Forward mode queries


I am trying to understand the forward modes [tunnel, bridge, split tunnel and decrypt tunnel] and I have a few questions.

1. I understand that CPsec should be enabled and APs are required to be whitelisted when you want to configure a Campus AP in bridge mode.

But why is CPSec required to configure a Campus AP in bridge mode?

2. Disabling CPsec on a Campus AP will allow us to do the forward mode configuration [tunnel mode]. Am I correct?

3. Captive portal cannot be done in bridge mode because it's L3 authentication. Am I correct?

4. Why doesn't a Campus AP support split tunnel when a RAP does?

5. What is the use of decrypt tunnel? Normally the controller will change the wireless packet to a wired packet and vice versa during a normal setup, but in decrypt tunnel the AP does the conversion [wireless to wired]. Am I correct or is it wrong? If I am correct then I don't understand the real use of decrypt tunnel. The AP is just doing the controller's job, so what is the real use of decrypt tunnel?

6. Consider that I am using a RAP and I am configuring captive portal with split tunnel.

a. My captive portal's initial role has the following ACLs:

any any svc-dhcp permit

any any svc-dns permit

any any svc-http dst-nat 8080

any any svc-https dst-nat 8081

and for the default role [post-auth role] I usually permit everything, but when I looked into split tunnel the ACLs were a bit different.

b. So I gave the below ACLs under the captive portal's post-auth role:

any any svc-dhcp permit

user alias network any permit

any any route src-nat


# netdestination network

    # network

    # exit


My master controller's IP is

The first ACL under the post-auth role is any any svc-dhcp permit. The initial role already permits the DHCP service, so what is the real use of this ACL, which permits the DHCP service in the post-auth role?


Thank you in advance




Re: Forward mode queries

1. Bridge mode typically needs to pass the credentials and ACLs (the PSK) to the AP securely. CPSEC makes that possible.

2. Yes.

3. Correct.

4. That is the way it is.

5. Tunnel decrypts the client traffic back at the controller. Decrypt tunnel decrypts that traffic at the AP. The traffic needs to be sent over another secure tunnel to the controller. Decrypt tunnel also has the advantage of being able to pass jumbo frames without configuring your switches between the AP and the controller for jumbo.

6. a. "Permit" on a split-tunneled SSID tunnels traffic back to the controller. Route src-nat bridges the traffic local to the AP and then source-NATs it out the IP address of the AP. In the captive portal ACL, you would permit anything that you would need to pass to or through the controller. Everything else you can just route src-nat.

b. A client might need to renew a DHCP lease after authentication.



Colin Joseph
Aruba Customer Engineering
