Aruba Networks Version 3.3 manual Appendix B, Wlan Extension with Remote AP


Appendix B

WLAN Extension with Remote AP

Remote Access Point (RAP) solutions involve configuring a standard thin access point to provide a customer-defined level of service to the user by tunneling securely back to the corporate network over a wide area network. The WAN may be either a private network, such as a frame relay or MPLS network, or a public network, such as a residential or commercial broadband Internet service. The same SSIDs, encryption, and authentication that exist on the corporate network are present on the RAP, or the administrator can choose to enable just a subset of the functionality of campus-connected APs. The Remote AP is a licensed feature, with each Remote AP requiring a separate license.

For telecommuter or home-office applications, an Aruba RAP is much more than a simple home wireless device. It is instead an extension of all of the services available on the corporate network, including voice and video, in a similar fashion to a branch office but with fewer configuration headaches. For instance, the user’s laptop automatically associates with the RAP just as it would in the corporate network, and this allows for centralized management of a truly mobile edge. Dual-mode voice devices can place and receive calls.

[Figure: Remote AP deployment between a remote location and corporate HQ. Labels: Guest SSID, Corporate SSID, Voice SSID; IPSec/AES-CCM encrypted control channel; IPSec tunnel; Internet; Firewall / NAT-T; Internet traffic (split tunnel); Websites.]

The integration of the RAP functions into both the Mobility Controller and the thin AP as an end-to-end system is critical to having a solution that is both technologically effective and cost effective. By integrating authentication, encryption, firewall, and QoS features, the network administrator has a single point of troubleshooting and maintenance. This reduces both initial capital expenditure and ongoing maintenance costs.

A much larger benefit that comes with this solution is transparent security. The RAP provides a solution that does not add any additional burden to the user beyond their regular login credentials. They simply see connectivity to the home office the same as it is when they are in the office. There is nothing new to remember to do, no tokens to lose, and no mistakes in connecting.

To connect to the Mobility Controller that is inside the corporate network, the Remote AP uses NAT Traversal (NAT-T) to connect through the corporate firewall to the Mobility Controller.

Campus Wireless Networks Validated Reference Design Version 3.3 Design Guide
