What are the various things to be kept in mind for RAP to come up successfully on a controller. ?

By Arunkumar posted Jul 10, 2014 04:45 PM

  1. Routing: We must make sure that we have symmetric route for the controller. Thus if the AP traffic from internet is coming in from a Firewall / router, the return traffic should also exit out the same interface.
  2. AP-database: By default, the Controller will check the RAP in the localuser-db. Thus always check that Configuration> security> authentication>l3 authentication> vpn authentication proftile> default-rap,  the server group is "default". Also make sure the Internal server iis mapped in the same.
  3. AP database must have the AP wired mac and AP group that we want it in. It’s advisable not to give the ip address and let DHCP take care of it.
  4. Local Pool: Local pool is needed for the inner IP. We must make the inner pool which is not already available in the routing table for the controller. We must make sutre that IP are available in the local pool:
  5. Make sure that the server group is "default"  in the default ap VPN auth profile. Else we can run into the error "RC_ERROR_IKE_XAUTH_AUTHORIZATION_FAILED"

 #show aaa authentication  vpn "default-rap"

VPN Authentication Profile "default-rap" (Predefined (changed))
Parameter                                                                        Value
---------                                                                               -----
Server Group                                                                  default
Max Authentication failures                                               0
Check certificate common name against AAA server     Enabled

                    6. Confirm that the "Check certificate common name against AAA server" is enabled in above. Else the controller will not check the CN name of the cert presented by the RAP (which contains the RAP's wired mac address). If this is disabled, the RAP will come up in default group without it's entry being present in the local-userdb-ap.

                    7. A local controller checks the whitelist DB from the master controller. Confirm that the mac address if present in the master controller. If the master-local connectivity is lost, the APs will no longer come up. To make an AP use the whitelist DB of the local controller, please execute the command:

# aaa authentication-server internal use-local-switch

8. We must make sure that the IP addresses are available in the 
local pool:

#show vpdn l2tp local pool
IP addresses used in pool rap_pool
1 IPs used - 253 IPs free - 254 IPs configured
IP pool allocations / de-allocations - L2TP: 0/0  IKE: 53/2

9. Confirm that the LMS-IP in the AP-group is not pushing the AP to another controller. If we do map the IP addresses, we must make sure, that the destination controller has the local-user-db for the AP with the relevant AP-group.
# ap system-profile < name of the profile >
# no lms-ip.

10. AP will fall in the ap-role when it connects to the controller. Make sure ftp, tftp is allowed in that role, else the AP will not be able to upgrade itself to the Controller's version. Make sure that the ap-role contains the following ACLs:

1         control     session
2         ap-acl      session
3         v6-control  session
4         v6-ap-acl   session