#show aaa authentication vpn "default-rap"

    VPN Authentication Profile "default-rap" (Predefined (changed))
    ---------------------------------------------------------------
    Parameter                                          Value
    ---------                                          -----
    Server Group                                       default
    Max Authentication failures                        0
    Check certificate common name against AAA server   Enabled

6. Confirm that "Check certificate common name against AAA server" is enabled in the output above. Otherwise the controller will not check the CN of the certificate presented by the RAP (which contains the RAP's wired MAC address). If this is disabled, the RAP will come up in the default group without its entry being present in the local-userdb-ap.

7. A local controller checks the whitelist DB from the master controller. Confirm that the MAC address is present in the master controller. If the master-local connectivity is lost, the APs will no longer come up. To make an AP use the whitelist DB of the local controller, execute the command:

    # aaa authentication-server internal use-local-switch

8. We must make sure that IP addresses are available in the local pool:

    #show vpdn l2tp local pool
    IP addresses used in pool rap_pool
            192.168.1.3
    Total:-
     1 IPs used - 253 IPs free - 254 IPs configured
    IP pool allocations / de-allocations - L2TP: 0/0 IKE: 53/2

9. Confirm that the LMS-IP in the AP-group is not pushing the AP to another controller. If we do map the IP addresses, we must make sure that the destination controller has the local-user-db entry for the AP with the relevant AP-group.

    # ap system-profile <name of the profile>
    # no lms-ip

10. The AP will fall into the ap-role when it connects to the controller. Make sure FTP and TFTP are allowed in that role, otherwise the AP will not be able to upgrade itself to the controller's version. Make sure that the ap-role contains the following ACLs:

    1 control session
    2 ap-acl session
    3 v6-control session
    4 v6-ap-acl session
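The checks in steps 6, 8 and 10 above can be run over saved CLI output, as in this added example (not part of the original article or any vendor tool). The function names are hypothetical, the sample captures are constructed from the output shown on this page, and the list of ACLs in the ap-role is assumed to be collected by the operator.

```python
import re

# Constructed sample captures, modelled on the output shown on this page.
VPN_PROFILE = '''\
VPN Authentication Profile "default-rap" (Predefined (changed))
Parameter                                          Value
Server Group                                       default
Max Authentication failures                        0
Check certificate common name against AAA server   Enabled
'''
L2TP_POOL = '''\
IP addresses used in pool rap_pool
        192.168.1.3
Total:-
 1 IPs used - 253 IPs free - 254 IPs configured
'''
REQUIRED_ACLS = ("control", "ap-acl", "v6-control", "v6-ap-acl")  # step 10

def cn_check_enabled(text):
    """Step 6: True only if the CN-against-AAA check reads Enabled."""
    m = re.search(r"Check certificate common name against AAA server\s+(\S+)", text)
    return bool(m) and m.group(1).lower() == "enabled"

def pool_free(text):
    """Step 8: map each pool name to its count of free addresses."""
    pools, name = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*IP addresses used in pool (\S+)", line):
            name = m.group(1)
        elif name and (m := re.search(r"(\d+) IPs used - (\d+) IPs free", line)):
            pools[name] = int(m.group(2))
    return pools

def missing_acls(role_acls):
    """Step 10: required session ACLs that are absent from the ap-role."""
    return [a for a in REQUIRED_ACLS if a not in role_acls]

def audit(vpn_text, pool_text, role_acls):
    # Collect one finding per failed check; an empty list means all passed.
    findings = []
    if not cn_check_enabled(vpn_text):
        findings.append("CN check disabled: RAP can join default group without a whitelist entry")
    findings += [f"pool {p} exhausted" for p, free in pool_free(pool_text).items() if free == 0]
    findings += [f"ap-role missing ACL {a}" for a in missing_acls(role_acls)]
    return findings

if __name__ == "__main__":
    print(audit(VPN_PROFILE, L2TP_POOL, ["control", "ap-acl"]) or "no findings")
```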
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.