you at kapildev.erampu@hpe.com with the password).

    3. This VMC is for testing, so please do not worry; you can make any change inside, because we can reset it to default in a few minutes.

    4. If you have any questions, please send an email to me or leave a message on the Aruba community. Thanks for your help.

    5. In fact, we have called China 400 support and got a very sad reply. China Tec know only money, and know less about Aruba products and Tec. They are not even sure whether RAP needs a PEF Lic (in fact RAP does not need a PEF Lic, but RAP with Split-Tunnel needs a PEF Lic).



  • 7.  RE: ArubaOS 8 - Setting up Remote Access Point (RAP)

    Posted Jul 01, 2018 09:55 PM

    (AOS83) [mynode] #show ap database

    AP Database
    -----------
    Name Group AP Type IP Address Status Flags Switch IP Standby IP
    ---- ----- ------- ---------- ------ ----- --------- ----------

    Flags: 1 = 802.1x authenticated AP use EAP-PEAP; 1+ = 802.1x use EST; 1- = 802.1x use factory cert; 2 = Using IKE version 2

    (AOS83) [mynode] #show ap-group
    default
    NoAuthApGroup
    rap
    <profile-name> Profile name
    | Output Modifiers
    <cr>

    (AOS83) [mynode] #show ap-group rap

    AP group "rap"
    --------------
    Parameter Value
    --------- -----
    Virtual AP ArubaRAP
    802.11a radio profile default
    802.11g radio profile default
    Ethernet interface 0 port configuration default
    Ethernet interface 1 port configuration default
    Ethernet interface 2 port configuration shutdown
    Ethernet interface 3 port configuration shutdown
    Ethernet interface 4 port configuration shutdown
    AP system profile default
    AP multizone profile default
    802.11a Traffic Management profile N/A
    802.11g Traffic Management profile N/A
    Regulatory Domain profile default
    RF Optimization profile default
    RF Event Thresholds profile default
    IDS profile default
    Mesh Radio profile default
    Mesh Cluster profile N/A
    Provisioning profile N/A
    AP authorization profile N/A

     


    (AOS83) [mynode] #show wlan virtual-ap
    ArubaRAP
    default
    <profile-name> Profile name
    | Output Modifiers
    <cr>

    (AOS83) [mynode] #show wlan virtual-ap arubaRAP

    Virtual AP profile "ArubaRAP"
    -----------------------------
    Parameter Value
    --------- -----
    AAA Profile ArubaRAP
    802.11K Profile default
    Hotspot 2.0 Profile N/A
    Virtual AP enable Enabled
    VLAN 1
    Forward mode tunnel
    SSID Profile ArubaRAP
    Allowed band all
    Band Steering Disabled
    Cellular handoff assist Disabled
    Openflow Enable Enabled
    Steering Mode prefer-5ghz
    Dynamic Multicast Optimization (DMO) Disabled
    Dynamic Multicast Optimization (DMO) Threshold 6
    Drop Broadcast and Multicast Disabled
    Convert Broadcast ARP requests to unicast Enabled
    Authentication Failure Blacklist Time 3600 sec
    Blacklist Time 3600 sec
    Deny inter user traffic Disabled
    Deny time range N/A
    DoS Prevention Disabled
    HA Discovery on-association Enabled
    Mobile IP Enabled
    Preserve Client VLAN Disabled
    Remote-AP Operation standard
    Station Blacklisting Enabled
    Strict Compliance Disabled
    VLAN Mobility Disabled
    WAN Operation mode always
    FDB Update on Assoc Disabled
    WMM Traffic Management Profile N/A
    Anyspot profile N/A

     

    (AOS83) [mynode] #show aaa profile
    ArubaRAP
    default
    default-dot1x
    default-dot1x-psk
    default-iap-aaa-profile
    default-mac-auth
    default-open
    default-tunneled-user
    default-xml-api
    NoAuthAAAProfile
    <profile-name> Profile name
    | Output Modifiers
    <cr>

    (AOS83) [mynode] #show aaa profile arubaRAP

    AAA Profile "ArubaRAP"
    ----------------------
    Parameter Value
    --------- -----
    Initial role authenticated
    MAC Authentication Profile N/A
    MAC Authentication Default Role guest
    MAC Authentication Server Group default
    802.1X Authentication Profile N/A
    802.1X Authentication Default Role guest
    802.1X Authentication Server Group N/A
    Download Role from CPPM Disabled
    Set username from dhcp option 12 Disabled
    L2 Authentication Fail Through Disabled
    Multiple Server Accounting Disabled
    User idle timeout N/A
    Max IPv4 for wireless user 2
    RADIUS Accounting Server Group N/A
    RADIUS Roaming Accounting Disabled
    RADIUS Interim Accounting Disabled
    RADIUS Acct-Session-Id In Access-Request Disabled
    XML API server N/A
    RFC 3576 server N/A
    User derivation rules N/A
    Wired to Wireless Roaming Enabled
    Reauthenticate wired user on VLAN change Disabled
    Device Type Classification Enabled
    Enforce DHCP Disabled
    PAN Firewall Integration Disabled
    Open SSID radius accounting Disabled

     

    (AOS83) [mynode] #show wlan ssid-profile
    ArubaRAP
    default
    <profile-name> Profile name
    | Output Modifiers
    <cr>

    (AOS83) [mynode] #show wlan ssid-profile arubaRAP

    SSID Profile "ArubaRAP"
    -----------------------
    Parameter Value
    --------- -----
    SSID enable Enabled
    ESSID ArubaRAP
    WPA Passphrase N/A
    Encryption opensystem
    Enable Management Frame Protection Disabled
    Require Management Frame Protection Disabled
    DTIM Interval 1 beacon periods
    802.11a Basic Rates 6 12 24
    802.11a Transmit Rates 6 9 12 18 24 36 48 54
    802.11g Basic Rates 1 2
    802.11g Transmit Rates 1 2 5 6 9 11 12 18 24 36 48 54
    Station Ageout Time 1000 sec
    Max Transmit Attempts 8
    RTS Threshold 2333 bytes
    Short Preamble Enabled
    Max Associations 64
    Wireless Multimedia (WMM) Disabled
    Wireless Multimedia U-APSD (WMM-UAPSD) Powersave Enabled
    WMM TSPEC Min Inactivity Interval 0 msec
    DSCP mapping for WMM voice AC (0-63) N/A
    DSCP mapping for WMM video AC (0-63) N/A
    DSCP mapping for WMM best-effort AC (0-63) N/A
    DSCP mapping for WMM background AC (0-63) N/A
    WMM Access Class of EAP traffic default
    Multiple Tx Replay Counters Enabled
    Hide SSID Disabled
    Deny_Broadcast Probes Disabled
    Local Probe Request Threshold (dB) 0
    Auth Request Threshold (dB) 0
    Disable Probe Retry Enabled
    Battery Boost Disabled
    WEP Key 1 N/A
    WEP Key 2 N/A
    WEP Key 3 N/A
    WEP Key 4 N/A
    WEP Transmit Key Index 1
    WPA Hexkey N/A
    Maximum Transmit Failures 0
    EDCA Parameters Station profile N/A
    EDCA Parameters AP profile N/A
    BC/MC Rate Optimization Disabled
    Rate Optimization for delivering EAPOL frames Enabled
    Strict Spectralink Voice Protocol (SVP) Disabled
    High-throughput SSID Profile default
    802.11g Beacon Rate default
    802.11a Beacon Rate default
    Video Multicast Rate Optimization default
    Advertise QBSS Load IE Disabled
    Advertise Location Info Disabled
    Advertise AP Name Disabled
    Traffic steering from WLAN to cellular Disabled
    802.11r Profile N/A
    Enforce user vlan for open stations Disabled
    Enable OKC Enabled

     

    In fact, we used the role logon first, and changed to authenticated, because we wondered whether there are some limits for logon.

     

    (AOS83) [mynode] #show rights authenticated

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'authenticated'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = rap_pool1
    PPTP Pool = default-pptp-pool
    Number of users referencing it = 0
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Youtube education: Disabled
    Web Content Classification: Enabled
    IP-Classification Enforcement: Enabled
    ACL Number = 79/0
    Openflow: Enabled
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name Type
    ---- ----

    Application BW-Contract List
    ----------------------------
    Name Type BW Contract Id Direction
    ---- ---- ----------- -- ---------

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 global-sacl session
    2 apprf-authenticated-sacl session
    3 ra-guard session
    4 allowall session
    5 v6-allowall session

    global-sacl
    -----------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    apprf-authenticated-sacl
    ------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    ra-guard
    --------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user any icmpv6 rtr-adv deny Low 6
    allowall
    --------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 any any any permit Low 4
    2 any any any-v6 permit Low 6
    v6-allowall
    -----------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 any any any-v6 permit Low 6

    Expired Policies (due to time constraints) = 0



  • 8.  RE: ArubaOS 8 - Setting up Remote Access Point (RAP)

    Posted Jul 02, 2018 04:11 AM

    Snap22.jpg



  • 9.  RE: ArubaOS 8 - Setting up Remote Access Point (RAP)

    Posted Jul 02, 2018 02:23 AM

    Dear Kapildev

     

    You can try to access our public IP 47.104.193.111 again. We have improved our bandwidth to 20M.

    QQ截图20180702142103.png



  • 10.  RE: ArubaOS 8 - Setting up Remote Access Point (RAP)

    Posted Jul 02, 2018 04:33 AM

    Jul 2 16:02:50 authmgr[3916]: <522125> <3916> <WARN> |authmgr| Could not create/find bandwidth-contract for user, return code (-11).
    Jul 2 16:02:50 isakmpd[3839]: <103015> <3839> <INFO> |ike| IKE Main Mode Phase 1 succeeded for peer 111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103022> <3839> <INFO> |ike| IKE Quick Mode succeeded for peer 111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103033> <3839> <INFO> |ike| IKE Quick Mode succeeded internal 172.16.200.20, external 111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103047> <3839> <INFO> |ike| IKE XAuth succeeded for 172.16.200.20 (External 111.37.21.182) for authenticated
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| ike_auth.c:ike_auth_get_key:612 Found isakmp policy for peer 0.0.0.0 client:yes
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| sa.c:sa_setup_arubaap_expirations:2512 Setting short IKE SA for our AP external IP 111.37.21.182 until 2nd IPSEC rekey
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_main_mode.c:responder_send_ID_AUTH:260 Updated Phase1 port 25649->25649
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_main_mode.c:responder_send_ID_AUTH:280 finished
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_phase_1.c:ike_phase_1_recv_ID:2218 received IKE ID Type 11 exchange:111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_phase_1.c:ike_phase_1_recv_KE_NONCE:1358 Responder, enabling NAT-T.
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_phase_1.c:ike_phase_1_responder_recv_SA:1037 Ike Phase 1 received SA
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_phase_1.c:ike_phase_1_responder_recv_SA:884 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 111.37.21.182.
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_phase_1.c:ike_phase_1_responder_recv_SA:913 Found our AP vendor ID from external IP 111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_quick_mode.c:ike_phase_2_validate_prop_for_client:3328 Skipping crypto map default-ikev2-dynamicmap
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_quick_mode.c:ike_phase_2_validate_prop_for_client:3328 Skipping crypto map default-rap-ipsecmap
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_quick_mode.c:ike_phase_2_validate_prop_for_client:3332 Trying crypto map default-dynamicmap
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_quick_mode.c:responder_recv_HASH_SA_NONCE:2726 message negotiation succeeded
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipc.c:ipc_auth_xauth:6013 ipc_auth_xauth user=arubarap, pass=******
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipc.c:ipc_modify_sb_data:4697 IPSEC dst_ip=172.16.200.20, dst_mask 0.0.0.0 inner_ip 172.16.200.20 client:yestrusted:no, Master-Local:no
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipc.c:ipc_print_dp_packet:5443 DP: :TUNNEL::SA_ADD::L2TP: OFF::incoming::ESP::AES256::Auth = SHA1:, SPI A446CA00, OPPSPI 37520600, esrc 111.37.21.182, edst_ip 172.31.4.51, dst_ip 172.16.200.20, natt 1, natt_dport 1680932864, l2tp_
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipc.c:ipc_print_dp_packet:5443 DP: :TUNNEL::SA_ADD::L2TP: OFF::outgoing::ESP::AES256::Auth = SHA1:, SPI 37520600, OPPSPI A446CA00, esrc 172.31.4.51, edst_ip 111.37.21.182, dst_ip 172.16.200.20, natt 1, natt_dport 1680932864, l2tp_
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipc.c:is_HA_crypto_map_present:2789 Looking for MAP default-ha-ipsecmap::
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> nat_traversal.c:nat_t_exchange_add_nat_d:390 NAT-T added hashes for src=172.31.4.51:4500, dst=111.37.21.182:4500
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> nat_traversal.c:nat_t_exchange_check_nat_d_has_us:656 Did not find our matching NAT-D payload for Port:500 in their packet
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> nat_traversal.c:nat_t_exchange_check_nat_d_has_us:666 Did not find our matching NAT-D payload for Port:4500 in their packet
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> nat_traversal.c:nat_t_generate_nat_d_hash:274 IP 111.37.21.182 Port 12644
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> nat_traversal.c:nat_t_generate_nat_d_hash:274 IP 172.31.4.51 Port 37905
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> nat_traversal.c:nat_t_generate_nat_d_hash:274 IP 172.31.4.51 Port 62465
    Jul 2 16:02:50 isakmpd[3839]: <103060> <3839> <DBUG> |ike| 111.37.21.182:25649-> sa.c:ike_sa_setup_ph2complete_timer:3454 SA 0x2bb0bb0 ph2-completion timeout in 30 seconds
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| *** ipc_auth_recv_packet user=arubarap, pass=******, result=0 exch:0x2bb3220, exch-innerip:0 l2tp_pool:rap_pool1
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| GetFirstMatchIsakmpPSK: entering
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ike_phase_1_post_exchange_KE_NONCE IV len:16
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ike_phase_1_post_exchange_KE_NONCE done 111.37.21.182 g_x_len:128 skeyid_len:20
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ipc_auth_recv_packet Inner-ip 172.16.200.20 from L2TP pool rap_pool1, DNS1:0.0.0.0, DNS2:0.0.0.0, WINS1:0.0.0.0, WINS2:0.0.0.0
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ipc_auth_recv_packet calling client_auth_ip_up for InnerIP 172.16.200.20:
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ipc_auth_recv_packet cookie:1013654840 innerip 0
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ipc_auth_recv_packet innerip:172.16.200.20 user-pool:rap_pool1
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ipc_auth_recv_packet pool rap_pool1
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ipc_auth_recv_packet sa src=0xac1f0433, dst=0x6f2515b6
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| mask 0, ip 6F2515B6, key_ip 0
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| xauth_responder_send_statusset peer:111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| xauth_responder_send_userreq peer:111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> Added the incoming IPSEC SA --- DONE !!
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> Added the outgoing IPSEC SA --- DONE !!
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ->Delete DOI_MIN Exchange ic 7aac704ef47ec136 rc 49eb0cd32b44f79d
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> Aruba RAP detected
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> Legacy IKE Fragmentation
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> New(2) ID_PROT Exchange ic 7aac704ef47ec136 rc 49eb0cd32b44f79d
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> Passing iptunnel as 0
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> attribute_p2_unacceptable: no lifetime is configured in the map lifetime_units 1
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> attribute_p2_unacceptable: save_type = 1
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> exchange_setup_p1: ID is IPv4
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> exchange_setup_p1: USING exchange type ID_PROT
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> exchange_update_iv: udpating exch 0x2bb3220 from 0x7ea5cdf6 to 0xe3e824cb
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> get_rate_limit_val: File /flash/config/ikeRateLimit.txt does not exists, assuming rate limit of 8/sec
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> got password=******
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> got user=arubarap, pass=******
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> got username=arubarap
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> group_get entered id:2
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> group_get group:0x2bb1810
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> group_get ike_group:0x7d05e8
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_auth_hash
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_phase_1_recv_ID_AUTH for peer:111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_phase_1_send_AUTH
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_phase_1_send_ID 111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_phase_1_send_KE_NONCE 111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_phase_2_validate_prop_for_client sa is valid sa-phase 2 isakmpd_sa is valid isakmpd_sa phase 1
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ike_phase_2_validate_prop_for_client setting lifetime_units 1 in isakmpd sa curr_map default-dynamicmap
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ikev1_same_sa: cookies are the same
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipc_auth_xauth exch:0x2bb3220 exip:0 extype:6 cookie:1013654840
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipc_ike_recv_packet: RAP increment session-count 1
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipc_setup_ipsec_dp_sa add=1, out=0, sa=0x2bb5fb0, proto=0x2bb6bf0
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipc_setup_ipsec_dp_sa add=1, out=1, sa=0x2bb5fb0, proto=0x2bb6bf0
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipc_setup_ipsec_dp_sa sa src=0xac1f0433, dst=0x6f2515b6
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipsec_decode_attribute: lifetype 1 sa->lifetime_units = 1
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipsec_decode_transform: SUCCESS
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipsec_decode_transform: transform 1 chosen
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipsec_finalize_exchange: src_net 0.0.0.0 src_mask 0.0.0.0 dst_net 172.16.200.20 dst_mask 255.255.255.255 tproto 0 sport 0 dport 0
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipsec_handle_leftover_payload: calling mac_hash_tbl entry id_i 24:DE:C6:CB:79:40
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipsec_handle_leftover_payload: isarubaCampusAp 0 or isarubaAP 1 phase 1 id_i_len 21 ike_auth 65001
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipsec_handle_leftover_payload: received INITIAL-CONTACT
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipsec_sa 0x2bb6660, proto 0x2bb6bf0
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipsec_spi_hash_tbl_entry_add: adding IPSEC spi 0xca46a4 to SPI hash table
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> ipsec_spi_hash_tbl_entry_add: successfully added IPSEC spi 0xca46a4 to SPI hash table
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> length of attribute is 24
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> length of attribute is 8
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> mac_hash_tbl_entry_add: Cookies : Initiator cookie:7aac704ef47ec136 Responder cookie:49eb0cd32b44f79d
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> mac_hash_tbl_entry_add: added sa entry to sa list and then added new mac entry to MacHashTable
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> mac_hash_tbl_entry_add: adding mac hash table entry for user 24:DE:C6:CB:79:40 version 1
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> mac_hash_tbl_entry_add: adding new mac entry
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> mac_hash_tbl_entry_add: converted mac : 24:de:c6:cb:79:40
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> mac_hash_tbl_entry_add: deleting old sas
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> mac_hash_tbl_entry_add: found an existing mac entry salist numOfNodes 1
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> message_recv enabling early NATT since peer initiates on 4500
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> message_recv recvd packet on UDP 4500, therefore enable NATT
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> modp_create_exchange: entered
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> modp_init entered
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> nat_t_exchange_check_nat_d_has_us src-port:500 dst-port:25649
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> new length of attribute is 24
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> pf_key_v2_enable_sa isainnerip 172.16.200.20
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> pf_key_v2_enable_sa rekeying 0 saxauthip 0 isainnerip 0
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> pf_key_v2_enable_sa saxauthip 0.0.0.0
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> post_quick_mode keymat:0 len:52
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> post_quick_mode keymat:1 len:52
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> responder_send_ID_AUTH pskCount 0, newPsk 0
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> xauth_responder_recv_ipreq peer:111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> xauth_responder_recv_statusack peer:111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> xauth_responder_recv_userrep peer:111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> xauth_responder_send_iprep peer:111.37.21.182 innerip:172.16.200.20
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> xauth_responder_send_iprep: Sending Aruba LMS IP 52.4.31.172 (We are not sure where this IP comes from. We never input this IP in our VMC.)

     

     

    Jul 2 16:03:10 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ->Delete ID_PROT Exchange ic 7aac704ef47ec136 rc 49eb0cd32b44f79d
    Jul 2 16:03:10 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ->Delete TRANSACTION Exchange ic 7aac704ef47ec136 rc 49eb0cd32b44f79d
    Jul 2 16:03:10 isakmpd[3839]: <103063> <3839> <DBUG> |ike| modp_free entered
    Jul 2 16:03:34 isakmpd[3839]: <103060> <3839> <DBUG> |ike| ipc.c:ipc_rcvcb:3295 pubsub msg
    Jul 2 16:04:01 cli[5021]: USER: admin connected from 111.37.21.182 has logged out.
    Jul 2 16:06:34 isakmpd[3839]: <103060> <3839> <DBUG> |ike| ipc.c:ipc_rcvcb:3295 pubsub msg
    Jul 2 16:08:17 isakmpd[3839]: <103040> <3839> <INFO> |ike| IKE XAuth idle timeout for 172.16.200.20 (External 182.21.37.111)
    Jul 2 16:08:17 isakmpd[3839]: <103056> <3839> <INFO> |ike| IKE XAuth client down IP:172.16.200.20 External 111.37.21.182
    Jul 2 16:08:17 isakmpd[3839]: <103060> <3839> <DBUG> |ike| ipc.c:ipc_modify_sb_data:4697 IPSEC dst_ip=172.16.200.20, dst_mask 0.0.0.0 inner_ip 172.16.200.20 client:yestrusted:no, Master-Local:no
    Jul 2 16:08:17 isakmpd[3839]: <103060> <3839> <DBUG> |ike| ipc.c:ipc_print_dp_packet:5443 DP: :TUNNEL::SA_DEL::L2TP: OFF::incoming::ESP::AES256::Auth = SHA1:, SPI A446CA00, OPPSPI 37520600, esrc
    111.37.21.182, edst_ip 172.31.4.51, dst_ip 172.16.200.20, natt 1, natt_dport 1680932864, l2tp_
    Jul 2 16:08:17 isakmpd[3839]: <103060> <3839> <DBUG> |ike| ipc.c:ipc_print_dp_packet:5443 DP: :TUNNEL::SA_DEL::L2TP: OFF::outgoing::ESP::AES256::Auth = SHA1:, SPI 37520600, OPPSPI A446CA00, esrc
    172.31.4.51, edst_ip 111.37.21.182, dst_ip 172.16.200.20, natt 1, natt_dport 1680932864, l2tp_
    Jul 2 16:08:17 isakmpd[3839]: <103060> <3839> <DBUG> |ike| ipc.c:ipc_rcvcb:3587 Auth ip down message.ip=172.16.200.20. flags 1
    Jul 2 16:08:17 isakmpd[3839]: <103060> <3839> <DBUG> |ike| ipc.c:ipc_rcvcb:3602 sa_xauth_down ok for ip20.200.16.172 flags 1
    Jul 2 16:08:17 isakmpd[3839]: <103060> <3839> <DBUG> |ike| sa.c:sa_xauth_down:2727 RET 1 for ip 2.0.0.0 flag 1
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| Deleted the incoming IPSEC SA --- DONE !!
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| Deleted the outgoing IPSEC SA --- DONE !!
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| Passing iptunnel as 0
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| freeL2TPIP freeing IP 172.16.200.20 from pool
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ikev1_same_sa: cookies are the same
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ipc_setup_ipsec_dp_sa add=0, out=0, sa=0x2bb5fb0, proto=0x2bb6bf0
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ipc_setup_ipsec_dp_sa add=0, out=1, sa=0x2bb5fb0, proto=0x2bb6bf0
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ipc_setup_ipsec_dp_sa sa src=0xac1f0433, dst=0x6f2515b6
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ipsec_sa 0x2bb6660, proto 0x2bb6bf0
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| ipsec_spi_hash_tbl_entry_remove: Successfully removed IPSEC spi 0xca46a4 from SPI hash table
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| mac_hash_tbl_delete_sa_entry: deleting for mac 24:DE:C6:CB:79:40
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| sa_free: 172.16.200.20 not found in InnerIPHashTable
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| sa_release phase:1 calling client_auth_ip_down with ip=0xac10c814, extip=0x6f2515b6
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| sa_release-> SA ph:1 ref:0 flags:10583 ic 7aac704ef47ec136 rc 49eb0cd32b44f79d
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| sa_release-> SA ph:2 ref:0 flags:10583 ic 7aac704ef47ec136 rc 49eb0cd32b44f79d
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| sa_release: Removing spi 0xca46a4 from spi hash table
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| sa_release: calling mac_hash_tbl_delete_sa_entry id_i 24:DE:C6:CB:79:40
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| sa_release: decrement limit 0
    Jul 2 16:08:17 isakmpd[3839]: <103063> <3839> <DBUG> |ike| sa_release: sa->isarubaAP 1 isarubaCampusAP 0 sa->id_i_len 21
    Jul 2 16:08:17 isakmpd[3839]: <103101> <3839> <INFO> |ike| IPSEC SA deleted for peer 111.37.21.182
    Jul 2 16:08:44 cli[6217]: USER: admin has logged in from 111.37.21.182.
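
The debug log above can be reduced to a per-peer tunnel summary: inner IP handed out, LMS IP advertised to the RAP, why the tunnel went down, and how long it lasted. This is an added example, not part of the original post or of Aruba's tooling; it reads a few lines excerpted from that log (poster's inline note removed), and the `expected_lms` set and the placeholder `year` are assumptions supplied by whoever runs it.

```python
import re
from datetime import datetime

# Lines excerpted from the debug log in the post above (syslog format, no year).
SAMPLE_LOG = """\
Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> xauth_responder_send_iprep peer:111.37.21.182 innerip:172.16.200.20
Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> xauth_responder_send_iprep: Sending Aruba LMS IP 52.4.31.172
Jul 2 16:08:17 isakmpd[3839]: <103040> <3839> <INFO> |ike| IKE XAuth idle timeout for 172.16.200.20 (External 182.21.37.111)
Jul 2 16:08:17 isakmpd[3839]: <103101> <3839> <INFO> |ike| IPSEC SA deleted for peer 111.37.21.182
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) isakmpd\[\d+\]: <\d+> <\d+> <\w+> \|ike\| (.*)$")
IP = r"(\d+\.\d+\.\d+\.\d+)"
INNER = re.compile(rf"send_iprep peer:{IP} innerip:{IP}")
LMS = re.compile(rf"{IP}:\d+-> .*Sending Aruba LMS IP {IP}")
IDLE = re.compile(rf"XAuth idle timeout for {IP}")
SA_DEL = re.compile(rf"IPSEC SA deleted for peer {IP}")

def summarize(log, expected_lms, year=2000):
    """Return {peer_ip: session dict}. year is a placeholder: only time deltas are used."""
    sessions, by_inner = {}, {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines and non-isakmpd lines are skipped
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if (h := INNER.search(msg)):
            s = sessions.setdefault(h.group(1), {"findings": []})
            s.update(inner_ip=h.group(2), up=ts)
            by_inner[h.group(2)] = s  # idle-timeout lines name the inner IP only
        elif (h := LMS.search(msg)):
            s = sessions.setdefault(h.group(1), {"findings": []})
            s["lms_ip"] = h.group(2)
            if h.group(2) not in expected_lms:
                s["findings"].append("unexpected LMS IP " + h.group(2))
        elif (h := IDLE.search(msg)) and h.group(1) in by_inner:
            by_inner[h.group(1)]["findings"].append("XAuth idle timeout")
        elif (h := SA_DEL.search(msg)) and h.group(1) in sessions:
            s = sessions[h.group(1)]
            if "up" in s:
                s["lifetime_s"] = int((ts - s["up"]).total_seconds())
    return sessions

if __name__ == "__main__":
    # 172.31.4.51 is the controller-side address seen in the log; treating it as expected is an assumption.
    print(summarize(SAMPLE_LOG, expected_lms={"172.31.4.51"}))
```
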



  • 11.  RE: ArubaOS 8 - Setting up Remote Access Point (RAP)

    Posted Nov 06, 2019 01:53 PM

    Very useful, thanks a lot.

    I drew a flowchart for your configuration. I am sharing it with you.

     

    Q:

    Please, what will be the configuration changes in a topology with a firewall and NAT, like in the graphic?

    rap mc fw v01.JPG

    Regards,



  • 12.  RE: ArubaOS 8 - Setting up Remote Access Point (RAP)

    EMPLOYEE
    Posted Jun 26, 2020 06:15 PM

    Quick question. For these 303H deployed as RAPs, in the system-profile, can we configure parameters for Bluetooth console access: 'ble-op-mode persistentConsole'? Has anyone tested this to be working?