Frequent Contributor I

How to provision RAP via Internet? Is there anybody with experience who can help us?

1. Our controller is a VMC in standalone mode with the public IP 47.104.193.111

(AOS83) [mynode] (config) #show license limits

License Limits
--------------
Limit Value
----- -----
1000 Access Points
0 RF Protect
0 120abg Upgrade
0 121abg Upgrade
0 124abg Upgrade
0 125abg Upgrade
1000 Next Generation Policy Enforcement Firewall Module
0 Advanced Cryptography
0 Service provider AP
0 WebCC
0 Beta AP
0 MM-VA
1000 MC-VA-RW
0 MC-VA-EG
0 MC-VA-IL
0 MC-VA-JP
0 MC-VA-US
0 VIA
(AOS83) [mynode] (config) #

 

2. We try to connect our RAP to this VMC, but we get the following error information:

[Attached image: 微信图片_20180623070049.png]

(AOS83) [mynode] (config) #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP  Responder IP  Flags     Start Time       Private IP
------------  ------------  -----     ---------------  ----------
36.110.67.20  172.31.4.51   r-v2-c-R  Jun 23 16:33:35  172.16.2.19

Flags: i = Initiator; r = Responder
m = Main Mode; a = Agressive Mode; v2 = IKEv2
p = Pre-shared key; c = Certificate/RSA Signature; e = ECDSA Signature
x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
3 = 3rd party AP; C = Campus AP; R = RAP; Ru = Custom Certificate RAP; I = IAP
V = VIA; S = VIA over TCP

Total ISAKMP SAs: 1
(AOS83) [mynode] (config) #show crypto ipsec sa


IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP  Responder IP  SPI(IN/OUT)        Flags  Start Time       Inner IP
------------  ------------  ----------------   -----  ---------------  --------
36.110.67.20  172.31.4.51   f860b400/56798a00  UT2    Jun 23 16:33:43  172.16.2.22

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 1
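
Added example, not part of the original post: a small parser for the "show crypto isakmp sa" output above that decodes the Flags column with the legend the controller prints, so the session in the post reads as a RAP that authenticated with a certificate over IKEv2. The function names and the second sample row are constructed for illustration.

```python
import re

# Flag legend copied from the "show crypto isakmp sa" output in the post.
LEGEND = {
    "role": {"i": "initiator", "r": "responder"},
    "mode": {"m": "IKEv1 main mode", "a": "IKEv1 aggressive mode", "v2": "IKEv2"},
    "auth": {"p": "pre-shared key", "c": "certificate/RSA signature",
             "e": "ECDSA signature"},
    "peer": {"3": "3rd party AP", "C": "campus AP", "R": "RAP",
             "Ru": "custom-certificate RAP", "I": "IAP", "V": "VIA",
             "S": "VIA over TCP"},
}
OPTIONS = {"x": "XAuth", "y": "Mode-Config", "E": "EAP"}

# One session row: initiator, responder, flags, "Mon DD HH:MM:SS", private IP.
ROW = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+"
                 r"(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)\s*$")

def decode_flags(flags):
    """Map a hyphen-separated flag string such as 'r-v2-c-R' to named fields."""
    out = {"role": None, "mode": None, "auth": None, "peer": None, "options": []}
    for tok in flags.split("-"):
        field = next((f for f, tbl in LEGEND.items() if tok in tbl), None)
        if field:
            out[field] = LEGEND[field][tok]
        elif tok in OPTIONS:
            out["options"].append(OPTIONS[tok])
        else:
            raise ValueError(f"unknown ISAKMP flag {tok!r}")
    return out

def parse_isakmp_sa(text):
    """Return one dict per session row; header and legend lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            init, resp, flags, start, private = m.groups()
            sessions.append({"initiator": init, "responder": resp, "start": start,
                             "private_ip": private, **decode_flags(flags)})
    return sessions

# First row is the one from the post; the second is constructed for contrast.
SAMPLE = """\
Initiator IP Responder IP Flags Start Time Private IP
36.110.67.20 172.31.4.51 r-v2-c-R Jun 23 16:33:35 172.16.2.19
198.51.100.7 172.31.4.51 r-v2-p-R Jun 23 17:02:10 172.16.2.30
"""
SESSIONS = parse_isakmp_sa(SAMPLE)
```
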

Guru Elite


cloudq,

 

You are in a chicken-and-egg situation:

 

- A VMC does not have a TPM (trusted platform module) so you cannot just connect a remote AP using the RAP Console (which uses certificates).  That is why you are getting the selfsigned_verify_failed error.

 

You would have to connect the RAP as a Campus AP to the VMC and then use a username/password preshared key to provision it.  If you can get the RAP on the same network as the VMC, you will then be able to enter the preshared key, username and password.  If you cannot do that, it would be impossible to connect the RAP the RAPConsole way, because the Rapconsole only uses certificates.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Regular Contributor II


Hi

I imagine that you could set up the RAP via CLI by stopping the boot process and entering the VMC IP address and username and password into the settings. On the VMC you then need to set up the user account for the RAP.

At this moment I am not able to test this, family needs attention.

Hope it helps.
Cheers, Frank
Aruba Partner Ambassador| AMFX#22| ACCX#613| ACMX#733| ACDX#744

If you like my posts, kudo's are welcome. If it solves your problem, please click 'Accept as Solution'
Guru Elite


There are a couple problems with that:

 

1.  The user would need a console cable for the RAP109 to attempt this. 

 

2.  In addition, the username is in cleartext, but the password and IKE preshared key are in an encrypted format that the user won't be able to enter via the console. That is why the user would need to provision the RAP function while the RAP109 is connected to the controller as a campus AP.

 

 


Regular Contributor II


Hi

Check.

An unsafe and insecure temporary option could be to open the PAPI ports from the internet to be able to get the RAP up as a CAP first and then provision it.

And limit the ACL for the open PAPI port by source IP.
Cheers, Frank
Frequent Contributor I


Dear Cjoseph

 

1. We are very happy to get your reply with the very important information as follows:

- A VMC does not have a TPM (trusted platform module) so you cannot just connect a remote AP using the RAP Console (which uses certificates).  That is why you are getting the selfsigned_verify_failed error.

and we know the reason why we cannot connect to the VMC.

2. Just as you say, we cannot access the VMC in the same local network, because our VMC is on a cloud server on the Internet.

 

You would have to connect the RAP as a Campus AP to the VMC and then use a username/password preshared key to provision it.  If you can get the RAP on the same network as the VMC, you will then be able to enter the preshared key, username and password.  If you cannot do that, it would be impossible to connect the RAP the RAPConsole way, because the Rapconsole only uses certificates.

 

Is there any other way to do this? We can only connect to our VMC from the Internet.

Frequent Contributor I


Yes, we can access apboot from the console, and if you have any RAP in hand, we can tell you our VMC IP address and administrator username, so you can try and help us.

 

our VMC Public IP is 47.104.193.111 you can access it by http or ssh

and the manager username is admin password is 123456qq

You can try to check them. Thanks

Frequent Contributor I


Dear Mr

 

1. We do indeed have the console cable, and we can also access apboot to do the setenv operation, but we do not know what we should input.

2. We cannot access the VMC on the local network, because it is on a cloud server on the Internet. What should we do now?

3. Could we install another VMC in our local network to set up the RAP and then connect this RAP to the public-IP VMC over the Internet? Is this way workable?

Frequent Contributor I


Could you tell us how to open the PAPI port?

Regular Contributor II


Is there a firewall between the internet and the vmc?
Cheers, Frank