Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Change forward mode/tunnel data traffic based on RADIUS attribute

  • 1.  Change forward mode/tunnel data traffic based on RADIUS attribute

    Posted Jan 31, 2017 01:41 AM

    Dear all

    One of our customers has got the following setup:

    • WLAN controller located in the datacenter (OS v. 6.3.1.15)
    • APs located at different branch offices
    • APs wired to switch, no VLAN trunking
    • One SSID for private WLAN data traffic (auth mode = PEAP)
    • WLAN data traffic is locally switched (forward mode = bridge)

    I would like to know if there is a way to dynamically instruct the APs to tunnel WLAN traffic back to the controller based on a RADIUS attribute.

    I noticed that if the default forward mode for the SSID is set to tunnel (within the Virtual AP basic configuration), I'm able to bridge the traffic locally by using the RADIUS server, which sends back the native VLAN number as a VSA attribute after authentication.

    My question now is: Can this be done when the default forward mode is set to bridge? Can I override this configuration with a RADIUS attribute and tunnel the data traffic back to the controller?

    Any help or brief instructions would be much appreciated.

    Best regards,
    Matt



  • 2.  RE: Change forward mode/tunnel data traffic based on RADIUS attribute
    Best Answer

    EMPLOYEE
    Posted Jan 31, 2017 05:43 AM

    This is possible if the APs are RAPs and the mode is split-tunnel.

    You can set different roles based on this attribute.

    If you want traffic to tunnel back to the controller, then it would be a 'permit' rule in the ACL. For traffic to break out locally, it would be a 'route src-nat' rule in the ACL.



  • 3.  RE: Change forward mode/tunnel data traffic based on RADIUS attribute

    Posted Jan 31, 2017 08:55 AM

    Hi Michael

    Thanks for the quick response, I will dig deeper into the split-tunneling setup.

    Regards,

    Matt



  • 4.  RE: Change forward mode/tunnel data traffic based on RADIUS attribute

    Posted Jan 31, 2017 10:09 AM

    The split tunnel is the possible solution, but remember that the AP will NAT all traffic not tunneled using its local IP if you do. The clients won't be handled by the local network the same way as when using bridged mode on the SSID.
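To show how the accepted answer (roles plus 'permit' vs. 'route src-nat' rules in split-tunnel mode) and the NAT caveat from the last reply fit together, here is an added ArubaOS 6.x configuration sketch; it is not taken from the thread or from HPE Aruba documentation. The ACL, role, server-group, AAA-profile and virtual-AP names, the 10.0.0.0/8 corporate range, and the use of the standard Filter-Id attribute for role derivation are assumptions (the Aruba-User-Role VSA would be an equivalent way to return the role).

```arubaos
! Added example, not from the thread. All names, the 10.0.0.0/8 range
! and the Filter-Id values are assumptions. The APs must be provisioned
! as RAPs, since split-tunnel forward mode only applies to RAPs.

! Session ACL evaluated top-down, first match wins. In split-tunnel
! mode a 'permit' match is tunneled back to the controller, while a
! 'route src-nat' match leaves the AP's local uplink NATed to the AP's
! own IP (the caveat in the last reply: local hosts see the AP's
! address, not the client's).
ip access-list session corp-split-tunnel
  user network 10.0.0.0 255.0.0.0 any permit
  user any any route src-nat
!
user-role corp-split
  session-acl corp-split-tunnel
!
! Second role for users whose traffic should never be tunneled.
ip access-list session local-only
  user any any route src-nat
!
user-role local-only
  session-acl local-only
!
! Server-derived role: the value of Filter-Id returned by RADIUS picks
! the role, and the role's ACL decides tunnel vs. local breakout per
! flow. This is the "override by RADIUS attribute" the question asks for.
aaa server-group corp-radius
  auth-server corp-radius-1
  set role condition Filter-Id equals "corp-split" set-value "corp-split"
  set role condition Filter-Id equals "local-only" set-value "local-only"
!
aaa profile branch-aaa
  authentication-dot1x default
  dot1x-server-group corp-radius
!
! The SSID stays in split-tunnel mode for everyone; only the role
! assigned after PEAP authentication changes per user.
wlan virtual-ap branch-vap
  aaa-profile branch-aaa
  forward-mode split-tunnel
!
! To check which role and ACL a client actually received:
!   show rights corp-split
!   show user-table verbose
```

Keep the corporate 'permit' rule above the catch-all 'route src-nat' rule; if the order is reversed, every flow is NATed locally and nothing reaches the controller.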