Kevets,
You would only have to set up your controller to accept remote AP traffic, put the MAC address of the IAP into the RAP whitelist on the controller, and assign it to an ap-group:
Set up the RAP pool:
config t
ip local pool "rap-pool" 172.16.1.150 172.16.1.200
- Add the RAP to the controller’s whitelist since it is using certificates for authentication:
Configuration -> WIRELESS -> AP Installation -> RAP Whitelist. Add the wired MAC address of your AP, name it, and assign it an ap-group.
On the IAP, go to Maintenance and Convert. Put in the public or private address of your controller to convert.
While you are doing the convert, on the controller, type "show datapath session table <source ip address of your RAP>" to see if traffic is flowing. If you don't see any sessions, you need to check to make sure your firewall is (1) doing a static 1:1 NAT from your outside public address to the internal private address of your controller and (2) allowing UDP 4500 inbound to that device.
If you do see the traffic flowing, type "show crypto ipsec sa peer <public ip address of your rap>" to see if it does have an SA, or security association. If it does, it should upgrade the code on your IAP and you can take it from there.
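The same procedure collected as a controller CLI session, added here as an example and not taken from the post above; it assumes an ArubaOS 6.x controller, the `whitelist-db rap` CLI form of the GUI whitelist step, and placeholder values (MAC address, ap-group/ap-name, and the RAP's public address 203.0.113.10) that you would replace with your own:

```text
! Pool handed to the RAP for its inner (tunnel) address
configure terminal
ip local pool "rap-pool" 172.16.1.150 172.16.1.200

! CLI equivalent of Configuration -> WIRELESS -> AP Installation -> RAP Whitelist
! (placeholder MAC, group and name; certificate auth means no PSK is entered here)
whitelist-db rap add mac-address 00:0b:86:aa:bb:cc ap-group "remote-aps" ap-name "iap-branch1"
end

! Confirm the entry is present and marked as an approved RAP
show whitelist-db rap

! During the IAP convert: is any traffic arriving from the RAP's public address?
! No sessions -> check the firewall's 1:1 NAT to the controller and UDP 4500 inbound.
show datapath session table 203.0.113.10

! Sessions seen: verify the IPsec SA came up before expecting the code upgrade.
show crypto ipsec sa peer 203.0.113.10

! Once the tunnel is up the RAP should appear here with its pool address
show ap database
```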