New Contributor

About GRE Tunnel integrity

Hi,

 

I'm searching for some information about encryption between the controller and the access point.

I want to be sure of the security of the data that is passing over my LAN.

I have seen that decryption is performed by the controller in "tunnel mode", so I'm not worried about SSIDs which are using AES or another encryption protocol.

But what happens with an open SSID? Is the data encrypted? Is there a function to be sure that a tunnel towards an access point can't be set up by a rogue computer?

 

Awaiting your help and your knowledge,

Thanks,

JB.

 

 

Guru Elite

Re: About GRE Tunnel integrity

User traffic is tunneled between the access point and the controller using GRE, NOT encrypted. If you are using encryption on that SSID, the traffic is tunneled and encrypted using whatever encryption you are using on that SSID. If you are using an Open SSID, there is no encryption and the traffic is just tunneled.

 

WPA2-AES - Traffic is tunneled and encrypted with WPA2-AES

WPA2-PSK-AES - Traffic is tunneled and encrypted with WPA2-PSK-AES.

Open - Traffic is tunneled and not encrypted.

 

If you want your traffic to be encrypted on the LAN, you should not be using an Open SSID.

 

I hope that makes sense.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
New Contributor

Re: About GRE Tunnel integrity

Thank you for the confirmation of my doubts.

I wrote this question because I've already worked with CAPWAP tunnels and it included a double-encryption capability.

 

So, for my second point, do you know if the controller uses an Aruba proprietary GRE protocol to be sure that a tunnel towards an access point can't be set up by a rogue computer?

 

Guru Elite

Re: About GRE Tunnel integrity

It is standard GRE. Again, if a user captures the tunnel information, they will be able to see everything if the SSID is open. If the SSID is encrypted they will only see encrypted information.

 

Back in the day on Cisco, even encrypted traffic was decrypted at the access point and then only tunneled via CAPWAP back to the controller, so it would be capable of being captured and reassembled on the LAN. Aruba's traffic by default has always been tunneled all the way back to the controller and decrypted there, where it could not be viewed on the LAN.

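An added example, not part of the original thread and not Aruba code: a Python check for packets captured on your own wired segment, showing what the replies above describe. The standard GRE header (RFC 2784/2890) has no encryption or authentication fields, so the only protection is the inner frame's own 802.11 encryption. It assumes the GRE payload begins with the client's 802.11 frame; the sample packets, addresses and GRE protocol type 0x0000 are constructed placeholders.

```python
import struct

PROTECTED = 0x40  # 802.11 Frame Control flags byte: Protected Frame bit

def parse_gre(ip_packet: bytes):
    """Parse an IPv4 packet carrying GRE (RFC 2784/2890).
    Returns (flags, protocol_type, payload), or None if it is not GRE."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 47:
        return None
    gre = ip_packet[(ip_packet[0] & 0x0F) * 4:]
    if len(gre) < 4:
        return None
    bits, proto = struct.unpack("!HH", gre[:4])
    # Optional fields: checksum (error detection only), key (a plain
    # identifier), sequence number. None is a cryptographic control.
    flags = {"checksum": bool(bits & 0x8000), "key": bool(bits & 0x2000),
             "sequence": bool(bits & 0x1000)}
    offset = 4 + 4 * sum(flags.values())  # each optional field adds 4 bytes
    if len(gre) < offset:
        return None
    return flags, proto, gre[offset:]

def classify(ip_packet: bytes) -> str:
    """Assumption: the GRE payload starts with the client's 802.11 frame."""
    parsed = parse_gre(ip_packet)
    if parsed is None:
        return "not-gre"
    inner = parsed[2]
    if len(inner) < 2:
        return "unknown"
    if (inner[0] >> 2) & 0x3 != 2:  # 802.11 frame type 2 = data
        return "non-data"
    return "encrypted" if inner[1] & PROTECTED else "cleartext"

def sample(frame_control: bytes, body: bytes) -> bytes:
    """Constructed packet: IPv4 + bare GRE header + truncated 802.11-like frame."""
    gre = struct.pack("!HH", 0x0000, 0x0000) + frame_control + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, 47, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return ip + gre

OPEN_SSID = sample(b"\x08\x01", b"GET / HTTP/1.1")  # Protected bit clear
WPA2_SSID = sample(b"\x08\x41", bytes(range(16)))   # Protected bit set

if __name__ == "__main__":
    for name, pkt in (("open", OPEN_SSID), ("wpa2", WPA2_SSID)):
        print(name, parse_gre(pkt)[0], classify(pkt))
```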