New Contributor
Posts: 1
Registered: ‎01-03-2012

Split-Tunnel with CWP redirect to amigopod

Hi everyone

I have problems trying to do split-tunnel through wireless and wired configuration, using CWP.

Could someone guide me to do it?

I'm using RAP02 to get users from air and wire, and show a CWP to authenticate them to amigopod RADIUS; after auth we will use the corp LAN to get access directly to the internet and tunnel only for "aruba" traffic (control, management, amigopod).

Many thanks.

Ricardo Luis Cañavate Garcia - Senior Sales Engineer - BT Global Services Spain
Moderator
Posts: 150
Registered: ‎11-14-2011

Re: Split-Tunnel with CWP redirect to amigopod

Ricardo,

 

Here are a couple of tips from the soon-to-be-released updated VBN VRD document that might help.

"Regardless of the forwarding mode, all the settings that are related to captive portal reside at the controller and are not pushed to the RAPs. So to present the guest users with the captive portal page, they have to connect to the controller. Hence in remote deployments, the guest network at branch offices cannot be deployed in bridge forwarding mode if captive portal authentication is required.

The guest network at branch offices is usually deployed in split-tunnel forwarding mode for captive portal authentication. In this case, user roles are used to achieve the same behavior as bridge forwarding mode while providing captive portal authentication. The initial role assigned to the guests allows them to reach the captive portal page through the controller. After the guests pass the captive portal authentication, the authenticated role that is assigned to them can be designed to behave like a bridge forwarding mode.

Caution! When captive portal authentication is provided via split-tunnel forwarding mode, the controller must be the default gateway for the VLAN (subnet) used for guest users. Aruba recommends using the controller as the DHCP server for the guest VLAN. This guest VLAN, which is local to the controller, should be source-NATed by the controller."

 

Sample initial role that allows access to the Amigopod and default captiveportal policy.

user-role guest-branch-logon
 captive-portal "default"
 access-list session amigopod
 access-list session captiveportal
 access-list session guest-logon-access
!

Hope this helps

 

Cam.
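
The reply above shows only the initial (pre-authentication) role. As an added illustration that is not part of the original post or the VRD, here is one way the post-authentication role described in the quoted text could look: traffic to Amigopod and DHCP stays in the tunnel, everything else is forwarded locally at the RAP. The names `amigopod-server`, `guest-split-tunnel` and `guest-branch-auth` and the address 192.0.2.10 are placeholders, and the block assumes ArubaOS session-ACL syntax with the `route src-nat` action.

```text
! Added example: all names and the address below are placeholders.
! Placeholder alias for the Amigopod server reached through the tunnel.
netdestination amigopod-server
 host 192.0.2.10
!
! Rule 1: DHCP stays in the tunnel, since the controller is the DHCP server
!         and default gateway for the guest VLAN.
! Rule 2: traffic to Amigopod is permitted, so it is tunneled to the controller.
! Rule 3: all remaining user traffic is forwarded locally by the RAP and
!         source-NATed, which gives the bridge-like behavior after login.
ip access-list session guest-split-tunnel
 any any svc-dhcp permit
 user alias amigopod-server any permit
 user any any route src-nat
!
! Hypothetical authenticated role that carries the split-tunnel policy.
user-role guest-branch-auth
 access-list session guest-split-tunnel
!
! Assign the authenticated role once captive portal login succeeds.
aaa authentication captive-portal "default"
 default-role guest-branch-auth
!
```

Rule order matters in a session ACL: the first match wins, so the tunneled destinations must sit above the catch-all `route src-nat` line.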
