Traffic Flow from IAP to CALEA Server through VPN
You can also deploy the CALEA server with the controller and configure an additional IPSec tunnel for corporate
access. When the CALEA server is configured with the controller, the slave IAP replicates the client traffic,
encapsulates the client data in GRE, and routes it to the master IAP. The master IAP sends the IPSec client
traffic to the controller. The controller handles the IPSec client traffic, while the GRE data is routed to the CALEA server.
The following figure illustrates the traffic flow from IAP to the CALEA server through VPN.
Figure 95 IAP to CALEA Server through VPN
Ensure that an IPSec tunnel is configured if the client data has to be routed to the ISP or CALEA server through VPN.
For more information on configuring IPSec, see Configuring an IPSec Tunnel on page 211.
Client Traffic Replication
Client traffic is replicated in the following ways:
• Through RADIUS VSA: In this method, the client traffic is replicated by using the RADIUS VSA to assign
clients to a CALEA-related user role. To enable role assignment to clients, you need to create a user role and a
CALEA access rule, and then assign the CALEA rule to the user role. Whenever a client that is configured to use
a CALEA rule connects, a replication role is assigned.
• Through Change of Authorization (CoA): In this method, a user session can start without replication. When the
network administrator triggers a CoA from the RADIUS server, the user session is replicated. The replication is
stopped when the user disconnects or by sending a CoA to change the replication role.
As the client information is shared between multiple IAPs in a cluster, the replication rules persist when clients roam
within the cluster.
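Because a single CoA message can start replication of a client's traffic, CoA requests that assign a replication role are worth auditing. The following Python example is added here and is not from the Aruba guide: it verifies the RFC 5176 Request Authenticator of a CoA-Request and reports whether the request assigns a replication role. The shared secret, the role name calea-replicate and the sample packet builder are constructed; carrying the role in the Aruba-User-Role VSA (vendor 14823, type 1) is an assumption, since this page does not name the attribute.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43          # RFC 5176 packet code
VENDOR_SPECIFIC = 26      # RADIUS attribute type that carries VSAs
ARUBA_VENDOR_ID = 14823   # Aruba enterprise number
ARUBA_USER_ROLE = 1       # Aruba-User-Role VSA sub-type (assumed role carrier)
SECRET = b"constructed-shared-secret"    # constructed sample value
REPLICATION_ROLES = {"calea-replicate"}  # hypothetical role name


def request_authenticator(code, ident, attrs, secret):
    """RFC 5176: MD5(Code + Id + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_coa(ident, role, secret):
    """Build a constructed CoA-Request sample carrying one Aruba-User-Role VSA."""
    vsa = struct.pack("!IBB", ARUBA_VENDOR_ID, ARUBA_USER_ROLE, 2 + len(role)) + role
    attrs = struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(vsa)) + vsa
    auth = request_authenticator(COA_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def audit_coa(packet, secret):
    """Return (authentic, role, starts_replication) for one CoA-Request."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length < 20 or length > len(packet):
        raise ValueError("not a well-formed CoA-Request")
    attrs = packet[20:length]
    expected = request_authenticator(code, ident, attrs, secret)
    authentic = hmac.compare_digest(packet[4:20], expected)
    role, pos = None, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == ARUBA_VENDOR_ID and vtype == ARUBA_USER_ROLE and 2 <= vlen <= len(value) - 4:
                role = value[6:4 + vlen].decode("ascii", "replace")
        pos += alen
    return authentic, role, role in REPLICATION_ROLES
```

A request that assigns a replication role but fails the authenticator check, or that arrives without a matching authorization record, is the case to alert on.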
Configuring an IAP for CALEA Integration
To enable CALEA server integration, perform the following steps:
1. Create a CALEA profile.
Aruba Instant 6.4.0.2-4.1 | User Guide Services | 272










