Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP-5WN not split tunneling

  • 1.  RAP-5WN not split tunneling

    Posted Feb 05, 2013 02:00 PM

    Hey all -

    I'm at a loss here as to why this would be happening. I have a RAP-5WN in London and one in Austin. They are using the same profile, same configuration, in the same AP group, and one of them will route internet traffic out its local connection while the other routes it back to the main controller.

    I have taken the one not working out of the AP group, rebooted it and then put it back, and the same thing happens: all traffic routes through the main controller, not using split tunneling at all.

    It's making me crazy - any thoughts would be appreciated.

    Current version on the controller is 6.1.3.1

    27 APs - all licensed.

     

    Lirria



  • 2.  RE: RAP-5WN not split tunneling

    Posted Feb 05, 2013 03:17 PM

    Despite configuration of the RAPs and Virtual APs being in split-tunnel forward mode, the resulting user role and policies will dictate whether traffic is actually tunneled or routed locally. Are the users in question on each RAP getting the same role and policies?



  • 3.  RE: RAP-5WN not split tunneling

    Posted Feb 05, 2013 04:16 PM

    Brilliant!

    I hadn't noticed that the issue is only affecting one set of people - my Macintosh clients (the office reporting the issue is, well, nothing but Macs). The issue had not been seen prior because all other Macs were located in the same office as the controller, so it all worked well.

    Since we have a mixed office, and the Macs aren't AD integrated, we use MAC authentication/username with the local DB for them to access the network. And that is where I think the issue is - we set them up as if they are in the same office as the controller, instead of using the split tunneling profile. I hadn't even thought of it as an issue.

    I'll let you know if that is the solution.

    Thank you!

     

    Lirria



  • 4.  RE: RAP-5WN not split tunneling

    Posted Feb 06, 2013 10:32 AM

    OK - so that didn't work.

    I think I can see what the issue is - just not sure how to fix it. A bit of detail is going to be required.

    So we have a mixed computer environment. The PCs use machine/user auth to obtain full wireless access. When I tried to do the same with the Macs, because they are not part of the domain, the machine auth didn't work, so we added their MAC addresses to the local database, created a new ESSID and they connect to that. Which works great - until the Macs are no longer in the main office; then split tunneling does not work properly. On the PCs there is a separate profile that is applied to the remote APs - I'm just not sure how to put a second one on there.

    Thoughts?

    Lirria



  • 5.  RE: RAP-5WN not split tunneling

    Posted Feb 06, 2013 11:48 AM

    So that didn't work. But I think I do know what is going on - I just have to figure out how to fix it.

    Right now I have 2 ESSIDs - one for PCs and one for Macs. I think that is my problem - I can not get the same split tunneling policy to apply to the Macs and PCs on the remote APs (unless I'm missing something - I thought you could only have 1 profile, but I'm still trying to go through the config now).

    Most likely the issue is in my base configuration, in that the Mac clients can't authenticate the same as the PCs, so I'm looking at getting everybody to use the same ESSID so that I don't have to juggle multiple configurations.

    Not sure if that makes sense or not but I'll let you know how it goes.

    Lirria



  • 6.  RE: RAP-5WN not split tunneling

    Posted Feb 06, 2013 12:03 PM

    I am not sure I completely followed your last two posts, but some comments:

    - You can have multiple SSIDs on a RAP; they can be in different forwarding modes if necessary (tunnel, split-tunnel, or bridge).

    - The ACL for the connected users needs to support split-tunneling if that is the mode you are in (using the route src-nat action). Any ACL rules with a permit action will be tunneled back to the controller regardless of the forwarding mode.

    - If you have "enforce machine authentication" enabled on your PC SSID, then you may have issues with the Macs as you point out. You can get around this by adding the MACs of the Mac systems to the internal database. If you don't have "enforce machine authentication" enabled on the SSID, then you should be able to use both Macs and PCs on the same SSID.


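An added illustration of the split-tunnel role described in the reply above, written in ArubaOS 6.x CLI syntax; it is not configuration from this thread or from HPE Aruba documentation. The names split-tunnel-acl, corp-nets, rap-mac-role, rap-mac-aaa, rap-mac-vap, rap-mac-ssid and rap-group are assumptions, and 10.0.0.0/8 is a constructed placeholder for the corporate address range.

```text
! Destination alias for the corporate networks (constructed placeholder range)
netdestination corp-nets
  network 10.0.0.0 255.0.0.0

! Session ACL: only corporate-bound traffic is permitted (and therefore
! tunneled to the controller); everything else is source-NATed out the
! RAP's local uplink by the "route src-nat" action.
! Pitfall from the thread: a catch-all "user any any permit" rule here
! would tunnel all client traffic back to the controller, even though
! the virtual AP is in split-tunnel forward mode.
ip access-list session split-tunnel-acl
  any any svc-dhcp permit
  user alias corp-nets any permit
  user any any route src-nat

! Role the Mac clients land in after MAC authentication
user-role rap-mac-role
  access-list session split-tunnel-acl

! AAA profile: MAC auth against the internal database, split-tunnel role
aaa profile rap-mac-aaa
  authentication-mac default
  mac-server-group internal
  mac-default-role rap-mac-role

! Virtual AP in split-tunnel forward mode, using that AAA profile
wlan virtual-ap rap-mac-vap
  ssid-profile rap-mac-ssid
  aaa-profile rap-mac-aaa
  forward-mode split-tunnel
  vap-enable

! Apply the virtual AP to the AP group the RAPs belong to
ap-group rap-group
  virtual-ap rap-mac-vap
```

After the change, a client's effective role and ACL can be checked with `show user-table` and `show rights rap-mac-role` on the controller: the role shown there, not the virtual AP's forward mode alone, decides whether traffic leaves locally.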

  • 7.  RE: RAP-5WN not split tunneling

    Posted Feb 06, 2013 12:19 PM

    Yeah sorry about that - it seems to have sent the first post by accident, so I retyped it and then magically both appeared.

    So we do enforce machine authentication on the SSID. We already have the MAC addresses of the Macs in the internal database, but when I attach to the "corp" SSID on a Mac I get sent to the guest network, not the authenticated one - so I think I need to have the L2 authentication fail-through checked, but am not sure.

     

    Lirria



  • 8.  RE: RAP-5WN not split tunneling
    Best Answer

    Posted Feb 25, 2013 06:54 PM

    So the final solution to this was to set up a new Virtual AP with the attributes that I needed for the Mac clients and then apply that to the RAP network. Worked well - now they have their split tunnel when they are remote.

    Thanks all!

     

    Lirria