Aruba Networks Version 3.3 manual Corporate

Page 43

Using RADIUS and a WPA2-protected connection as an example, authentication occurs using 802.1X. The Mobility Controller forwards the request to the RADIUS server, which performs the actual authentication and sends a response to the Mobility Controller. Once authentication completes successfully, the RADIUS server passes the encryption keys to the Mobility Controller, along with the user's access policies. The Mobility Controller then completes the role derivation process, adds the new user, along with all the relevant state information, to the active user database, and completes the authentication process. A security context is created and, for encrypted links, the key exchange completes, after which all traffic is encrypted.

[Figure: 802.1X authentication flow through the WLAN switch. Labels: WLAN switch, L2/L3 switch, AP, Corporate backbone, RADIUS server; callouts 1 to 5 correspond to the steps below.]

1. Client sends 802.11 association request that is automatically forwarded by the AP to the WLAN switch
2. WLAN switch responds with association acknowledgement
3. Client and WLAN switch start 802.1X authentication conversation along with RADIUS server
4. Encryption keys passed to the WLAN switch, and user derives own encryption keys, begins sending encrypted data
5. WLAN switch decrypts data, processes packets, applies services and forwards packets based on .11 MAC
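Step 4 above and the opening paragraph both hinge on the RADIUS server handing session key material to the Mobility Controller. The following added example (written for this page, not Aruba code) shows how that material is wrapped in the MS-MPPE-Recv-Key / MS-MPPE-Send-Key attributes of an Access-Accept per RFC 2548 section 2.4: the key is bound to the RADIUS shared secret and to the Request Authenticator of the Access-Request it answers, so only the NAS that sent the request and holds the secret can unwrap it. The shared secret, Request Authenticator, PMK and salt are constructed values.

```python
"""
Constructed example (not Aruba code): wrapping and unwrapping the session key
that a RADIUS server delivers to the NAS, here the Mobility Controller, in an
MS-MPPE-*-Key attribute (RFC 2548 section 2.4). All secrets, keys and
authenticators below are made up for the demonstration.
"""
import hashlib
import os
from typing import Optional

# Constructed values; a real controller gets these from its RADIUS server
# configuration and from the packet exchange itself.
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))                              # 16-octet Request Authenticator
PMK = hashlib.sha256(b"constructed pairwise master key").digest()    # 32-byte key to deliver
DEMO_SALT = b"\x80\x01"                                               # fixed so the demo is reproducible


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_encrypt(secret: bytes, request_authenticator: bytes, key: bytes,
                 salt: Optional[bytes] = None) -> bytes:
    """Build the String field of an MS-MPPE-*-Key attribute: Salt || ciphertext."""
    if len(request_authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in the one-octet Key-Length field")
    if salt is None:
        # Two octets, high bit of the first set; must differ per attribute in a packet.
        salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit of the first set")
    # Plaintext P = Key-Length || Key, zero-padded to a multiple of 16 octets.
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out = b""
    prev = request_authenticator + salt            # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = _xor(plain[i:i + 16], b)               # c(i) = p(i) xor b(i)
        out += c
        prev = c                                   # b(i+1) = MD5(S + c(i))
    return salt + out


def mppe_decrypt(secret: bytes, request_authenticator: bytes, string: bytes) -> bytes:
    """Unwrap an MS-MPPE-*-Key String field; raises ValueError if it is malformed."""
    salt, ciphertext = string[:2], string[2:]
    if len(salt) != 2 or not ciphertext or len(ciphertext) % 16:
        raise ValueError("malformed MS-MPPE key attribute")
    plain = b""
    prev = request_authenticator + salt
    for i in range(0, len(ciphertext), 16):
        c = ciphertext[i:i + 16]
        plain += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    key_len = plain[0]
    if key_len == 0 or key_len > len(plain) - 1:
        raise ValueError("Key-Length does not match attribute size")
    return plain[1:1 + key_len]


# The attribute string as the server would place it in the Access-Accept.
WRAPPED = mppe_encrypt(SECRET, REQUEST_AUTHENTICATOR, PMK, DEMO_SALT)


def recovers_pmk(secret_guess: bytes, string: bytes = WRAPPED) -> bool:
    """True only if secret_guess unwraps the attribute to the delivered PMK: the
    controller holding the real secret succeeds, any other party gets noise or an error."""
    try:
        return mppe_decrypt(secret_guess, REQUEST_AUTHENTICATOR, string) == PMK
    except ValueError:
        return False


if __name__ == "__main__":
    print("wrapped attribute:", WRAPPED.hex())
    print("controller recovers PMK:", recovers_pmk(SECRET))
    print("wrong secret recovers PMK:", recovers_pmk(b"wrong-secret"))
```

The wrapping is only as strong as the shared secret and MD5, which is why the link between the Mobility Controller and the RADIUS server should itself be protected (for example RADIUS over TLS, RFC 6614, or an IPsec tunnel) and the secret kept long and unique per client.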

If the user already exists in the active user database and is now attempting to associate to a new AP, the Mobility Controller will understand that an active user has moved, will restore the user’s connectivity state and initiate mobility processing.
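The role derivation and active user database described in the opening paragraph and the move handling described just above can be modelled together. The following added example is a constructed illustration written for this page, not ArubaOS code: the attribute names used for role derivation, the default role, the client MACs, usernames and AP names are all assumptions.

```python
"""
Constructed model (not ArubaOS code) of the controller-side bookkeeping
described above: a successful RADIUS exchange yields the user's access
policy, the controller derives a role from it and records the user in an
active user database keyed by client MAC; a later association from a
different AP is recognised as a move and the stored state is restored
instead of starting a new session.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_ROLE = "authenticated"   # assumption: fallback when the server returns no policy
# Assumed lookup order for role derivation: a vendor role attribute first,
# then the standard Filter-Id attribute (RFC 2865), then the default role.
ROLE_ATTRIBUTES = ("Vendor-User-Role", "Filter-Id")


@dataclass
class ActiveUser:
    mac: str
    username: str
    role: str
    ap: str
    pmk: bytes
    roams: int = 0


class MobilityController:
    def __init__(self) -> None:
        self.active_users: Dict[str, ActiveUser] = {}
        self.events: List[str] = []

    def derive_role(self, attrs: Dict[str, str]) -> str:
        """Role derivation: the first policy attribute present wins, else the default role."""
        for name in ROLE_ATTRIBUTES:
            if attrs.get(name):
                return attrs[name]
        return DEFAULT_ROLE

    def associate(self, mac: str, ap: str) -> Optional[ActiveUser]:
        """Association request (figure steps 1 and 2). Returns the restored user
        when a known client has moved, or None when the client is unknown and
        must complete 802.1X first."""
        user = self.active_users.get(mac)
        if user is None:
            self.events.append(f"{mac}: new client on {ap}, 802.1X required")
            return None
        if user.ap != ap:
            self.events.append(f"{mac}: moved {user.ap} -> {ap}, state restored, role {user.role}")
            user.ap = ap
            user.roams += 1
        return user

    def complete_auth(self, mac: str, ap: str, username: str, code: str,
                      attrs: Dict[str, str], pmk: Optional[bytes]) -> Optional[ActiveUser]:
        """Apply the RADIUS result (figure steps 3 and 4). Only an Access-Accept
        that carries key material creates an active user entry."""
        if code != "Access-Accept" or pmk is None:
            self.events.append(f"{mac}: {code} for {username}, no user state created")
            return None
        user = ActiveUser(mac, username, self.derive_role(attrs), ap, pmk)
        self.active_users[mac] = user
        self.events.append(f"{mac}: {username} authenticated on {ap} as {user.role}")
        return user


def scenario() -> MobilityController:
    """Constructed walk-through: one employee who roams to a second AP, one
    rejected login, and one user accepted without any policy attribute."""
    mc = MobilityController()
    mc.associate("aa:bb:cc:00:00:01", "ap-1")                 # unknown client: must authenticate
    mc.complete_auth("aa:bb:cc:00:00:01", "ap-1", "alice", "Access-Accept",
                     {"Vendor-User-Role": "employee"}, b"\x01" * 32)
    mc.associate("aa:bb:cc:00:00:01", "ap-2")                 # same MAC, new AP: treated as a move
    mc.associate("aa:bb:cc:00:00:02", "ap-1")
    mc.complete_auth("aa:bb:cc:00:00:02", "ap-1", "carol", "Access-Reject", {}, None)
    mc.associate("aa:bb:cc:00:00:03", "ap-2")
    mc.complete_auth("aa:bb:cc:00:00:03", "ap-2", "bob", "Access-Accept", {}, b"\x03" * 32)
    return mc


if __name__ == "__main__":
    for line in scenario().events:
        print(line)
```

Running the script prints the event log: the first client is asked to authenticate, is admitted as role employee, and later keeps that role and its keys when it reappears on ap-2; the rejected login leaves no entry behind; the user with no returned policy lands in the default role.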

ArubaOS uniquely supports AAA FastConnect™, which allows the encrypted portions of 802.1X authentication exchanges to be terminated on the Mobility Controller, where Aruba's hardware encryption engine dramatically increases scalability and performance. Supported for PEAP-MSCHAPv2, PEAP-GTC, and EAP-TLS, AAA FastConnect™ removes the requirement for external authentication servers to be 802.1X-capable and increases authentication server scalability by permitting several hundred authentication requests per second to be processed.

Campus Wireless Networks Validated Reference Design Version 3.3 Design Guide

Mobility Controller Configuration 43
