Frequent Contributor II
Posts: 116
Registered: ‎05-03-2013

Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

The documentation I have found so far shows instructions and screenshots that do not fully match the GUI I'm seeing on the controller. Maybe I haven't checked the right places so far? We're using an Aruba 650 controller on the 6.3 branch.

 

My goal is to place a RAP in a remote office and let users connecting to the RAP through wifi access resources at the main office. As far as I understand, split tunnel makes the clients in the remote office use the DHCP-server in the main office and sends data for the main office to the main office (not NAT'ed) and sends data for the internet directly to the internet (NAT'ed). Is this correct?

 

And will computers in the main office be able to ping systems in the remote office as well?

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

Correct on all counts.  Users in the main office will be able to ping clients on APs in the remote office, because they will have routable ip addresses, assigned from the datacenter.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II
Posts: 116
Registered: ‎05-03-2013

Re: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

Thank you. Should the most up-to-date info be in the knowledge base? Or do you have a URL to a guide I should use? If I run into something that looks different in my setup, shall I let you know in this thread?

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

It has not changed in years.  You would need to make sure:

 

- The access point is configured as a remote AP (required for split tunneling)

- The Virtual AP is configured as Split-Tunnel

- The user role assigned should look like this:

 

any any service dhcp permit

any network corpnetwork any permit

any any any route src-nat

 

The first rule permits DHCP, which is essential.

The second rule detects any traffic going back to the corporate network and permits it back through the tunnel.

The third rule is a catch-all for anything that is not destined to corporate and source-NATs it out of the IP address of the RAP.

 

 



Colin Joseph
Aruba Customer Engineering
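As an added example that is not part of this thread or of Aruba's own code, the following Python models the first-match behaviour of the three-rule split-tunnel role Colin lists above; it assumes "corpnetwork" is 10.0.0.0/8 and uses constructed sample flows, and it also shows what happens to corporate traffic if the catch-all rule is placed ahead of the corpnetwork rule.

```python
# Added example: a tiny first-match evaluator for the split-tunnel user role.
# Assumptions (not from the thread): corpnetwork = 10.0.0.0/8; sample flows are constructed.
from ipaddress import ip_address, ip_network

CORPNETWORK = ip_network("10.0.0.0/8")  # assumed value of the "corpnetwork" alias

# Each rule is (dst_match, service, action). Source is "any" in all three rules, so it is
# omitted; dst_match None means "any", service None means "any".
SPLIT_TUNNEL_ACL = [
    (None,        "dhcp", "permit"),         # any any service dhcp permit
    (CORPNETWORK, None,   "permit"),         # any network corpnetwork any permit (tunnelled)
    (None,        None,   "route src-nat"),  # any any any route src-nat (local breakout)
]

# Same rules with 2 and 3 swapped: the catch-all now shadows the corpnetwork rule.
MISORDERED_ACL = [SPLIT_TUNNEL_ACL[0], SPLIT_TUNNEL_ACL[2], SPLIT_TUNNEL_ACL[1]]


def classify(dst_ip: str, service: str, acl=SPLIT_TUNNEL_ACL) -> str:
    """Return the action of the first matching rule; 'deny' models the implicit deny."""
    dst = ip_address(dst_ip)
    for dst_match, svc, action in acl:
        if svc is not None and svc != service:
            continue
        if dst_match is not None and dst not in dst_match:
            continue
        return action  # first match wins, later rules are never consulted
    return "deny"


if __name__ == "__main__":
    flows = [  # constructed sample flows from a client behind the RAP
        ("255.255.255.255", "dhcp"),   # DHCP discover to the corporate DHCP server
        ("10.20.30.40", "https"),      # file server in the main office
        ("93.184.216.34", "https"),    # public web site
    ]
    for dst, svc in flows:
        print(f"{dst:>16} {svc:<6} correct={classify(dst, svc):<14} "
              f"misordered={classify(dst, svc, MISORDERED_ACL)}")
```

With the correct order, corporate traffic is tunnelled and internet traffic is source-NATed locally; with the catch-all first, the 10.x flow is also NATed out of the RAP and never reaches the corporate network.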

Frequent Contributor II
Posts: 116
Registered: ‎05-03-2013

Re: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

Thank you. I will try again tomorrow and let you know if I need further help :)

Frequent Contributor II
Posts: 116
Registered: ‎05-03-2013

Re: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

Yay, I got it to work :) Thanks for the help.

 

There's a CRUCIAL mistake in the Understanding Split Tunneling guide (http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/Remote_AP/Split_Tunneling.htm). It says at step 13e: Under Action, select ANY and check src-nat. This is not correct! It should be ROUTE and check src-nat. It led me to choosing the action 'src-nat' (which asked me to define a NAT pool), which is not correct either.

 

Step 8e says to enter the public IP of the controller. But it should be the IP of the network(s) you're trying to tunnel.

 

Some guides say I need to add an allow-all firewall policy to the user-role, but it doesn't seem necessary.

 

Making the Port Wired AP profile 'trusted' wasn't needed either. (That wasn't in a guide, but I remember it being needed when I was doing a different config.)

 

What I don't understand yet is the Defining Corporate DNS Servers part. What does it do exactly? My DHCP hands out a corporate DNS server in the range that is tunneled and it works. Why would I add DNS server names in the Corporate DNS part? Is it meant to be used when your DNS server is not in the range that gets tunneled?

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

eriknl2,

 

Thank you.  We will get that fixed.



Colin Joseph
Aruba Customer Engineering

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

Eriknl2,

 

I got word that the link is fixed.  Please check the link...



Colin Joseph
Aruba Customer Engineering

Frequent Contributor II
Posts: 116
Registered: ‎05-03-2013

Re: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

Yes. Seems fixed. Thank you.

Other question: when I reboot a machine connected to a split tunnel RAP, it doesn't seem to connect. Only if I pull the network cable for a while and plug it back in does it start working again. Sometimes. Not always.

What am I doing wrong? Windows says DHCP times out. I don't see the machine getting a user-role or anything.

 

The machine is running Windows 8.1, connected by wire to a RAP2; the same thing happens with a RAP3.

 

Edit: if I disable MAC authentication and set the Initial Role to the split-tunnel user-role, then it works. So it must be a problem with MAC authentication, I guess?

 

Normally, I have the initial role set to denyall. And I have the MAC Authentication Default Role set to the split-tunnel user-role. Also, in the internal database, I have set the role for the MAC address to the split-tunnel user-role. Should I use something else instead of denyall? Like guest? I'm also using denyall on the normal (not split) tunnels and that seems to work fine.

Frequent Contributor II
Posts: 116
Registered: ‎05-03-2013

Re: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

So the basic question is: what initial role is needed for MAC authentication to work with split tunnel mode?