So, just to review, the following is the process.
A factory reset or new IAP/UAP boots. It attempts to connect to Activate. It should have automatically been added to Activate, or you had to manually add it to Activate. In Activate you create a folder, and in the folder you create a rule. The rule should be a provisioning rule, and the type should be IAP to RAP (Controller). An AP group should be defined, and either a DNS or IP address needs to be entered in the Controller field. The IAPs need to be able to reach this address. If this is an internal test, the address could be a local IP with the Remote APs connected on the same network. If the Remote APs are elsewhere in the world, they need to be able to reach the address and have their connection forwarded to the controller. Controller-MAC is optional.
After the IAPs communicate with Activate, all Activate is doing is telling them they need to talk to this controller to download their L2TP/IPsec Remote AP configuration. So the IAPs attempt to do so. When the IAPs attempt to connect to the controller, the controller does not know who the IAPs are, so the IAPs need to be added to the Remote AP whitelist so that the controller knows to trust them and to send the configuration to the IAPs.
Once the configuration is downloaded to the IAPs, they will reboot as Remote APs. This L2TP/IPsec VPN configuration tells the AP the IP address or DNS address of the controller where the Remote AP will be terminating its VPN connection.
So the IAP talks to Activate, which tells it to talk to a controller to get its VPN configuration. The IAP then talks to the controller to download its VPN configuration, which could tell it that the VPN server is a different controller. Finally, the IAP, which is now operating as a Remote AP, will talk to the VPN controller to establish its VPN/Remote AP connection.
I hope this helps a little with understanding the process.
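The post lists the pieces that have to line up before the conversion works: the Activate rule (type, AP group, Controller field as IP or DNS name), and the controller's Remote AP whitelist containing every IAP MAC. The following is an added pre-flight checker written for this thread, not code from Aruba or from the original poster. It validates the rule fields, normalizes IAP MACs, parses a whitelist listing to find APs the controller will refuse, and emits the whitelist entries still needed. The rule dictionary keys, the sample whitelist text and the `whitelist-db rap add mac-address ... ap-group ...` command form are assumptions to be checked against your ArubaOS release, not taken from the post.

```python
import ipaddress
import re

# Matches one DNS label per group; labels may not start or end with '-'.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
MAC_RE = re.compile(r"(?i)\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b")


def normalize_mac(mac):
    """Accept aa:bb:cc.., AA-BB-CC.. or aabb.cc.. and return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def classify_controller(value):
    """Return 'ip' or 'dns' for the Activate Controller field, else raise ValueError."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return "dns"
    raise ValueError(f"Controller field is neither an IP nor a hostname: {value!r}")


def validate_rule(rule):
    """Check the fields the post says an 'IAP to RAP (Controller)' rule needs.

    Returns a list of problems; an empty list means the rule is complete.
    controller_mac is optional, so it is never required here.
    """
    problems = []
    if rule.get("type") != "IAP to RAP (Controller)":
        problems.append("rule type must be 'IAP to RAP (Controller)'")
    if not rule.get("ap_group"):
        problems.append("AP group is required")
    try:
        classify_controller(rule.get("controller", ""))
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def parse_whitelist(show_output):
    """Pull every MAC out of a whitelist listing, whatever the surrounding columns."""
    return {normalize_mac(m) for m in MAC_RE.findall(show_output)}


def missing_from_whitelist(iap_macs, whitelisted):
    """IAPs the controller does not yet trust, i.e. that will not get a RAP config."""
    return sorted({normalize_mac(m) for m in iap_macs} - whitelisted)


def whitelist_commands(macs, ap_group):
    """Assumed ArubaOS CLI form; confirm against your controller's documentation."""
    return [f"whitelist-db rap add mac-address {normalize_mac(m)} ap-group {ap_group}"
            for m in macs]


# Constructed sample data for a stand-alone run.
SAMPLE_RULE = {"type": "IAP to RAP (Controller)", "ap_group": "remote-aps",
               "controller": "rap.example.com"}
SAMPLE_IAPS = ["00:1A:1E:AA:BB:CC", "00-1a-1e-cc-dd-ee"]
SAMPLE_SHOW = """AP-Group    AP-Name   MAC-Address        Description
remote-aps  rap-01    00:1a:1e:aa:bb:cc  branch office
"""

if __name__ == "__main__":
    print("rule problems:", validate_rule(SAMPLE_RULE) or "none")
    todo = missing_from_whitelist(SAMPLE_IAPS, parse_whitelist(SAMPLE_SHOW))
    for cmd in whitelist_commands(todo, SAMPLE_RULE["ap_group"]):
        print(cmd)
```

Run it against the real output of your controller's whitelist listing instead of `SAMPLE_SHOW`; an AP reported by `missing_from_whitelist` is one that will reach the controller and be ignored, which is the symptom the post describes when the whitelist step is skipped.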