Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VPN established but no traffic

  • 1.  VPN established but no traffic

    Posted Mar 19, 2020 06:15 AM

    Looking to set up a VPN solution using an old controller running ArubaOS 6.5.4.x.

    Using the macOS internal L2TP/IPsec client, either with machine auth via passphrase or a cert.

    Controller L3 auth / VPN configured to use ClearPass. Auths get sent back Filter-Id = <...> and the controller currently has an allow-all ACL set.

    IP address pool set up and the controller has an IP address assigned to it.

    From the client point of view, I connect, get an IP address. ClearPass shows the auth request and passes back the correct stuff.

    Client has appropriate DNS servers set up but DNS resolution just times out... and cannot connect to anything.

    Not sure where to look next. Thought we only needed PEFV licenses for the VIA client.



  • 2.  RE: VPN established but no traffic

    EMPLOYEE
    Posted Mar 19, 2020 06:20 AM

    What role does your user obtain?

    If the IP address pool you are using for users is not routable (not on a subnet on the controller), your user role for users will need to source-NAT user traffic.



  • 3.  RE: VPN established but no traffic

    Posted Mar 19, 2020 06:35 AM

    Screenshot 2020-03-19 10.27.26.png

    So the image shows a VLAN with IP address 144.32.16.5, which is pingable from elsewhere. My iPhone connected with IP address 144.32.16.11.

    ACL ruleset is allow all; can't ping it from the controller or externally. 144.32.16.1 is the router endpoint on a Comware switch somewhere.

    Screenshot 2020-03-19 10.33.41.png

    ClearPass returns the uoy_vpn_user role in Filter-Id.



  • 4.  RE: VPN established but no traffic

    EMPLOYEE
    Posted Mar 19, 2020 06:42 AM

    Find out what the user role of the device is in the user table, NOT what is returned by the RADIUS server. Use "show datapath session table <ip address of user>" to see if traffic is being generated.
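The two employee replies above (source-NAT the user role when the pool is not routable, then check the user table and datapath session table rather than trusting the Filter-Id) translate into the following ArubaOS 6.x controller configuration and checks. This is an added illustration, not configuration from the original thread or from HPE; the pool range, pool name and ACL name are constructed, the role name uoy_vpn_user is taken from the thread, the `!` lines are explanatory comments rather than commands, and the exact CLI keywords should be confirmed against the 6.5 CLI reference before use.

```text
! --- Situation described in the thread: allow-all role, no source NAT ---
! Return traffic for the client only comes back if the pool subnet is routable
! from the rest of the network (post 2's condition). Pool below is constructed.
ip local pool vpn-pool 10.99.0.10 10.99.0.250
user-role uoy_vpn_user
  access-list session allowall

! --- Adjusted role for a non-routable pool: source-NAT user traffic ---
! Traffic leaving the controller is NATed to the controller's own address,
! so DNS replies and everything else find their way back into the tunnel.
ip access-list session vpn-srcnat
  any any any src-nat
user-role uoy_vpn_user
  access-list session vpn-srcnat

! --- Checks on the controller (post 4's advice), client IP constructed ---
! Which role the client actually landed in, regardless of what RADIUS returned:
show user-table
! Which ACLs that role really carries:
show rights uoy_vpn_user
! Whether any sessions exist for the client at all; a UDP/53 row shows the DNS
! server the client is really using and the flags column (legend printed with
! the output) shows whether the session was source-NATed:
show datapath session table 10.99.0.11
```

If `show datapath session table` shows no rows for the client, nothing is arriving from the tunnel and the problem sits on the L2TP/IPsec side; if rows exist but point at an unexpected DNS server (as in the .243 observation later in this thread), the client's DNS configuration, not the controller ACL, is the next thing to check.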



  • 5.  RE: VPN established but no traffic

    Posted Mar 19, 2020 07:00 AM

    Screenshot 2020-03-19 10.47.29.png

    Screenshot 2020-03-19 10.58.10.png



  • 6.  RE: VPN established but no traffic

    EMPLOYEE
    Posted Mar 19, 2020 07:25 AM

    Looks like it is sending DNS to .243.



  • 7.  RE: VPN established but no traffic

    Posted Mar 19, 2020 07:52 AM

    Yup. Here is the silly thing. We have another Juniper-based VPN service. I'm currently connected to that on this MacBook. I've then fired up an L2TP/IPsec connection to the Aruba mobility controller... and everything is working. If I ssh to something, the other end sees an IP address of 144.32.16.11, which is the Aruba VPN IP address assigned to me out of the Aruba-configured pool.