Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Raps with DMZ controller

  • 1.  Raps with DMZ controller

    Posted Nov 20, 2014 01:15 AM
    Hi forum,

    I am having a bit of an odd mental block.

    I have a master controller with some tunnels to a DMZ controller. I want to terminate raps on the DMZ controller.

    Anyone point me in the right direction for this kind of implementation?

    Never been able to deploy RAPs; I am missing something fundamental.


    Thanks


  • 2.  RE: Raps with DMZ controller

    EMPLOYEE
    Posted Nov 23, 2014 04:26 AM

    That is a major design question.  We will need tons more information about your infrastructure.  If you have never set up a RAP controller, you might want to do that independently to understand all the parts involved, before terminating it on a DMZ controller....



  • 3.  RE: Raps with DMZ controller

    Posted Nov 24, 2014 06:10 PM

    OK - I have got an Aruba 620 for the lab and am using an AP-105 as a RAP.

    I just want to start basic, then layer on extra features later.

    Note: I have not done this before!

    I got 2 VLANs, both trusted. An inside and an outside, if you like.

    I run the wizard for RAP and provision, and I browse into the RAP and it shows disconnected from the controller.

    I check datapath tables, I see some udp/4500 traffic, not much.

    I see via the console plugged into the 105 - I know it sees the master IP configured right - and the IP address the AP gets is on the same subnet.

    The AP never comes up, I even disable control plane security to let any AP register?!

    Don't know how to debug this!

    Stumped, completely. I can only guess I am missing a massive fundamental thing here. Any suggestions welcome!



  • 4.  RE: Raps with DMZ controller

    EMPLOYEE
    Posted Nov 24, 2014 08:33 PM

    Nik,

    Did you:

    - Create an IPSEC pool?

    - What is the output of "show crypto ipsec sa" when the AP is trying to connect?

    - Make sure that the LMS-IP of the AP system profile in that AP group has no ip address?

    - Control Plane Security has nothing to do with it.



  • 5.  RE: Raps with DMZ controller

    Posted Nov 25, 2014 01:38 AM
    Thanks for the pointers cj. I'll post up a configuration when I get into the office. I have done what you've said, which is reassuring so I guess I am having a bit of an idiot moment! Bear with me and thanks again!


  • 6.  RE: Raps with DMZ controller

    Posted Nov 25, 2014 01:59 AM
    One quick question: for the inner pool of addresses. Just to make sure I have not misunderstood the documentation: should this address block be part of a subnet which is part of a vlan which is configured as an ip interface on the controller?


  • 7.  RE: Raps with DMZ controller

    EMPLOYEE
    Posted Nov 25, 2014 02:59 AM

    The inner pool can be any range.  I normally choose 8.8.8.1 - 8.8.8.20 so I do not get confused.



  • 8.  RE: Raps with DMZ controller

    Posted Nov 25, 2014 03:28 AM

    Cool, I'll set up a lab at work and at home and I'll get this working if it kills me :)



  • 9.  RE: Raps with DMZ controller

    EMPLOYEE
    Posted Nov 25, 2014 03:33 AM

    Nik,

    Does your controller have a public ip address, as a management address, or are you using a firewall to do a 1:1 NAT to a public address?



  • 10.  RE: Raps with DMZ controller

    Posted Nov 25, 2014 03:43 AM

    In my original lab everything was private and the AP was directly connected (I was worried ADP may have confused my config), as I do not have PoE on my home network.

    I appreciate this was a nonsense of a setup, but I just wanted to prove things in principle.

    At work I'll set up this: controller, inside private, usual 172.16.0.0/24, and outside public IP space, with an AP that'll get another subnet IP, again public.  I'll introduce NAT later.

    BTW - do I need an IP on the VLAN interface for the IP pool in IPSEC?  Or is the inner pool a bit of a "formality"?

    Thanks! :)



  • 11.  RE: Raps with DMZ controller
    Best Answer

    EMPLOYEE
    Posted Nov 25, 2014 03:56 AM

    At minimum, you need:

    - an IPSEC Pool

    - The wired mac address of the access point in the RAP whitelist and assigned to an ap-group

    - A "reachable" ip address on the controller

    --------------

    Just to get it working, the controller only needs a management ip address (any ip address, as long as it is reachable by your AP.  It can be on the same subnet).  Put the mac address of the AP into the RAP whitelist and assign it to the default ap-group if you want.  Make sure there is no LMS-IP in the AP system profile of that AP group, to start.  Create an IPsec pool of a wacky range like 7.7.7.1-7.7.7.20.

    Do NOT USE the RAP wizard... Boot up your AP and make sure it finds the controller as a regular campus AP.  After you do that, use Configuration> Wireless> AP installation and find that AP.  Put the checkbox next to it and click on provision.   Make sure the radio button to the right of Remote AP is "Yes" and Remote AP method is "Certificate":

    [screenshot: rap1.png]

    In the Master Controller IP Address/DNS name field, put the ip address of the controller and click on provision:

    [screenshot: rap-2.png]

    It should come back up later and just work.
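    The minimum set of prerequisites from the answer above, written out as controller CLI, as an added example that is not part of the original thread and not taken from any HPE Aruba documentation. It assumes ArubaOS 6.x command syntax (check it against the release on the 620), the 7.7.7.1-7.7.7.20 pool and the `default` ap-group from the answer, a constructed placeholder wired MAC of 00:0b:86:00:00:01 for the AP-105, and a constructed placeholder management address of 192.0.2.10 on the controller. It also assumes that provisioning a certificate-capable AP as a RAP without an IKE PSK uses the certificate method that the GUI screenshot selects.

    ```text
    ! Added example, not the thread's own config. ArubaOS 6.x syntax assumed.
    !
    ! 1. IPsec inner-address pool handed to RAPs. The range only exists inside the
    !    tunnel, so an unused "wacky" range avoids overlap with real subnets and
    !    needs no VLAN interface on the controller.
    ip local pool "rap-pool" 7.7.7.1 7.7.7.20
    !
    ! 2. Wired MAC of the AP in the RAP whitelist, bound to an ap-group.
    !    00:0b:86:00:00:01 is a constructed placeholder; use the AP's real wired MAC.
    !    Only whitelisted MACs are allowed to bring up a RAP tunnel, so keep this
    !    list to the APs you actually ship out.
    whitelist-db rap add mac-address 00:0b:86:00:00:01 ap-group default
    !
    ! 3. No LMS-IP in the AP system profile of that ap-group, so the RAP keeps
    !    talking to the address it was provisioned with instead of being redirected
    !    to an address it may not reach from outside.
    ap system-profile "default"
       no lms-ip
    !
    ! 4. Provision the AP as a RAP, after it has first joined as a campus AP.
    !    192.0.2.10 is a constructed placeholder for the controller's reachable
    !    management address (the address the firewall exposes, if NATed later).
    provision-ap read-bootinfo ap-name 00:0b:86:00:00:01
    provision-ap ap-group default
    provision-ap remote-ap
    provision-ap master 192.0.2.10
    provision-ap reprovision ap-name 00:0b:86:00:00:01
    !
    ! Verification while the AP reboots and reconnects:
    !   show whitelist-db rap   -> the MAC is listed and approved
    !   show crypto ipsec sa    -> an SA from the RAP's source address (UDP/4500)
    !   show ap database        -> the AP is listed as Remote and Up
    show whitelist-db rap
    show crypto ipsec sa
    show ap database
    ```

    If "show crypto ipsec sa" stays empty while the AP is trying, the tunnel is not being attempted at all (reachability or whitelist), whereas an SA that comes up and the AP still not registering points at the ap-group or LMS-IP side.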



  • 12.  RE: Raps with DMZ controller

    Posted Nov 25, 2014 03:37 PM

    ok cool - thanks a mill for all the info trying this now



  • 13.  RE: Raps with DMZ controller

    Posted Nov 25, 2014 03:56 PM

    cj you are the man!!

    We'll get some serious value out of this!  Thanks a million!  :)



  • 14.  RE: Raps with DMZ controller

    Posted Nov 25, 2014 04:00 PM

    Really like the idea of using certificate-based auth as well.