AAA, NAC, Guest Access & BYOD

How do I configure split-tunnel mode in a Remote AP (AP-70) for wired clients?

Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.2 and 3.3.

Split-tunnel forwarding mode is a Remote AP (RAP) feature that lets the administrator define an ACL under which corporate traffic and DNS requests are sent back to the corporate network over a secure tunnel, while all other traffic is source NATed to the AP's Enet0 IP address and sent to the local LAN.

Split-tunnel Functionality

Corporate traffic is tunneled to the controller:

  • GRE encapsulated to preserve VLAN tags
  • Encrypted using IPsec (between the RAP and the controller)

Other traffic is locally routed: local traffic is source NATed (to the enet0 address) and forwarded on the wired interface according to the user role and session ACL.

Pre-requisites

  • ArubaOS 3.2 or higher
  • RAP license
  • AP70 or AP12x (AP12x needs ArubaOS 3.3 or higher)
  • RAP is configured and up
  • No other aaa wired profile in use (you can have only one aaa wired profile)

Configuration Steps

These steps are explained using both the CLI and the GUI; refer to the User Guide for more details.

1) Define the corporate IP networks.

netdestination corp-network
  network 10.0.0.0 255.0.0.0

GUI:

Configuration > Stateful Firewall > Destination > Add

2) Define the access list.

ip access-list session Corporate-split
  any any svc-dhcp permit
  user alias corp-network any permit
  user any any route src-nat

Alternate, more permissive access list:

ip access-list session Corporate-split
  any any svc-dhcp permit
  alias corp-network alias corp-network any permit
  user any any route src-nat

The firewall action "permit" sends the traffic into the tunnel, whereas "route src-nat" NATs it to the enet0 address and sends it out locally. Rules are matched in order, so the src-nat catch-all must stay last.
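As an added illustration that is not part of the original article or of ArubaOS, the Python model below evaluates the first Corporate-split ACL against a few constructed client flows in first-match order, mapping "permit" to the tunnel and "route src-nat" to local forwarding. It also shows the failure mode of putting the src-nat catch-all first, which would send corporate traffic out the local LAN instead of the tunnel. The simplified rule matching and the implicit deny at the end of the list are assumptions of the model, not a description of the controller's firewall engine.

```python
import ipaddress

# Constructed model of the first Corporate-split ACL above (not Aruba code).
# "permit"        -> forward into the IPsec/GRE tunnel to the controller
# "route src-nat" -> NAT to the RAP enet0 address and forward on the local LAN
NETDESTINATIONS = {"corp-network": [ipaddress.ip_network("10.0.0.0/8")]}

# Rule = (source, destination, service, action). "user" is the client,
# "any" is a wildcard, "alias:<name>" looks the destination up in NETDESTINATIONS.
CORPORATE_SPLIT = [
    ("any", "any", "svc-dhcp", "permit"),
    ("user", "alias:corp-network", "any", "permit"),
    ("user", "any", "any", "route src-nat"),
]

# Same rules with the src-nat catch-all moved first (a misordering to avoid).
MISORDERED = [CORPORATE_SPLIT[2], CORPORATE_SPLIT[0], CORPORATE_SPLIT[1]]

def _dst_matches(dst_spec, dst_ip):
    if dst_spec == "any":
        return True
    if dst_spec.startswith("alias:"):
        nets = NETDESTINATIONS[dst_spec.split(":", 1)[1]]
        return any(ipaddress.ip_address(dst_ip) in net for net in nets)
    return False

def forwarding_decision(acl, dst_ip, service):
    """First-match evaluation of a client-originated flow; an unmatched flow is
    dropped (assumption: modelled as an implicit deny at the end of the ACL)."""
    for src, dst, svc, action in acl:
        if src not in ("any", "user"):   # only client-originated flows are modelled
            continue
        if svc != "any" and svc != service:
            continue
        if not _dst_matches(dst, dst_ip):
            continue
        return action
    return "deny"

def classify_flows(acl, flows):
    """Return {(dst_ip, service): action} for a list of constructed flows."""
    return {flow: forwarding_decision(acl, *flow) for flow in flows}

if __name__ == "__main__":
    sample = [("255.255.255.255", "svc-dhcp"), ("10.1.2.3", "svc-http"),
              ("10.1.2.53", "svc-dns"), ("198.51.100.7", "svc-http")]
    print(classify_flows(CORPORATE_SPLIT, sample))  # DHCP and corp flows tunneled
    print(classify_flows(MISORDERED, sample))       # everything src-NATed locally
```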

GUI:

Configuration > Access Control > Policies > Add

3) Create a user role.

user-role Corporate-split
  session-acl Corporate-split

GUI:

Configuration > Access Control > User Roles > Add

4) Define the AAA profile.

aaa profile wired-employee-laptop
  initial-role Corporate-split

GUI:

Configuration > All Profiles > Wireless LAN > AAA Profile > Add

5) Configure the aaa wired authentication profile.

aaa authentication wired
  profile wired-employee-laptop

GUI:

Configuration > Wired Access > Wired Access AAA Profile > AAA Profile > Choose the profile from the drop-down menu.

Note: In ArubaOS 3.1, 3.2, and 3.3, only one "aaa authentication wired" profile is configured for the entire domain (Master and Locals), so it can be configured only on the Master. The AAA profile should be specified there, and under it we set the initial role that carries the split-tunnel ACL.

6) Define the wired-ap-profile.

ap wired-ap-profile employee-laptop
  wired-ap-enable
  forward-mode split-tunnel
  switchport access vlan xx

GUI:

Configuration > All Profiles > AP > Wired AP Profile > Add

Then

Configuration > AP Configuration > AP group and click Edit > AP > Wired AP Profile > Choose the profile from the drop-down menu.

Or

Configuration > AP Configuration > AP group and click Edit > AP > Wired AP Profile > Choose NEW from the drop-down menu.

Version history
Revision #: 1 of 1
Last update: 07-09-2014 03:51 PM