How can we assign the inner IP address to a Remote AP (RAP) statically?

Aruba Employee
Aruba Employee

This article explains the method to statically assign the inner IP address to a RAP.


Usually, a RAP is assigned an inner IP address through the L2TP pool configured under VPN services on the controller. However, there may be a requirement to assign static inner IP addresses to the RAPs for better tracking and ease of use.

In general, during IKE negotiation, the ISAKMPd process queries AUTH module on the controller for the name of the AP-Group to which the RAP will belong to.  In addition to the AP-Group name, AUTH will also respond with the value of the IP-Address column if it is configured. For legacy RAPs, IKE queries local-userdb via AUTH and for RAPs with certificates, IKEd will query the whitelist via AUTH module.

If ISAKMPd receives an IP address value in the response from AUTH, it will use this value as the inner-IP-Address of the IPSEC tunnel.  Otherwise, it will allocate a dynamic IP-address from the local IP-pool.


Environment : This article applies to all controller models and APs and versions 5.0 or higher.



For legacy RAPs:

Through GUI:

  1. Navigate to Configuration> Authentication> Internal Database
  2. Click “Add user
  3. Add the RAP mac address and the inner IP address
  4. Click “Apply




Through CLI:


rtaImage (1).png



For RAP with certificate:

Through GUI:

  1. Navigate to Configuration> AP Installation> RAP Whitelist
  2. Add the RAP mac address and the inner IP address


rtaImage (2).png



Through CLI:


rtaImage (3).png



Version history
Revision #:
1 of 1
Last update:
‎07-09-2014 09:44 AM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: