PVS
Occasional Contributor II

Forward mode queries

Hi,

I am trying to understand the forward modes [tunnel, bridge, split tunnel and decrypt tunnel] and I have a few questions

1. I understand that CPsec should be enabled and APs are required to be whitelisted when you want to configure a Campus AP in bridge mode

But why is CPSec required to configure a Campus AP in bridge mode?

2. Disabling CPsec on a Campus AP will allow us to do the forward mode configuration [tunnel mode]. Am I correct?

3. Captive portal cannot be done in bridge mode because it's L3 authentication. Am I correct?

4. Why doesn't a Campus AP support split tunnel when a RAP does?

5. What is the use of decrypt tunnel? Normally the controller will change the wireless packet to a wired packet and vice versa during a normal setup, but in decrypt tunnel the AP does the conversion [wireless to wired]. Am I correct or is it wrong? If I am correct then I don't understand the real use of decrypt tunnel. The AP is just doing the controller's job, so what is the real use of decrypt tunnel?

6. Consider that I am using a RAP and I am configuring Captive portal with split tunnel.

a. My captive portal's initial role has the following ACLs

any any svc-dhcp permit

any any svc-dns permit

any any svc-http dst-nat 8080

any any svc-https dst-nat 8081

and for the default role [post auth role] I usually permit everything, but when I looked for split tunnel the ACLs were a bit different

b. So I gave the below ACL under captive portal's post auth role

any any svc-dhcp permit

user alias network any permit

any any route src-nat


# netdestination network

    # network 10.0.0.0 255.255.255.0

    # exit


My master controller's IP is 10.0.0.10

The first ACL under the post auth role is any any svc-dhcp permit. The initial role already permits the DHCP service, so what is the real use of this ACL which permits the DHCP service in the post-auth role?


Thank you in advance

Sandeep
Guru Elite

Re: Forward mode queries

1. Bridge mode typically needs to pass the credentials and ACLs (the PSK) to the AP securely. CPSEC makes that possible.

2. Yes.

3. Correct.

4. That is the way it is.

5. Tunnel decrypts the client traffic back at the controller. Decrypt tunnel decrypts that traffic at the AP. The traffic needs to be sent over another secure tunnel to the controller. Decrypt Tunnel also has the advantage of being able to pass jumbo frames without configuring your switches between the AP and the controller for Jumbo.

6. a. "Permit" on a split tunneled SSID tunnels traffic back to the controller. Route src-nat bridges the traffic local to the AP and then source-nats it out the IP address of the AP. In the captive portal ACL, you would permit anything that you would need to pass to or through the controller. Everything else you can just route src-nat.

b. A client might need to renew a DHCP lease after authentication.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
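As an added example (not from this thread, Colin, or Aruba's own code), here is a small Python model of the first-match split-tunnel ACL behaviour Colin describes in 6a: "permit" is tunneled back to the controller, "route src-nat" is bridged and source-NATed at the AP, and anything unmatched is dropped. Both roles from Sandeep's question are encoded; the netdestination "network" (10.0.0.0/24), the service-to-port mapping, and the assumption that the captive portal dst-nat redirects also travel through the tunnel to the controller are constructed/simplified for the example.

```python
import ipaddress

# Constructed values from the thread: netdestination "network" = 10.0.0.0/24.
# SERVICES is a simplified stand-in for Aruba's built-in service aliases.
NETDESTINATIONS = {"network": [ipaddress.ip_network("10.0.0.0/24")]}
SERVICES = {"svc-dhcp": ("udp", 67), "svc-dns": ("udp", 53),
            "svc-http": ("tcp", 80), "svc-https": ("tcp", 443)}

# The two roles exactly as posted in the question: (src, dst, service, action).
INITIAL_ROLE = [("any", "any", "svc-dhcp", "permit"),
                ("any", "any", "svc-dns", "permit"),
                ("any", "any", "svc-http", "dst-nat 8080"),
                ("any", "any", "svc-https", "dst-nat 8081")]
POST_AUTH_ROLE = [("any", "any", "svc-dhcp", "permit"),
                  ("user", "alias network", "any", "permit"),
                  ("any", "any", "any", "route src-nat")]

def _host_matches(spec, ip):
    if spec in ("any", "user"):          # "user" = the wireless client itself
        return True
    if spec.startswith("alias "):        # netdestination lookup
        nets = NETDESTINATIONS[spec.split()[1]]
        return any(ipaddress.ip_address(ip) in n for n in nets)
    return ip == spec

def _service_matches(spec, proto, port):
    return spec == "any" or SERVICES[spec] == (proto, port)

def evaluate(role, flow):
    """First-match evaluation of a session ACL on a split-tunnel SSID.
    Returns (action, path): 'tunnel' = sent over the secure tunnel to the
    controller (permit, and dst-nat redirects to the controller's captive
    portal port), 'local' = bridged at the AP and source-NATed to the AP's
    IP (route src-nat), 'drop' = explicit or implicit deny."""
    for src, dst, svc, action in role:
        if (_host_matches(src, flow["src"]) and _host_matches(dst, flow["dst"])
                and _service_matches(svc, flow["proto"], flow["dport"])):
            if action == "route src-nat":
                return action, "local"
            if action == "deny":
                return action, "drop"
            return action, "tunnel"
    return "deny", "drop"          # implicit deny at the end of every role

if __name__ == "__main__":
    # Constructed sample flows: client 10.0.0.50 talking to the controller and to the internet.
    print(evaluate(POST_AUTH_ROLE, {"src": "10.0.0.50", "dst": "10.0.0.10", "proto": "tcp", "dport": 443}))
    print(evaluate(POST_AUTH_ROLE, {"src": "10.0.0.50", "dst": "8.8.8.8", "proto": "tcp", "dport": 443}))
```

Running it shows why the post-auth role keeps svc-dhcp before the route src-nat line: without it, the lease renewal in 6b would be bridged and NATed locally instead of reaching the controller.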

Re: Forward mode queries

Hi Colin,

For the first question I understand you mean the controller needs to pass the credentials and ACLs to the AP securely. By enabling CPSec that is possible since the PAPI messages between the controller and the AP are inside an IPSec tunnel. Did you mean that?
If the credentials (PSK) are also passed to the AP I understand all the authentication process occurs in the AP in bridge mode, am I correct?

Regards,
Julián
Guru Elite

Re: Forward mode queries

Correct.



Re: Forward mode queries

Thanks Colin,

Last question about this. When the authentication is 802.1x in bridge mode, what is the flow of the authentication traffic? Does the AP send the credentials to the RADIUS server? How does the AP know the IP and shared secret of the RADIUS server? Or in this case does the client send the credentials to the AP, the AP in turn to the controller, and the controller to the authentication server?

Regards,
Julián
Guru Elite

Re: Forward mode queries

The AP sends it to the controller, and the controller sends it to the RADIUS server.

Aruba suggests that a deployment be Instant APs if the whole deployment requires the traffic to be bridged.



Re: Forward mode queries

Hi Colin,

Then, in bridge mode what happens if the APs lose connectivity with the controller?

- Auth PSK: authentication occurs in the AP. Current clients remain up and new clients are accepted.

- Auth 802.1x: authentication occurs in the controller/server. Current clients remain up and new clients aren't accepted.

Is it that way?

Regards,
Julián