Frequent Contributor II

RAP Split Tunnel with Clearpass



I’m setting up a RAP to extend our corporate ssid to a remote site.

I’ve gotten the RAP to connect, and the corporate ssid shows up and remote users can connect, and authenticate to Active Directory via Clearpass.



Now I’d like to configure a split tunnel at the remote site.


The current Clearpass policies check IF user is in the corporate group AND the computer is an AD domain member THEN they are assigned to the corporate role.


To configure a split tunnel, I’m assuming that I’d want to add a rule in Clearpass that applies a different policy for RAP users, something like:


IF computer is a domain member, AND user is in the corporate group, AND AP group is Remote-AP, THEN apply a “corp-remote” role. The corp-remote role would have a permit action for corporate internal networks and a “route src-nat” action for all other addresses.


Does that seem like the best way to do this, or are there other best practices?
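The corp-remote role described above, written out as ArubaOS controller configuration. This is an added example, not configuration from the original post; the 10.0.0.0/8 range and the names corp-networks, corp-remote-split, corp-remote and corp-rap-vap are assumptions, and the role name is the one the ClearPass enforcement profile would return to the controller as Aruba-User-Role.

```text
! Assumed corporate address space; replace with the real internal networks
netdestination corp-networks
  network 10.0.0.0 255.0.0.0
!
! Session ACL for the remote role:
!   permit        -> destination is corporate, traffic is tunneled to the controller
!   route src-nat -> everything else is source-NATed and forwarded locally at the RAP
ip access-list session corp-remote-split
  user alias corp-networks any permit
  user any any route src-nat
!
! Role assigned when ClearPass returns Aruba-User-Role = corp-remote
user-role corp-remote
  access-list session corp-remote-split
!
! The route src-nat action only takes effect when the RAP's virtual AP
! is in split-tunnel forward mode; the default (tunnel) sends everything
! to the controller regardless of the ACL
wlan virtual-ap corp-rap-vap
  forward-mode split-tunnel
```

The ACL is evaluated top down with an implicit deny at the end, so any internal network missing from corp-networks will be NATed out the remote site's internet connection rather than reaching the controller.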




Guru Elite

Re: RAP Split Tunnel with Clearpass

I usually do a separate service to handle RAP authentication to make it easier to make changes without affecting the campus.

Sent from Nine

Tim Cappalli | Aruba Security | @timcappalli

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor II

Re: RAP Split Tunnel with Clearpass

Hi Tim:

Thanks, that's a great idea.

My policies were going to become very messy otherwise.


