
Alcatel-Lucent AOS-W 6.5.3.x - VPN Configuration

Alcatel-Lucent AOS-W 6.5.3.x
1160 pages
1043| Instant AP VPN Support AOS-W 6.5.3.x| User Guide
If you have a master-local setup, upgrade the master switch first, and then the Local switch.
Ensure that the IAP-VPN branches are configured through the OmniVista or Central management
interfaces. If the IAP-VPN branches are not managed by OmniVista or Central, or if your network has IAPs
running Instant 3.4 or lower release versions, execute the following command to ensure that all branches
are in the trusted list:
iap trusted-branch-db allow-all
or
iap trusted-branch-db add mac-address <mac-address>
VPN Configuration
The following VPN configuration steps on the switch enable IAPs to terminate their VPN connection on the
switch:
Whitelist DB Configuration
Switch Whitelist DB
You can use the following CLI command to configure the whitelist DB if the switch is acting as the whitelist
entry:
(host) #whitelist-db rap add mac-address 00:11:22:33:44:55 ap-group test
The ap-group parameter is not used for any configuration, but it must be configured. The parameter can be
any valid string. If an external whitelist is being used, the MAC address of the AP needs to be saved in the
RADIUS server as a lowercase entry without any delimiter.
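The MAC-format rule above, as an added example that is not part of the AOS-W guide: the script turns a constructed list of RAP MAC addresses into the lowercase, delimiter-free RADIUS user name and the colon-delimited whitelist-db command shown above. The function names, the sample addresses, the lowercase hex in the generated command and the rejection of multicast addresses are assumptions of this example.

```python
import re

# Accepted spellings: 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455, 001122334455.
_MAC_FORMS = re.compile(
    r"[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
    r"|[0-9a-f]{12}",
    re.IGNORECASE,
)

# Constructed sample inventory (not real devices): duplicates, mixed case, bad entries.
SAMPLE = [
    "00:11:22:33:44:55", "0011.2233.4455", "AA-BB-CC-DD-EE-0F",
    "ff:ff:ff:ff:ff:ff", "00:11:22:33:44", "00:11-22:33:44:55",
]


def parse_mac(text):
    """Return the 12 lowercase hex digits of a unicast MAC, or raise ValueError."""
    candidate = text.strip()
    if not _MAC_FORMS.fullmatch(candidate):
        raise ValueError(f"not a MAC address: {text!r}")
    digits = re.sub(r"[^0-9a-fA-F]", "", candidate).lower()
    # A device's own address is unicast: low bit of the first octet is 0.
    if int(digits[:2], 16) & 1:
        raise ValueError(f"multicast/broadcast address: {text!r}")
    return digits


def switch_command(digits, ap_group="test"):
    """Colon-delimited form, as in the guide's whitelist-db example."""
    colon = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return f"whitelist-db rap add mac-address {colon} ap-group {ap_group}"


def build_whitelist(raw_entries, ap_group="test"):
    """Return (entries, rejected); entries are de-duplicated, in input order."""
    entries, rejected, seen = [], [], set()
    for raw in raw_entries:
        try:
            digits = parse_mac(raw)
        except ValueError as err:
            rejected.append(str(err))  # keep for review instead of guessing
            continue
        if digits not in seen:
            seen.add(digits)
            entries.append({"radius_user": digits,  # lowercase, no delimiter
                            "switch_cli": switch_command(digits, ap_group)})
    return entries, rejected
```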
External Whitelist DB
The external whitelist functionality enables you to configure the RADIUS server to use an external whitelist for
authentication of MAC addresses of RAPs.
If you are using Windows 2003 server, perform the following steps to configure the external whitelist on it. There
are equivalent steps available for Windows Server 2008 and other RADIUS servers.
1. Add the MAC addresses for all the RAPs in the Active Directory of the RADIUS server:
   a. Open the Active Directory and Computers window, add a new user and specify the MAC address
      (without the colon delimiter) of the RAP for the user name and password.
   b. Right-click the user that you have just created and click Properties.
   c. In the Dial-in tab, select Allow access in the Remote Access Permission section and click OK.
   d. Repeat Step a through Step b for all RAPs.
2. Define the remote access policy in the Internet Authentication Service:
   a. In the Internet Authentication Service window, select Remote Access Policies.
   b. Launch the wizard to configure a new remote access policy.
   c. Define filters and select grant remote access permission in the Permissions window.
   d. Right-click the policy that you have just created and select Properties.
   e. In the Settings tab, select the policy condition, and click Edit Profile....
   f. In the Advanced tab, select Vendor Specific, and click Add to add new vendor specific attributes.
   g. Add new vendor specific attributes and click OK.
   h. In the IP tab, provide the IP address of the RAP and click OK.
