Wireless Access

HI,

I'm after some help setting up a AP105 as a RAP.

I work for a small networking company and we have recently opened up a second office with 2 staff working out of it so rather than using a traditional VPN we want to use a RAP to allow for guest WIFI in the office.

From what I understand the best setup for the staff SSID would be a split tunnel, allowing all corporate traffic to be sent back through the IPSEC tunnel and anything else to be sent out through the local internet connection in the office, and then I could setup a bridged SSID for guest access?

We have an old 800 controller in the office but the guy who set it up originally did it a bit backward and now every time I try and add the PEF license (from my understanding needed for RAP's) it decides everyone is unauthorized and kicks them off the wireless. To get around this during the testing phase I am using our 620 controller from our demo kit, I have applied the PEFNG and PEFV (again from my understanding both needed) to the controller and when I'm testing it at night I am disconnecting out 800 and patching in the 620 to our network. I have forwarded UDP4500 to the controllers address but I can't get the RAP to connect.

I'm using a 105 so as I understand it I don't have to add it in to the RAP whitelist because it doesn't support cert based authorization (I'm mainly saying this because it won't let me add the 105's MAC to the whitelist). I have configured the controller using a guide I was given but I still can't get a connection.

Any help you could give me would be greatly appreciated.

Thanks,

Mike.

Hi,

Let's start give u some details | and try to assist you. :smileyhappy:

*Splittunnel mode  - it's a good option when deploying an RAP in order to give the clients the ability to go out locally for different services  = src-nat in the fw rules.

*bridge  mode - it's a good option when deploying a RAP and you would like to give clients access to local resources in the branch location without passing the traffic trough the controller at all . (if it's for guest network...you will not be able to do captive portal on bridge mode - because it's l3 auth..And in bridge mode all client traffic doesn't arriving to the tunnel or the controller itself at all)

 *use just the PEFNG you don't need PEFV installed also in order to enable RAP support* (if using AOS 5.X or above)

The rap whitelist is only for RAP units (RAP2/3/5/108/109) - if you would like to use cert auth to the ap..u can > u need to enable control plane security ,and allow this AP-105 to connect to the controller.

The other method is user+pass+secret. (all u need to know is screenshots and explained in rest of the post)

 :smileyindifferent: Lets see if u configured everything right on your controller?

configuration>vpn services.

did u created an address pool for the raps?

Did u created a secret?

configuration>AAA>internal db

did u created a user for the rap unit with an ap-role?

configuration>ap installation

when u provisioned the rap unit in front of the controller - did u entered the external IP of the controller (the vlan IP address of the controller)

did u mark the ap to be a Remote ap ,and also entered the secret + user + password?

please do print screens of your vpn services page | internal db page | ap providing page of the specific rap you are trying to connect.

*don't forget to press apply on any needed page on the GUI + save configuration in the end.

here is the two ports that should be open/forwarded:

update me if it's helped .

HI,

Thanks for getting back to me so quickly.

In terms of configuration I have set up a VLAN for devices attached to the RAP (in this case VLAN 21) but have not assigned an IP range to it. I have set a user role and firewall role for the clients connecting to the RAP and a AP system  profile with the LMS IP as the public IP of our office. I have then applied all of these to a new AP group I created for the RAP's. I have UDP4500 pointed to the controllers IP and when testing at home have allowed IPSEC traffic through my firewall.

The only thing I hadn't done was turn on the control plane security (which I have now done) but when I configured the AP originally I did it using the secret, User & Password.

My VPN service is configured as below. As I understand it the RAP Pool can be anything?

I used the autogenerate for the username and password on the provisioning page which enters it in to the internal DB automatically. I have just re-provisioned the AP using the below setting. Excuse the multiple pictures, I'm using a netbook to configure the controller so the screen size is limited.

Control Plane Security is not for RAPs.  It is mainly to allow Campus APs to do bridging on wired and wireless.

Here is what is supported:

If you have a 620 with AP105s, certificate-based RAP provisioning is supported.  No need for IKE Preshared and username and password.  This is because the 600 series, 3000 series and M3 support certificate-based RAP provisioning, and so does the AP105.

If you have an 800 with ANY type of AP, only IKE preshared and username and password is supported.  This is because the 800 does not support any certificate-based provisioning.

Based on your screenshots, if that is a 620 and you have 105s, do certificate-based RAP provisioning.

I am testing on a 620 but will be implementing on a 800. Basically when our 800 was set up originally the guy who did it screwed up all of the user roles and permissions, every time I add a PEF licence to our 800 controller it blocks all of the clients on the wireless, I've tried to figure out what he did but I can't see anything that flags up and major issues, if it comes to it I'll simply wipe the controller and restart from scratch so our internal clients don't have any problems and we can use the RAP's aswell but i will need to do this on a weekend when the office is shut and I'd rather not give up part of my weekend until i know the raps will work the way we want them to (bassically trying to replace out current cr*p VPN).

To get around this while testing I'm using a 620 out of our demo kit to do the initial trials with the RAP's, so although I could use cert based provisioning I'm trying to do it as it will need to be done on our 800 hence the IKE secret and username/password. I'm using the attached as a reference for my config but can't seem to get a connection.

Attachment(s)

Mod12MBC-Remote AP-6.1-v1.0.pdf   4.61 MB 1 version

HI,

I've just tried this again with the control plane security enabled but I'm still not getting anywhere. I'm completely stumped now and not sure what to try. I have attached a CLI capture for my controllers configuration, I'm hoping something jumps out as an obvious problem but not having any experience with RAP's I'm not sure what to look out for. again any help you can give on his would be great as I'm getting griled by my director over this now.

Thanks,
Mike.

Hi Michaelb,

When you provisioned the AP I can see that you selected uplink VLAN 21. Can you try reprovisioning the AP and instead leave the leave the setting as "Obtain IP Address using DHCP" assuming that the AP is going to be patched into an access port and will have access to DHCP.

I haven't looked at the rest of the config but this "jumped out". :smileyhappy:

Cheers

James

PS Your external IP is visible in the config you posted.

So the first thing that needs to be established is, can the IPSec tunnel be setup.  It looks like you have port 4500 pointed back to the controller's IP so I assume that the controller is behind the DMZ with a route policy stating this.  You will also need to point UDP port 500 back to the controller as this is the ISAKMP traffic which constitutes phase 1 of the IPSec negotiation.  NAT-T is required in the DMZ firewall to properly encapsulate the IPSec requests.