01-21-2010 04:00 AM
Now those D-Links are in the tunnel, a place full of harmful radiation. For the moment we will keep the old D-Links there just in case they get fried.
Finally, access to the wireless network will be through a single SSID using WPA2-Enterprise. Then we will separate the clients into 3 VLANs according to their credentials. For this, Aruba uses the VLAN value of the client returned by the RADIUS server.
The VLANs are staff, guest and voip.
We would like to integrate those D-Links with Aruba as third-party APs. There is a feature called "stateful 802.1x".
More information: https://airheads.arubanetworks.com/vBulletin/showthread.php?t=1048. Does anybody know if this could be used to integrate these old D-Links into our authentication method? Or does somebody believe that there are clever ways to do it? I'm open to suggestions.
01-21-2010 05:13 AM
Stateful 802.1x authentication: This feature allows the controller to learn the identity and role of a user connected to a third-party AP, and is useful for authenticating users to networks with APs from multiple vendors. When an 802.1x-capable access point sends an authentication request to a RADIUS server, the controller inspects this request and the associated response to learn the authentication state of the user. It then applies an identity-based user role through the Policy Enforcement Firewall.
You can configure this feature from the Security > Authentication > L2 Authentication > Stateful 802.1x Authentication Profile. You will need a server group for your RADIUS server (which you can reuse from your Aruba WPA2-Enterprise configuration) and a role for the client (again, you can reuse the same one you use for the Aruba APs).
01-22-2010 01:48 AM
Let's see if I get it straight.
With this feature I can connect the VLAN where I have all the D-Links to one port of the Aruba. Then set up the gateway after the Aruba, so to connect to RADIUS the D-Links will have to pass through the Aruba.
Then Aruba intercepts the RADIUS reply about the client and applies the pertinent policy.
Then Aruba routes the client packets to the pertinent VLAN.
Is this the way, or am I wrong?
Must the Aruba port be trusted or untrusted?
01-22-2010 06:11 AM
The Aruba port must be untrusted for this to work, I believe.
01-25-2010 09:05 AM
Also I'm thinking about the potential security flaws of this setup. In the scenario where a staff member and a guest connect to the same access point, there is the possibility of the guest sniffing staff communications. Or does WPA-802.1x not allow this?
Anyway, thanks a lot, I'll try this configuration and tell how it is going.