Hi Barry,
An important thing that you have to consider when deploying a RAP, which is whether all data has to be tunneled to the HQ or just the corporate data. If you only require corporate data to be tunneled back then you should be using RAPs in split tunnel mode. If you want all the traffic to be tunneled back to HQ then you should use tunneled mode. This will require changes to the VAP profile, but you wont need a new 802.1X profile if you decide to use the same authentication servers.
If your using split tunnel mode, then the user role for the authenticated users should be modified to tunnel corporate traffic and scr-nat other internet traffic to the internet or to local subnet at the remote site. In this case the AAA profile will change as the user role for authenticated remote users is different than that for campus users, however your 802.1X profile can remain the same.
A sample user role for split-tunnel user will be as follows
!
netdestination internal-network
network 10.0.0.0 255.0.0.0
!
ip access-list session remote-employee
alias internal-network alias internal-network any permit
user any any route src-nat
!
ip access-list session sip-acl
any any svc-sip-udp permit queue high
any any svc-sip-tcp permit queue high
!
ip access-list session common
user any udp 68 deny
any any svc-dhcp permit
any any svc-icmp permit
user alias dns-servers svc-dns permit
!
user-role remote-employee
access-list session common-dhcp
access-list session sip-session-allow
access-list session remote-employee
!
the "route scar-Nat" action will dynamically scr-nat the user traffic based on the destination.
The configuration on tunnel and split-tunnel forwarding mode is available in the VAP profile.
If your using tunnel mode for remote users too then you can use the same user role (unless you want different access rights for remote users), AAA profile and VAP rpofile that you used for campus. Remember that you have to setup the VPN server module in the controller and add the RAPs to the RAP whitelist for RAP deploments.
For the RAPs that just require wired access, you have to configure the wired port profile with a wired ap profile and a AAA profile. You can then create a sepearte AP group or use AP specific settings to remove or add SSIDs & wired access to a RAP or a group of RAPs in an AP group.
For home users you should also consider configuring a backup SSID in bridge mode as this will help them get past the captive portal when they connect to the hotels.
Make sure that the LMS IP in the AP system profile used in the ap group for RAPs is a public address. If a NAT device is used for natting the traffic on the public IP back to the controller then all the firewalls leading up to the controller should permit UDP 4500.
Regards,
Sathya
