This document provides instructions for configuring split-tunneling on a Cisco wireless controller to allow remote access points (RAPs) to forward some traffic over an IPSec VPN tunnel to the controller while sending other traffic locally. The key steps are: 1. Define an internal network destination that specifies the IP ranges that should be tunneled. 2. Create a RAP user policy that tunnels traffic to the internal destination over the VPN but sources locally any other traffic. 3. Configure a RAP user role and AAA profile to authenticate and authorize RAP users. 4. Set up a virtual AP profile for the RAPs with the AAA profile and split-tunnel forwarding mode.