Below is a simplified version of how it goes:
1. Instant/Unified AP boots up and gets an IP address from the local LAN.
2. Before any type of local discovery like ADP/DNS or DHCP options occurs, the AP attempts to reach the Activate server. This also explains why, if someone purchases an IAP on eBay and there is an Activate rule, or the IAP is part of Central, even factory resetting the AP means it will always point back to Activate for instructions.
3. If there is a rule in Activate for that device, that rule is processed; whether it is to convert to RAP with a controller public IP address or to point to AirWave, the AP is redirected to the device specified. Accordingly, if that IAP has been added to Central, the device opens a connection to Central and follows the rules specified in Central.
4. If the Activate instruction is to convert to RAP, the Instant AP will attempt to convert to a RAP by contacting the controller's IP address and attempting to convert. The MD MUST already have the MAC address of that IAP whitelisted for the Instant AP to connect and successfully convert to a RAP. The whitelist entries for RAPs (MAC address, ap-name and ap-group) can be configured solely in the MM/MD infrastructure, or the MAC address, ap-name and ap-group can be contained in ClearPass and the MD will just point to ClearPass for whitelist authentication. A third option is where the names, MAC addresses and ap-groups of devices are maintained in Activate and ClearPass synchronizes those periodically, and the MD still "authenticates" IAPs that want to convert using the synchronized whitelist.
5. The IAP connects to the MD and obtains an "inner" IP address that does not have to be routable. It then upgrades its firmware and converts to a RAP.
6. The AP's name and ap-group become whatever is listed in the RAP whitelist, whether the whitelist is in the MM, in ClearPass, or in ClearPass synchronized from Activate.
7. The IAP reboots, is converted to a RAP and reconnects to the MD. Its name would be whatever it is in the whitelist, along with the ap-group specified.
This is the way the flow is supposed to occur:
1. Instant APs are purchased by a customer.
2. Aruba knows which customer you are and the MAC address of the Instant AP is added to Activate automatically.
3. Out of the box, the IAP is in a folder on Activate with no rules, so booting it up checks Activate, but skips Activate and does regular local discovery.
4. The customer admin knows that an IAP will be shipped, so he searches for the MAC address in Activate, names the AP and puts it into the correct AP group. He also puts the AP in a folder that has a "convert to RAP" rule.
5. ClearPass periodically synchronizes the whitelist from Activate along with the names and ap-groups of APs.
6. The Instant AP is shipped to the end-user, who plugs it in.
7. The Instant AP contacts Activate, and Activate sees that the folder the IAP is in has a convert-to-RAP rule.
8. The Instant AP goes to the IP address of the MD it receives from the Activate rule.
9. The MD looks up the IAP's MAC address in ClearPass and allows it to connect. The firmware is upgraded, and the AP is named and put into the AP-group, based on what is in ClearPass.
10. The AP reboots and becomes a RAP.
Theoretically, you can have all of your helpdesk manage all of your Instant APs that you want converted into RAPs in Activate. If there is any problem with a RAP at someone's house, the helpdesk can walk the end-user through physical connections and the factory reset procedure, and the RAP will obtain all of its correct information all over again.
I hope any of that helps.
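An added example, not part of the original post and not Aruba code: a reconciliation check for the third whitelist option, where Activate is the source and ClearPass holds the synchronized copy the MD authenticates against. The record layout, the rule label `convert-to-rap` and all sample devices are constructed assumptions, to be fed from whatever exports you have.

```python
import re

def norm_mac(mac):
    """Normalize aa:bb:.., AA-BB-.. or aabb.ccdd.eeff to lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(activate_devices, whitelist):
    """Compare an Activate inventory export with the RAP whitelist the MD consults.
    Record layout (mac, name, ap_group, rule) is hypothetical, not a vendor format."""
    wl = {norm_mac(e["mac"]): e for e in whitelist}
    out = {"will_fail_conversion": [], "attribute_drift": [], "stale_whitelist": []}
    seen = set()
    for dev in activate_devices:
        mac = norm_mac(dev["mac"])
        seen.add(mac)
        entry = wl.get(mac)
        if dev["rule"] == "convert-to-rap":
            if entry is None:
                # The MD must already have the MAC whitelisted to convert.
                out["will_fail_conversion"].append(mac)
            elif (entry["name"], entry["ap_group"]) != (dev["name"], dev["ap_group"]):
                # The RAP takes its name and ap-group from the whitelist copy.
                out["attribute_drift"].append(mac)
        elif entry is not None:
            # Whitelisted, but no Activate rule sends this device to the MD.
            out["stale_whitelist"].append(mac)
    # Whitelisted MACs that the Activate export does not contain at all.
    out["stale_whitelist"] += sorted(set(wl) - seen)
    return out

# Constructed sample data (not real devices).
ACTIVATE = [
    {"mac": "AA:BB:CC:00:00:01", "name": "rap-smith", "ap_group": "home", "rule": "convert-to-rap"},
    {"mac": "aabb.cc00.0002", "name": "rap-jones", "ap_group": "home", "rule": "convert-to-rap"},
    {"mac": "aa-bb-cc-00-00-03", "name": "rap-lee", "ap_group": "home", "rule": "convert-to-rap"},
    {"mac": "aa:bb:cc:00:00:04", "name": "", "ap_group": "", "rule": None},
]
WHITELIST = [
    {"mac": "aabbcc000001", "name": "rap-smith", "ap_group": "home"},
    {"mac": "aa:bb:cc:00:00:02", "name": "rap-jones", "ap_group": "branch"},
    {"mac": "aa:bb:cc:00:00:04", "name": "rap-old", "ap_group": "home"},
    {"mac": "aa:bb:cc:00:00:09", "name": "rap-gone", "ap_group": "home"},
]
if __name__ == "__main__":
    for category, macs in reconcile(ACTIVATE, WHITELIST).items():
        print(category, macs)
```

Entries under `stale_whitelist` are worth reviewing first, since they are MAC addresses the MD would still accept even though Activate no longer directs any device to it.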