@jcameron wrote:
When we had Aruba deploy the system they said all we needed was a default route back to our core switch and from there it is forwarded.
Jcameron,
Whatever is doing routing on that user subnet needs to be able to ping the DHCP server, NOT the controller. Only a captive portal WLAN requires that an IP address be on the controller's interface on that VLAN. If you are using 802.1x, and you are just bridging the user traffic to another layer 3 switch, the layer 3 switch has the IP address on that subnet, does the routing and has the ip helper-address command. That layer 3 switch needs to be able to ping the DHCP server, NOT the Aruba controller, because it is just bridging traffic.
If, on the other hand, the controller is the default gateway for your clients, the controller needs the IP address and helper address, and should be able to ping the DHCP server. Your clients should also be permitting DHCP traffic with an "any any service dhcp" statement in the role.