Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Configuring WLAN Profile with Split-Tunnel

  • 1.  Configuring WLAN Profile with Split-Tunnel

    EMPLOYEE
    Posted Dec 13, 2018 01:06 PM

    Greetings,

    I'm trying to configure a network profile with forward-mode split tunnel. Here's the configuration I'm using:

    ******************************************************************************

    wlan ssid-profile <profile_name>
    wlan ssid-profile <profile_name> no hide-ssid
    wlan ssid-profile <profile_name> essid <name>
    wlan ssid-profile <profile_name> wpa-passphrase <password>
    wlan ssid-profile <profile_name> opmode wpa-psk-aes
    aaa authentication dot1x <profile_name>
    aaa authentication dot1x <profile_name> no termination enable
    aaa authentication dot1x <profile_name> no machine-authentication enable
    aaa authentication dot1x <profile_name> max-authentication-failures 0
    aaa authentication dot1x <profile_name> timer reauth-period 86400
    aaa profile <profile_name>
    aaa profile <profile_name> initial-role authenticated
    aaa profile <profile_name> mac-default-role guest
    aaa profile <profile_name> authentication-dot1x <profile_name>
    aaa profile <profile_name> dot1x-default-role guest
    wlan virtual-ap <profile_name>
    wlan virtual-ap <profile_name> aaa-profile <profile_name>
    wlan virtual-ap <profile_name> vlan <vlan>
    wlan virtual-ap <profile_name> ssid-profile <profile_name>
    wlan virtual-ap <profile_name> forward-mode split-tunnel
    ap-group default
    ap-group default virtual-ap <profile_name>
    write memory

    ******************************************************************************

    The above configuration worked for tunnel and decrypt-tunnel; however, with split-tunnel I do not see the SSID going active and appearing on the network. Am I missing something? Does it also work with TKIP (WPA, WPA2)?

    Thank you for your support.



  • 2.  RE: Configuring WLAN Profile with Split-Tunnel
    Best Answer

    EMPLOYEE
    Posted Dec 13, 2018 02:12 PM

    The split tunnel forwarding mode only works for Remote APs.



  • 3.  RE: Configuring WLAN Profile with Split-Tunnel

    EMPLOYEE
    Posted Dec 13, 2018 02:41 PM

    Yes, I forgot to mention that I am using CAPs. Thank you for the reply.


    If I may also ask:

    1) Do dynamic WEP and TKIP encryption types work with forward-mode tunnel? If so, would you know what I have to configure to make them work?


    2) In bridge mode, I am able to make it work (SSID appears, client can connect) only if I'm using VLAN 1 (wlan virtual-ap <profile_name> vlan 1). If I'm using some personal VLAN (e.g. VLAN 111), I can see the SSID but the client fails to authenticate. Would you happen to know what might be causing this?



  • 4.  RE: Configuring WLAN Profile with Split-Tunnel

    EMPLOYEE
    Posted Dec 13, 2018 03:15 PM

    1.  I think you can only configure dynamic WEP and TKIP on the command line in the SSID profile, because they are insecure.


    2.  When using bridge mode, by default any VLAN other than 1 will have the client traffic tagged with that VLAN. This means that unless your AP is on a trunk port and the client's tagged VLAN is allowed, your switch will probably just drop that traffic. A Virtual AP VLAN of 1 will send the client traffic out the Ethernet port of the AP untagged in bridge mode.
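    To see what the reply above means on the wire, here is an added example (not code from the thread or from HPE Aruba) that parses the Ethernet header of frames leaving the AP's uplink, reports whether they carry an 802.1Q tag, and models how an access port versus a trunk port with an allowed-VLAN list would treat them. The MAC addresses, the VLAN ID 111 and the simplified switch ingress rules are assumptions for illustration; real switches vary in how they handle tagged frames on access ports.

```python
"""Check whether frames leaving an AP's Ethernet port are 802.1Q-tagged and
whether a switch port would forward them.

Added example, not from the thread or from HPE Aruba. Frames are constructed
by hand; MAC addresses and VLAN IDs are placeholders.
"""
import struct
from typing import NamedTuple, Optional, Sequence

ETH_P_8021Q = 0x8100   # EtherType that announces an 802.1Q tag
ETH_P_IP = 0x0800      # EtherType of the inner IPv4 payload used below


class Frame(NamedTuple):
    dst: str
    src: str
    vlan: Optional[int]   # None when the frame left the AP untagged
    ethertype: int
    payload: bytes


def build_frame(dst: str, src: str, payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Build a minimal Ethernet frame, optionally with an 802.1Q tag (PCP/DEI = 0)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is None:
        hdr += struct.pack("!H", ETH_P_IP)
    else:
        hdr += struct.pack("!HHH", ETH_P_8021Q, vlan & 0x0FFF, ETH_P_IP)
    return hdr + payload


def parse_ethernet(raw: bytes) -> Frame:
    """Parse dst/src MAC, an optional 802.1Q tag and the inner EtherType."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan, offset = None, 14
    if ethertype == ETH_P_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan = tci & 0x0FFF   # low 12 bits of the TCI carry the VLAN ID
        offset = 18
    return Frame(dst.hex(":"), src.hex(":"), vlan, ethertype, raw[offset:])


def classify_ingress(frame: Frame, mode: str, native_vlan: int = 1,
                     allowed: Sequence[int] = ()) -> Optional[int]:
    """Simplified switch ingress model (assumption, vendor behaviour differs).

    Returns the VLAN the frame is placed in, or None if the port drops it.
    - access port: accepts untagged frames only, places them in native_vlan
    - trunk port:  untagged -> native_vlan; tagged -> forwarded only if the
                   VLAN ID is in the allowed list
    """
    if frame.vlan is None:
        return native_vlan
    if mode == "trunk" and frame.vlan in allowed:
        return frame.vlan
    return None   # tagged frame on an access port, or VLAN not allowed on trunk


# Constructed sample frames: a client behind a bridge-mode VAP on VLAN 1
# (untagged) and the same client on VLAN 111 (tagged), as the reply describes.
CLIENT = "02:00:00:00:00:01"
GATEWAY = "02:00:00:00:00:fe"
PAYLOAD = b"\x45\x00" + b"\x00" * 18   # stand-in for an IPv4 header
FRAME_UNTAGGED = build_frame(GATEWAY, CLIENT, PAYLOAD)
FRAME_TAGGED = build_frame(GATEWAY, CLIENT, PAYLOAD, vlan=111)


def bridge_mode_outcomes() -> dict:
    """Outcome of each VAP VLAN choice against an access port and a trunk port."""
    untagged, tagged = parse_ethernet(FRAME_UNTAGGED), parse_ethernet(FRAME_TAGGED)
    return {
        "vap_vlan1_access_port": classify_ingress(untagged, "access"),
        "vap_vlan111_access_port": classify_ingress(tagged, "access"),
        "vap_vlan111_trunk_allowed": classify_ingress(tagged, "trunk", allowed=(1, 111)),
        "vap_vlan111_trunk_not_allowed": classify_ingress(tagged, "trunk", allowed=(1,)),
    }


if __name__ == "__main__":
    for name, vlan in bridge_mode_outcomes().items():
        print(f"{name:32s} -> {'dropped' if vlan is None else f'VLAN {vlan}'}")
```

    The two failing cases (tagged frame on an access port, or a trunk whose allowed list omits VLAN 111) are exactly the situation the reply describes: the client's 802.1X or PSK handshake completes over the air, but its Ethernet frames never make it past the AP's uplink, so it looks like an authentication failure from the client's side.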



  • 5.  RE: Configuring WLAN Profile with Split-Tunnel

    EMPLOYEE
    Posted Dec 13, 2018 04:02 PM

    1. That is correct. For those encryption types, I'm configuring them on CLI just like wpa-psk-aes. I can make them work with decrypt-tunnel, but I cannot figure out why tunnel doesn't work. In fact, decrypt-tunnel works for all encryption types including TKIP and the WEPs.


    2. Yes, that makes sense. Is that true only for Bridge mode? Because for decrypt-tunnel and tunnel, I have to use my personal VLAN to make it work. Putting VLAN 1 for those modes gives me the same error as putting a different VLAN for bridge.


    3. One final question: to validate encryption types I use the command 'show dot1x supplicant-info list-all' on the controller. But for bridge mode, that command returns nothing. Is that because in this mode the AP takes care of everything? Are there any alternatives? I have tried 'show ap remote debug' but I didn't see dot1x.



  • 6.  RE: Configuring WLAN Profile with Split-Tunnel

    EMPLOYEE
    Posted Dec 13, 2018 04:05 PM

    2.  That only works for bridge mode.  Anything with a tunnel puts client traffic on the VLAN specified by the controller.


    3.  I honestly do not know.



  • 7.  RE: Configuring WLAN Profile with Split-Tunnel

    EMPLOYEE
    Posted Dec 13, 2018 04:13 PM

    Ok, thanks for everything.