Controllerless Networks


IAP-VPN Layer-3 Distributed

  • 1.  IAP-VPN Layer-3 Distributed

    Posted Mar 22, 2021 02:53 PM
    In an IAP-VPN setup I'm a little confused on the role of Dynamic Radius Proxy (DRP). I'm finding conflicting information in Aruba documentation. My understanding is that in a single IAP deployment, with DRP on, the outer/local IP of the AP will be used when authenticating with ClearPass. However, that does not appear to be the case.

    My training material also says to enable DRP and that the master IAP IP address should be the one hitting CPPM, but I'm not seeing that behavior.

    Pulled from an old EMEA presentation:
    Only when DRP is enabled, the radius packets of clients are sourced with master IAP's inner IP.
    
    Solution: Enabled DRP. "..." Also recommend enabling source NAT for all radius traffic under "default-vpn-role" "..."


    Pulled from an Aruba VRD:

    With DRP enabled, the NASIP attribute in RADIUS packets destined for the RADIUS server in the datacenter contain the inner IP address of the IPsec tunnel. DRP is not required for single IAP deployments. However, if DRP is enabled in such a deployment then the NASIP attribute in RADIUS packets destined for the RADIUS server in the datacenter will contain the local IP address of the IAP rather than the inner IP address of the IPsec tunnel.


    So, my question is: what is the right answer in a single IAP branch deployment?



    ------------------------------
    ACCX #1239 || ACEP || ACSP || CWNA || CWSP
    ------------------------------


  • 2.  RE: IAP-VPN Layer-3 Distributed

    Posted Mar 22, 2021 05:02 PM
    DRP should use the Virtual Controller Address so that it does not change when the VC goes down and another takes over as VC.

    ------------------------------
    Dustin Burns
    ------------------------------



  • 3.  RE: IAP-VPN Layer-3 Distributed

    Posted Mar 22, 2021 07:11 PM
    True. However, I'm referring to the inner/outer tunnel IPs in an IAP-VPN deployment.

    ------------------------------
    ACCX #1239 || ACEP || ACSP || CWNA || CWSP
    ------------------------------



  • 4.  RE: IAP-VPN Layer-3 Distributed
    Best Answer

    Posted Mar 23, 2021 11:30 AM

    It appears the correct answer is:

    The Inner IP of all of the IAP-VPN tunnel endpoints needs to be added as a device in CPPM unless CPPM is local to the IAP. Or, you source NAT everything with the terminating controller.

    I believe the language in the VRD is incorrect. Specifically, the line(s) about the local IP address of the IAP.

    DRP is not required for single IAP deployments. However, if DRP is enabled in such a deployment then the NASIP attribute in RADIUS packets destined for the RADIUS server in the datacenter will contain the local IP address of the IAP rather than the inner IP address of the IPsec tunnel. As a best practice, Aruba recommends enabling DRP in single IAP deployments with RADIUS servers that use the NAS IP attribute as a filter for authentication.


    ------------------------------
    ACCX #1239 || ACEP || ACSP || CWNA || CWSP
    ------------------------------
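As an added illustration (not from the thread, Aruba or ClearPass): a small Python decoder for the NAS-IP-Address attribute of a captured RADIUS Access-Request, which lets you verify from a packet capture at the datacenter whether CPPM is seeing the tunnel inner IP or the AP's local IP, and whether that address is among the network devices configured on CPPM. The inner IP, local IP, NAS-Identifier and packet bytes below are constructed sample values.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST = 1   # RADIUS code (RFC 2865)
USER_NAME = 1        # attribute types (RFC 2865)
NAS_IP_ADDRESS = 4
NAS_IDENTIFIER = 32


def parse_attributes(packet: bytes) -> Dict[int, List[bytes]]:
    """Return {attr_type: [raw values]} from a RADIUS packet (20-byte header + TLVs)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def nas_ip(packet: bytes) -> Optional[str]:
    """Dotted-quad NAS-IP-Address, or None if the attribute is absent/malformed."""
    vals = parse_attributes(packet).get(NAS_IP_ADDRESS)
    if not vals or len(vals[0]) != 4:
        return None
    return str(ipaddress.IPv4Address(vals[0]))


def check_nas_ip(packet: bytes, known_nas_ips: List[str]) -> Tuple[Optional[str], bool]:
    """(nas_ip, known): known is True when the NAS-IP is one CPPM has as a device."""
    ip = nas_ip(packet)
    known = ip is not None and ipaddress.IPv4Address(ip) in {
        ipaddress.IPv4Address(k) for k in known_nas_ips}
    return ip, known


def build_access_request(nas_ip_str: str, nas_id: str, user: str = "alice") -> bytes:
    """Constructed sample Access-Request (zero authenticator) for offline testing."""
    body = bytes([USER_NAME, 2 + len(user)]) + user.encode()
    body += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip_str).packed
    body += bytes([NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id.encode()
    return struct.pack("!BBH", ACCESS_REQUEST, 0x2A, 20 + len(body)) + b"\x00" * 16 + body
```

Run `check_nas_ip` over the Access-Requests from a capture at the CPPM side with the list of tunnel inner IPs you have added as devices; a `False` result points to the local-IP behaviour the VRD describes (or a missing device entry).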