Controllerless Networks


Help with IAP-VPN setup

  • 1.  Help with IAP-VPN setup

    Posted Jul 27, 2013 06:16 PM

    Hi,

    I'm trying to configure a RAP3 in an IAP-VPN configuration, but I'm having trouble getting my client to get an IP address once the VPN is up.

    I have set up the VPN, which establishes fine.

    I have created a route of 0.0.0.0 0.0.0.0, gateway = public IP of my controller.

    I have created a DHCP scope as centralized L3 with VLAN = 100.

    My WLAN is authentication = Open, IP address assigned from network, VLAN = 100. No access restrictions.

    When my client tries to connect to the SSID being broadcast, it is unable to obtain an IP address.

    Note: I have a number of RAPs (running in RAP mode) terminating on the same controller; they land on the same VLAN (100) and they work fine.

    Any help would be appreciated.

    Thanks



  • 2.  RE: Help with IAP-VPN setup

    EMPLOYEE
    Posted Jul 29, 2013 09:51 AM

    Can you please post your config in a reply?  If you are on the controller, issue the show iap table command.



  • 3.  RE: Help with IAP-VPN setup

    Posted Jul 29, 2013 04:07 PM

    Hi,

    Please find the RAP and controller configs attached. Also, see below the output from show iap table; I've highlighted my RAP.

     

    (uktcnwc3) #show iap table

    Branch Key                                             Index     Status     Inner IP        MAC Address             Subnet
    ----------                                             -----     ------     --------        -----------             ------
    5522637801d5a0352a5f9aa56fdce2d66c3ee361316ad2884c     10        UP         2.2.2.157       d8:c7:c8:c7:46:3b       
    9b528851018450611e02bcccba3eca514876d233200a301666     7         DOWN       0.0.0.0         00:0b:86:83:0b:64       
    7bf4d682015921198f9fb2c2d9694f66c85acd9405733b2557     4         UP         2.2.2.93        6c:f3:7f:ce:3c:e8       
    298ea6dd01054e3fbc8c93eeac0e88ebbf934e3c15745d3e36     6         DOWN       0.0.0.0         24:de:c6:c3:44:21       
    5fdb1d480136333d703517e078adafaa62ac8d86c330466688     1         DOWN       0.0.0.0         00:0b:86:83:0f:06       
    a7496c14010ead593f6c26fa6b48206f58bf83e92b2252d9bf     8         UP         2.2.2.100       6c:f3:7f:ce:3c:78       
    b5e7b8b30119cc2be065c727598e52e705c40f2d656a291be7     0         UP         2.2.2.178       00:0b:86:82:89:80       
    ae5fd86e019a12628350283089fcfdbde6b337a626dc9ec94d     3         UP         2.2.2.91        6c:f3:7f:ce:39:fa       
    eeeaf6e501837241da77e757b4dc38a76b261418b48e0963e0     5         DOWN       0.0.0.0         6c:f3:7f:ce:3c:14       
    87c37e2b014a75b349d27a5f68f54b98e62efcec6a0823fb4c     2         DOWN       0.0.0.0         d8:c7:c8:ce:73:92       

    Attachment(s): rap3cfg.txt (2 KB)


  • 4.  RE: Help with IAP-VPN setup

    Posted Jul 29, 2013 04:23 PM

    Doesn't seem to want to attach my controller config, so pasting it in here:

    (xxxxnwc3) #show run
    Building Configuration...
     
    version 6.2
    enable secret "******"
    enable bypass
    telnet cli
    hostname "xxxxnwc3"
    clock summer-time CDT recurring last sunday march 02:00 last sunday october 02:00 -5

    clock timezone CST -6
    location "Building1.floor1"
    controller config 8
    ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
    ip access-list eth validuserethacl
      permit any
    !
    netservice svc-pcoip2-tcp tcp 4172
    netservice svc-netbios-dgm udp 138
    netservice svc-snmp-trap udp 162
    netservice svc-https tcp 443
    netservice svc-dhcp udp 67 68 alg dhcp
    netservice svc-citrix tcp 2598
    netservice svc-syslog udp 514
    netservice svc-l2tp udp 1701
    netservice svc-ike udp 500
    netservice svc-smb-tcp tcp 445
    netservice svc-ica tcp 1494
    netservice svc-pptp tcp 1723
    netservice svc-sccp tcp 2000 alg sccp
    netservice svc-telnet tcp 23
    netservice svc-lpd tcp 515
    netservice svc-netbios-ssn tcp 139
    netservice svc-sip-tcp tcp 5060
    netservice svc-kerberos udp 88
    netservice svc-tftp udp 69 alg tftp
    netservice svc-pcoip-udp udp 50002
    netservice svc-pcoip-tcp tcp 50002
    netservice svc-http-proxy3 tcp 8888
    netservice svc-noe udp 32512 alg noe
    netservice svc-cfgm-tcp tcp 8211
    netservice svc-adp udp 8200
    netservice svc-pop3 tcp 110
    netservice svc-dns udp 53 alg dns
    netservice svc-rtsp tcp 554 alg rtsp
    netservice svc-msrpc-tcp tcp 135 139
    netservice svc-http tcp 80
    netservice vnc tcp 5900 5905
    netservice svc-h323-udp udp 1718 1719
    netservice svc-h323-tcp tcp 1720
    netservice svc-vocera udp 5002 alg vocera
    netservice svc-http-proxy2 tcp 8080
    netservice svc-sip-udp udp 5060
    netservice svc-nterm tcp 1026 1028
    netservice svc-noe-oxo udp 5000 alg noe
    netservice svc-natt udp 4500
    netservice svc-ftp tcp 21 alg ftp
    netservice svc-microsoft-ds tcp 445
    netservice svc-svp 119 alg svp                    
    netservice svc-smtp tcp 25
    netservice svc-gre 47
    netservice web tcp list "80 443"
    netservice svc-netbios-ns udp 137
    netservice svc-sips tcp 5061 alg sips
    netservice svc-smb-udp udp 445
    netservice svc-ipp-tcp tcp 631
    netservice svc-esp 50
    netservice svc-pcoip2-udp udp 4172
    netservice svc-v6-dhcp udp 546 547
    netservice svc-snmp udp 161
    netservice svc-bootp udp 67 69
    netservice svc-msrpc-udp udp 135 139
    netservice svc-ntp udp 123
    netservice svc-icmp 1
    netservice svc-ipp-udp udp 631
    netservice svc-ssh tcp 22
    netservice svc-v6-icmp 58
    netservice svc-http-proxy1 tcp 3128
    netservice svc-vmware-rdp tcp 3389
    netdestination HOME192_168
      network 192.168.0.0 255.255.0.0
    !
    netdestination CORP-NETS
      network 10.0.0.0 255.0.0.0
      network 10.1.0.0 255.255.0.0
      network 205.203.64.0 255.255.224.0
      network 172.16.0.0 255.240.0.0
    !
    ip access-list session icmp-acl
      any any svc-icmp  permit
    !
    !
    !
    ip access-list session allowall
      any any any  permit
      ipv6  any any any  permit
    !
    !
    ip access-list session w19733-split-tunnel
      any any svc-dhcp  permit
      any any svc-dns  permit
      any   alias CORP-NETS any  permit
      any   alias HOME192_168 any  route src-nat
    !

    !
    ip access-list session iaprole
      any host 172.18.96.226 any  src-nat
    !
    ip access-list session v6-http-acl
      ipv6  any any svc-http  permit
    !
    ip access-list session http-acl
      any any svc-http  permit
    !
    ip access-list session dhcp-acl
      any any svc-dhcp  permit
    ip access-list session ap-uplink-acl
      any any udp 68  permit
      any any svc-icmp  permit
      any host 224.0.0.251 udp 5353  permit
    !
    !
    !
    ip access-list session ap-acl
      any any svc-gre  permit
      any any svc-syslog  permit
      any user svc-snmp  permit
      user any svc-snmp-trap  permit
      user any svc-ntp  permit
      user any svc-ftp  permit
    !
    ip access-list session v6-ap-acl
      ipv6  any any svc-gre  permit
      ipv6  any any svc-syslog  permit
      ipv6  any user svc-snmp  permit
      ipv6  user any svc-snmp-trap  permit
      ipv6  user any svc-ntp  permit
      ipv6  user any svc-ftp  permit
    !
    ip access-list session v6-logon-control
      ipv6  user any udp 68  deny
      ipv6  any any svc-v6-icmp  permit
      ipv6  any any svc-v6-dhcp  permit
      ipv6  any any svc-dns  permit
    !
    ip access-list session h323-acl
      any any svc-h323-tcp  permit queue high
      any any svc-h323-udp  permit queue high
    !                                                 
    aaa derivation-rules user test
    !
    vpn-dialer default-dialer
      ike authentication PRE-SHARE ******
    !
    user-role ap-role
     access-list session control
     access-list session ap-acl
     access-list session v6-control
     access-list session v6-ap-acl
    !
    user-role denyall
    !
    !
    user-role default-vpn-role
     access-list session allowall
     access-list session v6-allowall
    !
    !
    !
    user-role default-via-role
     access-list session allowall
    !
    !
    user-role iaprole
     access-list session iaprole
    !
    user-role stateful-dot1x
    !
    user-role authenticated
     access-list session allowall
     access-list session v6-allowall
    !
    !
    user-role logon
     access-list session logon-control
     access-list session captiveportal
     access-list session vpnlogon
     access-list session v6-logon-control
     access-list session captiveportal6
    !
    !

    controller-ip vlan 96
    interface mgmt                                    
            shutdown
    !

    !
    vlan 6 "Enterprise_VPN"
    vlan 96 "Enterprise_MGMT"
    vlan 100 "RAP_User_VLAN"
    vlan 500
    vlan 999
    vlan 1200
    vlan 1201
    vlan 1202

    no spanning-tree

    interface gigabitethernet 1/0
            description "GE1/0"
            trusted
            trusted vlan 1-4094
            switchport mode trunk
            switchport trunk native vlan 999
            switchport trunk allowed vlan 96,100,500,999,1200-1202
    !

    interface gigabitethernet 1/1
            description "GE1/1"
            shutdown
            trusted vlan 1-4094
    !

    interface gigabitethernet 1/2
            description "GE1/2"
            trusted
            trusted vlan 1-4094                       
            switchport mode trunk
            switchport trunk native vlan 999
            switchport trunk allowed vlan 6,999
    !

    interface gigabitethernet 1/3
            description "GE1/3"
            shutdown
            trusted vlan 1-4094
            switchport access vlan 1203
    !

    interface vlan 96
            ip address 172.18.96.106 255.255.252.0
    !

    interface vlan 1
            shutdown
    !

    interface vlan 6
            ip address 213.62.87.102 255.255.255.224
    !

    interface vlan 100
            ip address 172.18.100.240 255.255.254.0
            ip helper-address 172.18.96.226
    !

    master-redundancy
      master-vrrp 96
      peer-ip-address 172.18.96.107 ipsec 95f55f5a6f3f4c952fe4aef4b07746a7d8928663746e2935
    !
    vrrp 66
      priority 120
      ip address 213.62.87.104
      vlan 6
      preempt delay 1
      no shutdown
    !
    vrrp 96
      priority 120
      ip address 172.18.96.108
      vlan 96
      no shutdown
    !
    ip default-gateway 213.62.87.97
    ip route 205.203.64.0 255.255.224.0 172.18.96.254
    ip route 10.1.0.0 255.255.0.0 172.18.96.254
    ip route 10.0.0.0 255.0.0.0 172.18.96.254
    ip route 172.16.0.0 255.240.0.0 172.18.96.254
    uplink disable


    !

    crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
    crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
    crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
    crypto dynamic-map default-dynamicmap 10000
      set transform-set "default-transform" "default-aes"
    !

    crypto isakmp eap-passthrough eap-tls
    crypto isakmp eap-passthrough eap-peap
    crypto isakmp eap-passthrough eap-mschapv2

    ip local pool "RAP-Inner-IP-Pool" 1.1.1.1 1.1.1.254
    ip local pool "iap-vpn-pool" 2.2.2.1 2.2.2.254
    vpdn group l2tp
    !

     
     

    !



    mgmt-user admin root 8853a8fb01c9c550921b62f464f6ca84e3e92234ef667aeb0a



    ip domain lookup
    ip domain-name xxx.com
    !
    ip name-server 172.18.96.226
    !
    country GB
    aaa authentication mac "default"
    !
    aaa authentication dot1x "default"
       no validate-pmkid
    !
    aaa authentication dot1x "global-802.1x auth profile"
    !
    aaa authentication-server radius "xxxxndc0"
       host "172.18.96.226"
       key be5605ea8ab56270c06269c07517db341b2f8a0de2b5fdbd
    !
    aaa authentication-server radius "ustwndc3"
       host "10.1.32.205"
       key 166e2a04393ae689e86bf1e95958fb3b1e52de76c4b25b28
    !
    aaa authentication-server tacacs "ustccsec2"
       host "10.1.96.150"
       key f7949e746c34b577885d0dd3ee9b4e969a88c2733c593a49
    !
    aaa authentication-server tacacs "ustwa010"
       host "10.1.32.146"
       key feb2b0030329a715ff744ddec0294f0ea4d04c13de703c1f
    !
    !
    aaa server-group "default"
     auth-server Internal
     set role condition role value-of
    !
    aaa profile "default"
    !
    !

    aaa authentication vpn "default"
       no cert-cn-lookup
    !
    aaa authentication vpn "default-iap"
       no cert-cn-lookup
    !
    aaa authentication vpn "default-rap"
    !
    aaa authentication mgmt
       server-group "xxx-tacacs-server-group"
       enable
    !
    aaa password-policy mgmt
    !
    control-plane-security
    !
    !
    ap system-profile "default"
    !
    ap system-profile "emea-rap-ap-sys-profile"
       lms-ip 213.62.87.104
       bkup-lms-ip 217.33.23.200
       number_ipsec_retries 20
    !
    ap regulatory-domain-profile "default"
       country-code GB
       valid-11g-channel 1
       valid-11g-channel 6
       valid-11g-channel 11
       valid-11a-channel 36
       valid-11a-channel 40
       valid-11a-channel 44
       valid-11a-channel 48
       valid-11a-channel 52
       valid-11a-channel 56
       valid-11a-channel 60
       valid-11a-channel 64
       valid-11a-channel 100
       valid-11a-channel 104
       valid-11a-channel 108
       valid-11a-channel 112
       valid-11a-channel 116
       valid-11a-channel 120
       valid-11a-channel 124
       valid-11a-channel 128
       valid-11a-channel 132
       valid-11a-channel 136
       valid-11a-channel 140
       valid-11g-40mhz-channel-pair 1-5
       valid-11g-40mhz-channel-pair 7-11
       valid-11a-40mhz-channel-pair 36-40
       valid-11a-40mhz-channel-pair 44-48
       valid-11a-40mhz-channel-pair 52-56
       valid-11a-40mhz-channel-pair 60-64
       valid-11a-40mhz-channel-pair 100-104
       valid-11a-40mhz-channel-pair 108-112
       valid-11a-40mhz-channel-pair 116-120
       valid-11a-40mhz-channel-pair 124-128
       valid-11a-40mhz-channel-pair 132-136
    !
    ap wired-ap-profile "default"
    ap enet-link-profile "default"
    !
    ap mesh-ht-ssid-profile "default"
    !
    ap lldp med-network-policy-profile "default"
    !
    ap mesh-cluster-profile "default"
    !
    ap lldp profile "default"
    !
    ap mesh-radio-profile "default"
    !
    !
    ap wired-port-profile "default"
    !
    ids general-profile "default"
    !
    ids rate-thresholds-profile "default"
    !
    ids signature-profile "default"
    !
    ids impersonation-profile "default"
    !
    ids unauthorized-device-profile "default"
    !
    ids signature-matching-profile "default"
       signature "Deauth-Broadcast"
       signature "Disassoc-Broadcast"
    !
    ids dos-profile "default"
    !
    ids profile "default"
    !
    rf arm-profile "arm-maintain"
       assignment maintain
       no scanning
    !
    rf arm-profile "arm-scan"
    !
    rf arm-profile "default"
       no scanning
    !
    rf optimization-profile "default"
    !
    rf event-thresholds-profile "default"
    !
    rf am-scan-profile "default"
    !
    rf dot11a-radio-profile "802.11a-xxx-radio-profile"
       tx-power 127
       slb-mode radio
    !
    rf dot11a-radio-profile "default"
    !
    !
    rf dot11a-radio-profile "rp-maintain-a"           
       arm-profile "arm-maintain"
    !
    rf dot11a-radio-profile "rp-monitor-a"
       mode am-mode
    !
    rf dot11a-radio-profile "rp-scan-a"
       arm-profile "arm-scan"
    !
    rf dot11g-radio-profile "default"
    !
    !
    !
    rf dot11g-radio-profile "rp-maintain-g"
       arm-profile "arm-maintain"
    !
    rf dot11g-radio-profile "rp-monitor-g"
       mode am-mode
    !
    rf dot11g-radio-profile "rp-scan-g"
       arm-profile "arm-scan"
    !
    wlan handover-trigger-profile "default"
    !
    wlan rrm-ie-profile "default"
    !
    wlan bcn-rpt-req-profile "default"
    !
    wlan tsm-req-profile "default"
    !
    wlan voip-cac-profile "default"
    !
    wlan ht-ssid-profile "default"
    !
    wlan ht-ssid-profile "guest-htssid_prof"
    !
    !
    wlan edca-parameters-profile station "default"
    !
    wlan edca-parameters-profile ap "default"
    !
    wlan dot11k-profile "default"
    !
    wlan ssid-profile "default"
    !
    wlan virtual-ap "default"
    !
    !
    ap provisioning-profile "default"
    !
    !
    rf arm-rf-domain-profile
       arm-rf-domain-key "c90d9172fa3158ef0f0618f6b8b5a8cc"
    !
    ap spectrum local-override                        
    !
    !

    process monitor log
    end



  • 5.  RE: Help with IAP-VPN setup

    EMPLOYEE
    Posted Jul 29, 2013 04:38 PM
    In your session access list "iaprole", you have a source NAT policy but no permit ip any any.
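
    Added here as an illustration, not code from this thread or from Aruba: a small Python checker that parses the ip access-list session stanzas of an ArubaOS running config and reports every ACL with no catch-all "any any any permit", the gap the reply above points out in "iaprole". The sample config is constructed from the stanzas pasted in this thread; the stanza layout it assumes (unindented headers, indented rules, "!" terminators) is taken from that paste.

```python
"""Report ArubaOS session ACLs that lack a catch-all permit.

Sample input is constructed from the stanzas pasted in this thread.
Traffic no rule matches falls to the ACL's implicit deny, so an ACL
made only of src-nat / route rules silently drops everything else.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
ip access-list session allowall
  any any any  permit
  ipv6  any any any  permit
!
ip access-list session iaprole
  any host 172.18.96.226 any  src-nat
!
ip access-list session w19733-split-tunnel
  any any svc-dhcp  permit
  any any svc-dns  permit
  any   alias CORP-NETS any  permit
  any   alias HOME192_168 any  route src-nat
!
"""

# Stanza headers start at column 0 in 'show run' output (assumed layout).
HEADER = re.compile(r"^ip access-list session (\S+)")


def parse_session_acls(config: str) -> Dict[str, List[str]]:
    """Map each 'ip access-list session NAME' stanza to its rule lines."""
    acls: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        m = HEADER.match(raw)
        if m:                       # new stanza
            current = m.group(1)
            acls[current] = []
        elif raw.startswith("!") or not raw.strip():
            current = None          # '!' or a blank line ends the stanza
        elif current is not None and raw.startswith(" "):
            acls[current].append(raw.strip())
    return acls


def is_permit_any(rule: str) -> bool:
    """True for 'any any any permit', with or without an 'ipv6' prefix."""
    toks = rule.split()
    if toks and toks[0] == "ipv6":
        toks = toks[1:]
    return toks[:3] == ["any", "any", "any"] and "permit" in toks[3:]


def acls_missing_permit_any(config: str) -> List[str]:
    """Names of ACLs whose rules never include a catch-all permit."""
    return [name for name, rules in parse_session_acls(config).items()
            if rules and not any(is_permit_any(r) for r in rules)]


if __name__ == "__main__":
    for name in acls_missing_permit_any(SAMPLE_CONFIG):
        count = len(parse_session_acls(SAMPLE_CONFIG)[name])
        print(f"{name}: {count} rule(s), no 'any any any permit'; "
              "unmatched traffic hits the implicit deny")
```

    Running it on the sample flags "iaprole" (the ACL from the thread) and the split-tunnel ACL, whose last rule only steers the home subnet.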


  • 6.  RE: Help with IAP-VPN setup

    Posted Jul 29, 2013 05:09 PM

    Hi,

    I've added the permit rule now, but it's still not working.

    A couple of things to mention:

    If I issue a "show user-table" on the controller, I see this:

    (uktcnwc3) #show user-table

    Users
    -----
        IP               MAC            Name              Role              Age(d:h:m)  Auth    VPN link      AP name      Roaming   Essid/Bssid/Phy                         Profile                            Forward mode  Type
    ----------      ------------       ------             ----              ----------  ----    --------      -------      -------   ---------------                         -------                            ------------  ----

    2.2.2.191       00:00:00:00:00:00  00:0b:86:82:89:80  default-vpn-role  00:00:02    VPN     81.129.3.192  N/A                                                                                               tunnel   

    Also, when following the configuration guide, it says to add the following:

    (host) (VPN Authentication Profile "default-iap") #server-group default
    (host) (VPN Authentication Profile "default-iap") #default-role iaprole

    On my controller, I don't have the option for "default-role iaprole". These are my options:

    (uktcnwc3) (VPN Authentication Profile "default-iap") #?
    cert-cn-lookup          Check certificate common name against AAA server.  
                            Default is enabled.
    clone                   Copy data from another VPN Authentication Profile
    max-authentication-fa.. Maximum auth failures before user is blacklisted.
                            Range: 1-10. Default: 0.
    no                      Delete Command
    server-group            Name of server group

    I'm running 6.1.3.8, but I thought that version of code supported this type of functionality.

    Thanks for your help.



  • 7.  RE: Help with IAP-VPN setup

    EMPLOYEE
    Posted Jul 29, 2013 05:12 PM
    You need the PEF-V license to change that role.

    Can you try replacing the 0.0.0.0 route with one for the corporate network?


  • 8.  RE: Help with IAP-VPN setup

    Posted Jul 29, 2013 05:32 PM

    No luck.

    I removed the 0.0.0.0 route and replaced it with:

    172.16.0.0 255.240.0.0 213.62.87.104

    My DHCP server is 172.18.96.226.

    Still not getting an IP address.



  • 9.  RE: Help with IAP-VPN setup

    EMPLOYEE
    Posted Jul 29, 2013 06:32 PM

    Can you configure a static IP on the client and test? It must be something I'm missing here... If that doesn't work, please consider opening a support case.



  • 10.  RE: Help with IAP-VPN setup

    Posted Jul 29, 2013 06:38 PM

    Hi,

    Thanks for taking the time to help me. I did try the static IP, but that didn't help either. Looks like I'll go down the TAC route.

    Thanks again.