Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Trouble converting RAP to CAP

  • 1.  Trouble converting RAP to CAP

    Posted Nov 18, 2015 09:52 AM

    I have a RAP-155.

    I have a 7210 controller with an internal IP address (in this case, 10.1.1.38)

    I have a fortigate firewall that has a VIP forward of an external IP (say, w.x.y.z) to 10.1.1.38

    If I web browse to w.x.y.z, I can log in to the controller.

    Now, I just got my first RAP. I fire it up, connect to Instant, go through the conversion process. If I just say the controller is w.x.y.z then it says VPN failed and it says to save the log in the popup. There is no log in a popup.

    I then tried https://w.x.y.z:4343 and it comes back "status unavailable"

    Do I need to give an interface on the 7210 the public IP and not forward from my firewall?

     

    Thanks!



  • 2.  RE: Trouble converting RAP to CAP

    EMPLOYEE
    Posted Nov 18, 2015 09:54 AM
    Are you allowing UDP 4500 through your firewall?


  • 3.  RE: Trouble converting RAP to CAP

    Posted Nov 18, 2015 10:00 AM

    No, I hadn't been - just all TCP. I just set it to allow all UDP as well.

    Conversion... same error, "VPN setup failed, please save the log in the popup window", and I don't see a popup or log anywhere.



  • 4.  RE: Trouble converting RAP to CAP

    EMPLOYEE
    Posted Nov 18, 2015 10:10 AM

    I misread. You're trying to convert an IAP/RAP to a Campus AP? You should point it to the inside address then. CAPs don't use an IPSec tunnel.



  • 5.  RE: Trouble converting RAP to CAP

    Posted Nov 18, 2015 10:14 AM

    Thanks. But then, when I take it home or to some other offsite location, it won't be able to find 10.1.1.38, so I'm confused how that would work.

     

    Oh - I guess I misspoke, I want to convert the RAP from Instant to "Remote AP managed by Mobility controller".

     

    Sorry for the confusion 



  • 6.  RE: Trouble converting RAP to CAP

    EMPLOYEE
    Posted Nov 18, 2015 10:15 AM

    Oh ok.

     

    Take a look at the RAP VRD which will show you how to configure the controller side.

    http://community.arubanetworks.com/t5/Validated-Reference-Design/Remote-AP-Networks/ta-p/155140



  • 7.  RE: Trouble converting RAP to CAP

    Posted Nov 18, 2015 10:22 AM

    Thanks Tim.

     

    Sigh - 213 pages. I should have figured it wouldn't be easy!



  • 8.  RE: Trouble converting RAP to CAP

    EMPLOYEE
    Posted Nov 18, 2015 11:06 AM

    Kevets,

     

    You would only have to set up your controller to accept remote AP traffic and put the MAC address of the IAP into the RAP whitelist on the controller and assign it to an ap-group:

     

    Set up the RAP pool:

     

     

    config t
    ip local pool "rap-pool" 172.16.1.150 172.16.1.200

     

    • Add the RAP to the controller's whitelist since it is using certificates for authentication:

    Configuration -> WIRELESS -> AP Installation -> RAP Whitelist. Add the wired MAC address of your AP, name it and assign it an ap-group.

     

    On the IAP, go to Maintenance and Convert. Put in the public or private address of your controller to convert (see attached image convert.png).

    While you are doing the convert, on the controller, type "show datapath session table <source ip address of your RAP>" to see if traffic is flowing. If you don't see any sessions, you need to check to make sure your firewall is (1) doing a static 1:1 NAT from your outside public address to the internal private address of your controller and (2) allowing UDP 4500 inbound to that device.

     

    If you do see the traffic flowing, type "show crypto ipsec sa peer <public ip address of your rap>" to see if it does have an SA, or security association. If it does, it should upgrade the code on your IAP and you can take it from there.



  • 9.  RE: Trouble converting RAP to CAP

    Posted Nov 18, 2015 11:11 AM

    Ah, thanks Colin! I'll give that a go later today.



  • 10.  RE: Trouble converting RAP to CAP

    Posted Nov 18, 2015 03:13 PM

    So, I tried this:

    the ip local pool rap-pool in the controller with a write mem;

    adding the MAC of my test RAP into the whitelist.

     

    Same results, whether I use the public (NATted) or the internal IP of the controller.

    I am confused about the recommended monitoring command - I don't know what the RAP's IP address is.

     

    I am wondering if I need to do something further for VPN configuration on the 7210?



  • 11.  RE: Trouble converting RAP to CAP

    Posted Nov 18, 2015 03:17 PM

    Here are the VPN settings (attached image: vpn settings.jpg).



  • 12.  RE: Trouble converting RAP to CAP

    Posted Nov 19, 2015 10:24 AM
    Controller config is pretty straightforward - as explained by Colin.

    Make sure you have it whitelisted. Then from the inside try to provision it as a RAP towards the inside IP of your controller.

    If that works - reprovision to the public facing IP.

    UDP 4500 / Nat-T.

    Also note that the internal IP that you forward to should be in the same subnet as your controller's default gateway.


  • 13.  RE: Trouble converting RAP to CAP

    Posted Nov 23, 2015 03:01 PM

    Thanks for the help so far. I tried again today, with no success.

     

    I have the RAP's MAC whitelisted. It's in AP Installation/whitelist/remote AP. It is set to cert type = switch-cert and state is approved-ready-for-cert.

     

    One thing I know not to do is to set control plane security to enabled! I just knocked out 90 APs with that little experiment.

     

    I tried to convert to both the internal address as well as the external.

    I currently have my AP connected to my internal LAN. It has been given a DHCP address of 10.1.0.112. My controller is at 10.1.1.38

    I will try the earlier monitoring commands in this thread, now that I know the internal IP of the RAP.



  • 14.  RE: Trouble converting RAP to CAP

    Posted Nov 23, 2015 03:08 PM

    OK, doing a convert using 10.1.1.38 as my controller and 10.1.0.112 as my "Master" IP, then doing the commands:

    "show datapath session table 10.1.0.112" shows no data flowing.

     

    "show crypto ipsec sa peer 10.1.0.112" shows no active IPsec SA.

     

    Here internally, I am going through a mini-switch to a switch port shared by this PC. So I'll next try putting it on its own port.