Wireless Access

  • 1.  RAP pool

    Posted Jun 09, 2020 05:37 AM

    I have a controller that has an address pool configured for VIA VPN clients. I want to use a different pool for RAPs. Is there a way to point the RAPs to a different, newly created group rather than the one for the VIA clients? I can't see where to link a VPDN pool to something - I'm assuming it's just used by default - fine if you only have one pool but not if you want to separate them.



  • 2.  RE: RAP pool

    Posted Jun 09, 2020 05:44 AM

    Under your VPN Authentication you have the default role for each service.

     

    (Aruba7030) *[mynode] #  show aaa authentication vpn
    
    VPN Authentication Profile List
    -------------------------------
    Name               References  Profile Status
    ----               ----------  --------------
    default            0
    default-cap        0           Predefined
    default-hp-switch  0           Predefined
    default-iap        0           Predefined
    default-rap        0           Predefined

     
    Then you would assign the IP Pool in question to the User Role:

     

    (Aruba7030) *[mynode] (config) #user-role default-rap
    (Aruba7030) ^*[mynode] (config-submode)#pool l2tp
    STRING                  Pool name

     



  • 3.  RE: RAP pool

    Posted Jun 09, 2020 06:05 AM

    Hmm, the default-rap role doesn't exist (I am running 6.5). Does it get used automatically if I create it?



  • 4.  RE: RAP pool

    Posted Jun 09, 2020 06:19 AM

    The default-cap and default-rap profiles were introduced in ArubaOS 5.0.

     

    Do you have a PEF license installed?



  • 5.  RE: RAP pool

    Posted Jun 09, 2020 06:24 AM

    Currently only the PEFV license for the VIA clients is installed, but I am working on getting licenses; I may need to install temporary ones. I've looked on a licensed controller and the default rap role is not there either. It does show on the show aaa authentication vpn output. Would the RAPs use the default vpn role, which is a configured role?



  • 6.  RE: RAP pool

    Posted Jun 09, 2020 06:40 AM

    OK, I've found this in the RAP VRD -

    The role that is assigned to the RAP after it has established an IPsec connection and after it has successfully authenticated to the controller is dependent on CPsec. If CPsec is disabled on the controller, the RAP is assigned the ap-role (predefined role) for its internal IP address and the logon role to its default IP address (IP address that initiated the IPsec connection). If CPsec is enabled on the controller, it is assigned the sys-ap-role (predefined role) for its internal IP address and the logon role to its default IP address (IP address that initiated the IPsec connection). The default role that is assigned to RAPs is not configurable. VPN address pools can be appended to the ap-role but not to the sys-ap-role.

     

    So I will set the pool in the ap-role and see how it goes.