Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Split tunnel Src NAT

  • 1.  Split tunnel Src NAT

    Posted Jul 24, 2016 05:37 PM

    Hello guys,

     

    I am trying to understand the logic behind the "route src nat" in the RAP split tunnel configuration.

    As I understand:

    - Once the user has been authenticated and placed in the "Post authentication" role, his traffic is source NATed by the AP.

     

    My first question is: is it possible to just route the traffic locally without having to source NAT it (I would like to have a local DHCP server and local router for the user VLAN, for instance)?

     

    I have a setup with a RAP connected to a remote controller and configured in split tunnel + src NAT. The user traffic is tagged with VLAN 100. I have configured a DHCP server and a VLAN interface for VLAN 100 on the controller for testing purposes, and I set the default router to the VLAN interface IP address of the controller. Everything worked fine, the user got authenticated and could browse.

    Then, I was wondering what if I changed the default router IP in the DHCP scope to a non-reachable IP (as the traffic is source NATed anyway, I did not see why we would need a default router in another subnet than the AP's one). It does not work: the user was still authenticated but had no Internet.

     

    Does anyone know how the traffic is flowing in this kind of setup?

     

    Many thanks for your help

    Regards,



  • 2.  RE: Split tunnel Src NAT

    EMPLOYEE
    Posted Jul 24, 2016 06:25 PM


     

    Route-SRC Nat was designed specifically to provide web filtering to clients on a RAP by forwarding their traffic to a specific provider using this rule.

     

    If you want clients to receive an ip address from a local subnet, you should make the forwarding mode to bridge(d).  They will receive an ip address and send traffic locally.



  • 3.  RE: Split tunnel Src NAT

    Posted Jul 25, 2016 06:24 AM

    Thank you Colin,

     

    In fact, I am in a situation where I want to do captive portal authentication using RAPs (for remote sites).

    I have read that the only way to do it is via Split tunnel mode (tunnel captive portal, dns, dhcp) and route src nat the other traffic.

    I understand that I should tunnel the traffic in Pre authentication stage, however I would like to be able to route it locally (send it to the local router for NAT and routing) once the user is authenticated and not SRC nat it by the AP.

    Would that be possible?

     



  • 4.  RE: Split tunnel Src NAT
    Best Answer

    EMPLOYEE
    Posted Jul 26, 2016 04:42 AM

    I misspoke.  Route DST-NAT is what is used for filtering.  Route SRC-NAT should be used for Split Tunnel Captive Portal.

     

    Please see the post here on how to configure split tunnel captive portal:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-825



  • 5.  RE: Split tunnel Src NAT

    Posted Jul 27, 2016 04:03 AM

    Thank you Colin,

     

    And as I understand, when using route src-nat, the IP address of the AP is used to source NAT the user traffic.

     



  • 6.  RE: Split tunnel Src NAT

    EMPLOYEE
    Posted Jul 27, 2016 08:20 AM
    Correct. Just like source nat.


  • 7.  RE: Split tunnel Src NAT

    Posted Jan 10, 2017 09:19 AM

    I noted the following when route src-nat is used for split tunnel mode:

    The AP's IP (used for the IPsec tunnel back to the controller, let's say VLAN 50) will be used for src-nat, which can be changed to a "route" policy to just pass traffic using the guest IP (guest VLAN subnet, VLAN 999).

     

    And I found out via pcap that the AP actually passes the traffic out on the AP's VLAN 50 with the AP's subnet gateway MAC replaced as the destination MAC.

     

    However, I have tried to configure the Wired AP profile to change the trunk configuration with no luck. To my understanding it is related only to APs with an Ethernet socket and the configuration on that port.

     

    My testing AP is a pretty old model 61 with only one Ethernet port for all upstream data, and no console is available on that AP.

     

    I hope someone could give me some tips here?



  • 8.  RE: Split tunnel Src NAT

    EMPLOYEE
    Posted Jan 10, 2017 09:24 AM

    What are you trying to do?

     



  • 9.  RE: Split tunnel Src NAT

    Posted Jan 10, 2017 09:30 AM

    I am trying to take advantage of split tunnel mode for my captive portal enabled SSID.

    And all the traffic from the Guest VLAN should route locally at the remote site (with the guest's IP, not the src-nat). That could give more control on the remote site firewall to manipulate remote site client network use.



  • 10.  RE: Split tunnel Src NAT

    EMPLOYEE
    Posted Jan 10, 2017 10:03 AM

    Split-tunneling is only designed for traffic to be tunneled back to the headend (controller) or source-natted out of an AP.  It is not designed to bridge traffic, because a split-tunneled user only has a headend ip address (tunneled).  It does not have an ip address if traffic is simply bridged.  That is why split tunneled traffic must be source-natted to pass beyond the access point.  At that point, it takes the ip address of the remote AP as its source ip address.  You cannot bridge split-tunneled traffic...



  • 11.  RE: Split tunnel Src NAT

    Posted Feb 14, 2018 04:40 AM

    Hi,

    I have the following problem.

    I configured a RAP access point from the 335 series. The access point has a public address and successfully connected to my 7010 controller running version 8.2.

    The controller is configured as an MD node and I have Aruba MM deployed in a virtual machine.

    I have to create a split tunnel for the corporate SSID with RADIUS authentication in ClearPass, and this is working only in TUNNEL mode.

    I created the RAP-SPLIT user role like this:

    any any service dhcp permit

    any any service dns permit

    any alias (corp network X.X.255.255) permit

    alias (corp network X.X.255.255) any permit

    any any any route-source-nat

    In the Aruba SSID virtual AP profile I configured split-tunnel forwarding mode.

    Every RAP access point is connected to the controllers and has an IP from the pool of the Aruba MM controller; this DHCP pool is not routed to the corporate network.

    When a wireless client connects to the Split-Tunnel SSID, it is authenticated successfully and has an IP address from the corporate DHCP server subnet BUT doesn't have internet.

    Thank you for your help.



  • 12.  RE: Split tunnel Src NAT

    EMPLOYEE
    Posted Feb 14, 2018 05:52 AM

    What is the actual mask in the network statement?

    any alias (corp network X.X.255.255) permit

    alias (corp network X.X.255.255) any permit

     

    Anything ending with .255 designates a host and not a network.  More likely it would be:

     

    any alias (corp network X.X.255.0) permit

    alias (corp network X.X.255.0) any permit



  • 13.  RE: Split tunnel Src NAT

    Posted Feb 14, 2018 06:08 AM

    Hi Colin, thank you for your reply.

    My corporate network is in the 192.16.0.0 subnet.

    In the alias I configured the following:

    Alias Corp-Network

    192.168.0.0

    255.255.0.0

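    The split-tunnel behaviour Colin describes in reply 10 (permitted traffic is tunneled to the controller, everything else is source NATed out of the AP with the AP's own IP) and the RAP-SPLIT role posted in replies 11 to 13 can be modelled as an ordered, first-match ACL. The block below is an added Python example written for this page; it is not ArubaOS code and was not posted by anyone in the thread. Everything it assumes is labelled in the code: the rule semantics in split-tunnel mode (permit = tunnel, route src-nat = local with the AP IP as source, unmatched = drop), the port lists for svc-dhcp and svc-dns, the client and AP addresses, and the sample flows.

```python
"""Model of an ArubaOS-style split-tunnel user role as an ordered ACL.

Added example for this thread, not ArubaOS code. Assumed semantics in
split-tunnel forwarding mode: 'permit' tunnels the flow to the controller,
'route src-nat' bridges it out of the AP's uplink with the AP's own IP as
source, and anything that matches no rule is dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"

# Assumed port lists for the two named services used in the posted role.
SERVICES = {
    "svc-dhcp": {("udp", 67), ("udp", 68)},
    "svc-dns": {("udp", 53), ("tcp", 53)},
}


@dataclass(frozen=True)
class Flow:
    src: str    # client IP
    dst: str    # destination IP
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str      # "any" or a netdestination (alias) name
    dst: str      # "any" or a netdestination (alias) name
    service: str  # "any" or a key of SERVICES
    action: str   # "permit", "route src-nat" or "deny"


def _match_addr(selector, ip, netdests):
    """True if the selector is 'any' or ip falls inside one of the alias's networks."""
    if selector == ANY:
        return True
    return any(ip_address(ip) in net for net in netdests[selector])


def _match_service(service, flow):
    if service == ANY:
        return True
    return (flow.proto, flow.dport) in SERVICES[service]


def evaluate(role, flow, netdests):
    """First-match evaluation; the implicit last rule is deny."""
    for rule in role:
        if (_match_addr(rule.src, flow.src, netdests)
                and _match_addr(rule.dst, flow.dst, netdests)
                and _match_service(rule.service, flow)):
            return rule.action
    return "deny"


def forward(role, flow, netdests, ap_ip):
    """What the RAP does with the flow and which source IP leaves the AP."""
    action = evaluate(role, flow, netdests)
    if action == "permit":
        return ("tunnel", flow.src)   # to the controller, client IP preserved
    if action == "route src-nat":
        return ("local", ap_ip)       # out the AP uplink, source rewritten to the AP IP
    return ("drop", None)


# The RAP-SPLIT role as posted in reply 11, in order.
RAP_SPLIT = [
    Rule(ANY, ANY, "svc-dhcp", "permit"),
    Rule(ANY, ANY, "svc-dns", "permit"),
    Rule(ANY, "Corp-Network", ANY, "permit"),
    Rule("Corp-Network", ANY, ANY, "permit"),
    Rule(ANY, ANY, ANY, "route src-nat"),
]

# Netdestination as defined in reply 13: 192.168.0.0 255.255.0.0.
CORP_SLASH16 = {"Corp-Network": [ip_network("192.168.0.0/255.255.0.0")]}
# The mistake Colin warns about in reply 12: an address ending in .255 is one host.
CORP_HOST = {"Corp-Network": [ip_network("192.168.255.255/32")]}

AP_IP = "10.50.0.23"        # assumed RAP inner address on VLAN 50
CLIENT = "192.168.10.50"    # assumed client address from the corporate DHCP scope

# Constructed sample flows: corporate file share, DNS, and a public web site.
SAMPLE_FLOWS = [
    Flow(CLIENT, "192.168.20.5", "tcp", 445),
    Flow(CLIENT, "8.8.8.8", "udp", 53),
    Flow(CLIENT, "203.0.113.10", "tcp", 443),
]


def compare(role, flows, ap_ip):
    """Return {flow: (result with the /16 alias, result with the host alias)}."""
    return {f: (forward(role, f, CORP_SLASH16, ap_ip),
                forward(role, f, CORP_HOST, ap_ip)) for f in flows}


if __name__ == "__main__":
    for flow, (good, bad) in compare(RAP_SPLIT, SAMPLE_FLOWS, AP_IP).items():
        print(f"{flow.dst}:{flow.dport}/{flow.proto}  /16 alias -> {good}  host alias -> {bad}")
```

    Two things fall out of running it. With the alias defined as 192.168.0.0/255.255.0.0, a flow to a corporate host hits rule 3 and is tunneled with the client's address intact; with a host entry such as 192.168.255.255 the same flow falls through to the final route src-nat rule and leaves the AP carrying the AP's IP, which the remote site cannot route back into the corporate network. Separately, because rule 4 uses the corporate alias as a source, a client holding a corporate DHCP address matches it for every destination, so with the /16 mask no flow from that client ever reaches the route src-nat rule; whether that is the intended design is a question for whoever writes the role, the model only makes the ordering visible.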



  • 14.  RE: Split tunnel Src NAT

    EMPLOYEE
    Posted Feb 14, 2018 06:20 AM

    To see what the AP is doing with that traffic on that user, I would type:

     

    show datapath session ap-name <name of ap> table <ip address of client>


  • 15.  RE: Split tunnel Src NAT

    Posted Feb 14, 2018 07:04 AM

    Ok.

    I apply the following role for all users connected to the RAP split tunnel SSID (see the attached file).

    I also must add the following:

    When I connect to the RAP from the console I don't have ping to 8.8.8.8 while the RAP is connected to the controller.

    If my RAP loses its connection to the controller, it has full reachability to 8.8.8.8 or 8.8.4.4.



  • 16.  RE: Split tunnel Src NAT

    Posted Feb 14, 2018 09:43 AM

    Hi Colin,

    Why doesn't the RAP access point have access to the internet?

    The access point is connected to the controller as a RAP and has a public IP address. I have a 7010 controller with a port connected to the internet with a public address. On the port an inbound access list is applied that permits only the NAT service, TFTP service and ICMP service. Do I miss something else? The access point successfully connected to the controller and has a private address from the MM controller.



  • 17.  RE: Split tunnel Src NAT

    EMPLOYEE
    Posted Feb 14, 2018 09:58 AM

    Does the RAP connect to the controller?  If yes, it does have internet access.  Which test is failing?



  • 18.  RE: Split tunnel Src NAT

    Posted Feb 14, 2018 10:09 AM

    Yes, the RAP successfully connects to the controller:

    213.16.36.151   213.16.36.150   17   64445 4500   0/0     0    48  0   0/0/4       20e  1224       452139     FC

    213.16.36.150   213.16.36.151   17   4500  64445  0/0     1    0   14  0/0/4       20e  259        69227      F

    I connect to the RAP with a console cable and try to ping 8.8.8.8:

     

     

            <<<<<       Welcome to the Access Point     >>>>>

    ~ # [   80.144047] __ieee80211_smart_ant_init: devname = wifi0,  interface_id = 0
    [   80.226623] VAP device aruba001 created osifp: (c530a6c0) os_if: (dbff8000)
    [   80.624797] 0x340, 0x0, 0x40 )
    [   80.665854] __ieee80211_smart_ant_init: devname = wifi1,  interface_id = 1
    [   80.748280] VAP device aruba101 created osifp: (c4160580) os_if: (c5288000)
    [   81.541891] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
    [   84.466523] build_inb_sa keylen 20 auth dest c5292000 src c5bc38d9
    [   84.541317] enc len 32 dest c5292340 src c5bc38b8
    [   84.598016] memcpy done
    [   98.695262] build_inb_sa keylen 20 auth dest c52929c0 src c52b21b9
    [   98.769512] enc len 32 dest c5292d00 src c52b2198
    [   98.826022] memcpy done
    [   99.971595] asap_mod: asap_dpa.c:3683:dpaa_add_flow() dpaa_add_flow set allowclear flow for tunnel 2
    [  100.083325] fsl_dpa_gre: setting Manip!
    [  100.700310] asap_mod: asap_dpa.c:3775:dpaa_update_mtu() update flow mtu, 0->1200
    [  100.790297] fsl_dpa_gre: setting Manip!
    [  100.884759] ASAP_FIREWALL_REM_MCAST "500 0 1 1"
    [  100.967055] wlan_mlme_app_ie_delete: appie is NULL. Do nothing.
    [  102.076419] ASAP_FIREWALL_REM_MCAST "500 1 1 1"
    [  102.163038] wlan_mlme_app_ie_delete: appie is NULL. Do nothing.
    [  103.961534] asap_firewall_eth_type_trans: skb protocol/pkt_type 8100/0 expected 8100/2

    ~ # ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes

     

    I am starting to think about whether this is a problem with the split tunnel SSID or not.

    When I configure the SSID with tunnel forwarding mode I have no problem with end devices and users.

    When I change the mode to split-tunnel, user authentication is OK and they get an address from the corporate DHCP, but they don't have a connection to the internet or to corporate resources.

     



  • 19.  RE: Split tunnel Src NAT

    Posted Feb 14, 2018 10:17 AM

    In the Mobility Controller I see the RAP access point as a WIRED device connected to the internet port of the MD controller 7010, and this "wired client" is in the default logon role of the controller.



  • 20.  RE: Split tunnel Src NAT

    Posted Feb 19, 2018 06:38 AM

    Hi Colin,

    I successfully deployed RAP Split Tunnel on wireless and LAN. My mistake was in the role of the remote users....

    I'd like to ask you one last question. We have a second 7010 controller. I don't know whether it is best practice to deploy these two controllers in an L2-Classic controller cluster or not for RAPs. We also have a few CAP access points in our corporate network. I posted the current working deployment and the deployment with a cluster.

    Please advise.

    Thank you.