Controllerless Networks


Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.

IAP-VPN Layer-3 Distributed

  • 1.  IAP-VPN Layer-3 Distributed

    Posted 30 days ago
    In an IAP-VPN setup I'm a little confused on the role of Dynamic Radius Proxy. I'm finding conflicting information in Aruba documentation. My understanding is that in a single IAP deployment, with DRP on, the outer/local IP of the AP will be used when authenticating with Clearpass. However, that does not appear to be the case. 

    In my training material it also says to enable DRP and the master IAP IP address should be the one hitting CPPM, but I'm not seeing that behavior. 

    Pulled from an old EMEA presentation:
    Only when DRP is enabled, the radius packets of clients are sourced with master IAP's inner IP.
    
    Solution: Enabled DRP. "..." Also recommend enabling source NAT for all radius traffic under "default-vpn-role" "..."


    Pulled from an Aruba VRD:

    With DRP enabled, the NASIP attribute in RADIUS packets destined for the RADIUS server in the datacenter contain the inner IP address of the IPsec tunnel. DRP is not required for single IAP deployments. However, if DRP is enabled in such a deployment then the NASIP attribute in RADIUS packets destined for the RADIUS server in the datacenter will contain the local IP address of the IAP rather than the inner IP address of the IPsec tunnel.


    So, my question is: what is the right answer in a single IAP branch deployment?



    ------------------------------
    ACCX #1239 || ACEP || ACSP || CWNA || CWSP
    ------------------------------


  • 2.  RE: IAP-VPN Layer-3 Distributed

    Posted 29 days ago
    DRP should use the Virtual Controller Address so that it does not change when the VC goes down and another takes over as VC.

    ------------------------------
    Dustin Burns
    ------------------------------



  • 3.  RE: IAP-VPN Layer-3 Distributed

    Posted 29 days ago
    True. However, I'm referring to Inner/Outer tunnel IPs in an IAP-VPN deployment.

    ------------------------------
    ACCX #1239 || ACEP || ACSP || CWNA || CWSP
    ------------------------------



  • 4.  RE: IAP-VPN Layer-3 Distributed
    Best Answer

    Posted 29 days ago

    It appears the correct answer is:

    The Inner IP of all of the IAP-VPN tunnel endpoints needs to be added as a device in CPPM unless CPPM is local to the IAP. Or, you source NAT everything with the terminating controller.

    I believe the language in the VRD is incorrect. Specifically, the line(s) about the local IP address of the IAP.

    DRP is not required for single IAP deployments. However, if DRP is enabled in such a deployment then the NASIP attribute in RADIUS packets destined for the RADIUS server in the datacenter will contain the local IP address of the IAP rather than the inner IP address of the IPsec tunnel. As a best practice, Aruba recommends enabling DRP in single IAP deployments with RADIUS servers that use the NAS IP attribute as a filter for authentication.


    ------------------------------
    ACCX #1239 || ACEP || ACSP || CWNA || CWSP
    ------------------------------
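Added example (not from any post in this thread, nor Aruba or ClearPass code): a small Python parser that pulls the NAS-IP-Address attribute (RFC 2865 type 4) out of a captured RADIUS Access-Request and checks it against the set of tunnel inner IPs registered as network devices, which is the lookup that fails when the packet carries an address you did not register. The IPs, username and NAS-Identifier are constructed, and the zero authenticator is a placeholder for sample input only.

```python
import ipaddress
import struct

# RADIUS attribute type codes (RFC 2865)
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32

def parse_radius(packet: bytes) -> dict:
    """Parse the 20-byte RADIUS header and the attribute list after it."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "attributes": attrs}

def nas_ip(packet: bytes):
    """Return NAS-IP-Address as a dotted quad, or None if the attribute is absent."""
    for atype, value in parse_radius(packet)["attributes"]:
        if atype == NAS_IP_ADDRESS and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return None

def check_nas(packet: bytes, registered_nas: set) -> str:
    """Mirror the server-side NAS device lookup on the NAS-IP-Address value."""
    ip = nas_ip(packet)
    if ip is None:
        return "missing NAS-IP-Address"
    return "known" if ip in registered_nas else f"unknown NAS {ip}"

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def build_access_request(ident: int, user: str, nas: str, nas_id: str) -> bytes:
    """Constructed Access-Request (code 1, zero authenticator) used as sample input only."""
    body = (_attr(USER_NAME, user.encode())
            + _attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas).packed)
            + _attr(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

# Constructed: 172.16.0.2 is the tunnel inner IP registered as a device,
# 192.168.1.10 is the IAP's local address, which is not registered.
REGISTERED = {"172.16.0.2"}
```

Feed it a packet captured at the RADIUS server rather than the constructed one to see which address actually arrives in your deployment.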