Question: Why are RAP 2 or RAP 5 unable to use zero touch provisioning to connect to A3000 and M3 controllers that run RN-3.1.5 to RN-3.1.12?
Product and Software: This article applies to RAP 2 or RAP 5 in A3000 and M3 controllers that run RN-3.1.5 and later.
Problem: Sometimes the RAP2/5 cannot be provisioned using zero touch provisioning against A3000 and M3 controllers that run RN-3.1.5 to RN-3.1.12.
Remote AP VPN User Role Example
ip access-list session rap_acl
any any svc-papi permit
any any svc-gre permit
any alias controller svc-tftp permit
any alias controller svc-ftp permit
aaa authentication vpn
Solution / Workaround
Add a rule to the example rap_acl to permit udp 8209.
netservice svc-sec-papi udp 8209
any any svc-ntp permit
any any svc-syslog permit
any any svc-sec-papi permit
A RAP2/RAP5 that has booted up with ArubaOS 5.0 can set up its IPsec tunnel to the RN controller and get an inner IP. However, it then communicates with the controller using secure PAPI (udp 8209). If this port is blocked by the VPN user role, the RAP5/2 continues to fail. Allow the RAP to communicate on this port so that the RAP can downgrade its code.
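To confirm the fix on a saved configuration, the check below reports what a session ACL does with udp 8209. It is an added example, not part of the original article or Aruba's tooling; the function names and the sample configuration text are constructed for illustration, and source/destination fields are not evaluated.

```python
import re

# Constructed sample config modelled on the article's rap_acl (not from a real controller).
FIXED = """\
netservice svc-sec-papi udp 8209
ip access-list session rap_acl
  any any svc-papi permit
  any any svc-gre permit
  any alias controller svc-tftp permit
  any alias controller svc-ftp permit
  any any svc-ntp permit
  any any svc-syslog permit
  any any svc-sec-papi permit
"""
# The same ACL without the netservice definition and the rule that uses it.
BROKEN = "\n".join(l for l in FIXED.splitlines() if "svc-sec-papi" not in l)

def netservices(config):
    """Map each 'netservice <name> <tcp|udp> <port> [<port>]' line to (proto, low, high)."""
    pat = re.compile(r"^[ \t]*netservice[ \t]+(\S+)[ \t]+(tcp|udp)[ \t]+(\d+)(?:[ \t]+(\d+))?[ \t]*$", re.M)
    return {n: (p, int(lo), int(hi or lo)) for n, p, lo, hi in pat.findall(config)}

def first_match(config, acl, proto="udp", port=8209):
    """Action of the first rule in `acl` whose service covers proto/port, else None.
    Assumption: a service name with no netservice line in `config` never matches."""
    services, inside = netservices(config), False
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "session"]:
            inside = tok[3:] == [acl]
            continue
        action = next((t for t in tok if t in ("permit", "deny")), None)
        if not inside or action is None:
            inside = inside and not tok   # any non-rule, non-blank line ends the ACL block
            continue
        spec = tok[:tok.index(action)]    # <source> <destination> <service>
        if len(spec) < 3:
            continue
        if spec[-1] == "any":             # service "any" covers every port
            return action
        if spec[-1].isdigit():            # inline form, e.g. "any any udp 8209 permit"
            idx = max((i for i, t in enumerate(spec) if t in ("tcp", "udp")), default=None)
            ports = [int(t) for t in spec[idx + 1:] if t.isdigit()] if idx is not None else []
            rng = (spec[idx], ports[0], ports[-1]) if ports else None
        else:
            rng = services.get(spec[-1])  # named service defined by a netservice line
        if rng and rng[0] == proto and rng[1] <= port <= rng[2]:
            return action
    return None                           # no rule in this ACL matched udp 8209
```

A result of `None` or `"deny"` for the ACL attached to the RAP's VPN user role corresponds to the failure described above.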
© Copyright 2020 Hewlett Packard Enterprise Development LP All Rights Reserved.