Aruba Employee

When we provision a RAP using zero-touch provisioning, we sometimes get an error after provisioning:


The RAP will not come up on the controller after that. There will be no ISAKMP SA or IPsec SA for that RAP, and we will not see any 4500 traffic for that RAP.

This article will help you solve the problem.




a. Any MIPS Aruba controller (600, 3000, M3 and 7200 series) running 5.x and above.

b. Any Aruba AP provisioned as a RAP using cert-based authentication.


a. When a RAP configured for zero-touch provisioning connects to a controller, it presents a certificate (a TPM-based certificate) to the Aruba controller as part of the IKE authentication.

b. The certificate presented by the RAP has a common name which is equal to the wired MAC address of the RAP.

c. The controller checks this common name against its localuserdb-ap. This database is the RAP whitelist, which decides which RAPs can come up on the controller.

d. Aruba supports cert-based authentication if the server group is internal. If it is an external server, then the authentication will fail.

e. An external server is supported only when we are using PSK-based authentication for Remote APs.



To verify using the CLI:

 #show aaa authentication  vpn "default-rap"

VPN Authentication Profile "default-rap" (Predefined (changed))
Parameter                                         Value
---------                                         -----
Server Group                                      default
Max Authentication failures                       0
Check certificate common name against AAA server  Enabled

Make sure that the server group is default / internal.

aaa authentication vpn "default-rap"
  server-group "internal"

aaa authentication vpn "default-rap"
  server-group "default"
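
A troubleshooting helper for the checks above, as an added example that is not part of the original article or of Aruba's tooling: it parses the show aaa authentication vpn output and reports whether the server group or a missing whitelist entry would block a cert-based RAP. The server group name radius-ext, the MAC addresses and the function names are constructed for illustration, and the whitelist is assumed to be available as a list of MAC strings.

```python
import re

# Server groups the article names as valid for cert-based RAP authentication.
ALLOWED_GROUPS = {"default", "internal"}

def parse_profile(output):
    """Return {parameter: value} from the table in the show-command output."""
    params, in_table = {}, False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-+\s+-+", line):      # separator row under "Parameter  Value"
            in_table = True
        elif in_table and line:
            parts = re.split(r"\s{2,}", line, maxsplit=1)
            if len(parts) == 2:
                params[parts[0]] = parts[1]
    return params

def norm_mac(mac):
    """Reduce a MAC to 12 lowercase hex digits so different notations compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def triage_rap(profile_output, rap_wired_mac, whitelist_macs):
    """Return reasons a cert-based RAP would be rejected (empty list = none found)."""
    findings = []
    group = parse_profile(profile_output).get("Server Group")
    if group is None:
        findings.append("Server Group not found in profile output")
    elif group not in ALLOWED_GROUPS:
        findings.append(f"server group {group!r} is not default/internal")
    # The certificate common name equals the RAP's wired MAC, so compare that.
    if norm_mac(rap_wired_mac) not in {norm_mac(m) for m in whitelist_macs}:
        findings.append(f"{rap_wired_mac} is not in the RAP whitelist")
    return findings

# Constructed sample: the article's output with a hypothetical external group.
SAMPLE = """\
 #show aaa authentication  vpn "default-rap"
VPN Authentication Profile "default-rap" (Predefined (changed))
Parameter                                         Value
---------                                         -----
Server Group                                      radius-ext
Max Authentication failures                       0
Check certificate common name against AAA server  Enabled
"""

if __name__ == "__main__":
    print(triage_rap(SAMPLE, "02:00:00:00:00:01", ["02-00-00-00-00-02"]))
```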


Using GUI:








Version history
Revision #:
1 of 1
Last update:
‎07-02-2014 02:38 PM