08-28-2017 12:24 PM
I am trying to change the default role that IAPs are getting because i need to src-nat my RADIUS requests. I have found many articles that explain how to do this but the options dont exist.
I am connecting the IAP to a 7210 controller running 220.127.116.11.
I am following this guide:
On page 135, figure 59 - It shows how to change the default role for the default-iap profile. This is not an option in my controller.
Here is another guide that shows how to do what i need to do:
At the end under "VPN Profile Configuration", the commands are not working for me and "default-role" is not an option:
(Master-Pref) (config) #aaa authentication vpn default-iap
(Master-Pref) (VPN Authentication Profile "default-iap") #default-role iap-role
% Invalid input detected at '^' marker.
(Master-Pref) (VPN Authentication Profile "default-iap") #?
cert-cn-lookup Check certificate common name against AAA server.
Default is enabled.
clone Copy data from another VPN Authentication Profile
export-route Whether to export server-returned VPN ip address as
a route to external world. Default is enabled.
max-authentication-fa.. Maximum auth failures before user is blacklisted.
Range: 1-10. Default: 0.
no Delete Command
pan-integration Require IP mapping at Palo Alto Networks firewalls
radius-accounting Configure server group for radius accounting
server-group Name of server group
user-idle-timeout User idle timeout value. Valid range is 30-15300
seconds in multiples of 30 seconds
Solved! Go to Solution.
08-29-2017 12:06 AM
Do you have the PEFV license installed on your controller?
If you want to firewall (or NAT) VPN traffic, you will need the PEFV (Policy Enforcement Firewall for VPN) license to be active.
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).