Wireless Access

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Forward mode queries

  • 1.  Forward mode queries

    Posted Apr 08, 2018 02:47 PM


    I am trying to understand the forward modes [tunnel, bridge, split tunnel and decrypt tunnel] and I have a few questions

    1. I understand that CPsec should be enabled and APs are required to be whitelisted when you want to configure a Campus AP in bridge mode

    But why is CPSec required to configure a Campus AP in bridge mode?

    2. Disabling CPsec in a Campus AP will allow us to do the forward mode configuration [tunnel mode]. Am I correct?

    3. Captive portal cannot be done in bridge mode because it's L3 authentication. Am I correct?

    4. Why doesn't a Campus AP support split tunnel when a RAP does?

    5. What is the use of decrypt tunnel? Normally the controller will change the wireless packet to a wired packet and vice versa during a normal setup, but in decrypt tunnel the AP does the conversion [wireless to wired]. Am I correct or is it wrong? If I am correct then I don't understand the real use of decrypt tunnel. The AP is just doing the controller's job, so what is the real use of decrypt tunnel?

    6. Consider that I am using a RAP and I am configuring Captive portal with split tunnel.

    a. My captive portal's initial role has the following acls

    any any svc-dhcp permit

    any any svc-dns permit

    any any svc-http dst-nat 8080

    any any svc-https dst-nat 8081

    and for the default role [post auth role] I usually permit everything but when I looked for split tunnel the acls were a bit different 

    b. So I gave the below acl under captive portal's post auth role

    any any svc-dhcp permit

    user alias network any permit

    any any route src-nat


    # netdestination network

        # network

        # exit


    My master controller's IP is

    The first acl under the post auth role is any any svc-dhcp permit. The initial role already permits the dhcp service, so what is the real use of this acl which permits the dhcp service in the post-auth role?


    Thank you in advance




  • 2.  RE: Forward mode queries

    Posted Apr 08, 2018 05:27 PM

    1.  Bridge mode typically needs to pass the credentials and ACLs (the PSK) to the AP securely.  CPSEC makes that possible.  

    2.  Yes.

    3.  Correct.

    4.  That is the way it is.

    5.  Tunnel decrypts the client traffic back at the controller.  Decrypt tunnel decrypts that traffic at the AP.  The traffic needs to be sent over another secure tunnel to the controller.  Decrypt Tunnel also has the advantage of being able to pass jumbo frames without configuring your switches between the AP and the controller for Jumbo.

    6. a. "Permit" on a split tunneled SSID tunnels traffic back to the controller.  Route src-nat bridges the traffic local to the AP and then source-nats it out of the IP address of the AP.  In the captive portal ACL, you would permit anything that you would need to pass to or through the controller.  Everything else you can just route src-nat.

    b.  A client might need to renew a dhcp lease after authentication.

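As an added example (not code from the thread or from Aruba), the following Python model evaluates the post-auth role quoted in question 6b the way the reply above describes it: a "permit" match carries the flow through the tunnel to the controller, a "route src-nat" match bridges it out of the AP locally behind the AP's own address, so a post-auth DHCP renew still reaches the controller while ordinary Internet traffic does not. The contents of the netdestination "network", the AP address and the reading of "any any route src-nat" as matching any service are assumptions, since the post leaves them blank.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (not from the thread): the netdestination "network"
# the post leaves blank, and the AP's own address used for route src-nat.
NETDESTINATIONS = {"network": [ip_network("10.0.0.0/8")]}
AP_IP = "192.0.2.10"
SERVICES = {"svc-dhcp": ("udp", 67), "svc-dns": ("udp", 53),
            "svc-http": ("tcp", 80), "svc-https": ("tcp", 443)}

# Post-auth role exactly as quoted in the question (6b). The shorthand
# "any any route src-nat" is read as matching any service (assumption).
POST_AUTH_ACL = [
    {"src": "any", "dst": "any", "svc": "svc-dhcp", "action": "permit"},
    {"src": "user", "dst": "alias network", "svc": "any", "action": "permit"},
    {"src": "any", "dst": "any", "svc": "any", "action": "route src-nat"},
]

def _dst_matches(spec, dst_ip):
    if spec == "any":
        return True
    if spec.startswith("alias "):           # netdestination lookup
        nets = NETDESTINATIONS[spec.split(" ", 1)[1]]
        return any(ip_address(dst_ip) in net for net in nets)
    return ip_address(dst_ip) == ip_address(spec)

def _svc_matches(spec, proto, dport):
    return spec == "any" or SERVICES[spec] == (proto, dport)

def forward_decision(acl, dst_ip, proto, dport):
    """First-match evaluation of a client-originated flow (so a 'user' or
    'any' source always matches). Returns (path, nat_source): 'tunnel' means
    carried to the controller, 'bridge' means sent out the AP's local uplink
    with the client address replaced by AP_IP."""
    for rule in acl:
        if _dst_matches(rule["dst"], dst_ip) and _svc_matches(rule["svc"], proto, dport):
            if rule["action"] == "permit":
                return ("tunnel", None)
            if rule["action"] == "route src-nat":
                return ("bridge", AP_IP)
    return ("deny", None)                    # implicit deny at the end of a role

if __name__ == "__main__":
    # DHCP renew, internal web server, Internet HTTPS, public DNS
    for flow in [("255.255.255.255", "udp", 67), ("10.5.5.5", "tcp", 80),
                 ("203.0.113.7", "tcp", 443), ("8.8.8.8", "udp", 53)]:
        print(flow, "->", forward_decision(POST_AUTH_ACL, *flow))
```

Note that the public DNS flow is bridged rather than tunneled in the post-auth role, which is why the initial (pre-auth) role needs its own svc-dns permit if resolution must go through the controller before login.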


  • 3.  RE: Forward mode queries

    Posted May 17, 2018 09:32 AM
    Hi Colin,

    For the first question I understand you mean the controller needs to pass the credentials and ACLs to the AP securely. By enabling CPSec that is possible since the PAPI messages between the controller and the AP are inside an IPSec tunnel. Did you mean that?
    If the credentials (PSK) are also passed to the AP I understand all the authentication process occurs in the AP in bridge mode, am I correct?


  • 4.  RE: Forward mode queries

    Posted May 17, 2018 09:49 AM


  • 5.  RE: Forward mode queries

    Posted May 17, 2018 09:58 AM
    Thanks Colin,

    Last question about this. When the authentication is 802.1x in bridge mode, what is the flow of the authentication traffic? Does the AP send the credentials to the RADIUS server? How does the AP know the IP and shared secret of the RADIUS server? Or in this case does the client send the credentials to the AP, this in turn to the controller, and the controller to the authentication server?


  • 6.  RE: Forward mode queries

    Posted May 17, 2018 10:01 AM

    The AP sends it to the controller, and the controller sends it to the radius server.  


    Aruba suggests that a deployment be Instant APs if the whole deployment requires the traffic to be bridged.

  • 7.  RE: Forward mode queries

    Posted May 17, 2018 10:21 AM
    Hi Colin,

    Then, in bridge mode what happens if the APs lose connectivity with the controller?

    - Auth PSK: authentication occurs in the AP. Current clients remain up and new clients are accepted.

    - Auth 802.1x: authentication occurs in the controller/server. Current clients remain up and new clients aren't accepted.

    Is it that way?