Date post: | 08-Aug-2018 |
Category: |
Documents |
Upload: | samba-sidibe |
8/23/2019 BPDG_RemoteAP_ArubaOS-2.5_v1.0
Remote AP Configuration
Configuring the Secure Remote AP
Abstract
This document describes the configuration of Secure Remote AP. The Secure Remote AP feature allows an Aruba AP to be configured as an IPSec client and set up a VPN connection over an insecure network to an Aruba mobility controller. This configuration allows enterprises to provide secure, centrally managed APs to their remote or traveling employees.
The document demonstrates a typical configuration with complete step-by-step instructions for configuring:
Secure Remote AP
Recommended Reading
The following prerequisite documentation is highly recommended before reading this document:
Best Practices: Performance
Best Practices: WLAN Base Configuration
ArubaOS-2.5_v1.0_20050328 ArubaOS 2.5 2005-2006 Aruba Networks
Best Practices: Remote AP Configuration
Table of Contents
REMOTE AP CONFIGURATION
Design Summary
Design Guidelines
Installation Procedure
Aruba Controller Design Configuration
Aruba Remote AP Design Configuration
Troubleshooting
Design Summary
Overview
This section describes the secure remote AP: what it is and how it works, both from an AP perspective and from a mobility controller perspective.
Features and functionality
The remote AP (RAP) includes the following features and functionality:
The RAP can connect over an insecure network (such as the Internet) back to an Aruba controller via IPSec and provide corporate ESSIDs to a remote office or traveling employee
All ESSIDs and corporate policies apply to the Remote AP
The RAP works behind NATing routers and firewalls with no additional configuration
Topology
The following network diagram shows the basic topology for this network reference design:
Figure 1 Remote AP Configuration Reference Topology
Required software
The following software modules are required to configure this capability:
ArubaOS (standard with all mobility controllers)
1. Note: this design requires ArubaOS version 2.5.0 or higher
Policy Enforcement Firewall module (user roles)
Remote AP License (licensed per concurrent AP connection. A controller licensed for 16 Remote APs can support up to 16 simultaneously connected Remote APs). Note that a remote AP counts towards the total number of APs that an Aruba mobility controller manages.
Required hardware
At least one Aruba mobility controller is required to manage and control the Remote APs. The Remote AP feature is currently supported on the following AP models:
AP-60
AP-61
AP-70
Scaling notes
The number of active Remote APs supported on a system must be less than or equal to the number of Remote AP licenses installed on the controller they are connected to. The total number of APs connected to a controller, including Remote APs, must be less than or equal to the total number of APs the system can support.
Further reading
Please see the Aruba User Guide documentation for more information on installation, features and advanced or alternate configuration.
This document is based on modifications made to the reference network described in the Best Practices: WLAN Base Configuration document. [1]
[1] Estimated time to complete this configuration by following this document:
Design Guidelines
Overview
This section describes the guidelines used to build the reference remote AP network.
Network configuration
The IP addressing for the Aruba controller, ESSIDs and firewall policies are taken from the Best Practices: WLAN Base Configuration document.
A publicly reachable/routable IP address has been added to the base controller configuration; this address is placed at the DMZ to allow the remote APs to connect to it via the Internet.
VLAN 30 has been added to provide an internal address to the Remote AP once it successfully connects to the controller
The Remote AP is configured to use DHCP to gain an IP address.
Figure 2 Remote AP Configuration IP Topology
System management
The Remote AP is represented in the Aruba management interfaces similarly to a standard AP in terms of ESSID configuration. In the GUI, Remote APs will show up with "yes" in the IPSec field under the AP, whereas standard APs will not.
In the CLI, Remote APs are not listed by the show user-table command. Rather, they are special cases and are only listed by the show user-table verbose command.
It is a best practice to use different location code designations for Remote APs for ease of management.
WLANs and SSIDs
The WLAN information in this document is taken from the Best Practices: WLAN Base Configuration document.
Remote APs can be configured with any desired SSID, and can either mimic corporate defaults or have unique field SSIDs.
Controller DMZ IP configuration
The Remote APs need an Aruba mobility controller with a publicly routable IP address they can access. Best practice is to put an interface of the Aruba controller in the DMZ or to forward traffic from the corporate firewall to the controller. If this approach is used, the firewall must pass NAT-T traffic to the appropriate Aruba controller address. NAT-T is defined as UDP port 4500.
ARM/RF management
It is a best practice to configure ARM on the remote AP base configuration. This will allow the AP to adjust its channel and/or power level accordingly when deployed in environments where neighboring APs are present.
AP deployment
Remote AP parameters such as IPSec settings, username, and password must be configured through the Aruba controller GUI or CLI. Remote APs cannot be configured fully through a console cable. This is because the VPN settings on the RAP are stored in a protected format on the AP, not in clear text.
Installation Procedure
Overview
This section describes the overall steps involved in configuring a network according to the reference network design described in the previous section. These steps assume a network that has already been built according to the reference design outlined in the Best Practices: WLAN Base Configuration document.
Procedure steps
Here are the steps required and the order to perform them:
Master mobility controller configuration
1 Configure public DMZ address on controller
2 Configure remote AP VLAN
3 Configure Aruba VPN server
4 Configure remote AP firewall policies
5 Configure remote AP role
6 Configure remote AP authentication server
Configure Secure Remote APs
7 Provision IPSEC settings on remote APs
Aruba Controller Design Configuration
Overview
This section outlines the steps needed to configure the Aruba controller to handle secure Remote APs.
The Remote AP configuration is built on the best practices WLAN base configuration, and assumes that a base switch configuration already exists. The use of the GUI is documented here, with CLI references as applicable.
Configure controller DMZ address
The Remote AP needs an address to connect to in order to establish a VPN tunnel to the mobility controller. In this example, an additional VLAN and interface address is configured on the Aruba mobility controller.
Here is the procedure to configure a new DMZ address on the controller:
1 On the top-level menu bar, click Configuration
2 Click the VLAN tab
3 Click the Add button
4 In the Add New VLAN screen, enter the following information:
VLAN ID 30
IP Address 216.31.249.230
Net Mask 255.255.255.0
5 Click the Apply button
6 On the top-level menu bar, click Save Configuration
Note: If it is not desirable to add a routable IP address to the mobility controller, an external router or firewall address can be used and the traffic forwarded to an existing interface on the controller.
DMZ VLAN port assignment
Now that the VLAN is configured, we can assign a port to the DMZ VLAN. This is the port on the Aruba mobility controller that is physically connected to the DMZ. In our reference design, this is port 2/25.
1 On the top-level menu bar, click Configuration
2 Click the General tab
3 Click the Port tab
4 In the Port Selection section, click the checkbox that corresponds to slot 2/port 25
5 In the Configure Selected Ports section, enter the following information:
Enter VLAN 30
6 Click the Apply button to save the port settings
7 On the top-level menu bar, click Save Configuration
Test & Validate
Verify the public address is indeed reachable from the untrusted network, i.e. the Internet. Ensure the controller correctly responds to a ping of the new public IP address 216.31.249.230.
Configure Remote AP VLAN
Next we need to create a VLAN for the Remote APs. This VLAN will furnish internal IP addresses for the APs only. It will not provide IP addresses for the wireless clients.
Here is the procedure to configure a new VLAN:
1 On the top-level menu bar, click Configuration
2 Click the VLAN tab
3 Click the Add button
4 In the Add New VLAN screen, enter the following information:
VLAN ID 930
IP Address 172.16.30.1
Net Mask 255.255.255.0
5 Click the Apply button
6 On the top-level menu bar, click Save Configuration
Checkpoint!
We now have an operational master Aruba controller that is configured with:
A DMZ VLAN and IP address
Remote AP VLAN
Configure VPN settings
Since the secure Remote AP is a VPN client, the Aruba mobility controller must have VPN server functionality configured to terminate the secure Remote APs.
Here are the procedures to configure the VPN settings that will enable secure Remote AP functionality.
Authentication protocols
First we need to configure the authentication protocols. In this reference design, we use L2TP and PAP. Here is the procedure:
1 On the top-level menu bar, click Configuration
2 On the left-hand option bar, under Security, click VPN Settings
3 Click the IPSec tab
4 Enter the following information:
Enable L2TP Click checkbox to enable
Authentication Protocols PAP
Primary DNS Server 10.3.22.253
! Important: Ensure that the only authentication protocol selected for the remote AP is PAP.
Configure IP information for APs
Next we need to configure the IP address pool and DNS information. This information will be used to give each remote AP a valid IP address and DNS server. Here is the procedure:
1 On the top-level menu bar, click Configuration
2 On the left-hand option bar, under Security, click VPN Settings
3 Click the IPSec tab
4 Enter the following information:
Primary DNS Server 10.3.22.253
5 In the Address Pools section, click the Add button
6 In the Add Address Pool screen, enter the following information:
Pool Name RemoteAP-Pool
Start Address 172.16.30.10 [2]
End Address 172.16.30.25
7 Click the Done button to return to the VPN settings screen
[2] These addresses correspond to the 16 remote APs our controller is licensed to manage. Adjust the size of the address pool as needed for more or fewer remote AP licenses.
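The pool sizing rule in the footnote can be checked before the pool is entered in the GUI. The following is an added example, not part of the original guide or of any Aruba tooling: it validates a pool against the Remote AP VLAN interface (172.16.30.1, mask 255.255.255.0) and the license count, using the guide's 16-address pool ending at 172.16.30.25. The function name and the wording of the findings are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_interface


def check_rap_pool(start, end, vlan_ip, netmask, licenses):
    """Return a list of findings for a Remote AP address pool.

    An empty list means the pool is consistent with the VLAN interface
    and with the number of Remote AP licenses.
    """
    iface = ip_interface(f"{vlan_ip}/{netmask}")
    net = iface.network
    lo, hi = ip_address(start), ip_address(end)

    # A reversed range makes every other check meaningless, so stop here.
    if lo > hi:
        return [f"start {lo} is above end {hi}"]

    findings = []
    size = int(hi) - int(lo) + 1
    if size < licenses:
        findings.append(
            f"pool holds {size} addresses, fewer than {licenses} licensed RAPs")
    elif size > licenses:
        findings.append(
            f"pool holds {size} addresses, more than {licenses} licensed RAPs")

    # Both ends of the pool must sit inside the Remote AP VLAN subnet.
    for label, addr in (("start", lo), ("end", hi)):
        if addr not in net:
            findings.append(f"{label} address {addr} is outside {net}")

    # The controller's own VLAN interface must not be handed out to an AP.
    if lo <= iface.ip <= hi:
        findings.append(f"pool contains the controller interface {iface.ip}")

    # Network and broadcast addresses are not usable by an AP.
    for reserved in (net.network_address, net.broadcast_address):
        if lo <= reserved <= hi:
            findings.append(f"pool contains reserved address {reserved}")
    return findings


if __name__ == "__main__":
    # Values from this guide: 16 licenses, pool of 16 addresses.
    print(check_rap_pool("172.16.30.10", "172.16.30.25",
                         "172.16.30.1", "255.255.255.0", 16))
    # Constructed bad input: too small and overlapping the controller.
    for finding in check_rap_pool("172.16.30.1", "172.16.30.8",
                                  "172.16.30.1", "255.255.255.0", 16):
        print("finding:", finding)
```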
IKE shared secret
Part of the IPSec process requires the VPN client (the remote AP) to present a shared secret. Here is the procedure to configure an IKE shared secret for the remote APs:
1 On the top-level menu bar, click Configuration
2 On the left-hand option bar, under Security, click VPN Settings
3 Click the IPSec tab
4 In the IKE Shared Secrets section, click the Add button
5 In the Add IKE Secret screen, enter the following information:
IKE Shared Secret secret
Verify IKE Shared Secret secret
6 Click the Done button to return to the VPN settings screen
IKE policy
Finally, an IKE policy governing these VPN clients must be defined. Here is the procedure:
1 On the top-level menu bar, click Configuration
2 On the left-hand option bar, under Security, click VPN Settings
3 Click the IPSec tab
4 In the IKE Policies section, click the Add button
5 In the Add Policy screen, enter the following information:
Priority 1
Encryption 3DES
Hash Algorithm SHA
Authentication PRE-SHARE
Diffie Hellman Group GROUP 2
Life Time Accept the default
Note: These settings reflect the default IKE policies set on the controller. The default settings are all that is needed to configure the Secure Remote AP feature.
6 Click the Done button to return to the VPN settings screen
Save the VPN configuration
7 Click the IPSEC tab
8 Click the Apply button to save the VPN settings
9 On the top-level menu bar, click Save Configuration
Checkpoint!
We now have an operational master Aruba controller that is configured with:
DMZ VLAN and IP address
Remote AP VLAN
Configured VPN server
Configuring firewall policies
Now that the VPN settings have been configured, it is time to look at the security aspects of the remote APs. Once a remote AP has authenticated via the VPN server and established an IPSec connection, we need to ensure the AP is only allowed to access those network resources required for its operation. This will ensure that, even if the user name, password and IKE shared secret of the remote AP are known, this knowledge does not, of itself, allow unrestricted network access.
Remote AP network access rights
We will do this by first configuring firewall policies for the remote APs themselves. This policy is applied upon completion of IPSec and will grant the following access:
AP control traffic via the Aruba PAPI protocol (UDP port 8211)
802.11 traffic inside GRE tunnels
L2TP traffic from the remote AP to the Aruba mobility controller
TFTP traffic from the remote AP to the Aruba mobility controller
FTP traffic from the remote AP to the Aruba mobility controller
Remote AP firewall policy
Here is the procedure to create the firewall policy called RemoteAP-Access:
1 On the top-level menu bar, click Configuration
2 On the left-hand option menu, under Security, click Policies
3 Click the Add button
4 In the Add New Policy screen, enter the following information:
Policy Name RemoteAP-Access
5 Under the Rules section, click the Add button to enter a new rule
6 In the policy statement, create a rule that will allow L2TP traffic. Create the policy by entering the following information:
Source Any
Destination Any
Service svc-l2tp (udp 1701)
Action Permit
7 Click the Add button to add this rule to the policy
8 Click the Add button to create another rule
9 In the policy statement, create a rule that will allow GRE traffic. Create the policy by entering the following information:
Source Any
Destination Any
Service svc-gre (gre 0)
Action Permit
10 Click the Add button to add this rule to the policy
11 Click the Add button to create another rule
12 In the policy statement, create a rule that will allow PAPI control traffic for the APs. Create the policy by entering the following information:
Source Any
Destination Any
Service svc-papi (udp 8211)
Action Permit
13 Click the Add button to add this rule to the policy
14 Click the Add button to create another rule
15 In the policy statement, create a rule that will allow the APs TFTP access to the controller. Create the policy by entering the following information:
Source Any
Destination Alias
Alias mswitch
Service svc-tftp (udp 69)
Action Permit
16 Click the Add button to add this rule to the policy
17 Click the Add button to create another rule
18 In the policy statement, create a rule that will allow the APs FTP access to the controller. Create the policy by entering the following information:
Source Any
Destination Alias
Alias mswitch
Service svc-ftp (tcp 21)
Action Permit
19 Click the Add button to add this rule to the policy
20 Click the Apply button
21 On the top-level menu bar, click Save Configuration
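The effect of the RemoteAP-Access rules can be seen by replaying flows against them. This is an added example, not code from the original guide or from Aruba: a small evaluator that applies the five rules in the order the procedure adds them and reports which constructed flows a session holding the RemoteAP role could pass. First-match evaluation with a default deny, the mswitch address 172.16.30.1 and the internal host 10.3.22.40 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Assumption: the "mswitch" alias resolves to the controller address the RAP
# talks to inside the tunnel; the Remote AP VLAN interface is used here.
ALIASES = {"mswitch": ip_address("172.16.30.1")}


@dataclass(frozen=True)
class Rule:
    destination: str  # "any" or an alias name
    proto: str        # "udp", "tcp" or "gre"
    port: int         # ignored for GRE
    action: str       # "permit" or "deny"
    service: str      # service name as shown in the GUI


# RemoteAP-Access, in the order the procedure adds the rules (source is Any).
REMOTEAP_ACCESS = (
    Rule("any", "udp", 1701, "permit", "svc-l2tp"),
    Rule("any", "gre", 0, "permit", "svc-gre"),
    Rule("any", "udp", 8211, "permit", "svc-papi"),
    Rule("mswitch", "udp", 69, "permit", "svc-tftp"),
    Rule("mswitch", "tcp", 21, "permit", "svc-ftp"),
)


def evaluate(policy, dst, proto, port=0):
    """Return (action, matching service or None); the first match wins."""
    dst_ip = ip_address(dst)
    for rule in policy:
        if rule.proto != proto:
            continue
        if proto != "gre" and rule.port != port:
            continue
        if rule.destination != "any" and ALIASES[rule.destination] != dst_ip:
            continue
        return rule.action, rule.service
    return "deny", None  # modeled assumption: unmatched traffic is dropped


def unscoped_permits(policy):
    """Permit rules whose destination is Any: candidates for tightening."""
    return [r.service for r in policy
            if r.action == "permit" and r.destination == "any"]


# Constructed flows from a session that holds the RemoteAP role.
SAMPLE_FLOWS = [
    ("172.16.30.1", "udp", 8211),  # PAPI to the controller
    ("172.16.30.1", "udp", 69),    # TFTP to the controller
    ("10.3.22.40", "udp", 69),     # TFTP to another internal host
    ("10.3.22.40", "tcp", 445),    # file sharing on an internal host
    ("10.3.22.40", "udp", 8211),   # PAPI port on a host that is not the controller
]

if __name__ == "__main__":
    for dst, proto, port in SAMPLE_FLOWS:
        action, svc = evaluate(REMOTEAP_ACCESS, dst, proto, port)
        print(f"{proto}/{port:<5} -> {dst:<12} {action:<6} {svc or '(no rule)'}")
    print("destination Any:", ", ".join(unscoped_permits(REMOTEAP_ACCESS)))
```

The TFTP and FTP rules are scoped to the controller alias, while the L2TP, GRE and PAPI rules use destination Any, so those three are the ones to review if the role should reach the controller only.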
Checkpoint!
We now have an operational master Aruba controller that is configured with:
DMZ VLAN and IP address
Remote AP VLAN
Configured VPN server
Remote AP firewall policy
The remote AP role
Now that the firewall policy has been created, we can create a role for the remote APs. When a remote AP connects to the Aruba mobility controller, it will be placed into a role. This role contains information about the access rights and privileges of that device. It will contain the firewall policy we just created as well.
Configuring the remote AP role
Here is the procedure to create the user role called RemoteAP:
1 On the top-level menu bar, click Configuration
2 On the left-hand option menu, under Security, click Roles
3 Click the Add button
4 In the Add Role screen, enter the following information:
Role Name RemoteAP
5 Under the Firewall Policies section, click the Add button to associate a policy with this role
6 Select the radio button next to Choose from Configured Policies
7 Select the following firewall policies from the drop-down box:
Firewall Policy Order
RemoteAP-Access 1
8 Click the Done button after each policy selection
9 Click the Apply button
10 On the top-level menu bar, click Save Configuration
Checkpoint!
We now have an operational master Aruba controller that is configured with:
DMZ VLAN and IP address
Remote AP VLAN
Configured VPN server
Remote AP firewall policy
Remote AP role
Remote AP authentication server
The last piece of configuration (outside of the APs themselves) is the authentication server that will validate the user name and password for each remote AP. This server can be of any type, for example a RADIUS server, Active Directory, and so on. In this reference design, we will use the internal authentication server of the Aruba mobility controller.
Configure the remote AP authentication server
The internal authentication (AAA) server is enabled by default on each mobility controller. Therefore, we only need to create the user name and password for each remote AP. These credentials will then be presented by the remote AP to the VPN server when it attempts to establish an IPSec connection.
Here is the procedure to configure the VPN server on the Aruba mobility controller to use the internal DB for authentication:
1 On the top-level menu bar, click Configuration
2 On the left-hand option menu, under Security, click Authentication Methods
3 Click the VPN tab
4 In the VPN screen, enter the following information:
Authentication Enabled Click the checkbox to enable
Default Role RemoteAP
5 Under the Authentication Servers section, click the Add button
6 Select the Internal server from the drop-down box
7 Click the Add button to use this server for VPN client authentication
8 Click the Apply button
9 On the top-level menu bar, click Save Configuration
Creating remote AP accounts
Here is the procedure to configure guest accounts on the internal DB:
1 On the top-level menu bar, click Configuration
2 On the left-hand option menu, under Security, click AAA Servers
3 Click the Internal DB tab
4 Under the Users section, click the Add User button
5 In the Add User screen, enter the following information:
User Name RAP01
Password GoAruba
6 Click the Apply button
Checkpoint!
We now have an operational master Aruba controller that is configured with:
DMZ VLAN and IP address
Remote AP VLAN
Configured VPN server
Remote AP firewall policy
Remote AP role
Configure the VPN AAA server
Create remote AP accounts
Aruba Remote AP Design Configuration
Overview
The final step in Remote AP configuration is to put the VPN settings on the AP itself. These settings will tell the remote AP to use IPSec to connect to the mobility controller. The settings provide the user name, password and IKE shared secret to use as part of establishing the IPSec connection.
This process is similar to provisioning a standard Aruba AP as outlined in the Best Practices: WLAN Base Configuration document, with the addition of the IPSec information.
Provisioning the remote APs
Here is the procedure to provision a remote Aruba access point [3]:
1 Connect the Aruba AP either directly to the Aruba mobility controller (if it has a line card with fast Ethernet ports) or to another network device and ensure it comes up correctly [4]
2 On the top-level menu bar, click Maintenance
3 On the left-hand option menu, under WLAN, click Program AP
4 Select the AP by clicking on the radio button next to it
5 Click the Provision button
6 In the AP Parameters section of the AP provisioning screen, enter the following information:
Building 250
Floor 1
Location 1 [5]
7 In the IPSec Parameters section of the AP provisioning screen, enter the following information:
IKE PSK secret
Confirm IKE PSK secret
User Name RAP01
Password GoAruba
Confirm Password GoAruba
Warning: The IKE PSK and policy used in this document are for illustrative purposes only; a stronger PSK is recommended for production networks.
[3] This procedure is supported for all Aruba AP models except the AP-52.
[4] For information on how to configure an Aruba AP please refer to the Best Practices: WLAN Base Configuration document or the Aruba User Guide.
[5] It is a best practice to use a location ID for remote APs that does not overlap with a location ID that is used for permanently installed APs.
8 In the Master Discovery section of the AP provisioning screen, enter the following information:
Host Switch IP Address 216.31.249.230
Master Switch IP Address 216.31.249.230
9 In the IP Settings section of the AP provisioning screen, enter the following information:
Obtain IP Address Using DHCP Click the radio button to enable
10 Click the Apply and Reboot button at the bottom of the screen to load the new configuration to the AP
Test & Validate
Verify the AP comes back up correctly and is no longer shown as an unprovisioned AP. It should now show up in the Network Summary screen as a provisioned, IPSec AP.
Here is the procedure to validate the remote AP has been correctly provisioned:
1 Connect to the Aruba mobility controller
2 On the top-level menu bar, click Monitoring
3 In the Network Summary screen, check WLAN Network Status and ensure at least one AP is listed under the IPSEC Up column
If the remote AP is not listed, please follow the steps outlined in the Troubleshooting section of this document.
Checkpoint!
We now have an operational master Aruba controller that is configured with:
DMZ VLAN and IP address
Remote AP VLAN
Configured VPN server
Remote AP firewall policy
Remote AP role
Configure the VPN AAA server
Create remote AP accounts
Connected remote APs
Troubleshooting
Overview
This section describes common configuration issues and troubleshooting tips for remote APs.
Common problems
The following is a list of common behaviors or symptoms that may occur with remote AP configuration:
Remote AP does not connect: does not show up under IPSEC Up in the WLAN Network Status section of the management GUI
Remote AP does not connect
A very common symptom is when the remote AP is configured, but is unable to establish an IPSec connection to the Aruba mobility controller. If the AP does not fully connect, the best way to troubleshoot this problem is to observe the boot messages of the AP. This is done by attaching to the serial port of the AP.
For more information on how to connect to the serial port of an Aruba AP, please see the Troubleshooting section of the Best Practices: WLAN Base Configuration document or the Aruba User Guide.
Observe the AP boot sequence; here is a typical example:
Aruba Wireless Networks 6x_70
ArubaOS Version 2.4.1.17 (build 11469 / label #11469)
Built by p4build@speedy on 2005-10-07 at 19:47:40 PDT (gcc version 3.4.1)
Calibrating delay loop... 179.20 BogoMIPS
Memory: 25568k/32768k available (1506k kernel code, 7200k reserved, 2444k data, 188k init, 0k highmem)
physmap flash device: 400000 at 1fc00000
AMD Flash AM29LV320D (Top) (User Locked)
phys_mapped_flash: Found 1 x16 devices at 0x0 in 8-bit bank
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
bond0: Atheros AR2313: 00:0b:86:c2:7a:00, irq 4
Getting an IP address...
bond0: Configuring MAC for full duplex
192.168.1.22 255.255.255.0 192.168.1.1
Running ADP...Done. Master is 24.128.183.241
Setting up IPSec SA to 24.128.183.241...
Note how the SA portion of IPSec hangs and does not return a success. This can be caused by the following:
1 Missing remote AP licenses on the mobility controller
2 IKE policy mismatch
3 User name or password mismatch
4 Insufficient network access
AP configuration checklist
Here is a checklist to use to troubleshoot these problems:
Issue: Missing remote AP licenses on controller
Resolution: Check if RAP is licensed on the controller:
CLI
show license command
GUI
1 Connect to the Aruba mobility controller
2 On the top-level menu bar, click Maintenance
3 On the left-hand option bar, click License Management
Issue: IKE policy mismatch
Resolution: Check the VPN settings on the controller:
GUI
4 Connect to the Aruba mobility controller
5 On the top-level menu bar, click Configuration
6 On the left-hand option menu, under Security, click VPN Settings
Issue: User name/password mismatch
Resolution: Check or reset the user name and password on the Aruba AP and the authentication server (Internal DB) account
Issue: Insufficient access
Resolution: Check the role for the remote APs (RemoteAP-Access). Make sure there are sufficient privileges for the APs to connect.
GUI
1 Connect to the Aruba mobility controller
2 On the top-level menu bar, click Configuration
3 On the left-hand option menu, under Security, click Authentication Methods
4 Check the default role for successful VPN clients
Note
There are occasions when a Remote AP will take longer than 2-3 minutes to reboot, depending on its current revision of software versus what the controller software revision is.