Yes, we can pass all traffic, including authentication, to the Controller for a Single Data Center (one Controller) or for Multiple Data Centers with one Controller in each, which can be used for redundancy of the IAP VPN tunnel. You may select Distributed L3 or Centralized L2 mode of operation on the IAP. For a deployment with a Master-Standby Controller setup, we need to perform local authentication (at the IAP end).
Also, note that the RADIUS and AirWave traffic from the IAP will carry the VPN-pool IP address that was assigned by the Controller to the IAP. To understand the different IAP modes of operation, this might be a useful read: https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/What-are-the-IAP-VPN-modes
To tunnel all traffic from IAP to the Controller, the routing profile on the IAP should look like:
routing-profile
route 0.0.0.0 0.0.0.0 <Controller-IP>
For the Master-Standby deployment, we need to add routing-profile exceptions for the RADIUS server and AirWave IPs, since the design requirement for this solution requires local RADIUS authentication at the IAP:
routing-profile
route <radius server ip> 255.255.255.255 0.0.0.0
route <Airwave IP> 255.255.255.255 0.0.0.0
Also, we now have an option on the IAP to configure an enterprise domain so that all DNS queries matching that domain are tunnelled to the client's original DNS server without proxying on the IAP.
Example 1: Tunnel all DNS queries to the Controller:
internal-domains
domain-name *
Example 2: Configure an enterprise domain to tunnel only the DNS queries matching that domain to the Controller:
internal-domains
domain-name corpdomain.com
Hope this helps.
Regards,
Riyaz
[Hit Kudos if you find the info useful]
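As an added example (not part of Riyaz's post or of Aruba's own code), the following Python models the forwarding decision the Master-Standby routing profile above produces, together with the internal-domains match from Example 1 and Example 2. It assumes the Aruba semantics implied by the post: a next hop of 0.0.0.0 means the destination is reached directly from the IAP rather than through the VPN tunnel, the most specific route wins, and an internal-domains entry matches the domain itself and its subdomains ("*" matches everything). The IP addresses and the hostnames are placeholders constructed for this example.

```python
import ipaddress

# Constructed stand-in for <Controller-IP> in the post; not a real deployment value.
CONTROLLER_IP = "203.0.113.10"

# The Master-Standby routing profile from the post, as (network, netmask, next-hop).
# RADIUS and AirWave addresses are placeholders chosen for this example.
ROUTING_PROFILE = [
    ("0.0.0.0", "0.0.0.0", CONTROLLER_IP),          # route 0.0.0.0 0.0.0.0 <Controller-IP>
    ("192.0.2.50", "255.255.255.255", "0.0.0.0"),   # route <radius server ip> 255.255.255.255 0.0.0.0
    ("192.0.2.60", "255.255.255.255", "0.0.0.0"),   # route <Airwave IP> 255.255.255.255 0.0.0.0
]

# Example 2 from the post. Example 1 would be ["*"].
INTERNAL_DOMAINS = ["corpdomain.com"]

# Assumption: a 0.0.0.0 next hop means "forward directly, do not tunnel".
LOCAL_BREAKOUT = "0.0.0.0"


def parse_routing_profile(entries):
    """Convert (network, netmask, next-hop) text into (ip_network, next-hop) pairs."""
    return [
        (ipaddress.ip_network(f"{net}/{mask}", strict=False), next_hop)
        for net, mask, next_hop in entries
    ]


def next_hop(dst, routes):
    """Longest-prefix match over the routing profile; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]


def is_tunnelled(dst, routes):
    """True when the destination is sent through the IAP VPN tunnel to the Controller."""
    hop = next_hop(dst, routes)
    return hop is not None and hop != LOCAL_BREAKOUT


def dns_query_tunnelled(qname, internal_domains):
    """True when a DNS query name matches an internal-domains entry.

    Assumption: an entry matches the domain itself and any subdomain of it;
    "*" matches every query, as in Example 1.
    """
    query = qname.rstrip(".").lower()
    for domain in internal_domains:
        if domain == "*":
            return True
        domain = domain.rstrip(".").lower()
        if query == domain or query.endswith("." + domain):
            return True
    return False


ROUTES = parse_routing_profile(ROUTING_PROFILE)

if __name__ == "__main__":
    # Constructed destinations: an internal server, the RADIUS server, AirWave, the Controller.
    for dst in ["10.20.30.40", "192.0.2.50", "192.0.2.60", CONTROLLER_IP]:
        print(f"{dst:>15} -> {'tunnel' if is_tunnelled(dst, ROUTES) else 'local'}")
    for name in ["intranet.corpdomain.com", "corpdomain.com", "www.example.com"]:
        print(f"{name:>25} -> {'tunnel' if dns_query_tunnelled(name, INTERNAL_DOMAINS) else 'local'}")
```

The two /32 exceptions only change the outcome for the RADIUS and AirWave addresses; every other destination, including the Controller itself, still falls through to the default route and is tunnelled. The checks are useful when troubleshooting a profile that accidentally lists a /24 for the exception instead of a host mask, which would break out far more traffic than intended.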