In an IAP-VPN setup, I'm a little confused on the role of Dynamic RADIUS Proxy. I'm finding conflicting information in Aruba documentation. My understanding is that in a single IAP deployment, with DRP on, the outer/local IP of the AP will be used when authenticating with ClearPass. However, that does not appear to be the case.
In my training material it also says to enable DRP, and the master IAP IP address should be the one hitting CPPM, but I'm not seeing that behavior.
Pulled from an old EMEA presentation:
Only when DRP is enabled, the radius packets of clients are sourced with master IAP's inner IP.
Solution: Enabled DRP. "..." Also recommend enabling source NAT for all radius traffic under "default-vpn-role" "..."
Pulled from an Aruba VRD:
With DRP enabled, the NASIP attribute in RADIUS packets destined for the RADIUS server in the datacenter contains the inner IP address of the IPsec tunnel. DRP is not required for single IAP deployments. However, if DRP is enabled in such a deployment then the NASIP attribute in RADIUS packets destined for the RADIUS server in the datacenter will contain the local IP address of the IAP rather than the inner IP address of the IPsec tunnel.
So, my question is: what is the right answer in a single IAP branch deployment?
------------------------------
ACCX #1239 || ACEP || ACSP || CWNA || CWSP
------------------------------
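
Added example (not part of the original post, and not Aruba code): one way to see which address actually reaches the RADIUS server is to parse the NAS-IP-Address attribute (RFC 2865 type 4) out of a captured Access-Request UDP payload and compare it, and the packet's source IP, with the IAP's local and inner addresses. The addresses and the sample packet below are constructed; the function names are hypothetical.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4   # RFC 2865 attribute type
ACCESS_REQUEST = 1   # RFC 2865 packet code

def parse_attributes(packet: bytes) -> list:
    """Return (type, value) pairs from a RADIUS packet, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20          # attributes start after the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def nas_ip(packet: bytes):
    """Return the NAS-IP-Address as IPv4Address, or None if absent."""
    for a_type, value in parse_attributes(packet):
        if a_type == NAS_IP_ADDRESS and len(value) == 4:
            return ipaddress.IPv4Address(value)
    return None

def classify(packet: bytes, src_ip: str, local_ip: str, inner_ip: str) -> dict:
    """Report which IAP address shows up as NAS-IP and as packet source."""
    names = {ipaddress.IPv4Address(local_ip): "local",
             ipaddress.IPv4Address(inner_ip): "inner"}
    n = nas_ip(packet)
    return {"nas_ip": str(n) if n else None,
            "nas_ip_is": names.get(n, "other"),
            "source_is": names.get(ipaddress.IPv4Address(src_ip), "other")}

def build_sample(nas: str) -> bytes:
    """Constructed Access-Request carrying only User-Name and NAS-IP-Address."""
    attrs = bytes([1, 2 + 5]) + b"alice"
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas).packed
    header = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs))
    return header + bytes(16) + attrs   # zeroed authenticator, sample only

if __name__ == "__main__":
    # Constructed addresses: local 192.0.2.10, tunnel inner 198.51.100.5
    pkt = build_sample("192.0.2.10")
    print(classify(pkt, "198.51.100.5", "192.0.2.10", "198.51.100.5"))
```

NAS-IP-Address and the packet's source IP are reported separately because the quoted excerpts talk about both, and source NAT can change the source IP without touching the attribute.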