Hi,
Let's start by saying:
In split-tunnel mode, the user must get the IP address of the headend, NOT the remote site. Is your Virtual AP configured as split-tunnel? If it were, a client would NOT get an IP address from the remote site. In addition, the Virtual AP VLAN should be a VLAN that exists at the headend.
The user/machine authentication is not done on the AP; it is sent to the controller. The controller will use the authentication server or its local internal database to check the user/machine/cert DB.
- The traffic that matches the rules with action = "permit" will use the tunnel (back to the controller)
- The traffic that matches the rules with action = "route src-nat" will bridge the traffic locally (Branch/Home Site)
You may want to do some small reading here:
http://community.arubanetworks.com/aruba/attachments/aruba/108/1002/1/split-tunneling.pdf
Then, please read this guide:
(thanks to Mike Courtney)
Setting up a Split Tunnel port on an Aruba RAP2 / RAP5
The elements of this configuration are very similar to those in my previous Bridge post. The differences are in the initial Split Tunneling configuration.
1. The first step is to differentiate the IP space that will be tunneled back to the controller.
netdestination Org-IP-Space
   network *.*.0.0 255.255.0.0
2. The next step is the magic behind Split Tunneling:
ip access-list session RAP-Split-Tunneling
   any any svc-dhcp permit
   any alias Org-IP-Space any permit
   any any any route src-nat
This access list is evaluated top-down, first match wins: it will allow a client to receive DHCP, will tunnel all traffic destined for the organization's IP space, and will locally NAT the remaining traffic (the catch-all "route src-nat" must stay last, or it shadows the tunnel rule).
3. Create a user role for Split Tunnel port connections:
user-role RAP5-Split-Tunnel-Port
   access-list session RAP-Split-Tunneling
   access-list session allowall
4. Create a new AAA profile that references the above user role:
aaa profile "RAP5-Split-Tunnel-AAA"
   initial-role "RAP5-Split-Tunnel-Port"
5. Next, the "wired-ap-profile" will reference the VLAN that is currently attached to the Aruba controller. For instance:
ap wired-ap-profile "RAP5-AP-Profile-Local-Split-Tunnel-Port"
   wired-ap-enable
   forward-mode split-tunnel
   switchport access vlan 122
6. The "wired-ap-profile" will be referenced in a new "wired-port-profile" that combines the above three steps.
ap wired-port-profile "RAP5-Local-Split-Tunnel-Port"
   wired-ap-profile "RAP5-AP-Profile-Local-Split-Tunnel-Port"
   no rap-backup
   aaa-profile "RAP5-Split-Tunnel-AAA"
7. Finally, the last step is to tie the port profile to the appropriate RAP5 AP group. The following is the stanza to apply under your specific RAP5 AP group:
   enet1-port-profile "RAP5-Local-Split-Tunnel-Port"
===
Here's the controller CLI output that shows the above working as expected:
(Test-Controller) #show user-table | include split
*.*.20.24 00:80:a3:1d:f0:5b RAP5-Split-Tunnel-Port 07:02:53 RAP5WN-Dorm2-Basement Wired(Remote) 10.21.30.49:0/1 RAP5-Split-Tunnel-AAA split tunnel
Then do some reading in this post:
http://community.arubanetworks.com/t5/Access-Points-and-Mesh-Routers/RAP-VLAN-Considerations/td-p/29918
Also, some other good guides for you to use to get the idea behind split tunnel:
http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F166037%2F
http://www.booches.nl/2011/09/aruba-split-tunnel-with-a-rap-5wn/
Let us know if you have further questions, and whether everything works for you.
Me
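As an added example (not part of the original post, and not Aruba code), here is a small Python model of how the RAP-Split-Tunneling session ACL above is evaluated: first matching rule wins, and an unmatched flow hits the implicit deny. It also shows what happens when the catch-all "route src-nat" rule is placed first, which is the mistake that sends traffic for the organization's address space out the local NAT instead of down the tunnel. The organization prefix is a placeholder (the post redacts it as *.*.0.0/16), "svc-dhcp" is modelled as UDP 67/68, and the sample flows are constructed for illustration.

```python
"""Model first-match evaluation of an ArubaOS session ACL for split tunneling.

Added example, not code from Aruba or from the original post. Assumptions:
 - netdestination Org-IP-Space is 10.0.0.0/16 (the post redacts the real prefix)
 - svc-dhcp matches UDP ports 67/68 (bootps/bootpc)
 - a session ACL ends with an implicit deny
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Placeholder for the redacted "netdestination Org-IP-Space" (assumption).
NETDESTINATIONS = {"Org-IP-Space": [ip_network("10.0.0.0/16")]}

DHCP_PORTS = {67, 68}  # svc-dhcp modelled as UDP bootps/bootpc


@dataclass(frozen=True)
class Rule:
    src: str     # "any" or a netdestination alias
    dst: str     # "any" or a netdestination alias
    svc: str     # "any" or "svc-dhcp"
    action: str  # "permit" (tunnel to controller) or "route src-nat" (local)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def _match_host(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    return any(ip_address(ip) in net for net in NETDESTINATIONS[spec])


def _match_svc(spec: str, flow: Flow) -> bool:
    if spec == "any":
        return True
    if spec == "svc-dhcp":
        return flow.proto == "udp" and flow.dport in DHCP_PORTS
    raise ValueError(f"unsupported service {spec!r}")


def evaluate(acl, flow: Flow) -> str:
    """Return the action of the first rule that matches, or 'deny'."""
    for rule in acl:
        if (_match_host(rule.src, flow.src_ip)
                and _match_host(rule.dst, flow.dst_ip)
                and _match_svc(rule.svc, flow)):
            return rule.action
    return "deny"  # implicit deny at the end of a session ACL


# "ip access-list session RAP-Split-Tunneling" exactly as in the guide
RAP_SPLIT_TUNNELING = [
    Rule("any", "any", "svc-dhcp", "permit"),
    Rule("any", "Org-IP-Space", "any", "permit"),
    Rule("any", "any", "any", "route src-nat"),
]

# Same three rules with the catch-all first: the tunnel rule is shadowed
SHADOWED = [RAP_SPLIT_TUNNELING[2], RAP_SPLIT_TUNNELING[0], RAP_SPLIT_TUNNELING[1]]

# Constructed sample flows from a client that got a headend-VLAN address
SAMPLE_FLOWS = [
    Flow("10.0.122.50", "255.255.255.255", "udp", 67),  # DHCP discover
    Flow("10.0.122.50", "10.0.5.10", "tcp", 445),        # file server at HQ
    Flow("10.0.122.50", "203.0.113.10", "tcp", 443),     # internet (TEST-NET-3)
]


def classify(acl, flows) -> dict:
    """Map each flow's destination to the action the ACL gives it."""
    return {f.dst_ip: evaluate(acl, f) for f in flows}


if __name__ == "__main__":
    for name, acl in (("as written", RAP_SPLIT_TUNNELING), ("catch-all first", SHADOWED)):
        print(name)
        for dst, action in classify(acl, SAMPLE_FLOWS).items():
            print(f"  {dst:16} -> {action}")
```

With the ACL as written, DHCP and the HQ server are permitted (tunneled) and the internet flow is locally NATed; with the catch-all first, every flow, including the one to the organization's own address space, is answered by "route src-nat", which is exactly the leak you check for with "show user-table" and the role's ACL hit counters after a change.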