
VPN Configuration

The following VPN configuration steps on the controller allow IAPs to terminate their VPN connection on the controller:

Creating an IAP Whitelist

Controller Whitelist DB

The IAP whitelist is the list of approved APs that can be provisioned on your controller. To create an IAP whitelist:

1. Navigate to Configuration > AP Installation (under Wireless) and then click the RAP Whitelist tab on the right side.
2. Click the New button and provide the following details:
a. AP MAC Address — Mandatory parameter. Enter the MAC address of the AP.
b. Username — Enter a username that will be used when the AP is provisioned.
c. AP Group — Select a group to add the AP.
d. AP Name — Enter a name for the AP. If an AP name is not entered, the MAC address will be used instead.
e. Description — Enter a text description for the AP.
f. IP-Address — Enter an IP address for the AP.
3. Click the Add button to add the instant AP to the whitelist.

The ap-group parameter is not used for any configuration, but it must be set. The parameter can be any valid string. If an external whitelist is being used, the MAC address of the AP must be stored in the RADIUS server as a lower-case entry without any delimiter (for example, 001a1eaabbcc rather than 00:1A:1E:AA:BB:CC).

External Whitelist DB

The external whitelist functionality enables you to configure the RADIUS server to use an external whitelist for authentication of MAC addresses of RAPs.

If you are using Windows Server 2003, perform the following steps to configure the external whitelist on it. Equivalent steps exist for Windows Server 2008 and for other RADIUS servers.

1. Add the MAC addresses for all the RAPs in the Active Directory used by the RADIUS server:
a. Open the Active Directory Users and Computers window, add a new user, and specify the MAC address of the RAP (lower case, without the colon delimiter) as both the user name and the password.
b. Right-click the user that you have just created and click Properties.
c. In the Dial-in tab, select Allow access in the Remote Access Permission section and click OK.
d. Repeat Step a through Step c for all RAPs.
2. Define the remote access policy in the Internet Authentication Service:
a. In the Internet Authentication Service window, select Remote Access Policies.
b. Launch the wizard to configure a new remote access policy.
c. Define filters and select grant remote access permission in the Permissions window.
d. Right-click the policy that you have just created and select Properties.
e. In the Settings tab, select the policy condition, and Edit Profile....
f. In the Advanced tab, select Vendor Specific, and click Add to add new vendor specific attributes.
g. Add new vendor specific attributes and click OK.
h. In the IP tab, provide the IP for the RAP and click OK.

VPN Local Pool Configuration

To configure the VPN Local Pool:

1. Navigate to the Configuration > Advanced Services > VPN Services > IPSec page.
2. Select (check) Enable L2TP.
3. Make sure that only PAP (Password Authentication Protocol) is selected for Authentication Protocols.
4. To configure the L2TP IP pool, click Add in the Address Pools section. Configure the L2TP pool from which the APs will be assigned addresses, then click Done.

The size of the pool should correspond to the maximum number of APs that the controller is licensed to manage.

5. To configure an Internet Security Association and Key Management Protocol (ISAKMP) encrypted subnet and preshared key, click Add in the IKE Shared Secrets section and configure the preshared key. Click Done to return to the IPSec page.
6. Click Apply.
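The following Python script is an added worked example and is not part of the Aruba documentation or product. It applies the whitelist rules from the two whitelist sections above (the lower-case, delimiter-less MAC is both the RADIUS user name and password; the AP name defaults to the MAC address when none is entered) to a constructed list of APs, and then checks that a proposed L2TP pool from step 4 holds enough addresses for the whitelisted APs and for the number of APs the controller is licensed to manage. The sample APs, pool addresses and license count are made up for the example.

```python
import ipaddress
import re

# Constructed sample input for this example (not real deployment data):
# one row per AP as typed into the controller's RAP Whitelist form.
# The AP name is optional; the ap-group is any valid string.
SAMPLE_APS = [
    {"mac": "00:1A:1E:AA:BB:CC", "ap_name": "iap-lobby", "ap_group": "iap-vpn"},
    {"mac": "00-1a-1e-aa-bb-dd", "ap_name": "", "ap_group": "iap-vpn"},
    {"mac": "001a.1eaa.bbee", "ap_name": "iap-warehouse", "ap_group": "iap-vpn"},
]

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC address in the form the external whitelist expects:
    lower case with every delimiter removed (e.g. 001a1eaabbcc).
    Accepts colon, dash and dotted notation; rejects anything that is
    not exactly 12 hex digits once delimiters are stripped."""
    compact = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _MAC_HEX.match(compact):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return compact


def colon_mac(mac: str) -> str:
    """Canonical lower-case colon form for the controller whitelist."""
    compact = normalize_mac(mac)
    return ":".join(compact[i:i + 2] for i in range(0, 12, 2))


def controller_whitelist(aps):
    """Build the controller-side whitelist rows. The AP name falls back to
    the MAC address when none is given, as the form does, and a MAC that
    appears twice is rejected rather than silently overwriting an entry."""
    rows, seen = [], set()
    for ap in aps:
        compact = normalize_mac(ap["mac"])
        if compact in seen:
            raise ValueError(f"duplicate whitelist entry for {colon_mac(compact)}")
        seen.add(compact)
        rows.append({
            "mac": colon_mac(compact),
            "ap_name": ap.get("ap_name") or colon_mac(compact),
            "ap_group": ap["ap_group"],
        })
    return rows


def external_whitelist_accounts(aps):
    """(username, password) pairs for the external whitelist: both fields
    are the delimiter-less lower-case MAC, as the RADIUS server expects."""
    return [(normalize_mac(ap["mac"]), normalize_mac(ap["mac"])) for ap in aps]


def l2tp_pool_size(first: str, last: str) -> int:
    """Number of addresses in an L2TP pool given its first and last address."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError(f"pool end {last} precedes pool start {first}")
    return int(hi) - int(lo) + 1


def check_pool(first: str, last: str, licensed_aps: int, aps) -> dict:
    """Pre-flight check for the local pool: it must hold at least one
    address per whitelisted AP and should match the number of APs the
    controller is licensed to manage."""
    size = l2tp_pool_size(first, last)
    problems = []
    if size < len(aps):
        problems.append(f"pool has {size} addresses for {len(aps)} whitelisted APs")
    if size < licensed_aps:
        problems.append(f"pool has {size} addresses but license covers {licensed_aps} APs")
    return {"pool_size": size, "ok": not problems, "problems": problems}


if __name__ == "__main__":
    for row in controller_whitelist(SAMPLE_APS):
        print("controller:", row)
    for user, password in external_whitelist_accounts(SAMPLE_APS):
        print("radius user:", user, "password:", password)
    print(check_pool("10.20.30.1", "10.20.30.100", licensed_aps=64, aps=SAMPLE_APS))
```

Because the external whitelist account's user name and password are both the AP's MAC address, which is printed on the unit and visible on the wire, treat these accounts as authorization entries rather than secrets: keep the remote access policy's filters (step 2c) tight so they cannot be used for anything other than the RAP/IAP authentication described here.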

VPN Profile Configuration

The VPN profile configuration defines the server used to authenticate the IAP (the internal server or an external server) and the user role assigned to the IAP. This role is where the src-nat rule towards the RADIUS server is defined, which is required for dynamic RADIUS proxy to work.

1. Navigate to the Configuration > Security > Authentication > L3 Authentication page.
2. In the Profiles list, select VPN Authentication Profile > default-iap.
3. For Default Role, enter the user role you created previously (for example, InstantAP). The role must already exist on the controller.
4. Click Apply.
5. In the Profile list, under VPN Authentication Profile, select Server Group.
6. Select the server group from the drop-down menu.
7. Click Apply.

For more information on VPN profile configuration, see VPN Configuration.

RADIUS Proxy for VPN Connected IAPs

For the RADIUS proxy for VPN-connected IAPs to work, the IAP needs a user role on the controller: the role entered as the Default Role of the VPN authentication profile, in which the src-nat rule towards the RADIUS server is defined. To create that role:

1. Navigate to the Configuration > Security > Access Control > User Roles page. Click Add to create the sysadmin role.
2. For Role Name, enter sysadmin.
3. Under Firewall Policies, click Add. In Choose from Configured Policies, select the predefined allowall policy. Click Done.
4. Click Apply.
