Occasional Contributor II
Posts: 17
Registered: ‎09-03-2014

VLAN derivation on split tunnel RAP

We're currently in the process of consolidating our SSIDs into one.  This has been achieved for the vast majority of locations where CAPs are employed in bridge mode, using ClearPass to return user role and VLAN attributes.

However, the VLAN derivation via the VSA returned by ClearPass does not work where RAPs have been employed in split tunnel mode.  Although the user role is updated correctly, clients stay on the initial VLAN.  I've tried assigning the VLAN to the user role too, but the VLAN still doesn't change.

I have read that split tunnel RAPs do not support VLAN derivation - can anyone confirm this?
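Before concluding that the RAP's forward mode is the cause, it is worth confirming what the Access-Accept from ClearPass actually carries. The following is an added example, not code from the thread or from Aruba: it encodes and decodes the two Aruba RADIUS vendor-specific attributes involved (Aruba-User-Role, vendor type 1, and Aruba-User-Vlan, vendor type 2, under Aruba's IANA enterprise number 14823, carried in RADIUS attribute 26 as laid out in RFC 2865), and a small diagnosis helper separates "the policy never returned a VLAN" from "a VLAN was returned but the split-tunnel RAP will not apply it". The `diagnose` function, the role names `corporate`/`byod` and VLAN 200 are assumptions for illustration; the sample attribute bytes are constructed by the code itself rather than captured from a real server.

```python
import struct

ARUBA_VENDOR_ID = 14823          # IANA enterprise number registered to Aruba Networks
ARUBA_USER_ROLE = 1              # Aruba-User-Role: string value
ARUBA_USER_VLAN = 2              # Aruba-User-Vlan: 32-bit integer value
RADIUS_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type


def encode_aruba_vsa(vendor_type, value):
    """Encode one Aruba VSA as a RADIUS attribute 26.

    Layout: Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value.
    Integers are packed big-endian (RADIUS 'integer'); strings as UTF-8.
    """
    if isinstance(value, int):
        payload = struct.pack("!I", value)
    else:
        payload = value.encode("utf-8")
    inner = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", ARUBA_VENDOR_ID) + inner
    if 2 + len(body) > 255:
        raise ValueError("RADIUS attribute too long")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept_attrs(role, vlan=None):
    """Build the attribute list an enforcement profile would return (constructed sample)."""
    attrs = encode_aruba_vsa(ARUBA_USER_ROLE, role)
    if vlan is not None:
        attrs += encode_aruba_vsa(ARUBA_USER_VLAN, vlan)
    return attrs


def parse_attrs(data):
    """Walk a RADIUS attribute list and return the Aruba VSAs found, by name."""
    found = {}
    pos = 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length at offset %d" % pos)
        value = data[pos + 2:pos + alen]
        # Only Vendor-Specific attributes with at least Vendor-Id + one sub-header qualify.
        if atype == RADIUS_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id == ARUBA_VENDOR_ID:
                vtype, vlen = value[4], value[5]
                vvalue = value[6:4 + vlen]
                if vtype == ARUBA_USER_ROLE:
                    found["Aruba-User-Role"] = vvalue.decode("utf-8")
                elif vtype == ARUBA_USER_VLAN and len(vvalue) == 4:
                    found["Aruba-User-Vlan"] = struct.unpack("!I", vvalue)[0]
        pos += alen
    return found


def diagnose(attrs, forward_mode):
    """Hypothetical helper: explain why a client did or did not move VLAN.

    forward_mode is the virtual AP forwarding mode the client associated through,
    e.g. "bridge" or "split-tunnel". The split-tunnel rule reflects the answer
    given in this thread: those RAPs apply the role but not the VLAN.
    """
    found = parse_attrs(attrs)
    if "Aruba-User-Role" not in found:
        return "no role VSA in Access-Accept: check the ClearPass enforcement profile"
    if "Aruba-User-Vlan" not in found:
        return "role returned but no VLAN VSA: the policy never derived a VLAN"
    if forward_mode == "split-tunnel":
        return ("VLAN VSA present but split-tunnel RAPs do not apply VLAN derivation; "
                "client stays on the virtual AP's initial VLAN")
    return "VLAN %d should be applied in %s mode" % (found["Aruba-User-Vlan"], forward_mode)


if __name__ == "__main__":
    sample = build_access_accept_attrs("corporate", 200)   # constructed, not captured
    print(sample.hex())
    print(parse_attrs(sample))
    print(diagnose(sample, "split-tunnel"))
    print(diagnose(sample, "bridge"))
```

To use this against a real exchange, feed `parse_attrs` the attribute bytes from a packet capture of the Access-Accept (everything after the 20-byte RADIUS header); if `Aruba-User-Vlan` is present, the policy side is doing its job and the remaining variable is the forwarding mode.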

Guru Elite
Posts: 20,017
Registered: ‎03-29-2007

Re: VLAN derivation on split tunnel RAP

Correct. Split tunnel RAPs do not support VLAN derivation.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor II
Posts: 17
Registered: ‎09-03-2014

Re: VLAN derivation on split tunnel RAP

Thanks for the reply.

Is there any other way to change the initial VLAN assignment in this example?

Guru Elite
Posts: 20,017
Registered: ‎03-29-2007

Re: VLAN derivation on split tunnel RAP

Unfortunately, there is not. Split tunnel only makes sense when the location does not have a dedicated WAN connection back to your location besides the IPsec tunnel. If it does have a connection, it is more efficient to use bridge mode. Of the locations where there is no other connection, it is assumed there is probably only one VLAN.

What is your setup?
Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 17
Registered: ‎09-03-2014

Re: VLAN derivation on split tunnel RAP

These are for locations where there is no dedicated link or VPN tunnel, i.e. home users. Two VLANs have been configured on the controller; one for corporate devices and one for BYOD devices.  The VLAN assigned is based on logic present in ClearPass.  The default initial VLAN assigned is the BYOD VLAN.  The problem is that we cannot assign the other VLAN if the client is detected to be a corporate device.

Guru Elite
Posts: 20,017
Registered: ‎03-29-2007

Re: VLAN derivation on split tunnel RAP

Got it. That is a very unique use case where a BYOD device is allowed remotely. Do the BYOD devices require any resources from the headend, or basically all internet?
Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 17
Registered: ‎09-03-2014

Re: VLAN derivation on split tunnel RAP

Some internal resources, mainly http(s) based, but not entirely.