ArubaOS and Controllers

Reply
Occasional Contributor II

any advice for Third party APs integration?

Hello we make an aruba deployment on a synchrotron in spain. There are 36 AP60 installed. Before aruba there was some dwl-2100ap access points from d-link.
Now those dlinks are on the tunnel a place full of harmful radiation. For the moment we will keep there the old d-links just in case they get fried.

Finally the acces to the wireless network will be trought a single ssid using wpa2-enterprise. Then we will separate the clients in 3 vlans according to their credentials. For this aruba uses the vlan value of the client returned by the radius server.
The vlans are staff, guest and voip.

We would like to integrate those d-links with aruba, as a third party aps. There is a feature called "stateful 802.1x".
More information https://airheads.arubanetworks.com/vBulletin/showthread.php?t=1048. Anybody knows if this could be used to integrate this old dlinks in our authentication method? Or does somebody believes that there are clever ways to do it? I'm open suggestions.
Aruba Employee

Re: any advice for Third party APs integration?

Yes, stateful dot1x would do what you want to do as long as the dlink APs support WPA2-Enterprise. From the 3.4.2 users guide (page 323):

Stateful 802.1x authentication: This feature allows the controller to learn the identity and role of a user connected to a third-party AP, and is useful for authenticating users to networks with APs from multiple vendors. When an 802.1x-capable access point sends a authentication request to a RADIUS server, the controller inspects this request and the associated response to learn the authentication state of the user. It then applies an identity-based user role through the Policy Enforcement Firewall.

You can configure this feature from the Security > Authentication > L2 Authentication > Stateful 802.1x Authentication Profile. You will need a server group for your RADIUS server (which you can reuse from your Aruba WPA2-Enterprise configuration) and a role for the client (again, you can reuse the same one you use for the Aruba APs).
Occasional Contributor II

Re: any advice for Third party APs integration?

Ok, thanks alot.
I'll red that part of the manual to see if i can fit it in my enterprise.
Occasional Contributor II

Re: any advice for Third party APs integration?

I've just readed that part of the manual.

Let's see if I get it straight.

With this feature i can connect the vlan where I have all the d-links to one port of the aruba. Then setup the gateway after the aruba so to connect to radius dlinks will have to pass trough aruba.
Then aruba intercepts the radius reply about the client and aply the pertinent policy.
Then aruba routes the client packets to the pertinent vlan.

Is this way or I'm wrong?

The aruba port must be trusted or untrusted?

Thanks!
Aruba Employee

Re: any advice for Third party APs integration?

I think you are on the right track. When the RADIUS accept message is seen by the controller, meaning the client has successfully authenticated, the controller will apply the appropriate role to the user (as defined by the stateful dot1x profile). There is really no need to change the VLAN, I don't believe. If you do change the VLAN, you will have to force the client to do a release/renew on its IP address. By applying the role, you will ensure only traffic you permit is allowed to pass through the controller.

The Aruba port must be untrusted for this to work, I believe.
Occasional Contributor II

Re: any advice for Third party APs integration?

I'm not sure, but i'm afraid the client will ask for the IP adress after the VLAN changes. Moreover, on the first VLAN (the ones where the AP's are) there is only dhcp server for the d-link mac adress.
Also I'm thinking about the potential security flaws of this setup. In the scenario where a staff and a guest connect to the same acces point. There is the possibility of guest sniffing staff communications. Or the wpa-802.1x doesn't allow this.

Anyway, thanks alot, i'll will try this configuration and tell how is it going.
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: