Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

RAP-5WN not split tunneling

Hey all -

I'm at a loss here as to why this would be happening. I have a RAP-5WN in London and one in Austin; they are using the same profile, same configuration, in the same AP group, and one of them will route internet traffic out its local connection and the other one routes it back to the main controller.

I have taken the one not working out of the AP group, rebooted it and then put it back, and the same thing happens: all traffic routes through the main controller, not using split tunneling at all.

It's making me crazy - any thoughts would be appreciated.

Current version on the controller is 6.1.3.1

27 APs - all licensed.

 

Lirria

Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: RAP-5WN not split tunneling

Despite configuration of the RAPs and Virtual APs being in split-tunnel forward mode, the resulting user role and policies will dictate whether traffic is actually tunneled or routed locally. Are the users in question on each RAP getting the same role and policies?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

Re: RAP-5WN not split tunneling

Brilliant!

I hadn't noticed that the issue is only affecting one set of people - my Macintosh clients (the office reporting the issue is, well, nothing but Macs). The issue had not been seen prior because all other Macs were located in the same office as the controller - so it all worked well.

Since we have a mixed office, and the Macs aren't AD integrated, we use MAC authentication/username with the local DB for them to access the network. And that is where I think the issue is - we set them to be as if they are in the same office as the controller, instead of using the split tunneling profile. I hadn't even thought of it as an issue.

I'll let you know if that is the solution.

Thank you!

 

Lirria

Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

Re: RAP-5WN not split tunneling

OK - so that didn't work :smileysad:

I think I can see what the issue is - just not sure how to fix it. A bit of detail is going to be required.

So we have a mixed computer environment. The PCs use machine/user auth to obtain full wireless access. When I tried to do the same with the Macs, because they are not part of the domain, the machine auth didn't work - so we added their MAC addresses to the local database, created a new ESSID and they connect to that. Which works great - until the Macs are no longer in the main office; then split tunneling does not work properly. On the PCs there is a separate profile that is applied to the remote APs - I'm just not sure how to put a second one on there.

Thoughts?

Lirria

Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

Re: RAP-5WN not split tunneling

So that didn't work. But I think I do know what is going on - I just have to figure out how to fix it.

Right now I have 2 ESSIDs - one for PCs and one for Macs - I think that is my problem. I cannot get the same split tunneling policy to apply to the Macs and PCs on the remote APs (unless I'm missing something - I thought you could only have 1 profile - but I'm still trying to go through the config now).

Most likely the issue is in my base configuration, in that the Mac clients can't authenticate the same as the PCs, so I'm looking at getting everybody to use the same ESSID so that I don't have to juggle multiple configurations.

Not sure if that makes sense or not but I'll let you know how it goes.

Lirria

Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: RAP-5WN not split tunneling

I am not sure I completely followed your last two posts, but some comments:

- You can have multiple SSIDs on a RAP; they can be in different forwarding modes if necessary (tunnel, split-tunnel, or bridge)

- The ACL for the connected users needs to support split-tunneling if that is the mode you are in (using the route src-nat action)...any ACLs with permit will be tunneled back to the controller regardless of the forwarding mode

- If you have "enforce machine authentication" enabled on your PC SSID, then you may have issues with the Macs as you point out. You can get around this by adding the MACs of the Mac systems to the internal database. If you don't have "enforce machine authentication" enabled on the SSID, then you should be able to use both Macs and PCs on the same SSID.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

Re: RAP-5WN not split tunneling

Yeah sorry about that - it seemed to have sent the first post by accident so I retyped it and then magically both appeared. :smileysad:

So we do enforce machine authentication on the SSID. We already have the MAC addresses of the Macs in the internal database, but when I attach to the "corp" SSID on a Mac I get sent to the guest network, not the authenticated one - so I think I need to have the L2 authentication fail-through checked but am not sure.

Lirria

Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

Re: RAP-5WN not split tunneling

So the final solution to this was to set up a new Virtual AP with the attributes that I needed for the Mac clients and then apply that to the RAP network - worked well - now they have their split tunnel when they are remote.

Thanks all!

Lirria
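As an added illustration of the two points this thread settles on (a split-tunnel role whose ACL ends in a route src-nat rule, and a separate Virtual AP in split-tunnel forward mode for the MAC-authenticated Mac clients), here is an ArubaOS-style configuration fragment; it is not taken from the thread or from Aruba's documentation, and the names split-tunnel-acl, mac-split-tunnel, corp-mac, mac-rap-vap, rap-group and the 10.0.0.0/8 corporate range are assumptions to be replaced with your own.

```text
! Session ACL evaluated first-match: corporate destinations are permitted
! (and so tunneled to the controller); everything else is routed locally
! with source NAT. Putting the route src-nat line first would send
! corporate traffic out the local link too, so rule order matters.
ip access-list session split-tunnel-acl
  any any svc-dhcp permit
  user network 10.0.0.0 255.0.0.0 any permit
  user any any route src-nat

! Role that the MAC-authenticated Macs land in on the RAP.
user-role mac-split-tunnel
  access-list session split-tunnel-acl

! AAA profile: MAC auth against the internal database, no machine auth
! enforcement, and the split-tunnel role as the MAC default role.
aaa profile mac-split-tunnel
  authentication-mac default
  mac-server-group internal
  mac-default-role mac-split-tunnel

! Separate Virtual AP for the Macs, in split-tunnel forward mode,
! applied only to the AP group that contains the RAPs.
wlan virtual-ap mac-rap-vap
  ssid-profile corp-mac
  aaa-profile mac-split-tunnel
  forward-mode split-tunnel

ap-group rap-group
  virtual-ap mac-rap-vap
```

After applying, check a remote Mac's role and ACL with `show user` and `show rights mac-split-tunnel` on the controller: if the client shows a role whose ACL only contains permit rules, its internet traffic will still be tunneled regardless of the Virtual AP's forward mode.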
