Aruba Networks Version 3.3 manual Secure Authentication Methods, Role Derivation

Page 41

Role Derivation

Aruba uses the term ‘Role Derivation’ to describe the process of determining which role is assigned to a user. The system can take into account the user’s credentials, location (for example the AP group or SSID the user connected through), time of day, and authentication type when deciding which role to assign.

This system can be as detailed or as general as the administrator prefers. The Role Derivation process determines:

• What class of service is provided to user traffic
• Which firewall ACLs are applied to the user’s traffic
• Which VLAN the user is placed into

Secure Authentication Methods

The most common authentication methods for campus WLANs are 802.1X and Captive Portal; other authentication methods are also discussed in this section. Mobility Controllers are the central point of control for users and access points, and are typically deployed at the aggregation (distribution) layer of the network. The controllers sit in the authentication path, terminate the users’ encrypted wireless traffic, and enforce policy using the optional Aruba Policy Enforcement Firewall module.

This ICSA-certified stateful firewall controls user traffic and provides application awareness through deep packet inspection. The Policy Enforcement Firewall module tracks sessions dynamically, logs user sessions, and can enforce policy by blocking user traffic and blacklisting users for policy violations. This role-based access control system allows users with different access rights to share the same access points.

A wireless user gains access to the network by attempting to associate to the AP with the strongest signal. The association request may come from a new user logging on to the network or from an active user who has just roamed to a different location. The 802.11 MAC-layer association request is forwarded to the Mobility Controller, which attempts to retrieve the user’s state from the active user database. If the user was not previously active, the Mobility Controller authenticates the user, typically using 802.1X coupled with a back-end authentication mechanism such as RADIUS, Active Directory or LDAP.

The Mobility Controller can perform user authentication in multiple ways to suit the varying needs of an enterprise and the AAA infrastructure already in use. The most typical authentication methods employed on Aruba networks are:

• 802.1X user authentication with a back-end server
• 802.1X PEAP termination on the controller
• PPP-based user authentication over IPsec VPNs
• Captive Portal user authentication
• A combination of methods, such as 802.1X followed by Captive Portal, or static WEP followed by VPN for legacy devices (in the latter case the VPN, not WEP, provides the real protection)

Authentication in the Aruba system typically leverages existing authentication stores, including RADIUS, Active Directory, and LDAP. While the Aruba Mobility Controller does contain a scalable local database for users and guests, it is usually preferable to leverage an existing authentication system for this so that credentials do not have to be kept synchronized in two places.
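The following ArubaOS CLI fragment is an added example written for this page, not configuration taken from the design guide. It ties the two preceding sections together: 802.1X authentication is performed against a RADIUS server group, the server group’s derivation rules select a role and VLAN from the RADIUS Class attribute returned by the server, each role carries its own session ACL and VLAN, and the AAA profile names the default role that applies only when no derivation rule matches. All names, addresses and attribute values (corp-rad1, 10.1.1.10, employee, contractor, the Class values, the SSID and AP group names) are assumptions chosen for illustration.

```text
! Constructed example; names, addresses and Class values are assumptions.
!
! 1. Back-end RADIUS server and the server group used for 802.1X
aaa authentication-server radius corp-rad1
   host 10.1.1.10
   key <shared-secret>
!
aaa server-group corp-servers
   auth-server corp-rad1
   ! Server derivation rules: the role and VLAN are derived from the
   ! RADIUS Class attribute that the server returns in Access-Accept.
   set role condition Class equals "staff" set-value employee
   set role condition Class equals "contractor" set-value contractor
   set vlan condition Class equals "staff" set-value 20
   set vlan condition Class equals "contractor" set-value 30
!
! 2. Firewall policies (session ACLs) enforced by the PEF module
netdestination internal-network
   network 10.0.0.0 255.0.0.0
!
ip access-list session employee-acl
   user any any permit
!
ip access-list session contractor-acl
   user any svc-dhcp permit
   user any svc-dns permit
   ! Contractors may not reach internal servers; only web access is allowed
   user alias internal-network any deny
   user any svc-http permit
   user any svc-https permit
   user any any deny
!
! 3. Roles: each role bundles a VLAN with its ACLs
user-role employee
   vlan 20
   access-list session employee-acl
!
user-role contractor
   vlan 30
   access-list session contractor-acl
!
! 4. AAA profile: users start in the logon role, authenticate via 802.1X
!    against corp-servers, and fall back to dot1x-default-role only when
!    no server derivation rule matched.
aaa profile corp-dot1x
   initial-role logon
   authentication-dot1x default
   dot1x-default-role guest
   dot1x-server-group corp-servers
!
! 5. Bind the AAA profile to an SSID and push it to an AP group
wlan ssid-profile corp-ssid
   essid Corp-Secure
   opmode wpa2-aes
!
wlan virtual-ap corp-vap
   aaa-profile corp-dot1x
   ssid-profile corp-ssid
   vlan 20
!
ap-group campus-aps
   virtual-ap corp-vap
```

Two points worth checking on a real deployment: the fallback role named by dot1x-default-role should be the least privileged role that is acceptable for an authenticated user whose account returns no recognised Class value, and the derived VLAN should exist on the controller and be trunked to the upstream switch, otherwise the user is authenticated but receives no connectivity. A captive-portal guest SSID follows the same pattern with a different AAA profile whose initial role carries the captive-portal profile.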

Campus Wireless Networks Validated Reference Design Version 3.3 Design Guide

Mobility Controller Configuration 41
