Wireless Access

Regular Contributor II
Posts: 207
Registered: ‎09-28-2010

RAP5 Split tunnel - non-802.1x

I'm currently in the process of setting up split tunneling on our RAP5 devices.

 

The guide has been very helpful, but I'm not sure if I need to do anything different because we are not using 802.1x authentication on our RAP devices. We only deploy a few of these devices and they were set up to use WPA2-PSK.

 

I guess my question is when I get to creating the RAP user policy.  Since I'm not using 802.1x, I'm not sure if I skip this part, or if I need to do something different?

 

I see the later part where I need to change the forward mode of the Virtual AP from Tunnel to Split-Tunnel.

 

We do have some RAP role policies on the controller, but they are not assigned anywhere, and I don't think they actually have anything in them (they look like default settings). I missed a decent portion of the initial network config, so I think they started setting it up for 802.1x and decided to go with WPA2-PSK.

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: RAP5 Split tunnel - non-802.1x

Yes...this is supported.  In the AAA profile for the VAP, the INITIAL ROLE must be set to the role where the split tunnel logic is happening.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Regular Contributor II
Posts: 207
Registered: ‎09-28-2010

Re: RAP5 Split tunnel - non-802.1x

Okay, so my INITIAL ROLE is set to "authenticated."  It's actually grayed out.  I didn't put in the internal network until today.

 

Do I need to go in and create a RAP User policy?

 

From there I just need to go back into the VAP_Prof and set Forward Mode to split-tunnel?

 

 

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: RAP5 Split tunnel - non-802.1x

So...your RAP initial role should have something like the following (per the VRD)

 

ip access-list session split-tunnel
user alias corp-internal-net any permit
alias corp-internal-net user any permit
any any any route src-nat

 

The above policy would come AFTER common protocols like allowing ping and dhcp.  The alias referenced should be your internal nets like 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/20.

 

DO NOT change or alter the "authenticated" role.  I would create a new role and policy for this AAA profile.

 

 

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Regular Contributor II
Posts: 207
Registered: ‎09-28-2010

Re: RAP5 Split tunnel - non-802.1x

Thanks.

 

Okay, so I have my internal netdestination set up (10.0.0.0/8; 192.168.2.0/24; 172.18.0.0/16), and my access-list showing what you provided.

 

I created a RAP_Split_Tunnel user role and assigned that as the initial role of my RAP4-aaa_prof.

 

Now do I change the forward mode of the vap_prof to split-tunnel?

 

I also recall seeing something about possibly having to turn on Remote-AP Local Network Access under the AP system profile.  Do I need to do that?

 

I might be able to push my exec off one more day, but he'd like to have it working soon (like yesterday!). 

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: RAP5 Split tunnel - non-802.1x

Yes...just the VAP setting to split-tunnel. In your RAP split tunnel role, what are the policies in there? Do you have a permit statement for DHCP before the route source-NAT statement?

 

You shouldn't need to alter anything in the AP sys prof.  Have you provisioned the RAP yet?  What is the hardware model?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: RAP5 Split tunnel - non-802.1x

 

 

The only thing you need to define in the AP system profile is the corporate DNS servers.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: RAP5 Split tunnel - non-802.1x

More info on that DNS domain field:

 

In many enterprises, DNS resolution of certain hosts depends on the location of the client. For example, when a computer is connected to the internal corporate network, the IP address of the mail server is resolved to an internal (private) IP address. If the computer is connected to the Internet, the same hostname (FQDN) is resolved to a public IP address.

A RAP normally receives the IP address of the local DNS server from the ISP router or the local DHCP server when the AP boots up. However, in most cases, the internal corporate network has DNS servers. Therefore, the corporate DNS server is given to clients that are associated to split-tunnel SSIDs because these clients obtain IP addresses from a DHCP server on the corporate network.

A RAP can intercept DNS queries from SSIDs and wired ports in split-tunnel mode and redirect these queries based on the domain. The corporate DNS domain feature available in the AP system-profile provides this functionality. When the corporate DNS domain field contains no entries, all the DNS queries of a split-tunnel user are forwarded to the controller. However, when a domain is specified in this field, all the DNS queries except for that domain are redirected to the local DNS of the RAP (obtained from the ISP). In the example network, the corporate DNS domain feature is configured to tunnel all DNS queries to the corporate DNS server if the domain name ends with "arubanetworks.com". All other DNS queries are forwarded to the local DNS server.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
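The domain-based split described in the post above, as an added example that is not part of the original thread and not Aruba's code. It models only the decision the VRD text describes (empty field: everything to the controller; otherwise only names under the configured domains go to the controller, the rest to the RAP's ISP resolver). The label-boundary rule, the sample query names and the function names are assumptions of this model, not something the page states about the AP's implementation; the point of the `notarubanetworks.com` case is that a plain suffix match would misroute a foreign domain to corporate DNS, so check how the real field behaves before relying on it.

```python
"""Model of the corporate DNS domain split described in the post above.

Added example, not Aruba code.  Assumption (not stated on the page; verify
against the AP): a query name matches a configured domain only on a label
boundary, so "mail.arubanetworks.com" matches "arubanetworks.com" but
"notarubanetworks.com" does not.
"""


def normalize(name):
    """Lower-case and strip surrounding whitespace and leading/trailing dots."""
    return name.strip().strip(".").lower()


def dns_target(qname, corporate_domains):
    """Return "controller" (tunnel to corporate DNS) or "local" (RAP's ISP DNS).

    An empty domain list means every split-tunnel DNS query goes to the
    controller, which is the behaviour the post describes for an empty field.
    """
    domains = [normalize(d) for d in corporate_domains if normalize(d)]
    if not domains:
        return "controller"
    name = normalize(qname)
    for d in domains:
        if name == d or name.endswith("." + d):   # label-boundary match (assumption)
            return "controller"
    return "local"


def split_queries(qnames, corporate_domains):
    """Group a batch of query names by the resolver they would reach."""
    out = {"controller": [], "local": []}
    for q in qnames:
        out[dns_target(q, corporate_domains)].append(q)
    return out


# Constructed sample queries (not captured traffic).
SAMPLE_QUERIES = [
    "mail.arubanetworks.com",
    "Intranet.ArubaNetworks.com.",   # trailing dot and mixed case, as a stub resolver may send it
    "www.example.com",
    "notarubanetworks.com",          # shares the suffix but is a different domain
]

if __name__ == "__main__":
    print(split_queries(SAMPLE_QUERIES, ["arubanetworks.com"]))
    print(split_queries(SAMPLE_QUERIES, []))
```

Run it as-is to see the two cases side by side: with `arubanetworks.com` configured only the two corporate names go to the controller; with the list empty everything does, which is the behaviour the poster's existing tunnel-mode RAPs already have.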
Regular Contributor II
Posts: 207
Registered: ‎09-28-2010

Re: RAP5 Split tunnel - non-802.1x

I don't have anything in place for DHCP, only the commands that you gave me:

 

Priority  Source      Destination  Service  Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------      -----------  -------  ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user        myinternal   any      permit                                  Low                                                           4
2         myinternal  user         any      permit                                  Low                                                           4
3         any         any          any      route src-nat                           Low                                                           4

 

 

In the case of split tunneling, will the user get DHCP from the RAP (our internal RAP-VLAN, 172.18.2xx.x), or from their internal DHCP? The exec has his own broadband router.

 

Our existing RAPs (RAP2; this is our first test of the RAP5) don't allow split-tunneling, so once they connect the RAP gets an IP from our RAP pool, and the PC gets an IP from our RAP-VLAN.

 

I guess now I need to do something different....thus my confusion in getting this set up.

 

 

I really appreciate the help.

 

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: RAP5 Split tunnel - non-802.1x

OK. There should already be a default policy called dhcp-acl. Add that BEFORE your policy already in the role.
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
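To make the ordering point in the two posts above concrete (the split-tunnel ACL from the VRD, and dhcp-acl placed before it in the role), here is an added example that is not part of the original thread and not Aruba's code. It parses a constructed, ArubaOS-style snippet built from the poster's netdestination and the ACL Seth gave, then evaluates packets against a role with dhcp-acl in front and one without it. The forwarding semantics it assumes (first-match evaluation in role order; in split-tunnel mode `permit` tunnels to the controller and `route src-nat` bridges locally with NAT), the body of the default dhcp-acl, and the function names are all assumptions of this model, not facts stated on the page; confirm them with `show rights` on your controller.

```python
"""Model of first-match evaluation of a split-tunnel user role on a RAP.

Added example for this thread, not code from Aruba or from the posters.
Assumptions (not stated on the page; verify on your controller): rules match
first-hit in the order the role lists its ACLs; in split-tunnel forward mode
"permit" = tunnel to the controller and "route src-nat" = bridge locally with
source NAT; the default dhcp-acl body is "any any svc-dhcp permit".
"""
import ipaddress

# Constructed config in ArubaOS-style syntax: the netdestination and ACL from
# the thread, plus one role with dhcp-acl in front and one without it.
SPLIT_TUNNEL_CONFIG = """
netdestination myinternal
  network 10.0.0.0 255.0.0.0
  network 192.168.2.0 255.255.255.0
  network 172.18.0.0 255.255.0.0
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session split-tunnel
  user alias myinternal any permit
  alias myinternal user any permit
  any any any route src-nat
user-role RAP_Split_Tunnel
  session-acl dhcp-acl
  session-acl split-tunnel
user-role RAP_Split_Tunnel_NoDhcp
  session-acl split-tunnel
"""

# Service aliases the model understands: name -> (protocol, destination ports)
SERVICES = {"svc-dhcp": ("udp", {67, 68}), "svc-dns": ("udp", {53})}


def parse_rule(words):
    """Split '<src> <dst> <service> <action...>'; src/dst may be 'alias NAME'."""
    specs, i = [], 0
    for _ in range(2):                      # source spec, then destination spec
        n = 2 if words[i] == "alias" else 1
        specs.append(words[i:i + n])
        i += n
    return specs[0], specs[1], words[i], " ".join(words[i + 1:])


def parse_config(text):
    """Parse netdestinations, session ACLs and user-roles into three dicts."""
    netdests, acls, roles = {}, {}, {}
    blocks = {"netdestination": netdests, "user-role": roles, "ip": acls}
    current = name = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] in blocks:              # block header; only session ACLs modelled
            name = words[3] if words[0] == "ip" else words[1]
            current = blocks[words[0]]
            current[name] = []
        elif current is netdests:           # "network <addr> <mask>"
            current[name].append(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
        elif current is roles:              # "session-acl <name>", in order
            current[name].append(words[1])
        else:
            current[name].append(parse_rule(words))
    return netdests, acls, roles


def addr_matches(spec, addr, client_ip, netdests):
    """'user' is the client's own address, 'alias X' a netdestination, 'any' anything."""
    if spec == ["any"]:
        return True
    if spec == ["user"]:
        return addr == client_ip
    return any(addr in net for net in netdests[spec[1]])


def service_matches(service, proto, dport):
    if service == "any":
        return True
    want_proto, ports = SERVICES[service]
    return proto == want_proto and dport in ports


def classify(cfg, role, client_ip, src, dst, proto, dport):
    """Return (acl_name, action) of the first matching rule, or None (implicit deny)."""
    netdests, acls, roles = cfg
    client_ip, src, dst = (ipaddress.ip_address(a) for a in (client_ip, src, dst))
    for acl_name in roles[role]:
        for src_spec, dst_spec, service, action in acls[acl_name]:
            if (addr_matches(src_spec, src, client_ip, netdests)
                    and addr_matches(dst_spec, dst, client_ip, netdests)
                    and service_matches(service, proto, dport)):
                return acl_name, action
    return None


if __name__ == "__main__":
    cfg = parse_config(SPLIT_TUNNEL_CONFIG)
    # DHCP DISCOVER from a client with no lease yet: tunnelled when dhcp-acl is
    # in front, bridged to the home router by the catch-all route src-nat without it.
    for role in ("RAP_Split_Tunnel", "RAP_Split_Tunnel_NoDhcp"):
        print(role, classify(cfg, role, "0.0.0.0", "0.0.0.0", "255.255.255.255", "udp", 67))
```

The DHCP case is the one the poster asked about: with the role order Seth recommends the DISCOVER is matched by dhcp-acl and tunnelled, so the client gets a lease from the corporate RAP-VLAN pool; with only the split-tunnel ACL in the role, the broadcast falls through to `any any any route src-nat` and is bridged onto the exec's broadband LAN instead.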