ArubaOS and Controllers

Occasional Contributor II
Posts: 41
Registered: ‎04-01-2009

AAA FastConnect ?

I heard/read a little bit about the AAA fastconnect feature on Aruba Controllers today and was curious if anyone could provide more info on what exactly the benefit is of using this? Is this just a method of managing session keys that is proprietary to Aruba?
Also is anyone using this in production and have verified any improvement in performance?

What I found on Aruba's website:
AAA Fast Connect also improves the rate at which users can authenticate (and re-authenticate, which is critical for secure roaming performance), up to a 3X improvement in authentication rates and roam times.
Fastest roaming with WPA/WPA2: If encryption is done at each AP in a conventional distributed model, then each AP needs to have a copy of each WLAN client’s session key to provide seamless roaming between AP’s. As the number of clients and AP’s grow in a wireless infrastructure, the number of keys that need to be distributed becomes unmanageable – this phenomenon is known as ‘key explosion’. With Aruba’s centralized encryption architecture, only a single copy of each key is stored on the controller – regardless of the number of AP’s and clients deployed.

Thanks to anyone who can share info!
Guru Elite
Posts: 21,493
Registered: ‎03-29-2007

Re: AAA FastConnect ?

AAA FastConnect is another word for EAP termination. One of the most resource-intensive tasks for a RADIUS server is keying/rekeying for clients that authenticate. FastConnect offloads this function and allows the RADIUS server to just do authentication, doing the keying/rekeying in hardware and allowing the RADIUS server to do authentication. When termination is enabled, the client will be presented with and see a certificate that is on the controller, as opposed to the one on the RADIUS server. This allows the RADIUS server to do many more authentications per second, because it does not have to consume cycles on keying and rekeying, which can be very resource intensive.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 41
Registered: ‎04-01-2009

Re: AAA FastConnect ?

Thanks Colin!
So pardon my ignorance on the server side of things, but does all that rekeying really put that much of a load on a server? I guess my thought is if I have a cluster of servers doing my RADIUS wouldn't they have more horsepower than my 3400 controller?

Also does the fact that you are terminating the EAP tunnel at the controller save much in terms of bandwidth if you had to send your RADIUS auths across a WAN link or reduce the amount of time it will take a client to roam?
Guru Elite
Posts: 21,493
Registered: ‎03-29-2007

Re: AAA FastConnect ?

It does increase the utilization, because the function is done in software on the server. Aruba does it in hardware and offloads that function from the server so that the authentications per second can be increased on the RADIUS server.

To leverage a group of servers, you would have to do it round-robin, but if you could have a server able to do twice as many authentications due to the decreased utilization, instead of adding another server to manage or be purchased, that might prove more cost effective. In a typical LAN, the bandwidth is not the issue. Some people would take advantage of this feature and others feel differently. The important thing is the ability to choose, either way.

Another side-effect of the feature is that instead of having multiple RADIUS server certificates, you can have a single certificate on the controller that would forward the authentication onto a number of downstream RADIUS servers.


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 4
Registered: ‎01-08-2010

Re: AAA FastConnect ?

Hi,

I was wondering if there is a better method of dealing with 802.1x termination on multiple controllers than using multiple certificates. We have 3 controllers load balancing 1000 APs on our network. Because the certificates must be initially accepted within OSX and Windows (regardless if they are signed by a trusted authority), there is the possibility that a user will get prompted 3 times on our network for authentication... Not exactly the end of the world but I would like to streamline the process as much as possible.
Guru Elite
Posts: 21,493
Registered: ‎03-29-2007

Re: AAA FastConnect ?

The CA of each certificate has to be accepted. If you get the 3 certs from the exact same CA, you are good.


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 4
Registered: ‎01-08-2010

Re: AAA FastConnect ?

Thanks Colin,

I hear what you are saying but in practice this doesn't work as expected. For example, in Snow Leopard, when one connects to an 802.1x network for the first time, a dialogue box "verify certificate" is presented to them. They have 3 options, "show certificate", "cancel" or "continue". "Continue" is the default option, and if chosen, it adds the server's cert to the user's keychain with the option "eap - always trust" enabled. It does not however add the root CA as trusted for EAP. So when the user roams to a different controller, they are prompted again.

The user can add the root CA by clicking the "show certificate" box, and going to the root CA and clicking trust, but it is not intuitive for the average user.

Windows 7 has similar behavior for its EAP settings, except the initial warning is pretty scary to look at.

I don't think this is really an Aruba issue as much as an "EAP trust" issue with OSX and Win 7, but it's annoying nonetheless. I'm not sure why if the root CA is bundled with the operating system (GeoTrust) and trusted by the web browsers why it cannot be trusted by default for EAP.
Guru Elite
Posts: 21,493
Registered: ‎03-29-2007

Re: AAA FastConnect ?

You are 100% correct. There is no way to skirt the Trust issue, especially when you need to support multiple operating systems. Verisign, Geotrust, et al. also use multiple certificate authorities, even within the same company.


Colin Joseph
Aruba Customer Engineering
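
The trust behaviour discussed in this thread, as an added example that is not part of any poster's reply: a simplified model of a supplicant's EAP trust store, comparing the "Continue" choice (pins only the presented server certificate) with explicitly trusting the issuing CA, as a client roams across three controllers that each terminate EAP with their own certificate. The certificate records, host names and CA names are constructed placeholders, and the model deliberately ignores server-name matching and chain validation.

```python
import hashlib

def fingerprint(cert):
    """SHA-256 over a constructed stand-in for a certificate's DER bytes."""
    return hashlib.sha256(f"{cert['subject']}|{cert['issuer']}".encode()).hexdigest()

class Supplicant:
    """Simplified EAP trust store: pinned server certs plus CAs trusted for EAP."""
    def __init__(self, on_prompt):
        self.pinned = set()         # leaf fingerprints marked "always trust" for EAP
        self.eap_cas = set()        # issuer names explicitly trusted for EAP
        self.on_prompt = on_prompt  # "continue" or "trust_root"
        self.prompts = 0

    def authenticate(self, cert):
        if fingerprint(cert) in self.pinned or cert["issuer"] in self.eap_cas:
            return                  # accepted silently, no dialog shown
        self.prompts += 1           # user sees the "verify certificate" dialog
        if self.on_prompt == "continue":
            self.pinned.add(fingerprint(cert))   # only this server cert is trusted
        else:
            self.eap_cas.add(cert["issuer"])     # user opened the cert and trusted the root

def prompts_while_roaming(certs, on_prompt, roam_path):
    """Count the dialogs a user sees while associating along roam_path."""
    client = Supplicant(on_prompt)
    for idx in roam_path:
        client.authenticate(certs[idx])
    return client.prompts

# Constructed sample data: three controllers, one certificate each.
SAME_CA = [{"subject": f"controller{i}.example.net", "issuer": "Constructed Root CA"}
           for i in (1, 2, 3)]
MIXED_CA = [{"subject": f"controller{i}.example.net", "issuer": f"Constructed Root CA {i}"}
            for i in (1, 2, 3)]
ROAM = [0, 1, 2, 0, 1, 2]           # client visits every controller twice

if __name__ == "__main__":
    for name, certs in (("same CA", SAME_CA), ("mixed CAs", MIXED_CA)):
        for choice in ("continue", "trust_root"):
            print(name, choice, prompts_while_roaming(certs, choice, ROAM))
```

Under this model, certificates issued by one CA reduce the prompts to one only when the client actually trusts that CA for EAP; pinning the leaf still produces one prompt per controller.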