Wireless Access

Occasional Contributor I

Configuring WLAN Profile with Split-Tunnel

Greetings,

I'm trying to configure a network profile with forward-mode split tunnel. Here's the configuration I'm using:

******************************************************************************

wlan ssid-profile <profile_name>
wlan ssid-profile <profile_name> no hide-ssid
wlan ssid-profile <profile_name> essid <name>
wlan ssid-profile <profile_name> wpa-passphrase <password>
wlan ssid-profile <profile_name> opmode wpa-psk-aes
aaa authentication dot1x <profile_name>
aaa authentication dot1x <profile_name> no termination enable
aaa authentication dot1x ST05_static no machine-authentication enable
aaa authentication dot1x <profile_name> max-authentication-failures 0
aaa authentication dot1x <profile_name> timer reauth-period 86400
aaa profile <profile_name>
aaa profile <profile_name> initial-role authenticated
aaa profile <profile_name> mac-default-role guest
aaa profile <profile_name> authentication-dot1x <profile_name>
aaa profile <profile_name> dot1x-default-role guest
wlan virtual-ap <profile_name>
wlan virtual-ap <profile_name> aaa-profile <profile_name>
wlan virtual-ap <profile_name> vlan <vlan>
wlan virtual-ap <profile_name> ssid-profile <profile_name>
wlan virtual-ap <profile_name> forward-mode split-tunnel
ap-group default
ap-group default virtual-ap <profile_name>
write memory

******************************************************************************

The above configuration worked for tunnel and decrypt-tunnel; however, I do not see the SSID going active and appearing on the network for split-tunnel. Am I missing something? Does it also work with TKIP (WPA, WPA2)?

Thank you for your support.

Guru Elite

Re: Configuring WLAN Profile with Split-Tunnel

The split tunnel forwarding mode only works for Remote APs.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor I

Re: Configuring WLAN Profile with Split-Tunnel

Yes, I forgot to mention that I am using CAPs. Thank you for the reply.

If I may also ask:

1) Do WEP Dynamic and TKIP encryption types work with forward-mode Tunnel? If so, would you know what I have to configure to make it work?

2) On bridge mode, I am able to make it work (SSID appears, client can connect) only if I'm using vlan 1 (wlan virtual-ap <profile_name> vlan 1). If I'm using some personal vlan (Ex: VLAN 111), I can see the SSID but the client fails to authenticate. Would you happen to know what might be causing this?

Guru Elite

Re: Configuring WLAN Profile with Split-Tunnel

1. I think you can only configure dynamic WEP and TKIP on the command line in the SSID profile, because they are insecure.

2. When using bridge mode, by default any other VLAN except 1 will have the client traffic tagged with that VLAN, which means that unless your AP is on a trunk port and the client tagged VLAN is allowed, your switch will probably just drop that traffic. Having a Virtual AP VLAN of 1 will send the client traffic out the Ethernet of the AP untagged in bridge mode.


Occasional Contributor I

Re: Configuring WLAN Profile with Split-Tunnel

1. That is correct. For those encryption types, I'm configuring them on the CLI just like wpa-psk-aes. I can make them work with decrypt-tunnel, but I cannot figure out why tunnel doesn't work. In fact, decrypt-tunnel works for all encryption types including TKIP and the WEPs.

2. Yes, that makes sense. Is that true only for Bridge mode? Because for decrypt-tunnel and tunnel, I have to use my personal VLAN to make it work. Putting VLAN 1 for those modes gives me the same error as putting a different VLAN for bridge.

3. One final question: To validate encryption types I use the command 'show dot1x supplicant-info list-all' on the controller. But for bridge mode, those commands prompt nothing. Is that because in this mode the AP takes care of everything? Are there any alternatives? I have tried 'show ap remote debug' but I didn't see dot1x.

Guru Elite

Re: Configuring WLAN Profile with Split-Tunnel

2. That only works for bridge mode. Anything with a tunnel puts client traffic on the VLAN specified by the controller.

3. I honestly do not know.


Occasional Contributor I

Re: Configuring WLAN Profile with Split-Tunnel

Ok thanks for everything
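
Added example (not part of the original thread and not Aruba tooling): a small Python check over a flat config dump that flags the three conditions the replies above call out, namely split-tunnel on a virtual AP, bridge mode with a VLAN other than 1, and WEP/TKIP opmodes. The profile names, the sample config with its opmode values, and the defaults used when `forward-mode` or `vlan` is unset are assumptions.

```python
import re

# Constructed sample in the thread's flat CLI style; all profile names are made up.
SAMPLE = """\
wlan ssid-profile lab-psk opmode wpa-psk-aes
wlan ssid-profile lab-legacy opmode wpa-tkip
wlan virtual-ap vap-a ssid-profile lab-psk
wlan virtual-ap vap-a vlan 111
wlan virtual-ap vap-a forward-mode bridge
wlan virtual-ap vap-b ssid-profile lab-legacy
wlan virtual-ap vap-b vlan 111
wlan virtual-ap vap-b forward-mode split-tunnel
wlan virtual-ap vap-c ssid-profile lab-psk
wlan virtual-ap vap-c vlan 1
wlan virtual-ap vap-c forward-mode bridge
"""

LINE = re.compile(r"^wlan (ssid-profile|virtual-ap) (\S+) (\S+) (\S+)$")

def audit(config):
    """Return sorted (virtual-ap, finding) pairs for the points raised in the thread."""
    opmode, vaps = {}, {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # bare profile lines, aaa lines, ap-group lines: not needed here
        kind, name, key, value = m.groups()
        if kind == "ssid-profile" and key == "opmode":
            opmode[name] = value
        elif kind == "virtual-ap":
            vaps.setdefault(name, {})[key] = value
    findings = []
    for name, vap in vaps.items():
        mode = vap.get("forward-mode", "tunnel")  # assumption: tunnel when unset
        vlan = vap.get("vlan", "1")               # assumption: VLAN 1 when unset
        cipher = opmode.get(vap.get("ssid-profile"), "")
        if mode == "split-tunnel":
            findings.append((name, "split-tunnel: only works for Remote APs"))
        if mode == "bridge" and vlan != "1":
            findings.append((name, f"bridge: VLAN {vlan} is tagged at the AP uplink"))
        if "wep" in cipher or "tkip" in cipher:
            findings.append((name, f"legacy cipher opmode {cipher}"))
    return sorted(findings)

if __name__ == "__main__":
    for vap, finding in audit(SAMPLE):
        print(f"{vap}: {finding}")
```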
