Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP configuration on 6.4

  • 1.  RAP configuration on 6.4

    Posted Jul 17, 2015 03:06 PM

    I'm having some trouble creating the config for a RAP. It's for an exec and the SSID is one already in our environment.

     

    Does anyone have a clear config guide for this? I've followed the wizard with no luck, and see some user guide stuff, but it seems all over the place or it's older 6.0 stuff and doesn't apply...

     

    I've configured the group with the profiles, VPN addresses and keys, and whitelisted the APs.



  • 2.  RE: RAP configuration on 6.4
    Best Answer

    EMPLOYEE
    Posted Jul 17, 2015 03:08 PM

    It hasn't changed much from the current VRD except you can use Activate now.

     

    Where are you getting hung up? Are you seeing the IPSec traffic on the controller?



  • 3.  RE: RAP configuration on 6.4

    Posted Jul 17, 2015 03:09 PM

     Not on the controller, I can see it coming across the NAT device but no return.

     

    That's one place I didn't check... I'll take a look.



  • 4.  RE: RAP configuration on 6.4

    EMPLOYEE
    Posted Jul 17, 2015 03:10 PM

    OK. You can run show datapath session table | include 4500.

     

    Also, check the security logs (show log security 50)



  • 5.  RE: RAP configuration on 6.4

    Posted Jul 17, 2015 03:20 PM

    I'm seeing an IKE Xauth failure for the username/password. Now I can't find where that was! (facepalm)

     

     



  • 6.  RE: RAP configuration on 6.4

    EMPLOYEE
    Posted Jul 17, 2015 03:21 PM

    Hm. You shouldn't need XAUTH. Can you post a screenshot of your VPN configuration screen from the controller?



  • 7.  RE: RAP configuration on 6.4
    Best Answer

    EMPLOYEE
    Posted Jul 17, 2015 03:24 PM
    Xauth failure would be if you accidentally provisioned the rap with username and password instead of certificate.


  • 8.  RE: RAP configuration on 6.4

    Posted Jul 17, 2015 03:29 PM

    I unchecked it. I'll purge it and reconfigure accordingly. 

     

    Do I need to generate a certificate for the RAP anywhere?



  • 9.  RE: RAP configuration on 6.4

    EMPLOYEE
    Posted Jul 17, 2015 03:31 PM
    Nope


  • 10.  RE: RAP configuration on 6.4

    EMPLOYEE
    Posted Jul 17, 2015 03:34 PM

    As long as you're using modern RAPs, the certificates are built-in.



  • 11.  RE: RAP configuration on 6.4

    Posted Jul 17, 2015 03:44 PM

    It's a 205.

     

    I have to get a RAP3 working, but I switched to the 205 for troubleshooting purposes...

     



  • 12.  RE: RAP configuration on 6.4

    EMPLOYEE
    Posted Jul 17, 2015 03:46 PM

    Both the 205 and RAP-3 have TPM chips so they will have a factory certificate.



  • 13.  RE: RAP configuration on 6.4

    Posted Jul 17, 2015 04:02 PM

    I don't have a 4500 session coming across anymore.



  • 14.  RE: RAP configuration on 6.4

    EMPLOYEE
    Posted Jul 18, 2015 04:16 AM

    hi playinpearls

    cert rap bring up should require the following few steps only. no vpn profiles, no PSKs etc.

     

    Controller

    >> define l2tp ip pool

    >> whitelist the ap

     

    AP

    >> purge ap (or reset via button, making sure it doesn't revert to IAP if it was instant before)

    >> check you have working DHCP (type dhcp at apboot, wait, then ping the master ip - make sure it's all fine)

    >> either let it discover and connect to controller, reprovision as rap, or from apboot

       setenv remote_ap 1

       setenv master  <controller ip>

       save

       boot

     

    that should be it, if it's still stuck after this, you can go into the ap shell and take a look in the file /tmp/rapper.txt and /tmp/sapd_debug_log.txt, these may give you a hint as to any problem. But ultimately, setting it as RAP above and the master IP should be enough to get it talking to the controller.

     

    regards

    -jeff



  • 15.  RE: RAP configuration on 6.4

    Posted Jul 20, 2015 02:13 PM

    Thanks Jeff, that's what I was looking for.

     

    It turns out that we had the RAP natting through a firewall that wasn't the gateway of the controller, so it was failing at making a complete circle. The controller was sending replies through a different firewall.
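
The asymmetric return path described in the last post can be checked before re-provisioning the RAP: look up which next hop the controller would use to reach the RAP's public address and compare it with the firewall that forwards the inbound UDP 4500 traffic. The following is an added example, not code from the thread or from Aruba; the route table, addresses and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample data (not from the thread): the controller's routes as
# (prefix, next hop), and the inside address of the firewall that NATs the
# RAP's IPsec traffic (UDP 4500) towards the controller.
ROUTES = [
    ("0.0.0.0/0", "10.1.1.1"),      # default gateway: a different firewall
    ("10.0.0.0/8", "10.1.1.254"),   # internal core
]
NAT_FIREWALL_INSIDE = "10.1.1.2"    # firewall that forwards the RAP traffic
RAP_PUBLIC_IP = "203.0.113.25"      # documentation-range address


def next_hop(routes, dest):
    """Longest-prefix match: next hop used to reach dest, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def check_return_path(routes, rap_public_ip, nat_fw_inside):
    """Classify the reply path for a RAP seen through a NAT firewall.

    'asymmetric' means replies leave through a device that holds no NAT
    state for the tunnel, so the RAP never sees them.
    """
    hop = next_hop(routes, rap_public_ip)
    if hop is None:
        return "no-route"
    return "symmetric" if hop == nat_fw_inside else "asymmetric"


def with_host_route(routes, rap_public_ip, nat_fw_inside):
    """One possible correction: pin the RAP's address to the NAT firewall."""
    return routes + [(f"{rap_public_ip}/32", nat_fw_inside)]


if __name__ == "__main__":
    print(check_return_path(ROUTES, RAP_PUBLIC_IP, NAT_FIREWALL_INSIDE))
    fixed = with_host_route(ROUTES, RAP_PUBLIC_IP, NAT_FIREWALL_INSIDE)
    print(check_return_path(fixed, RAP_PUBLIC_IP, NAT_FIREWALL_INSIDE))
```

A host route only suits a RAP with a fixed public address; for roaming RAPs the usual correction is to NAT through the firewall that is the controller's gateway.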