Contributor I
Posts: 25
Registered: ‎01-23-2015

AP-225 split tunneling showing with Invalid (I) Flag

I've set up an AP profile for split tunneling and it's showing with the Invalid (I) flag on the controller; see config below. When I change forward-mode to 'tunnel' all is fine (except split tunneling doesn't work lol ;) Please advise.

 

wlan virtual-ap "Aruba-CP-Radius-vap_prof2"
    aaa-profile "Aruba-CP-Radius-aaa_prof2"
    ssid-profile "Aruba-CP-Radius-ssid_prof2"
    vlan 176
    forward-mode split-tunnel

aaa profile "Aruba-CP-Radius-aaa_prof2"
    authentication-dot1x "CFN-Main-dot1x"
    dot1x-default-role "split-usr"
    dot1x-server-group "CFN-RADIUS-server-grp"

user-role split-usr
    access-list session split-acl

ip access-list session split-acl
    any any svc-dhcp permit
    any alias Net_10.29.0.0-16 any permit
    user any any src-nat

MVP
Posts: 1,409
Registered: ‎05-28-2008

Re: AP-225 split tunneling showing with Invalid (I) Flag


Do you have your AP configured as a RAP or a CAP? Is your AP connected from a remote site/other network?
If it is working as a CAP, split tunneling isn't possible.

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: AP-225 split tunneling showing with Invalid (I) Flag

Split-tunnel is only possible if the AP is configured as a RAP.

 

Tunnel, bridge and decrypt-tunnel are available when operating as a campus AP.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: AP-225 split tunneling showing with Invalid (I) Flag

Is that a named VLAN?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 25
Registered: ‎01-23-2015

Re: AP-225 split tunneling showing with Invalid (I) Flag

Yes, it's CAP... so does it mean I have to change to RAP and then set an IKE PSK? Does the RAP connect to the controller's public IP or private IP (in my case it's an IPsec tunnel from my home remote network to the DC firewall, so AP to controller communication is through IPsec)? I'm not sure what decrypt-tunnel is for.

 

vlan 176 (id 176) is on controller side 

 

(Aruba-7210) #show vlan 176

VLAN CONFIGURATION
------------------
VLAN  Description  Ports    AAA Profile
----  -----------  -----    -----------
176   VLAN0176     GE0/0/0  N/A
