Remote AP-2WG

  • 1.  Remote AP-2WG

    Posted Mar 01, 2012 07:17 AM

    I'm trying to set up a Remote AP-2WG for testing purposes. I have a 6000 controller with SC I and AOS 5.0.3.0. I cannot see the Remote AP for provisioning. My questions are:

     

    1.- Is this AP supported with my hardware and software configuration?

    2.- Is there a document covering provisioning and initial configuration for this AP?

     

    Thank you



  • 2.  RE: Remote AP-2WG

    EMPLOYEE
    Posted Mar 01, 2012 07:48 AM

    Yes, your setup is supported.

     

    Yes, there is documentation. Look at the 5.x User Guide in the documentation section of the support.arubanetworks.com site.



  • 3.  RE: Remote AP-2WG

    EMPLOYEE
    Posted Mar 01, 2012 08:02 AM

    Your setup is supported, but there are two crucial things you need to know:

    The RAP will only find the controller on your local network if it is on the same layer 2 subnet as the controller.

    The SC platform will not allow you to do certificate-based provisioning of RAPs. You will need to use the instructions for IKE pre-shared key and user name/password config for that RAP-2. Do not use the remote AP whitelist method.

     

    Zero-Touch provisioning also will not work with the SC controller; you MUST use the IPsec pre-shared key username/password method to provision this AP from the controller.

    The ArubaOS 5 User Guide, chapter 7, will tell you how to set it up.



  • 4.  RE: Remote AP-2WG

    Posted Mar 01, 2012 09:02 AM

    AP-2WG is in the same subnet as my controller. I have manually configured the IP address for AP-2WG and I have also set up the LMS IP controller in the AP-2WG (using access by http://rapconsole.arubanetworks.com).

    With this configuration I can't see the AP-2WG at the controller ready for provisioning.

    What can be wrong?



  • 5.  RE: Remote AP-2WG

    EMPLOYEE
    Posted Mar 01, 2012 09:03 AM

    Did you add the RAP's MAC address to the RAP Whitelist?



  • 6.  RE: Remote AP-2WG

    EMPLOYEE
    Posted Mar 01, 2012 09:07 AM
    You cannot use the white list with an SC controller.


  • 7.  RE: Remote AP-2WG

    EMPLOYEE
    Posted Mar 01, 2012 09:18 AM

    @cjoseph wrote:
    You cannot use the white list with an SC controller.

    Sorry, my bad. Never tried it with an SC. I assumed that part of the config was the same.



  • 8.  RE: Remote AP-2WG

    EMPLOYEE
    Posted Mar 01, 2012 09:11 AM
    You cannot use the RAP console to provision that RAP with an SC controller. It will only work with a 3000 series, M3 or 600 series controller.

    You must:

    Set up an IKE pre-shared key in the controller along with an IPsec pool.
    Set up a user name and password in the controller in the local user database.
    Reset the RAP-2 by putting a paperclip in the hole on the underside and powering it up for 10 seconds.
    Put the RAP-2 on the same layer 2 subnet as the controller.
    When the RAP comes up, provision it and set remote AP, IKE pre-shared key, user name and password. Put the public IP address of the controller in the master controller IP address field and click on Provision.


  • 9.  RE: Remote AP-2WG

    Posted Mar 01, 2012 12:35 PM
    Hi cjoseph, thank you very much for your suggestions, maybe tomorrow I'll try it. Only one more question: after resetting the RAP-2 and provisioning it as a remote AP at the controller, the RAP-2 normally reboots. Is it after this reboot that I can put the RAP-2 at the remote location? Thanks


  • 10.  RE: Remote AP-2WG

    Posted Mar 02, 2012 06:40 AM

    "after resetting the rap2 and provision it as a remote ap at controller the rap2 normally reboots, is it after this reboot when I can put the rap2 at remote location?"

    Yes.

    Only thing you need to make sure is, the provisioned 'master' IP address is reachable from the remote location.



  • 11.  RE: Remote AP-2WG

    Posted Mar 02, 2012 08:38 AM

    One more question I have,

     

    If the remote AP2WG doesn't support rapconsole and I must connect it to the controller over the layer 2 network, must there be a DHCP server in the layer 2 network to assign an IP to the RAP2WG?

    If yes, must it be the 6000 controller or can it be another generic DHCP server?

     

    Thank you



  • 12.  RE: Remote AP-2WG

    EMPLOYEE
    Posted Mar 02, 2012 08:59 AM

    Ok.  Let me explain. 

     

    The RAP-2 when factory reset does not look for "aruba-master" like all other APs, so it has to find the controller using ADP, or a regular broadcast.  It does not matter who is the DHCP server, just as long as the controller's management ip address is on the same subnet of that RAP2.  This is ONLY for provisioning.

     

    The RAP2 must contact the controller and you must provision it using the controller's GUI, because the SC controller is older and does not have crypto infrastructure in place to do zero-touch provisioning.

     

    When the RAP2 contacts the controller, you go to Configuration> Wireless> AP Provisioning and provision that AP to the external IP that it needs to point to.  After you click on "Provision", you can take that AP home or wherever it needs to be.

     

    If I had a 600, 3000-series or M3 controller, we could easily put the MAC address of the AP into the RAP whitelist, and then use Zero Touch provisioning to point the AP to the controller from wherever it needs to be installed.  The reason why we have to boot up the RAP2 initially to a controller is that Zero Touch provisioning is not supported by the older SC controllers, and you have to provision the RAP with the IKE preshared key, username and password.

     



  • 13.  RE: Remote AP-2WG

    Posted Mar 02, 2012 11:23 AM

    You make it sound so easy. I've been trying to zero touch rap2wg/rap5ws for two days.

     

    Is there a simple way to do this?

     

    3600 controller.

    I enter the IP Address of my firewall in the rapconsole webpage.

    I see the Rap coming through my firewall as  ipsec-esp-udp connecting as a flow to my controller.

    The rap reboots, the webpage hangs, and it never brings up the WLAN led....

     

    Are there any debugging commands I can use to see what is happening?

     

    Thanks



  • 14.  RE: Remote AP-2WG

    EMPLOYEE
    Posted Mar 02, 2012 04:37 PM

    While your RAP is attempting to come up, SSH into the controller and execute the command below:

     

    (rap-local) #show datapath session table | include 4500
    

    That will tell you if any UDP 4500 traffic is being seen by the controller.  For every "session" coming in, you should see two lines:  one for traffic coming into the controller and one leaving the controller back to the RAP.  If you do not see any of that traffic, you need to fix your perimeter firewall.

     

    Next, type

     

    (rap-local) #show crypto ipsec sa
    

     

    That will tell you if your AP is making a security association that is needed to communicate with the controller

     

    If it is not, make sure you have the AP's MAC address in the RAP whitelist, AND you have an IPsec pool configured.

     

    Further, you can turn on debugging:

     

    (rap-local) #configure terminal
    (rap-local) (config) #logging level debugging security process crypto

     Then type "show log security 50" and examine the output.



  • 15.  RE: Remote AP-2WG

    Posted Mar 05, 2012 08:57 AM

    I have opened up a case. Was on the phone with the tech for 4 hours Friday. We see the 2wg connecting to the controller, it downloads code, reboots, connects again and then disappears with both LAN LEDs lit, but no WLAN LED. 



  • 16.  RE: Remote AP-2WG

    Posted Mar 05, 2012 02:41 AM

     

    Does it mean that the RAP2WG does not necessarily need to get an IP to contact the controller and then get provisioned?

     

    I ask because last week I did a quick test plugging the Remote AP into the same layer 2 as the controller but without DHCP, and the controller didn't show the Remote AP for provisioning, but it did when I configured the controller as DHCP server.

    Anyway, tomorrow I will test it again.



  • 17.  RE: Remote AP-2WG

    Posted Mar 07, 2012 09:01 AM

    ok,

     

    I have tested the remote AP, both with the DHCP server at the controller and on another PC. The controller shows the AP-2WG, then I try to provision it, configuring the preshared keys, the username and password for local authentication, and the public IP used for the controller, and I leave the remote AP IP assignment on DHCP (the home office router assigns it). Then I click Provision and put the remote AP behind my home router, but I don't see this AP any more. I have a sniffer capture on my corporate firewall but I don't see any traffic for the controller's public IP address.

    What's wrong?



  • 18.  RE: Remote AP-2WG

    EMPLOYEE
    Posted Mar 07, 2012 09:19 AM
    At minimum you should see the traffic. The rap 2 can take a minimum of 2.5 minutes to come up and generate initial traffic, so leave it plugged in. You might want to publish a sanitised version of "show audit-trail" to see what was programmed into that ap.


  • 19.  RE: Remote AP-2WG

    Posted Mar 07, 2012 10:14 AM

    I attach the audit-trail. Note that IP 193.147.143.81 is the public IP for the Aruba controller and 192.168.12.160 is the IP assigned to the Remote AP-2WG by DHCP.

     

    Hope you can clarify something.

     

    Thank you

    Attachment(s)

    docx
    show_audit_trail.docx   14 KB 1 version


  • 20.  RE: Remote AP-2WG

    Posted Mar 07, 2012 10:54 AM

    I have put a sniffer between the AP-2WG and the remote ADSL router and I see that the remote AP-2WG gets its IP from the remote router and then keeps sending ADP requests forever.



  • 21.  RE: Remote AP-2WG

    EMPLOYEE
    Posted Mar 07, 2012 11:39 AM

    That probably means that you did not provision a master IP address for that AP.  It should not be discovering the controller, because the external IP address should be hardcoded.  Reset it and make sure the external IP address is in the right position:

     

    masterip.jpg



  • 22.  RE: Remote AP-2WG

    Posted Mar 08, 2012 06:15 AM

    Sorry, but I put the public IP for the controller as you showed me and the result is the same: the AP-2WG continues sending ADP packets.



  • 23.  RE: Remote AP-2WG

    EMPLOYEE
    Posted Mar 08, 2012 07:02 AM

    Type "show audit-trail" and publish a redacted version of when you provisioned the RAP.

     



  • 24.  RE: Remote AP-2WG

    Posted Mar 08, 2012 07:51 AM

    Hi again,

     

    Provisioning was on March 8, at 13:41:56

     

    provisioning.jpg

     

     

    I post the audit-trail also

     

    Mar  8 13:39:28  webui[548]: USER:admin@192.168.100.4 COMMAND:<clear provisioning-ap-list > -- command executed successfully
    Mar  8 13:39:28  webui[548]: USER:admin@192.168.100.4 COMMAND:<clear provisioning-params > -- command executed successfully
    Mar  8 13:41:07  webui[548]: USER:admin@192.168.100.4 COMMAND:<clear provisioning-ap-list > -- command executed successfully
    Mar  8 13:41:07  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap read-bootinfo ip-addr 192.168.12.160 > -- command executed successfully
    Mar  8 13:41:58  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap copy-provisioning-params ip-addr 192.168.12.160 > -- command executed successfully
    Mar  8 13:41:58  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap installation default > -- command executed successfully
    Mar  8 13:41:58  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap no ipaddr > -- command executed successfully
    Mar  8 13:41:58  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap no external-antenna > -- command executed successfully
    Mar  8 13:41:58  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap server-name "aruba-master" > -- command executed successfully
    Mar  8 13:41:58  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap master "193.147.143.81" > -- command executed successfully
    Mar  8 13:41:58  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap ap-group "AP-REMOTOS" > -- command executed successfully
    Mar  8 13:41:58  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap ap-name "00:24:6c:c2:46:5f" > -- command executed successfully
    Mar  8 13:41:58  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap no syslocation > -- command executed successfully
    Mar  8 13:41:58  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap mesh-role none > -- command executed successfully
    Mar  8 13:41:58  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap remote-ap > -- command executed successfully
    Mar  8 13:41:58  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap pap-user "ejemplo" > -- command executed successfully
    Mar  8 13:41:58  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap pap-passwd  ******  > -- command executed successfully
    Mar  8 13:41:59  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap ikepsk  ******  > -- command executed successfully
    Mar  8 13:41:59  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap fqln "00:24:6c:c2:46:5f.Floor 1.Aitana-A11.Altea" > -- command executed successfully
    Mar  8 13:41:59  webui[548]: USER:admin@192.168.100.4 COMMAND:<provision-ap reprovision ip-addr 192.168.12.160 > -- command executed successfully
    Mar  8 13:41:59  webui[548]: USER:admin@192.168.100.4 COMMAND:<clear provisioning-ap-list > -- command executed successfully
    Mar  8 13:41:59  webui[548]: USER:admin@192.168.100.4 COMMAND:<clear provisioning-params > -- command executed successfully

    (aruba_master) #

     

    I see the same behaviour: I plug the AP-2WG in at the remote site and then it gets an IP and starts sending ADP packets.
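
Added example (not from the thread or from Aruba documentation): a Python check over `show audit-trail` output in the format posted above. It reports which of the settings this thread names for the IKE pre-shared-key method were pushed in each provisioning run, and masks addresses and the PAP user name before the log is published. The sample log is constructed, and the function names are assumptions.

```python
import re

# Constructed sample in the "show audit-trail" format quoted in the thread;
# addresses use documentation ranges and the user name is a placeholder.
SAMPLE = """\
Mar  8 13:41:58  webui[548]: USER:admin@192.0.2.4 COMMAND:<provision-ap master "203.0.113.81" > -- command executed successfully
Mar  8 13:41:58  webui[548]: USER:admin@192.0.2.4 COMMAND:<provision-ap remote-ap > -- command executed successfully
Mar  8 13:41:58  webui[548]: USER:admin@192.0.2.4 COMMAND:<provision-ap pap-user "example-user" > -- command executed successfully
Mar  8 13:41:58  webui[548]: USER:admin@192.0.2.4 COMMAND:<provision-ap pap-passwd  ******  > -- command executed successfully
Mar  8 13:41:59  webui[548]: USER:admin@192.0.2.4 COMMAND:<provision-ap reprovision ip-addr 192.0.2.160 > -- command executed successfully
"""

CMD = re.compile(r"COMMAND:<provision-ap\s+(no\s+)?(\S+)\s*(.*?)\s*>")
# Settings the thread lists for the IKE pre-shared-key method.
REQUIRED = ("remote-ap", "master", "ikepsk", "pap-user", "pap-passwd")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
MAC = re.compile(r"\b[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}\b")

def provisioning_runs(text):
    """Group provision-ap settings into one dict per 'reprovision' command."""
    runs, current = [], {}
    for line in text.splitlines():
        m = CMD.search(line)
        if not m:
            continue
        negated, key, value = m.groups()
        if key == "reprovision":
            runs.append(current)
            current = {}
        elif key not in ("read-bootinfo", "copy-provisioning-params"):
            # "provision-ap no <key>" clears a setting, so record it as None.
            current[key] = None if negated else value.strip('"')
    return runs

def missing_psk_settings(run):
    """Return the required settings that were never pushed in this run."""
    return [k for k in REQUIRED if run.get(k) is None]

def sanitise(text):
    """Mask MAC and IPv4 addresses and the PAP user name before posting."""
    text = MAC.sub("xx:xx:xx:xx:xx:xx", text)
    text = IPV4.sub("x.x.x.x", text)
    return re.sub(r'(pap-user\s+)"[^"]*"', r'\1"<redacted>"', text)
```

The constructed sample deliberately omits the `ikepsk` line, so `missing_psk_settings` reports it for that run.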



  • 25.  RE: Remote AP-2WG

    Posted Mar 13, 2012 04:14 AM

    Hi again,

     

    Regarding the last post, do you think something is wrong?

    Is the behaviour normal?

    I have tried configuring the public IP both in the textbox "Host switch ip address" and in "Master switch ip address" and I get the same result.

     



  • 26.  RE: Remote AP-2WG

    Posted Mar 13, 2012 07:19 AM

    I have CPSec enabled in the controller. Can it be the problem?



  • 27.  RE: Remote AP-2WG

    EMPLOYEE
    Posted Mar 13, 2012 07:24 AM

    CPSEC is not related to this, unfortunately...



  • 28.  RE: Remote AP-2WG

    EMPLOYEE
    Posted Mar 13, 2012 07:17 AM
    Please open a support case. That should work.