Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Virtual AP not split tunneling

  • 1.  Virtual AP not split tunneling

    Posted Sep 08, 2014 11:27 PM

    Not sure if I picked the correct board - sorry, I'm very tired.

     

    So here's my issue - I have a Virtual AP profile that is using ClearPass certificates/user name for access to the network. It is set for split tunneling (it hadn't been, I just changed it this evening and it seems to have kept the settings). But when I test it, the IP address it's using for the internet is the one at the office, not the one at the RAP's location.

     

    I'm stumped as to why this isn't working and am looking for any thoughts on the issue.

     

    thank you!

     

    Lirria



  • 2.  RE: Virtual AP not split tunneling

    Posted Sep 08, 2014 11:36 PM

     Can you share the output of the user role?

     

    show rights <NameofRole>

     

    Did you change the rules at all when you changed to split-tunnel? You need to change the action for non-tunneled traffic to "route src-nat" instead of "permit".

     

    For example:

     

    ip access-list session split-tunnel-policy
      user any svc-dhcp permit            (allows DHCP from controller or corporate LAN)
      user any svc-dns permit             (allows DNS to tunnel to the corporate LAN)
      user alias corp-nets any permit     (allows all traffic to corp-alias through tunnel)
      user any any route src-nat          (everything else is NAT'd out the RAP's IP)

    user-role split-tunnel-role
      access-list session split-tunnel-policy



  • 3.  RE: Virtual AP not split tunneling

    Posted Sep 08, 2014 11:50 PM

    (Aruba3400) #show rights authenticated

    Derived Role = 'authenticated'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 78/0
     Max Sessions = 65535

     Check CP Profile for Accounting = TRUE

    access-list List
    ----------------
    Position  Name         Type     Location
    --------  ----         ----     --------
    1         ra-guard     session
    2         allowall     session
    3         v6-allowall  session

    ra-guard
    --------
    Priority  Source  Destination  Service           Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------           ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          icmpv6 rtr-adv    deny                             Low                                                           6
    allowall
    --------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          any      permit                           Low                                                           4
    2         any     any          any      permit                           Low                                                           6
    v6-allowall
    -----------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          any      permit                           Low                                                           6

    Expired Policies (due to time constraints) = 0

     

    No - I never had to before - but I'll check - sorry, I broke the RAP I was using at home and am trying to fix it. (It's been a night, to say the least.)

     

    Lirria



  • 4.  RE: Virtual AP not split tunneling
    Best Answer

    Posted Sep 08, 2014 11:59 PM

    This is likely the problem. You are still tunneling all traffic by using the allowall policy. It has "permit" as the action, so all traffic will continue to tunnel, even though the VAP is in split-tunnel mode. Any traffic you want to tunnel needs to keep the "permit" action, but any traffic you want to split off needs the "route src-nat" action. See the example referenced above.
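    An added example, not code from the thread: a small Python check that parses the per-ACL rule tables of "show rights <role>" output (the layout shown in post 3) and flags the condition described in post 4, a catch-all "permit" rule with no "route src-nat" rule. The two sample outputs are constructed, with trailing columns trimmed; the role names are taken from this thread.

```python
# Added example (not from the thread): parse the per-ACL tables of Aruba "show rights <role>"
# output and flag a catch-all "permit" rule with no "route src-nat" rule (tunnels everything).
COLS = ["Priority", "Source", "Destination", "Service", "Action", "TimeRange"]

def parse_show_rights(output):
    """Return {acl_name: [rule dict, ...]}, slicing fields at the header's column offsets."""
    acls, lines, i = {}, output.splitlines(), 0
    while i < len(lines):
        hdr, i = lines[i], i + 1
        if hdr.lstrip().startswith("Priority") and all(c in hdr for c in COLS):
            name = lines[i - 3].strip()  # layout: name, dashes, header, dashes, rows
            starts = [hdr.index(c) for c in COLS]
            rules, i = [], i + 1  # skip the dashes line under the header
            while i < len(lines) and lines[i].lstrip()[:1].isdigit():
                rules.append({c: lines[i][s:e].strip()
                              for c, s, e in zip(COLS[:-1], starts, starts[1:])})
                i += 1
            acls[name] = rules
    return acls

def split_tunnel_findings(output):
    """Report catch-all 'permit' rules and whether any rule routes traffic out locally."""
    acls = parse_show_rights(output)
    catch_all = [(n, r["Priority"]) for n, rules in acls.items() for r in rules
                 if (r["Source"], r["Destination"], r["Service"], r["Action"])
                 == ("any", "any", "any", "permit")]
    local = any(r["Action"].startswith("route") for rules in acls.values() for r in rules)
    return {"acls": sorted(acls), "catch_all_permit": catch_all, "routes_locally": local}

# Constructed samples (trailing columns trimmed): first mirrors the 'authenticated' role above, second a role as in post 2.
FULL_TUNNEL_ROLE = """\
ra-guard
--------
Priority  Source  Destination  Service           Action  TimeRange
--------  ------  -----------  -------           ------  ---------
1         user    any          icmpv6 rtr-adv    deny
allowall
--------
Priority  Source  Destination  Service  Action  TimeRange
--------  ------  -----------  -------  ------  ---------
1         any     any          any      permit
2         any     any          any      permit
"""
SPLIT_TUNNEL_ROLE = """\
split-tunnel-policy
-------------------
Priority  Source  Destination  Service   Action         TimeRange
--------  ------  -----------  -------   ------         ---------
1         user    any          svc-dhcp  permit
2         user    any          any       route src-nat
"""
```

    Run it against the pasted output of "show rights <role>" for the role the RAP user lands in; a result with catch_all_permit non-empty and routes_locally False is the full-tunnel symptom from this thread.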



  • 5.  RE: Virtual AP not split tunneling

    Posted Sep 09, 2014 12:02 AM

    For a more detailed explanation, have a look at the RAP VRD; this section explains the remote employee role:

     

    http://www.arubanetworks.com/vrd/RAPVRD/Chap10.html#1035957

     

     



  • 6.  RE: Virtual AP not split tunneling

    Posted Sep 09, 2014 07:09 PM

    Hmm - ok - looks like there is way more involved. We had a contractor set this up and things are definitely not as I anticipated (of course finding all this out months later :( )

     

    So it looks like I need to set up some new user rules and a new virtual AP group (this is because I use the same name for both local and RAP users - I've had to do it before, sadly - just wiped it from my brain).

     

    So I'll do some testing/work on it this evening and see if I can get all the rules/etc. in place.

     

    thanks!

     

    Lirria

     

     



  • 7.  RE: Virtual AP not split tunneling

    Posted Sep 11, 2014 08:01 AM

    Hi

     

    It is a bit more complicated, yes.

    When activating split-tunnel, you need to make a new role for split-tunnel.

    In this role you need to specify what direction specific traffic is to take.

    As Clembo said, you are running all traffic back to the controller via the permit rule.

     

    When using split-tunnel, "permit" tunnels traffic back to the controller and "route src-nat" will send traffic out locally.

    All the info is in the user guide.

     

    Roar Fossen



  • 8.  RE: Virtual AP not split tunneling

    Posted Apr 07, 2015 08:19 PM

    Similar issue, so I decided to post here. If advised, I will create my own thread.

     

    I followed the steps in Post 2 originally. I set wired port 2 on the RAP to be split tunnel, and it does work properly (have home IP for web traffic). My issue is the Virtual AP. When I connect wirelessly to the RAP, it still tunnels all traffic.

     

    I created the "Rap-Split" Virtual AP with forward mode "split tunnel".

    I created the "Rap-Split-Tunnel" AAA profile with the three roles set to Rap-Split-Tunnel.

    The User Role "Rap-Split-Tunnel" has the three rules in post 2.

     

    Any help you can provide is appreciated. :)

     

     



  • 9.  RE: Virtual AP not split tunneling

    Posted Apr 07, 2015 09:42 PM

    When you look at the user table, what role is the user in? Then run "show rights <RoleName>". Also run "show user ip <IPAddress>".



  • 10.  RE: Virtual AP not split tunneling
    Best Answer

    Posted Apr 07, 2015 10:16 PM

    I just ran the commands to compare the working wired to wireless... and didn't see anything obvious. Role was RAP-Split-Tunnel on both. For fun I flipped back over to wifi and... it is working again tonight all of a sudden. It worked when I originally configured it, but not the past two days (including earlier before posting). Thanks for your help!