Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Split Tunnel Mode

  • 1.  Split Tunnel Mode

    Posted Aug 17, 2022 03:39 AM
    Hello,

    I need to configure my VAP profile in split tunnel mode because of bridge mode restrictions around authentication. And I can not use tunnel mode because the VLAN can not come to the Controller. But what I found in the KBs is that I need to configure an ACL and that's it. But I want to know what the best practices are. Also, when doing Source NAT on the users it just has one dynamic source NAT pool, but there is no configuration for it in the document. Also, when I configured everything, the user is authenticating but not getting an IP address. I am a bit confused with the configuration. Can anyone help?


  • 2.  RE: Split Tunnel Mode

    EMPLOYEE
    Posted Aug 18, 2022 04:37 AM
    The recommended forwarding mode for controllers is tunneled. You should have a very good reason to deviate from that, and probably Aruba Instant (or AOS10) is a better solution. However, you did not share the details on what authentication restrictions you run into.

    Note that split tunnel breaks roaming, so it will only work on a site with just a single AP and only if the AP is in RAP mode.

    The traffic that should break out locally on the AP should have the 'Route Source NAT' action. Just Source NAT actions will be performed on the controller.
    DHCP (and probably DNS) should be tunneled to the controller and the client will get an IP from the VLAN assigned at the controller.

    It can be tricky to get such a deployment properly set up, but it is covered in the ArubaOS training on RAPs. If you don't know how to set it up, and your setup matches the conditions (single AP, RAP mode), you might best reach out to your Aruba partner or Aruba support to work with your configuration and network topology in front of you.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
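    An illustrative ArubaOS session ACL for the split-tunnel forwarding described in the reply above, added here as an example and not taken from this thread or from Aruba documentation. The ACL, role, VAP and netdestination names and the 10.0.0.0/8 corporate range are assumed placeholders, and the syntax should be checked against the ArubaOS CLI reference for the version in use.

```text
! Assumed placeholder names: corp-net, split-tunnel-acl, split-tunnel-role, split-tunnel-vap
! Constructed sample corporate range; traffic to it is tunneled to the controller
netdestination corp-net
  network 10.0.0.0 255.0.0.0

ip access-list session split-tunnel-acl
  ! DHCP and DNS are permitted (tunneled), so the client gets its IP
  ! from the VLAN assigned at the controller
  any any svc-dhcp permit
  any any svc-dns permit
  ! Corporate destinations are tunneled and permitted
  user alias corp-net any permit
  ! Everything else breaks out locally on the RAP: 'route src-nat'
  user any any route src-nat
  ! Not suitable for local breakout: a plain 'src-nat' action is performed on the controller
  ! user any any src-nat

user-role split-tunnel-role
  access-list session split-tunnel-acl

wlan virtual-ap split-tunnel-vap
  forward-mode split-tunnel
```

The role must then be the one the client lands in after authentication (or the default role of the AAA profile), otherwise the ACL never applies.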



  • 3.  RE: Split Tunnel Mode

    Posted Aug 18, 2022 05:01 AM
    Hello,
    Thank you for your answer on this. Glad to know beforehand that split tunnel mode disables roaming. I have a setup where I can not add my VLAN to the Controller. The network design is not that way, or maybe I need VXLAN. But in bridge mode I can not make 802.1X auth work. RADIUS server attributes disappear and I can't assign a dynamic VLAN for each device type. Split tunnel mode may be a solution, but I have multiple RAPs and clients will need roaming. I guess tunneling another VLAN is my only option. Thank you for your feedback! Have a nice day.
    Best regards,


  • 4.  RE: Split Tunnel Mode

    EMPLOYEE
    Posted Aug 18, 2022 08:37 AM
    "But in bridge mode I can not make 802.1X auth work. RADIUS server attributes disappear and I can't assign a dynamic VLAN for each device type."

    That is not expected. Bridge mode SSIDs on controller APs should work fine with WPA2/3-Enterprise/EAP/802.1X, including VLAN/role assignment.

    Please open a TAC case if it doesn't work for you.

    ------------------------------
    Herman Robers
    ------------------------