The recommended forwarding mode for controllers is tunneled. You should have a very good reason to deviate from that, in which case Aruba Instant (or AOS10) is probably a better solution. However, you did not share the details on what authentication restrictions you run into.
Note that split tunnel breaks roaming, so it will only work on a site with just a single AP and only if the AP is in RAP mode.
The traffic that should break out locally on the AP should have the 'Route Source NAT' action. Just Source NAT actions will be performed on the controller.
DHCP (and probably DNS) should be tunneled to the controller and the client will get an IP from the VLAN assigned at the controller.
It can be tricky to get such a deployment properly set up, but it is covered in the ArubaOS training on RAPs. If you don't know how to set it up, and your setup matches the conditions (single AP, RAP mode), you might best reach out to your Aruba partner or Aruba support to work with your configuration and network topology in front of you.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
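A sketch of the split-tunnel session ACL that the reply above describes, added here as an illustration and not taken from the thread or from the poster's configuration: DHCP and DNS stay tunneled, corporate destinations are permitted through the tunnel, and everything else breaks out locally with the route src-nat action. The names `corp-networks` and `split-tunnel-acl` and the 10.0.0.0/8 range are placeholders; check the exact syntax against your ArubaOS release.

```text
! Constructed example: the names and the address range are placeholders.
netdestination corp-networks
  network 10.0.0.0 255.0.0.0
!
ip access-list session split-tunnel-acl
  ! DHCP and DNS go through the tunnel to the controller
  any any svc-dhcp permit
  any any svc-dns permit
  ! Corporate destinations stay in the tunnel (both directions)
  user alias corp-networks any permit
  alias corp-networks user any permit
  ! Everything else is source-NATed and routed out locally at the AP
  user any any route src-nat
!
```

Rules are matched top down, so the `route src-nat` catch-all has to come last; the ACL is then attached to the user role that clients on the split-tunnel VAP receive.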
Original Message:
Sent: Aug 17, 2022 03:38 AM
From: house gregory
Subject: Split Tunnel Mode
Hello,
I need to configure my VAP profile as split tunnel mode because of bridge mode restrictions about authenticating. And I cannot use tunnel because the VLAN cannot come to the Controller. But what I found in the KBs is that I need to configure an ACL and that's it. But I want to know what the best practices are. Also, when doing Source NAT on the users, it just has one dynamic source NAT pool but there is no configuration in the document. Also, when I configured everything, the user is authenticating but not getting an IP address. I am a bit confused with the configuration. Can anyone help?