04-06-2012 09:52 AM
I'm trying to provisoin a zero touch RAP-5 and RAP 2 on my 3600 controller running 18.104.22.168 software
When I look in the 6.1 manual for RAPs it goes through setting up up vpn authentication using the internal database and setting up a user role for the RAP... etc ....etc ....etc.
I thought all I really had to do is put the RAP MAC address in the RAP whitelist and make sure there is an address pool for raps in the VPN IPSEC tab?
Is there a section in the manual that covers what you need for zero touch RAP configuration? Seems like there are several steps in the manual that are not actually needed when doing this.
I must be missing something though because the RAP isn't connecting. I see that it hit the controller because when i entered the outside ip address into the rap provisioning screen i now see 1 IPSEC down on my controller. But it isn't staying up after initial connection.
04-06-2012 10:35 AM
I actualy got the rap up. (I was missing a license for it)
but if there is a section that covers zero touch rap configuration for the controller please let me know where it is. Like I stated before looks like you really don't need to enter a lot of what the manual says.
I"m using ArubaOS_6.1UG.pdf and referencing Chapter 7
04-06-2012 11:35 AM - edited 04-06-2012 11:37 AM
What you are doing is right and nothing more is required assuming that you have configured a VPN address pool for the RAPs in the VPN services tab of the WebUI. Configuring VPN auth profile and role was required in the older code base but now if you are using zero touch provisioing all you have to do is add the RAPs mac in the whitelist and make sure that the default-rap profile under the VPN authentication profile has the internal database selected as the authentication server. By default, the internal server is used in the default-rap profile and this will work fine. however, if you change this to an external server then zero-touch provisioning will fail becasue the RAP whitelist is maintained in the internalDB. By deafult the RAPs will be assigned the ap-role even if you change the role to something else in the deafult-rap VPN authentiction profile i.e the inner IP of the RAP will be assigned the ap-role and the outer ip will be assigned the logon role. You can't change this. On CLI "show user-table verbose" will show the default user role applied to the inner and outer ip of the RAPs IPsec tunnel.