This article explains the method to statically assign the inner IP address to a RAP.
Usually, a RAP is assigned an inner IP address through the L2TP pool configured under VPN services on the controller. However, there may be a requirement to assign static inner IP addresses to the RAPs for better tracking and ease of use.
In general, during IKE negotiation, the ISAKMPd process queries AUTH module on the controller for the name of the AP-Group to which the RAP will belong to. In addition to the AP-Group name, AUTH will also respond with the value of the IP-Address column if it is configured. For legacy RAPs, IKE queries local-userdb via AUTH and for RAPs with certificates, IKEd will query the whitelist via AUTH module.
If ISAKMPd receives an IP address value in the response from AUTH, it will use this value as the inner-IP-Address of the IPSEC tunnel. Otherwise, it will allocate a dynamic IP-address from the local IP-pool.
Environment : This article applies to all controller models and APs and versions 5.0 or higher.
For legacy RAPs:
Through GUI:
- Navigate to Configuration> Authentication> Internal Database
- Click “Add user”
- Add the RAP mac address and the inner IP address
- Click “Apply”
Through CLI:
For RAP with certificate:
Through GUI:
- Navigate to Configuration> AP Installation> RAP Whitelist
- Add the RAP mac address and the inner IP address
Through CLI:
