Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP5 Split tunnel - non-802.1x

  • 1.  RAP5 Split tunnel - non-802.1x

    Posted Sep 09, 2013 02:10 PM

    I'm currently in the process of setting up split tunneling on our RAP5 devices.

    The guide has been very helpful, but I'm not sure if I need to do anything different because we are not using 802.1x authentication on our RAP devices.  We only deploy a few of these devices and they were set up to use WPA2-PSK.

    I guess my question is about when I get to creating the RAP user policy.  Since I'm not using 802.1x, I'm not sure if I skip this part, or if I need to do something different.

    I see the later part where I need to change the forward mode of the Virtual AP from Tunnel to Split-Tunnel.

    We do have some RAP role policies on the controller, but they are not assigned anywhere, and I don't think they actually have anything in them (they look like default settings).   I missed a decent portion of the initial network config, so I think they started setting it up for 802.1x and decided to go with WPA2-PSK.



  • 2.  RE: RAP5 Split tunnel - non-802.1x

    EMPLOYEE
    Posted Sep 09, 2013 02:13 PM

    Yes...this is supported.  In the AAA profile for the VAP, the INITIAL ROLE must be set to the role where the split tunnel logic is happening.



  • 3.  RE: RAP5 Split tunnel - non-802.1x

    Posted Sep 09, 2013 02:51 PM

    Okay, so my INITIAL ROLE is set to "authenticated."  It's actually grayed out.  I didn't put in the internal network until today.

    Do I need to go in and create a RAP User policy?

    From there, do I just need to go back into the VAP_Prof and set Forward Mode to split-tunnel?



  • 4.  RE: RAP5 Split tunnel - non-802.1x

    EMPLOYEE
    Posted Sep 09, 2013 02:55 PM

    So...your RAP initial role should have something like the following (per the VRD):

    ip access-list session split-tunnel
    user alias corp-internal-net any permit
    alias corp-internal-net user any permit
    any any any route src-nat

    The above policy would come AFTER common protocols like allowing ping and dhcp.  The alias referenced should be your internal nets like 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/20.

    DO NOT change or alter the "authenticated" role.  I would create a new role and policy for this AAA profile.



  • 5.  RE: RAP5 Split tunnel - non-802.1x

    Posted Sep 09, 2013 03:41 PM

    Thanks.

    Okay, so I have my internal netdestination set up (10.0.0.0/8; 192.168.2.0/24; 172.18.0.0/16), and my access-list showing what you provided.

    I created a RAP_Split_Tunnel user role and assigned that as the initial role of my RAP4-aaa_prof.

    Now do I change the forward mode of the vap_prof to split-tunnel?

    I also recall seeing something about possibly having to turn on Remote-AP Local Network Access under the AP system profile.  Do I need to do that?

    I might be able to push my exec off one more day, but he'd like to have it working soon (like yesterday!).



  • 6.  RE: RAP5 Split tunnel - non-802.1x

    EMPLOYEE
    Posted Sep 09, 2013 03:47 PM

    Yes...just the VAP setting to split-tunnel.  In your RAP split tunnel role, what are the policies in there?  Do you have a permit statement for DHCP before the route source-NAT statement?

    You shouldn't need to alter anything in the AP sys prof.  Have you provisioned the RAP yet?  What is the hardware model?



  • 7.  RE: RAP5 Split tunnel - non-802.1x

    Posted Sep 09, 2013 03:56 PM

    The only thing you need to define in the AP system profile is the corporate DNS servers.



  • 8.  RE: RAP5 Split tunnel - non-802.1x

    EMPLOYEE
    Posted Sep 09, 2013 04:02 PM

    More info on that DNS domain field:

    In many enterprises, DNS resolution of certain hosts depends on the location of the client. For example, when a computer is connected to the internal corporate network, the IP address of the mail server is resolved to an internal (private) IP address. If the computer is connected to the Internet, the same hostname (FQDN) is resolved to a public IP address. A RAP normally receives the IP address of the local DNS server from the ISP router or the local DHCP server when the AP boots up. However, in most cases, the internal corporate network has DNS servers. Therefore, the corporate DNS server is given to clients that are associated to split-tunnel SSIDs because these clients obtain IP addresses from a DHCP server on the corporate network. A RAP can intercept DNS queries from SSIDs and wired ports in split-tunnel mode and redirect these queries based on the domain. The corporate DNS domain feature available in the AP system-profile provides this functionality. When the corporate DNS domain field contains no entries, all the DNS queries of a split-tunnel user are forwarded to the controller. However, when a domain is specified in this field, all the DNS queries except for that domain are redirected to the local DNS of the RAP (obtained from the ISP). In the example network, the corporate DNS domain feature is configured to tunnel all DNS queries to the corporate DNS server if the domain name ends with "arubanetworks.com". All other DNS queries are forwarded to the local DNS server.
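The domain-based redirect described in the passage above, as an added Python example (not the thread's or Aruba's code): it parses the QNAME out of a constructed wire-format DNS query and decides whether the RAP should tunnel it to the corporate DNS via the controller or hand it to the ISP-learned local resolver. The corporate domain list and the query builder are assumptions; matching is done on label boundaries so a look-alike such as notarubanetworks.com is not treated as corporate.

```python
import struct
from typing import List

# Assumed contents of the AP system-profile "corporate DNS domain" field (thread's example)
CORP_DNS_DOMAINS = ["arubanetworks.com"]

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query in wire format (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    labels = b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii")
                      for lbl in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_qname(packet: bytes) -> str:
    """Return the first question's name, lower-cased. Compression pointers are
    rejected: a client query's QNAME has nothing earlier in the packet to point at."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", packet[4:6])[0] == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        n = packet[pos]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in query QNAME")
        pos += 1
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels).lower()

def dns_target(packet: bytes, corp_domains: List[str] = CORP_DNS_DOMAINS) -> str:
    """'controller' = tunnel to corporate DNS; 'local' = RAP's ISP-learned resolver."""
    if not corp_domains:                # empty field: every query goes to the controller
        return "controller"
    qname = parse_qname(packet)
    for domain in corp_domains:
        domain = domain.lower().rstrip(".")
        if qname == domain or qname.endswith("." + domain):   # label-boundary match
            return "controller"
    return "local"
```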



  • 9.  RE: RAP5 Split tunnel - non-802.1x

    Posted Sep 09, 2013 04:03 PM

    I don't have anything in place for DHCP, only the commands that you gave me:

    Priority  Source      Destination  Service  Action         Queue  IPv4/6
    --------  ------      -----------  -------  ------         -----  ------
    1         user        myinternal   any      permit         Low    4
    2         myinternal  user         any      permit         Low    4
    3         any         any          any      route src-nat  Low    4

    In the case of split tunneling, will the user get DHCP from the RAP (our internal RAP-VLAN, 172.18.2xx.x), or from their internal DHCP?  The exec has his own broadband router.

    Our existing RAPs (RAP2....this is our first test of the RAP5) don't allow split-tunneling, so once they connect the RAP gets an IP from our RAP pool, and the PC gets an IP from our RAP-VLAN.

    I guess now I need to do something different....thus my confusion in getting this set up.

    I really appreciate the help.



  • 10.  RE: RAP5 Split tunnel - non-802.1x

    EMPLOYEE
    Posted Sep 09, 2013 04:07 PM
    OK. There should be an already default policy called dhcp-acl. Add that BEFORE your policy already in the role.
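As an added illustration (not part of the thread, and not Aruba's code), here is a small Python model of how the RAP initial role from post 4 evaluates traffic, and why post 10's advice to put dhcp-acl first matters: a client that has not yet obtained an address has no "user" IP, so its DHCP discover would otherwise fall through to the route src-nat rule and go out the home router. The netdestination addresses, the dhcp-acl match, and the packet fields are assumptions of this simplified model.

```python
import ipaddress
from typing import Callable, List, NamedTuple, Optional, Tuple

# Constructed netdestination standing in for the thread's "corp-internal-net" alias
CORP_INTERNAL_NET = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "192.168.2.0/24", "172.18.0.0/16")]

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str                      # "udp", "tcp" or "icmp"
    dport: Optional[int] = None

Rule = Tuple[str, Callable[[Packet], bool], str]   # (rule text, match, action)

def in_corp(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_INTERNAL_NET)

def split_tunnel_role(user_ip: Optional[str], with_dhcp_acl: bool = True) -> List[Rule]:
    """Simplified model of the RAP initial role as an ordered session ACL.
    'user' is the client's own address, which it does not have before DHCP
    completes (user_ip is None). The dhcp-acl match below is an assumption."""
    def user(ip: str) -> bool:
        return user_ip is not None and ip == user_ip
    rules: List[Rule] = []
    if with_dhcp_acl:
        rules.append(("dhcp-acl", lambda p: p.proto == "udp" and p.dport in (67, 68), "permit"))
    rules += [
        ("user alias corp-internal-net any permit", lambda p: user(p.src) and in_corp(p.dst), "permit"),
        ("alias corp-internal-net user any permit", lambda p: in_corp(p.src) and user(p.dst), "permit"),
        ("any any any route src-nat", lambda p: True, "route src-nat"),
    ]
    return rules

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for text, match, action in rules:
        if match(pkt):
            return text, action
    return "implicit deny", "deny"

def forwarding_decision(pkt: Packet, user_ip: Optional[str], with_dhcp_acl: bool = True) -> str:
    """'permit' = tunnelled to the controller; 'route src-nat' = NATed out the RAP's local uplink."""
    return evaluate(split_tunnel_role(user_ip, with_dhcp_acl), pkt)[1]

if __name__ == "__main__":
    discover = Packet("0.0.0.0", "255.255.255.255", "udp", 67)   # constructed DHCP discover
    for dhcp_first in (True, False):
        print("dhcp-acl first:", dhcp_first, "->", evaluate(split_tunnel_role(None, dhcp_first), discover))
```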


  • 11.  RE: RAP5 Split tunnel - non-802.1x

    Posted Sep 10, 2013 01:37 AM

    Thanks.  I must have something screwed up somewhere.

    RAP and the wired ports are working, but all traffic is still going through the corp network.

    Since all that was originally requested was a RAP5 with the ports enabled, all the ethernet port configurations are set to my corp VLAN (202).

    Not sure if I need to change those - maybe back to VLAN 1?

    Guess not; I tried that and the wired PC is not able to get any IP (from corp or home network).   Switched it back to 202 and at least it is able to get an IP from corp....but all traffic is still being routed out corp.



  • 12.  RE: RAP5 Split tunnel - non-802.1x

    EMPLOYEE
    Posted Sep 10, 2013 06:29 AM
    Your wired port must also be set to split tunnel. The port must be untrusted and have an AAA profile applied.


  • 13.  RE: RAP5 Split tunnel - non-802.1x

    EMPLOYEE
    Posted Sep 10, 2013 06:45 AM

    OK.  So...in the AP group for the RAP, in the configuration options, you have a header labeled "AP".  Expand it.  You will see ethernet port configurations.  Enet0 is the WAN port and you cannot change it.  Enet1-4 correspond to the LAN ports on the RAP5. Within each port, you will create the following profiles:

    1. Ethernet port configuration profile. Call this something meaningful about that port; ALL ports with this title will be applied to ALL RAPs in this group.  So, if you modify port 1, all port 1s on the other RAPs within this group will inherit this config.

    Under the Ethernet port config profile, there are two others to be concerned with.  They are applied to and carried with the port config profile.  This brings us to....(scroll down)

    [attached screenshot: Screen Shot 2013-09-10 at 6.33.21 AM.png]

    ...our second profile of concern

    2. Wired AP profile.  Here you must create a new profile (DO NOT edit the default one or you may break other wired ports elsewhere). In this profile, a few things:

    • uncheck "trusted"
    • set mode to split-tunnel
    • choose VLAN id

    [attached screenshot: Screen Shot 2013-09-10 at 6.33.59 AM.png]

    3. Our last profile is the AAA profile.  Since the wired port is "untrusted" there MUST be an AAA profile applied, since setting it to untrusted means that the endpoint must go through some sort of authentication.  Since it's wired, and you may not want to authenticate, we can set the initial role to the same split tunnel role on the wired side.

    So, go ahead and create a new AAA profile, set the initial role to the split-tunnel role, and apply it here.

    [attached screenshot: Screen Shot 2013-09-10 at 6.34.19 AM.png]



  • 14.  RE: RAP5 Split tunnel - non-802.1x

    Posted Sep 10, 2013 09:13 AM

    Thank you very much!  That was the missing piece.

    I had played around with assigning the ports to different VLANs - which is a very good solution for our data center guys that need to access that secure VLAN.

    I knew as soon as this user requested a RAP with more ports that split tunneling would be the next step.  Sure enough, the next day we got hit up with the "I have a super fast connection at home.  Is there a way that I can get to the network resources, but use my faster internet for everything else?"

    I'm sure we wanted to respond with "sure, use your company laptop to do your network related activities, and use your personal PC to do your personal stuff," but not with this level of user.  ;)

    Either way, I don't make the policy, just implement it.   The split tunneling will actually help me out later.  I've been pushing for it so that I don't have to email or sneaker-net print jobs when working from home.

    And now we are one step closer to having a good solution for our short term offices.   IIRC the RAP5 will also do DHCP, so I can use these for our smaller offices or temp locations instead of deploying a router and switch.  Of course I'll need to do some more reading on that (as well as implementing an 802.1x solution for those wireless users), but at least now I have a better understanding of the different profiles and how split tunneling works.

    Again, many thanks for the help!