Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

  • 1.  Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    Posted Oct 21, 2015 09:56 AM

    The documentation I have found so far shows instructions and screenshots that do not fully match the GUI I'm seeing on the controller. Maybe I haven't checked the right places so far? We're using an Aruba 650 controller on the 6.3 branch.

     

    My goal is to place a RAP in a remote office and let users connecting to the RAP through Wi-Fi access resources at the main office. As far as I understand, split tunnel makes the clients in the remote office use the DHCP server in the main office and sends data for the main office to the main office (not NAT'ed) and sends data for the internet directly to the internet (NAT'ed). Is this correct?

     

    And will computers in the main office be able to ping systems in the remote office as well?



  • 2.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    EMPLOYEE
    Posted Oct 21, 2015 10:03 AM

    Correct on all counts.  Users in the main office will be able to ping clients on APs in the remote office, because they will have routable IP addresses, assigned from the datacenter.

     



  • 3.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    Posted Oct 21, 2015 10:15 AM

    Thank you. Should the most up-to-date info be in the knowledge base? Or do you have a URL to a guide I should use? If I run into something that looks different in my setup, shall I let you know in this thread?



  • 4.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    EMPLOYEE
    Posted Oct 21, 2015 10:20 AM

    It has not changed in years.  You would need to make sure:

    - The access point is configured as a remote AP (required for split tunneling)

    - The Virtual AP is configured as Split-Tunnel

    - The user role assigned should look like this:

        any any service dhcp permit
        any network corpnetwork any permit
        any any any route src-nat

    The first rule permits DHCP, which is essential.

    The second rule detects any traffic going back to the corporate network and permits it back through the tunnel.

    The third rule is a catch-all for anything that is not destined to corporate and source-NATs it out of the IP address of the RAP.
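As an added illustration (not from the thread or from Aruba), the following Python models first-match evaluation of the three rules above so the effect of their order can be checked on sample flows; the value behind the `corpnetwork` alias is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical value for the "corpnetwork" alias used in the role above (constructed).
CORPNETWORK = "10.0.0.0/8"

@dataclass(frozen=True)
class Rule:
    dst: str       # destination: "any" or a CIDR (source is "any" in all three rules)
    service: str   # "any" or "dhcp"
    action: str    # "permit" = send through the tunnel, "route src-nat" = NAT out of the RAP

# The role from the reply above, in the order given.
SPLIT_TUNNEL_ROLE = [
    Rule("any", "dhcp", "permit"),
    Rule(CORPNETWORK, "any", "permit"),
    Rule("any", "any", "route src-nat"),
]

def classify(rules, dst_ip, dst_port, proto="udp"):
    """First-match evaluation with an implicit deny, the way a session ACL applies its rules."""
    is_dhcp = proto == "udp" and dst_port in (67, 68)
    for r in rules:
        if r.service == "dhcp" and not is_dhcp:
            continue
        if r.dst != "any" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(r.dst):
            continue
        return r.action
    return "deny"

def rule_order_matters():
    """Show why the catch-all must be last: reversed, corporate traffic is NATed locally."""
    good = classify(SPLIT_TUNNEL_ROLE, "10.1.2.3", 445, "tcp")
    bad = classify(list(reversed(SPLIT_TUNNEL_ROLE)), "10.1.2.3", 445, "tcp")
    return good, bad

if __name__ == "__main__":
    print(classify(SPLIT_TUNNEL_ROLE, "255.255.255.255", 67))        # permit (DHCP via tunnel)
    print(classify(SPLIT_TUNNEL_ROLE, "10.1.2.3", 445, "tcp"))        # permit (corporate, tunneled)
    print(classify(SPLIT_TUNNEL_ROLE, "93.184.216.34", 443, "tcp"))   # route src-nat (local internet)
    print(rule_order_matters())                                       # ('permit', 'route src-nat')
```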

     

     



  • 5.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    Posted Oct 21, 2015 10:27 AM
    Thank you. I will try again tomorrow and let you know if I need further help :)


  • 6.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    Posted Nov 10, 2015 07:41 AM

    yay, I got it to work :) Thanks for the help.

     

    There's a CRUCIAL mistake in the Understanding Split Tunneling guide (http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/Remote_AP/Split_Tunneling.htm). It says at step 13e: Under Action, select ANY and check src-nat. This is not correct! It should be ROUTE and check src-nat. It led me to choosing the action 'src-nat' (which asked me to define a NAT pool), which is not correct either.

     

    Step 8e says to enter the public IP of the controller. But it should be the IP of the network(s) you're trying to tunnel.

     

    Some guides are saying I need to add an allow-all firewall policy to the user role, but it doesn't seem necessary.

     

    Making the Port Wired AP profile 'trusted' wasn't needed either. (wasn't in a guide, but I remember it being needed when I was doing a different config).

     

    What I don't understand yet is the Defining Corporate DNS Servers part. What does it do exactly? My DHCP hands out a corporate DNS server in the range that is tunneled and it works. Why would I add DNS server names in the Corporate DNS part? Is it meant to be used when your DNS server is not in the range that gets tunneled?



  • 7.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    EMPLOYEE
    Posted Nov 10, 2015 08:54 AM

    eriknl2,

     

    Thank you.  We will get that fixed.



  • 8.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    EMPLOYEE
    Posted Nov 12, 2015 02:30 PM

    Eriknl2,

     

    I got word that the link is fixed.  Please check the link...



  • 9.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    Posted Dec 23, 2015 12:35 PM

    Yes. Seems fixed. Thank you.

    Other question: when I reboot a machine connected to a split tunnel rap, it doesn't seem to connect. Only if I pull the network cable for a while and plug it back in, then it starts working again. Sometimes. Not always.

    What am I doing wrong? Windows says DHCP times out. I don't see the machine getting a user-role or anything.

     

    Machine is running Windows 8.1. Connected by wire to RAP2; the same thing happens with RAP3.

     

    Edit: if I disable MAC authentication and set the Initial Role to the split-tunnel user role, then it works. So it must be a problem with MAC authentication, I guess?

     

    Normally, I have the initial role set to denyall. And I have the MAC Authentication Default Role set to the split-tunnel user role. Also, in the internal database, I have set the role for the MAC address to the split-tunnel user role. Should I use something else instead of denyall? Like guest? I'm also using denyall on the normal (not split) tunnels and that seems to work fine.



  • 10.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    Posted Dec 24, 2015 05:16 AM
    So the basic question is: what initial role is needed for MAC authentication to work with split tunnel mode?


  • 11.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    EMPLOYEE
    Posted Dec 24, 2015 06:31 AM
    Wired or wireless? Each would require a different strategy.


  • 12.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    Posted Dec 24, 2015 06:52 AM

    Wired please :)

    Also: it seems the user gets deleted every X minutes of network inactivity? and recreated when activity starts again. Is that normal?



  • 13.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    EMPLOYEE
    Posted Dec 24, 2015 06:57 AM

    Wired, all you would have to allow is "any any service dhcp".  What kind of wired devices would you want to put on that port and what is the intended workflow?

     



  • 14.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    EMPLOYEE
    Posted Dec 24, 2015 06:58 AM

    Have you changed any of the timers from the defaults?  It should not delete itself, unless the link goes down, really.



  • 15.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    Posted Dec 24, 2015 07:08 AM
    I have the allow "any any service dhcp" in the firewall policy that gets applied to the user role. But if I understand correctly, it is also needed for the initial MAC authentication role?

    I didn't change any timers. The access point connection does not seem to drop (it's been online for a couple of hours according to the monitoring page). But on the clients page, I see the clients disappearing/re-appearing every now and then and their counter starting from 0 minutes.

    There is however also a client that's been up for hours, on a different location. So maybe it's something specific to the router on the location.


  • 16.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    EMPLOYEE
    Posted Dec 24, 2015 07:11 AM

     

    Yes.  Put any any service dhcp in your initial role.   You need the port to be untrusted and have an AAA profile that has the initial role that has at least "any any service dhcp" attached.  The question is, what do you plan to do with devices that do not pass MAC authentication?



  • 17.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    Posted Dec 24, 2015 07:19 AM
    Thank you. That's clear.

    "What kind of wired devices would you want to put on that port and what is the intended workflow?"

    They're workstations (of which I noted the MAC addresses) that need to be able to connect to a server at our HQ. Other network activity should go directly through their own internet connection on their location.

    "The question is, what do you plan to do with devices that do not pass MAC authentication?"
    Deny access to our HQ network. They should connect those devices directly to their own router instead of the Aruba.


  • 18.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    Posted Jan 06, 2016 06:24 AM

    Connected split-tunnel clients keep disappearing/appearing on the clients page on the controller when the clients are inactive. Examples:

     

    local events:
    2016-01-06 11:38:52 User with MAC address 12:34:56:78:12:34 and IP address 10.0.0.10 from (BSSID 00:00:00:00:00:00,AP RAP123TEST) and/or interface 0/2 has changed: Change type is 3
    2016-01-06 11:38:52 User 10.0.0.10 with MAC address 12:34:56:78:12:34 is deauthenticated
    2016-01-06 11:38:52 User 10.0.0.10 with MAC address 12:34:56:78:12:34 was deauthenticated
    2016-01-06 11:38:52 User 10.0.0.10 with MAC address 12:34:56:78:12:34 is deleted
    2016-01-06 11:38:52 User with MAC address 12:34:56:78:12:34 IP address 10.0.0.10 was deleted
    2016-01-06 11:38:52 User with MAC address 12:34:56:78:12:34 and IP address 10.0.0.10 from (BSSID 00:00:00:00:00:00,AP RAP123TEST) and/or interface 0/2 has changed: Change type is 2

     

    2016-01-06 11:43:56 User 10.0.0.10 with MAC address 12:34:56:78:12:34 is created
    2016-01-06 11:43:56 User with MAC address 12:34:56:78:12:34 and IP address 10.0.0.10 was created
    2016-01-06 11:43:56 User with MAC address 12:34:56:78:12:34 and IP address 10.0.0.10 from (BSSID 00:00:00:00:00:00,AP RAP123TEST) and/or interface 4294967032/0 has changed: Change type is 3
    2016-01-06 11:43:56 User with MAC address 12:34:56:78:12:34 and IP address 10.0.0.10 from (BSSID 00:00:00:00:00:00,AP RAP123TEST) and/or interface 0/2 has changed: Change type is 1
    2016-01-06 11:43:56 User with MAC address 12:34:56:78:12:34 and IP address 10.0.0.10 from (BSSID 00:00:00:00:00:00,AP RAP123TEST) and/or interface 0/2 has changed: Change type is 3

     

    Process logs show nothing.

     

    If I keep pinging 10.0.0.10 from HQ, it doesn't go down anymore. So there seems to be some timeout going on somewhere. If I look under 'Access points' on the controller, it says the access point has been up for multiple days. So I don't think the RAP is losing its connection to the controller at HQ.

     

    What could be causing this? How could I analyse it further?

     

    The User Idle Timeout checkbox in the AAA profile is disabled.



  • 19.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    EMPLOYEE
    Posted Jan 06, 2016 06:48 AM

    Are these clients wired?  If they don't pass any traffic, they will be removed from the user table.  What kind of devices are they?



  • 20.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    Posted Jan 06, 2016 06:51 AM

    They are wired thin client workstations, using Windows Embedded 8.

    Is it possible to see/change this timeout that removes them from the user table?

     

    Or do you know of some hosts that Windows 8 keeps talking to every X seconds, so that I can route that to HQ, to make sure there's traffic? They are domain-joined computers and the domain controller and DNS server IPs are already routed to HQ. But apparently, that's not enough.



  • 21.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    EMPLOYEE
    Posted Jan 06, 2016 07:04 AM

    Are these devices connected directly to the RAP3WN, or is there a switch between the devices and the RAP3WN ethernet ports?

     

    You can change the user idle-timeout in the AAA profile that is attached to that port (http://www.arubanetworks.com/techdocs/ArubaOS_6.4.4.x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/aaa_profile.htm?Highlight=user idle-timeout) , but you should try to plug in a non-Windows 8 embedded device and see if it exhibits the same issue.  The question is, do the Windows 8 devices need to be in split-tunnel mode, or can they just be in bridged mode?

     



  • 22.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    Posted Jan 06, 2016 07:10 AM

    The workstations are directly connected to the RAP3 (2 workstations per RAP3), no switch. The User Idle Timeout checkbox is disabled in the AAA profile. Manual says: "If this is disabled, the global settings are used." Where do I find the global settings? :D

    The Windows 8 devices (I think) need split tunnel, because their internet traffic shouldn't be routed through HQ.



  • 23.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    EMPLOYEE
    Posted Jan 06, 2016 07:17 AM

    Okay.  The global setting is in Configuration > Security > Authentication > Advanced > User Idle Timeout.  You don't want to manipulate the global setting, because it affects ALL clients!  You only want your clients on the RAP interface to have a long idle timeout.  If you manipulate the global setting, it will artificially inflate the number of users on your controller.

     

    Is the RAP connected directly to the internet, or does it get a private WAN address?




  • 25.  RE: Looking for up-to-date guide to set-up a RAP (3WN) in split tunnel mode

    Posted Jan 06, 2016 08:59 AM

    Thank you. The global is set to 5 minutes, so it explains the behavior we saw perfectly.

    I changed the AAA profile specific to the split tunnel profile to 2 hours now; that should be fine now, I think.

    The RAP is behind a NAT router, so it receives a private WAN address. (So there's actually a double NAT for the workstations to the internet, but it seems to work fine.)

    Thanks Colin Joseph for all your help by the way. You are very knowledgeable and explain things well.

    Regards,
    Erk
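To quantify the user-table churn discussed above before touching any timer, the following Python (added here, not from the thread or from Aruba) counts delete/create cycles per MAC in the controller's "local events" format shown in post 18; the log lines are constructed after that excerpt and are not real data.

```python
import re
from datetime import datetime

# Constructed sample in the format of the "local events" excerpt in post 18 (not real data).
SAMPLE_LOG = """\
2016-01-06 11:38:52 User 10.0.0.10 with MAC address 12:34:56:78:12:34 is deauthenticated
2016-01-06 11:38:52 User 10.0.0.10 with MAC address 12:34:56:78:12:34 is deleted
2016-01-06 11:38:52 User with MAC address 12:34:56:78:12:34 IP address 10.0.0.10 was deleted
2016-01-06 11:43:56 User 10.0.0.10 with MAC address 12:34:56:78:12:34 is created
2016-01-06 11:50:01 User 10.0.0.10 with MAC address 12:34:56:78:12:34 is deleted
2016-01-06 11:55:03 User 10.0.0.10 with MAC address 12:34:56:78:12:34 is created
2016-01-06 12:00:00 User 10.0.0.11 with MAC address aa:bb:cc:dd:ee:ff is created
"""

# Only the "User <ip> with MAC address <mac> is created|deleted" lines are needed.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) User \S+ with MAC address "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) is (?P<event>created|deleted)$"
)

def user_table_churn(log_text):
    """Per MAC: the seconds each client spent out of the user table for every delete->create cycle."""
    last_deleted = {}
    churn = {}
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue                       # other event types are not needed for this check
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        mac = m["mac"].lower()
        if m["event"] == "deleted":
            last_deleted[mac] = ts
        elif mac in last_deleted:          # a creation that closes a previous deletion
            gap = int((ts - last_deleted.pop(mac)).total_seconds())
            churn.setdefault(mac, []).append(gap)
    return churn

def churning_clients(churn, min_cycles=2):
    """MACs that cycle repeatedly while the AP itself stays up: idle-timeout candidates, not link loss."""
    return sorted(mac for mac, gaps in churn.items() if len(gaps) >= min_cycles)

if __name__ == "__main__":
    churn = user_table_churn(SAMPLE_LOG)
    print(churn)                      # {'12:34:56:78:12:34': [304, 302]}
    print(churning_clients(churn))    # ['12:34:56:78:12:34']
```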