New Contributor
Posts: 3
Registered: ‎07-19-2011

SafeConnect and Split Tunnel Remote AP

Hi, Mike. I'm in the exact same boat. We have a 3600 controller and 45 or so campus APs that do authentication with Safe*Connect NAC. We have rented some off-campus houses to put resident students in and I need to provide service via cable modems. I have some RAP5WN units, some AP-105s and some IAP-105s and have not been able to create an acceptable config. By acceptable, I mean a setup that requires authentication and does not keep people in tunnel forward mode. I can get authentication to work only in tunnel mode, but that's painfully slow with cable modems. I have an open case with Aruba tech support but they seem to be struggling with it. It looks like you have a solution, but I'm a little fuzzy on how it works. Are the students required to authenticate and do they then get split tunnel service? Actually, there is nothing our students would need that they can't get via the public Internet so I only need the controller for auth purposes. TIA for any pointers you or others might offer! :D

Cheers!
Charlie
Guru Elite
Posts: 21,499
Registered: ‎03-29-2007

Re: SafeConnect and Split Tunnel Remote AP



What type of authentication do your students do to get onto your network? Are they using encryption?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 3
Registered: ‎07-19-2011

Re: SafeConnect and Split Tunnel Remote AP




We use Safe*Connect NAC that does both authentication and policy enforcement on our campus APs. The students also have Active Directory accounts, which is what Safe*Connect uses to authenticate them. I'm up for anything that works at this point. Safe*Connect would be nice, because it makes sure they have AV installed and Windows updates turned on but, again, I'm happy to see anything work. We are not using encryption at all (open SSIDs).

Thanks!

Charlie

Guru Elite
Posts: 21,499
Registered: ‎03-29-2007

Re: SafeConnect and Split Tunnel Remote AP

What method is SafeConnect using to change the user's role? If we know that, we can make it happen...


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 3
Registered: ‎07-19-2011

Re: SafeConnect and Split Tunnel Remote AP




Hello again Colin! Safe*Connect appears to function as a RADIUS server, passing role assignments back and forth with the Aruba controller. I have attached some screenshots that I think are relevant.

Thanks!
Charlie

Guru Elite
Posts: 21,499
Registered: ‎03-29-2007

Re: SafeConnect and Split Tunnel Remote AP



We are missing a few pieces. What you can do is turn on debugging, connect a client, show the debug log for that client and paste it in here.

config t
logging level debug user

Connect a client and go through the SafeConnect motions

When it is done and logged in, type:

show log user all | include

That will tell us what the client goes through to get connected. Depending on how the SafeConnect device puts clients into a different role, you might NOT be able to do things how you want.


Colin Joseph
Aruba Customer Engineering


MVP
Posts: 371
Registered: ‎01-14-2010

Re: SafeConnect and Split Tunnel Remote AP

Hi Charlie,

The one thing that we had to do was have our RAP5s terminate on one controller and our RAP125s terminate on another controller. Aruba TAC explained that this seems to be a limitation of doing IPsec within IPsec.

We've had our RAP behind a RAP deployed for the summer and our off-campus housing students have enjoyed it. We currently have an open SSID without a guest login and a WPA2/802.1X SSID being broadcast without issue.

In terms of speed, are you doing Aruba's AAA FastConnect? I'm not sure if / how that would work with SafeConnect...

I take it that you are trying to broadcast your campus SSIDs to this location?

-Mike