
RAP Split Tunnel with Clearpass

Hi:

I'm setting up a RAP to extend our corporate SSID to a remote site.

I've gotten the RAP to connect, the corporate SSID shows up, and remote users can connect and authenticate to Active Directory via ClearPass.

Lovely!

Now I'd like to configure a split tunnel at the remote site.

The current ClearPass policies check IF user is in the corporate group AND the computer is an AD domain member THEN they are assigned to the corporate role.

To configure a split tunnel, I'm assuming that I'd want to add a rule in ClearPass that applies a different policy for RAP users, something like:

IF computer is a domain member, AND user is in the corporate group, AND AP group is Remote-AP, THEN apply a "corp-remote" role. The corp-remote role would have a permit action for corporate internal networks and a "route src-nat" action for all other addresses.

Does that seem like the best way to do this, or are there other best practices?

Thanks.

Tony
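The role the post describes, written out as an added example in ArubaOS controller CLI (this is not configuration from the original poster or from Aruba's documentation). The ACL name corp-remote-split, the role name corp-remote, the virtual AP name corp-remote-vap and the use of 10.0.0.0/8 as the stand-in for the corporate internal address space are all assumptions for illustration; substitute your own names and ranges.

```text
ip access-list session corp-remote-split
  user network 10.0.0.0 255.0.0.0 any permit
  user any any route src-nat
!
user-role corp-remote
  access-list session corp-remote-split
!
wlan virtual-ap corp-remote-vap
  forward-mode split-tunnel
```

The first ACL line keeps traffic to corporate destinations inside the RAP's IPsec tunnel to the controller; the second sends everything else out of the RAP's local uplink, source-NATed to the RAP's local address. Two points worth checking before relying on it: the route src-nat action only does anything when the virtual AP is in split-tunnel forward mode (a tunnel-mode VAP carries all traffic back to the controller regardless of the ACL), and the role name ClearPass returns in the Aruba-User-Role RADIUS VSA has to match the user-role name on the controller exactly, since a mismatched role silently falls back to the default role. On the security side, once the catch-all route src-nat line is in place, non-corporate traffic from those clients no longer passes through the datacenter firewall, proxy or IDS, so the session ACL in this role is the only policy applied to it; if there are private ranges at the remote site (printers, other tenants' networks) that remote clients should not reach directly, add explicit deny lines for them above the route src-nat line.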

Re: RAP Split Tunnel with Clearpass

I usually do a separate service to handle RAP authentication to make it easier to make changes without affecting the campus.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Re: RAP Split Tunnel with Clearpass

Hi Tim:

Thanks, that's a great idea.

My policies were going to become very messy otherwise.
