Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

RAP Split Tunnel with Clearpass

  • 1.  RAP Split Tunnel with Clearpass

    Posted Feb 14, 2016 10:58 AM

    Hi:

    I’m setting up a RAP to extend our corporate ssid to a remote site.

    I’ve gotten the RAP to connect, and the corporate ssid shows up and remote users can connect, and authenticate to Active Directory via Clearpass.

    Lovely!

    Now I’d like to configure a split tunnel at the remote site.

    The current Clearpass policies check IF user is in the corporate group AND the computer is an AD domain member THEN they are assigned to the corporate role.

    To configure a split tunnel, I’m assuming that I’d want to add a rule in Clearpass that applies a different policy for RAP users, something like:

    IF computer is a domain member, AND user is in the corporate group, AND AP group is Remote-AP, THEN apply a “corp-remote” role. The corp-remote role would have a permit action for corporate internal networks and a “route src-nat” action for all other addresses.

    Does that seem like the best way to do this, or are there other best practices?

    Thanks.

    Tony
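The controller-side half of the role described in the post, written out as an added example (not configuration from the original post or from HPE Aruba): a `corp-remote` user-role whose session ACL permits the corporate internal networks and applies `route src-nat` to everything else. The alias name `corp-internal`, the ACL and VAP names, and the 10.0.0.0/8 and 172.16.0.0/12 ranges are constructed placeholders; replace them with the site's real internal ranges.

```arubaos
! Destination alias for the corporate internal networks.
! Addresses below are constructed placeholders, not from the original post.
netdestination corp-internal
  network 10.0.0.0 255.0.0.0
  network 172.16.0.0 255.240.0.0
!
! Session ACL for the split-tunnel role.
! Line 1: traffic to internal networks is tunnelled to the controller and permitted.
! Line 2: everything else is bridged at the remote site and source-NATed by the RAP.
! Order matters: the permit entry must come before the route src-nat catch-all,
! otherwise internal traffic is also sent out locally.
ip access-list session corp-remote-split
  user alias corp-internal any permit
  user any any route src-nat
!
! Role returned by ClearPass in the Aruba-User-Role VSA for RAP users.
user-role corp-remote
  access-list session corp-remote-split
!
! route src-nat only takes effect when the remote virtual AP forwards in split-tunnel mode;
! this is the relevant setting inside the existing virtual-ap profile for the corporate SSID
! (profile name is a placeholder).
wlan virtual-ap corp-remote-vap
  forward-mode split-tunnel
```

On the ClearPass side the matching enforcement rule would test the existing AD conditions (domain membership and corporate group) together with the RADIUS attribute `Radius:Aruba:Aruba-AP-Group EQUALS Remote-AP`, and its enforcement profile would return `Radius:Aruba:Aruba-User-Role = corp-remote`; the AP-group name must match the one configured on the controller exactly. One check worth making before rollout: any internal range missing from the `corp-internal` alias is silently matched by the `route src-nat` line and leaves the site unencrypted via the local Internet connection, so verify the alias against the full list of corporate prefixes and confirm with `show rights corp-remote` that the ACL entries appear in the intended order.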



  • 2.  RE: RAP Split Tunnel with Clearpass
    Best Answer

    EMPLOYEE
    Posted Feb 14, 2016 11:02 AM
    I usually do a separate service to handle RAP authentication to make it easier to make changes without affecting the campus.



  • 3.  RE: RAP Split Tunnel with Clearpass

    Posted Feb 14, 2016 11:52 AM

    Hi Tim:

    Thanks, that's a great idea.

    My policies were going to become very messy otherwise.