Hi all.
I have searched for a long time but haven't found anything, so I am writing my own question now.
We have deployed Tunneled-Node (Port-Based) on our 2920 and 2930 access switches. The tunnels terminate on a pair of Mobility Devices, and authentication goes through a pair of ClearPass servers.
Everything works perfectly for wired clients. The switch port, connected to a computer for example, sends a RADIUS request to the ClearPass cluster, which evaluates it through the service section and returns a role to the Mobility Master, which then sends the role out to the switch port. This works perfectly!
Now to the access points (Campus APs).
Since the access points are "smart", they create a separate GRE tunnel to the Mobility Device per connected wireless client, but I want the access point itself to authenticate without creating a tunnel for itself. If it does, the AP itself creates a tunnel and then tunnels the wireless clients within that tunnel, so I get the "tunnel-in-tunnel" scenario, which is wrong in my opinion.
If I make a service in ClearPass which authenticates the AP and returns the user role "Aruba-AP" (which essentially places the AP in a separate VLAN), the AP connects and works as it should, but a tunnel is now created...
(MD01) *#show tunneled-node state | include 10.208.0.102
10.208.0.102 9c:b6:54:c8:b0:4b 1/39 complete 10 1947 1
I have read an article about a function called "Port-Mode" that authenticates the first client on the port and then automatically passes the rest of the connected devices through, but I think that is what I would use if I had an Instant AP, not a Campus AP.
For ease of use for our technicians in the field, we want every access port to have tunneled-node enabled and not to exclude the access ports for our Campus APs.
Is there a solution out there for this?