Hi,
I am trying to understand the forward modes [tunnel, bridge, split tunnel and decrypt tunnel] and I have a few questions.
1. I understand that CPsec should be enabled and APs are required to be whitelisted when you want to configure a Campus AP in bridge mode.
But why is CPsec required to configure a Campus AP in bridge mode?
2. Disabling CPsec on a Campus AP will allow us to do the forward mode configuration [tunnel mode]. Am I correct?
3. Captive portal cannot be done in bridge mode because it's L3 authentication. Am I correct?
4. Why doesn't a Campus AP support split tunnel when a RAP does?
5. What is the use of decrypt tunnel? Normally the controller will change the wireless packet to a wired packet and vice versa during a normal setup, but in decrypt tunnel the AP does the conversion [wireless to wired]. Am I correct or is it wrong? If I am correct then I don't understand the real use of decrypt tunnel. The AP is just doing the controller's job, so what is the real use of decrypt tunnel?
6. Consider that I am using a RAP and I am configuring captive portal with split tunnel.
a. My captive portal's initial role has the following ACLs:
any any svc-dhcp permit
any any svc-dns permit
any any svc-http dst-nat 8080
any any svc-https dst-nat 8081
and for the default role [post-auth role] I usually permit everything, but when I looked for split tunnel the ACLs were a bit different.
b. So I gave the below ACLs under the captive portal's post-auth role:
any any svc-dhcp permit
user alias network any permit
any any route src-nat
# netdestination network
# network 10.0.0.0 255.255.255.0
# exit
My master controller's IP is 10.0.0.10.
The first ACL under the post-auth role is any any svc-dhcp permit. The initial role already permits the DHCP service, so what is the real use of this ACL which permits the DHCP service in the post-auth role?
Thank you in advance
Sandeep