Aruba Networks Version 3.3 manual Device Role


When appropriate levels of encryption and authentication are used for the different users associated and authenticated to the same AP at the same time, the system is completely secured. The unique combination of these security mechanisms and Aruba’s Role-Based Access Control (RBAC) gives an Aruba User-Centric Network far more control over, and granularity of, user traffic than simply demanding a particular type of authentication and encryption. This same flexibility gives customers the ability to deploy Remote APs that broadcast Employee SSIDs at a user’s home for telecommuting, or at another business to conduct a sales demonstration, without fear of a security breach.

Device Role

Special-purpose device roles are very similar to the guest access role and most commonly include active RFID tags and voice and video devices. Device roles should be set up so that a device can perform only a single function and can interact only with a known set of IP addresses. For example, a voice device should only be able to run voice protocols such as Session Initiation Protocol (SIP) to the SIP server, Real-Time Transport Protocol (RTP) and basic ICMP commands. Any other use should result in the device being blacklisted, as it is most likely the subject of an impersonation attack.
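The voice device role described above can be modelled as an allowlist with a blacklist-on-violation rule. The following Python sketch is an added example, not ArubaOS configuration or code from the design guide; the SIP server address, known network, RTP port range and MAC addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values for illustration (assumptions, not from the design guide).
SIP_SERVER = ip_address("10.10.20.5")
KNOWN_NETS = [ip_network("10.10.20.0/24")]  # the "known set of IP addresses"
RTP_PORTS = range(16384, 32768)             # assumed RTP media port range

@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_ip: str
    proto: str          # "udp", "tcp" or "icmp"
    dst_port: int = 0   # unused for ICMP

def allowed_for_voice_role(flow: Flow) -> bool:
    """Permit only SIP to the SIP server, RTP and ICMP, all to known addresses."""
    dst = ip_address(flow.dst_ip)
    if not any(dst in net for net in KNOWN_NETS):
        return False
    if flow.proto == "icmp":
        return True
    if flow.proto in ("udp", "tcp") and flow.dst_port == 5060:
        return dst == SIP_SERVER
    return flow.proto == "udp" and flow.dst_port in RTP_PORTS

def evaluate(flows):
    """Return (forwarded flows, {mac: first offending flow}).

    A device is blacklisted on its first out-of-role flow and everything
    it sends afterwards is dropped, including traffic the role would allow.
    """
    forwarded, blacklist = [], {}
    for flow in flows:
        if flow.src_mac in blacklist:
            continue
        if allowed_for_voice_role(flow):
            forwarded.append(flow)
        else:
            blacklist[flow.src_mac] = flow
    return forwarded, blacklist

PHONE, SUSPECT = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # constructed MACs
SAMPLE_FLOWS = [
    Flow(PHONE, "10.10.20.5", "udp", 5060),     # SIP registration
    Flow(PHONE, "10.10.20.77", "udp", 20000),   # RTP media
    Flow(PHONE, "10.10.20.5", "icmp"),          # ping
    Flow(SUSPECT, "10.10.20.5", "udp", 5060),   # looks like a phone so far
    Flow(SUSPECT, "203.0.113.10", "tcp", 443),  # out of role: blacklist
    Flow(SUSPECT, "10.10.20.77", "udp", 20000), # dropped, already blacklisted
]
```

Recording the first offending flow per MAC address gives the operator the evidence needed to tell an impersonating client from a misconfigured handset.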

[Figure: network diagram. Labels: Data center, File, Web, Master, PBX, RADIUS, Internet, Application, VLAN, Guest SSID, Employee SSID, Application SSID]

Mobility Controller Configuration

Campus Wireless Networks Validated Reference Design Version 3.3 Design Guide
