SSIDs

An SSID is the network name displayed in the ‘Available Wireless Networks’ list on a wireless client. Many APs in the same network will advertise the same SSID, but each AP will have a unique BSSID. Multiple SSIDs are commonly used to let users know which network they should associate to, and to apply a different security level to each SSID, such as WPA, WPA2, or an open network protected by a Captive Portal. Clients typically make roaming decisions based on the received signal strength of the BSSIDs they can hear.

[Figure arun_055: a Mobility Controller serving three SSIDs: Employee SSID, Application SSID, and Guest SSID]

The diagram above shows the most common SSID design for enterprise organizations, which includes three different SSIDs. The strongest authentication and encryption suite, in this case WPA2-Enterprise, is used for employee users. The network administrator might choose a name such as ‘Acme Corp Employee’ for this SSID.

The second SSID is used for specific devices that are not capable of modern, strong authentication and encryption. As of this writing, common examples include the following devices:

• Portable barcode scanners

• Active RFID tags

• All but the latest WiFi phones

• IP video cameras

In this case, the Mobility Controller uses an SSID such as ‘Acme Corp-Application’ with the strongest authentication and encryption suite that these devices support; in this case, WPA-PSK (pre-shared key). Because every device on this SSID shares the same key, anyone who obtains the key can join it, so the role derived for this SSID should grant only the access the devices actually need.

The final SSID is used to provide guest access to the network. This SSID does not run any encryption, so guest traffic is sent in the clear over the air, and guests are required to authenticate using the Captive Portal capability that is built into the Aruba Mobility Controller. Guest users can authenticate against a centralized authentication server or the built-in Local Database on the Mobility Controller; the latter is common when combined with the guest provisioning role on the controller.

VLANs

At the controller, a user who successfully authenticates via an Aruba AP to any of these three SSIDs is treated very differently in the Role Derivation process, according to the Configuration Profiles in the AP Group assigned to that AP. The Employee user is most likely placed on a VLAN with access to internal network resources, although this can be further refined with ACLs applied on a per-packet basis. The dual-mode WiFi phone is placed on a voice-only VLAN and is only permitted to contact the SIP server and transmit RTP traffic; any attempt by the device to do anything else automatically ‘blacklists’ that device from the network. Finally, the Guest user is placed onto a guest-only VLAN that only has access to the default gateway leading to the Internet.
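The following Python model is an added illustration of the three-SSID design and the role derivation described above; it is not Aruba Mobility Controller code. It maps each SSID to the role granted on successful authentication, gives each role a VLAN and an ordered per-packet ACL with an implicit deny, and blacklists a voice device the moment it sends anything other than SIP to the SIP server or RTP media. The role names, VLAN IDs, the 10.0.0.0/8 internal range, the SIP server address, the RTP port range and the client MACs are all assumptions chosen for the example.

```python
"""Role derivation and per-packet ACL enforcement modelled on the three-SSID
design in the text above. Added example, not Aruba code: role names, VLAN IDs,
addresses and port numbers are assumed values."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    dst: IPv4Network            # destination network this rule matches
    proto: str                  # "udp", "tcp" or "any"
    ports: Optional[range]      # destination port range; None matches any port
    action: str                 # "permit" or "deny"
    blacklist: bool = False     # a matching deny also blacklists the client

    def matches(self, dst_ip: str, proto: str, dport: int) -> bool:
        if ip_address(dst_ip) not in self.dst:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return self.ports is None or dport in self.ports


@dataclass
class Role:
    name: str
    vlan: int
    acl: list                   # ordered rules, first match wins, implicit deny


ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")        # assumed internal address space
SIP_SERVER = ip_network("10.10.5.10/32")   # assumed SIP server address
RTP_PORTS = range(16384, 32768)            # commonly used RTP media range

# SSID -> (authentication suite, role granted on success), as in the text.
SSID_POLICY = {
    "Acme Corp Employee":    ("wpa2-enterprise",     "employee"),
    "Acme Corp-Application": ("wpa-psk",             "voice"),
    "Acme Corp Guest":       ("open+captive-portal", "guest"),
}

ROLES = {
    # Employees reach internal resources; refine with tighter rules as needed.
    "employee": Role("employee", 100, [Rule(ANY, "any", None, "permit")]),
    # Voice devices: SIP signalling to the SIP server and RTP media only;
    # anything else is denied and the device is blacklisted.
    "voice": Role("voice", 200, [
        Rule(SIP_SERVER, "udp", range(5060, 5061), "permit"),
        Rule(ANY, "udp", RTP_PORTS, "permit"),
        Rule(ANY, "any", None, "deny", blacklist=True),
    ]),
    # Guests: nothing internal; everything else leaves via the default gateway.
    "guest": Role("guest", 300, [
        Rule(INTERNAL, "any", None, "deny"),
        Rule(ANY, "any", None, "permit"),
    ]),
}


class Controller:
    """Tracks authenticated client sessions and blacklisted client MACs."""

    def __init__(self):
        self.sessions: dict = {}      # mac -> Role
        self.blacklist: set = set()

    def associate(self, mac: str, ssid: str, auth_ok: bool) -> Optional[int]:
        """Derive the client's role from its SSID; return the VLAN or None."""
        if mac in self.blacklist or ssid not in SSID_POLICY or not auth_ok:
            return None
        _suite, role_name = SSID_POLICY[ssid]
        role = ROLES[role_name]
        self.sessions[mac] = role
        return role.vlan

    def forward(self, mac: str, dst_ip: str, proto: str, dport: int) -> str:
        """Evaluate one packet against the client's role ACL."""
        if mac in self.blacklist:
            return "blacklisted"
        role = self.sessions.get(mac)
        if role is None:
            return "deny"                       # no session: implicit deny
        for rule in role.acl:
            if rule.matches(dst_ip, proto, dport):
                if rule.action == "deny" and rule.blacklist:
                    self.blacklist.add(mac)     # device is removed from the network
                    del self.sessions[mac]
                    return "blacklisted"
                return rule.action
        return "deny"                           # fell off the ACL: implicit deny


def demo() -> list:
    """Walk the three client types from the text through association and traffic."""
    c = Controller()
    out = []
    out.append(c.associate("aa:aa", "Acme Corp Employee", True))      # 100
    out.append(c.forward("aa:aa", "10.20.1.5", "tcp", 445))           # permit
    out.append(c.associate("bb:bb", "Acme Corp-Application", True))   # 200
    out.append(c.forward("bb:bb", "10.10.5.10", "udp", 5060))         # permit (SIP)
    out.append(c.forward("bb:bb", "10.20.1.5", "tcp", 80))            # blacklisted
    out.append(c.forward("bb:bb", "10.10.5.10", "udp", 5060))         # blacklisted
    out.append(c.associate("cc:cc", "Acme Corp Guest", True))         # 300
    out.append(c.forward("cc:cc", "10.20.1.5", "tcp", 80))            # deny
    out.append(c.forward("cc:cc", "93.184.216.34", "tcp", 443))       # permit
    return out


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The ACL is evaluated on every packet, not only at association time, which is what lets the voice role notice a phone probing an internal web server and remove it immediately; a blacklisted MAC is also refused on re-association until it is cleared.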

Mobility Controller Configuration

Campus Wireless Networks Validated Reference Design Version 3.3 Design Guide