Hi guys, need some help.
We have two 7010 controllers configured as gateways for a site-to-site VPN (over the internet) between them, i.e. branch to HQ.
We are using a GRE tunnel interface (L3 GRE mode), with the underlay mapped to an IPsec crypto-local map. The tunnel interface config is set to "untrusted", as below:
interface tunnel 102
description "L3 GRE 102"
tunnel mode gre ip
ip address 1.1.1.12 255.255.255.255
tunnel source vlan 154
tunnel destination 10.1.0.6
tunnel keepalive
tunnel keepalive 5 2
When inbound user traffic (e.g. from client 13.1.1.254) behind the branch-end 7010 controller traverses the site-to-site VPN tunnel (GRE over IPsec) and enters the HQ controller via (logically) the tunnel interface (tunnel 102), which AAA profile is used by the HQ Aruba controller for a tunnel interface (L3 GRE) set to untrusted?
I can modify the policy (e.g. source-NAT the traffic) on the "logon" role accordingly, but I want to know how this "logon" role gets assigned, and from which AAA profile.
Checking (below) the client user IP 13.1.1.254, it got assigned the "logon" role with ROLE_DERIVATION_NONE:
*[mynode] (config) #show user ip 13.1.1.254
.....
Source IP or MAC Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags CPU ID
----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- -------
13.1.1.254 14.1.1.254 1 16 2048 0/0 0 0 1 tunnel 13 c 1 84 FSCI 5
13.1.1.254 14.1.1.254 1 15 2048 0/0 0 0 1 tunnel 13 c 1 84 FSCI 5
..
..
Name: , IP: 13.1.1.254, MAC: 00:00:00:00:00:00, Age: 00:00:00
Role: logon (how: ROLE_DERIVATION_NONE), ACL: 2/0
Authentication: No, status: not started, method: , protocol: , server:
Role Derivation: ROLE_DERIVATION_NONE
VLAN Derivation: Unknown
Idle timeout (global): 300 seconds, Age: 00:00:00
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
------------------------------
Yong Aik Seah
------------------------------
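Added note, not part of the post above: on ArubaOS, a user entry created from traffic arriving on an untrusted wired port or untrusted tunnel interface that has no interface-specific AAA profile is placed into the AAA profile bound to wired authentication (`aaa authentication wired` > `profile`), and receives that profile's initial role; the "logon" role with ROLE_DERIVATION_NONE in the output above is consistent with the default AAA profile's initial role. The commands below are a suggested check to confirm which profile and initial role apply on the HQ controller; the output is not reproduced here because the poster did not include it, and the exact text may differ by ArubaOS version.

```text
! Which AAA profile handles wired/tunnel (untrusted) traffic?
show aaa authentication wired

! Initial role and derivation settings of that profile (assumed to be "default" here)
show aaa profile default

! Policies attached to the role that the tunnel user actually lands in
show rights logon

! Confirm the tunnel interface is untrusted and which user entries hang off it
show interface tunnel 102
show user ip 13.1.1.254
```

If `show aaa authentication wired` points at a profile whose initial role is "logon", change the initial role of that profile (or bind a dedicated AAA profile for wired traffic) rather than editing the "logon" role itself, since "logon" is also the pre-authentication role for other wired and wireless clients on the controller.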