This SEEMS the best place to put this, but if necessary, please feel free to move it.
The Setup:
In my environment I have a 3400 controller in production and a ClearPass appliance in production. The 3400 has sub-interfaces in the primary (server/appliance) vlan (7), the management vlan (11), and each separate vlan that SSIDs and the APs (24-29) themselves reside on. The ClearPass appliance resides on a separate vlan (23). The ClearPass appliance is used for RADIUS authentication, and is reachable from a wireless device, or any wired device, other than our guest SSID, which is ACL'ed off.
I also have a 7205 controller which is being configured to eventually be the production controller. I have a second ClearPass appliance that is doing RADIUS and 'other NAC stuff' for the 7205 APs. The connections fall into the exact same vlans as the production controller/ClearPass/APs/SSIDs.
The Problem:
Devices connected to the 7205 cannot reach the ClearPass appliance. Example: A laptop is placed on an SSID on the 3400 and receives an IP of a.b.c.6, and can ping ClearPass. The same laptop disconnects, and reconnects to an SSID on the 7205, receiving an IP of a.b.c.10. The device can no longer ping the ClearPass device. I have - I believe - ruled out a role-acl issue by putting an allowall acl on the role on the 7205.
I added an ip helper-address on the SSID interface of my core to point to the IP address of the ClearPass appliance, and now pings go through properly. However, it is my understanding that this is effectively allowing broadcasts to go through the layer 3 interface into the helper-address.
The Question:
Why does the 7205 require a helper-address, when the 3400 does not? The only difference I can see is that the 3400 is in bridged mode, and the 7205 (required for captive-portal and posturing I am told) is in tunnel mode.
Thanks,
Russell