Aruba Networks Version 3.3 manual Secure Authentication Methods, Role Derivation

Role Derivation

Aruba uses the term ‘Role Derivation’ to describe the process of determining which role is to be assigned to a user. The system can take into account the user’s credentials, location, time of day, and authentication type when deciding which role to assign.

This system can be as detailed or as general as the administrator prefers. The Role Derivation process determines:

zWhat class of service is provided to user traffic

zWhich Firewall ACLs are applied to the user’s traffic

zWhich VLAN the user is placed into

Secure Authentication Methods

The most common authentication methods for Campus WLANs are 802.1X, and Captive Portal; other authentication methods are also discussed in this section. Mobility Controllers at the Aggregation Layer are the central point of control for users and access points, and are typically deployed in the distribution layer of the network. The Mobility Controllers sit in the authentication path, terminate user-encrypted traffic, and enforce policy using the optional Aruba Policy Enforcement Firewall module.

This ICSA certified stateful firewall allows control of user traffic as well as application awareness through deep packet inspection. The Aruba Policy Enforcement Firewall module has the capacity to dynamically follow sessions, log user sessions, and take actions through the blocking of user traffic and blacklisting of users for policy violation. This Role-Based Access Control system allows users with different access rights to share the same access points.

A wireless user gains access to the network by attempting to associate to the AP with the strongest signal. The association request may have originated from a new user logging on to the network, or an active user who has just roamed to a different location. The 802.11 MAC layer protocol association request is forwarded to the Mobility Controller, which then attempts to retrieve the user’s state from the active user database. If the user was not active previously, the Mobility Controller will proceed to authenticate the user using 802.1X coupled with back-end authentications mechanisms such as RADIUS, Active Directory or LDAP.

The Mobility Controller can perform user authentication in multiple ways to suit the varying needs of an enterprise, and the existing AAA infrastructure in use. The most typical authentication methods employed on Aruba networks can be summarized as:

z802.1X based user authentication with a backend server

z802.1X PEAP termination on the controller

zPPP based user authentication over IPSec based VPNs

zCaptive Portal based user authentication

zA combination of authentication methods such as 802.1X followed by captive portal, or WEP authentication followed by VPN

Authentication in the Aruba system typically leverages existing authentication stores, including RADIUS, Active Directory, and LDAP. While the Aruba Mobility Controller does contain a scalable Local DB for users and guests, it is typically desirable to have that functionality leveraged from an existing authentication system to ease synchronization issues.