I do have the RAP in the whitelist with an AP Group of Remote-AP-Group, and I have the IPsec address pool (called RAP); this is a subset of addresses, 172.17.0.10-20, on the same subnet as the controller, 172.17.0.0/24, VLAN 1.
Not sure if this is helpful, but just to give a summary of what I have:
Set up a Remote-AP-Group, which has a VAP with VLAN 17
The Internal DB has a user rapuser with ap-role
ap-role has VLAN 1 with an L2TP pool of RAP
However, when I connect the RAP to the controller directly, it picks up 172.17.0.51, but the RAP does not provision. Really not sure what I am missing here.
Ideally, what I want to do is have multiple RAPs on different remote sites, with different subnets for staff and again a different subnet for guests.