Aruba Networks Version 3.3 manual SSIDs, VLANs


SSIDs

An SSID is the network name shown in the ‘Available Wireless Networks’ list on a wireless client. Many APs in the same network share one SSID, but each AP radio advertises it under its own unique BSSID. SSIDs are commonly used to tell users which network they should associate to and to apply a different security level to each network, such as WPA, WPA2 or Captive Portal. Clients typically make roaming decisions based on the received signal strength of the BSSIDs they can hear.

Figure (arun_055): three-SSID design showing an Employee SSID, a Guest SSID and an Application SSID

The diagram above shows the most common SSID design for enterprise organizations, which uses three different SSIDs. A strong authentication and encryption suite, in this case WPA2-Enterprise, is used for employee users. The network administrator might choose a name such as ‘Acme Corp Employee’ for this SSID.

The second SSID is used for specific devices that are not capable of modern authentication and encryption levels. As of this writing, common examples include the following devices:

• Portable barcode scanners

• Active RFID tags

• All but the latest WiFi phones

• IP video cameras

In this case, the Mobility Controller uses an SSID such as ‘Acme Corp-Application’ with the strongest authentication and encryption suite the devices support; in this example, WPA-PSK (pre-shared key). Because every device on this SSID shares the same passphrase, the passphrase should be rotated whenever a device is lost or retired, and the role applied to these devices should restrict them to the traffic they actually need.

The final SSID provides guest access to the network. This SSID runs no encryption and requires guests to authenticate using the Captive Portal capability built into the Aruba Mobility Controller. Guest users can authenticate against a centralized authentication server or against the Local Database built into the Mobility Controller; the latter is common when combined with the guest provisioning role on the controller. Because the SSID is open, guest traffic is unencrypted over the air, so protection of the rest of the network relies on the guest VLAN and the policies applied to the guest role rather than on the wireless link itself.

VLANs

At the controller, users who successfully authenticate via an Aruba AP on any of these three SSIDs are treated very differently in the Role Derivation process, according to the Configuration Profiles in the AP Group assigned to that AP. The Employee user is most likely placed on a VLAN with access to internal network resources, although this can be further refined with ACLs applied on a per-packet basis. The dual-mode WiFi phone is placed on a voice-only VLAN and is only permitted to contact a SIP server and transmit RTP traffic. Any attempt by the device to do anything else automatically ‘blacklists’ that device from the network. Finally, the Guest user is placed onto a guest-only VLAN that only has access to the default gateway leading to the internet.
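The following ArubaOS CLI configuration is an added example, not taken from this guide, that builds the three-SSID design described in the SSIDs section and the role, VLAN and per-packet policy treatment described in the VLANs section. All profile, role, ACL and SSID names, the VLAN IDs 10/20/30 and their addresses, the RADIUS server (10.1.1.10), the SIP server (10.1.20.5), the RTP port range and the placeholder secrets are assumptions made for this example; verify each command against the ArubaOS 3.3 CLI reference before using it.

```arubaos
! VLANs for the three user classes (IDs and addresses assumed for this example)
vlan 10
vlan 20
vlan 30
interface vlan 10
  ip address 10.1.10.1 255.255.255.0
interface vlan 20
  ip address 10.1.20.1 255.255.255.0
interface vlan 30
  ip address 192.168.30.1 255.255.255.0
!
! Corporate RADIUS server used for 802.1X on the Employee SSID (address assumed)
aaa authentication-server radius corp-radius
  host 10.1.1.10
  key <radius-shared-secret>
aaa server-group corp-radius-grp
  auth-server corp-radius
!
! Per-packet policies, matched top-down. DHCP and DNS are permitted so the phone can
! obtain an address; the final deny carries the blacklist option so a device that tries
! anything other than SIP signalling and RTP media is blacklisted automatically.
ip access-list session voice-only
  user any svc-dhcp permit
  user any svc-dns permit
  user host 10.1.20.5 svc-sip-udp permit
  user host 10.1.20.5 svc-sip-tcp permit
  user any udp 16384 32767 permit
  any any any deny blacklist
!
! Guest policy: reach the internet only, never the internal (RFC 1918) address space
ip access-list session block-internal-access
  user any svc-dhcp permit
  user any svc-dns permit
  user network 10.0.0.0 255.0.0.0 any deny
  user network 172.16.0.0 255.240.0.0 any deny
  user network 192.168.0.0 255.255.0.0 any deny
  user any any permit
!
user-role employee
  session-acl allowall
user-role voice-device
  session-acl voice-only
user-role guest
  session-acl block-internal-access
!
! Employee SSID: WPA2-Enterprise (802.1X); an authenticated user lands in VLAN 10 as 'employee'
wlan ssid-profile Acme-Employee
  essid "Acme Corp Employee"
  opmode wpa2-aes
aaa profile Acme-Employee-aaa
  initial-role logon
  authentication-dot1x default
  dot1x-server-group corp-radius-grp
  dot1x-default-role employee
wlan virtual-ap Acme-Employee-vap
  ssid-profile Acme-Employee
  aaa-profile Acme-Employee-aaa
  vlan 10
!
! Application SSID: WPA-PSK for legacy devices, locked to the voice-only policy in VLAN 20
wlan ssid-profile Acme-Application
  essid "Acme Corp-Application"
  opmode wpa-psk-tkip
  wpa-passphrase <strong-random-passphrase>
aaa profile Acme-Application-aaa
  initial-role voice-device
wlan virtual-ap Acme-Application-vap
  ssid-profile Acme-Application
  aaa-profile Acme-Application-aaa
  vlan 20
!
! Guest SSID: open, Captive Portal attached to the initial role, guest VLAN 30 after login.
! 'internal' is the controller's built-in Local Database server group.
aaa authentication captive-portal Acme-Guest-cp
  default-role guest
  server-group internal
user-role guest-logon
  captive-portal Acme-Guest-cp
wlan ssid-profile Acme-Guest
  essid "Acme Corp Guest"
  opmode opensystem
aaa profile Acme-Guest-aaa
  initial-role guest-logon
wlan virtual-ap Acme-Guest-vap
  ssid-profile Acme-Guest
  aaa-profile Acme-Guest-aaa
  vlan 30
!
! Attach all three virtual APs to the AP group the campus APs belong to (group name assumed)
ap-group campus-aps
  virtual-ap Acme-Employee-vap
  virtual-ap Acme-Application-vap
  virtual-ap Acme-Guest-vap
```

Two points to check after applying a configuration like this: `show rights voice-device` and `show rights guest` display the resulting rule sets, and a test phone that attempts, say, an SSH connection should appear in `show ap blacklist-clients` because of the `blacklist` option on the last voice-only rule. The guest policy above uses explicit RFC 1918 denies rather than relying on VLAN separation alone, so a guest who is routed past the default gateway still cannot reach internal addresses.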


Campus Wireless Networks Validated Reference Design Version 3.3 Design Guide
