Wireless Access

So I must admit, I'm not an Aruba guy... yet! I have been a Ruckus and Aerohive guy for a while, but I have been wanting to learn Aruba, and my wish is coming true in a bad way. I'm getting thrown head on into a situation where I have one day to get 32 AP's (125) and a controller up (3400). 

 

I cant get my hands on the controller before I arrive in a few days, but I think I have everything I need, execpt one thing. 

 

Here are my needs

- 1000 people max - Each with up to 2 max devices (I will never hit this limit)

- In some form, they all need their own passcode. 

- users split between 3 SSID's each with a different rate limit, and different QOS settings

 

I would like to avoid an external captpive portal to handle each user credintial, and I would rather do it via WPA2-PSK-AES so they just have a simple password for each user. 

 

Here is all the info I have on the licenses installed on the controller...

______________________________________________

(Aruba3400) #show license limits

License Limits
--------------
Limit  Value
-----  -----
32     Access Points
0      RF Protect
0      xSec Module
0      120abg Upgrade
0      121abg Upgrade
0      124abg Upgrade
0      125abg Upgrade
0      Next Generation Policy Enforcement Firewall Module
0      Advanced Cryptography
0      Service provider AP

(Aruba3400) #show ver
Aruba Operating System Software.
ArubaOS (MODEL: Aruba3400-US), Version 6.3.1.12
Website: http://www.arubanetworks.com
Copyright (c) 2002-2014, Aruba Networks, Inc.
Compiled on 2014-10-02 at 18:04:37 PDT (build 46311) by p4build

ROM: System Bootstrap, Version CPBoot 1.2.0.0 (build 20527)
Built: 2009-01-20 18:56:10
Built by: p4build@re_client_20527


Switch uptime is 6 minutes 10 seconds
Reboot Cause: User reboot (Intent:cause:register 78:86:50)
Supervisor Card
Processor XLR 516 (revision C4) with 1187M bytes of memory.
32K bytes of non-volatile configuration memory.
512M bytes of Supervisor Card System flash (model=CF 512MB).

(Aruba3400) #

_________________________________________

 

My questions...

-Without any PEF licenses, How many uses WPA2-PSK-AES accounts can I set up on the 3400?

-Can I limit each user/account to only 2 devices?

-The AP's will be the 125's, I know original 125's needed an upgrade to work on 802.11N, but the client says that the AP are alrealdy 802.11N. Was the 125upgrade a firmware thing in each AP, or is it a controller license? Whats 125abg upgrade license?

 

PS, this controller and these AP's have been been together, its parts from differnt offices coming together at a new office. 

You can only have 1 PSK per SSID. You could however add a captive portal
inside the controller with individual user passcodes



Yes, you can limit the number of simultaneous users per captive portal
session



That license is no longer in use. AP licenses work for any AP.

Cappalli

 

Thanks for the quick reply 

 

Couple of follow up questions. When reading the datasheet for the 3400, it says max users is 2048, but has an astrick that says that is determined by PEF licences. When it talks about users, does it mean Per guest account for captive portal? http://www.arubanetworks.com/pdf/products/DS_A3000.pdf

 

-Is any additional licence needed for the internal Captive portal?

-Are there any limitations to user policys under the captive portal? 

-If I just put up one SSID, can I have groups of users with different speed and firewall policys?

 

Im trying to understand more about the Next Generation Policy Enforcement Firewall Module? Can you provide any info as to what this is and If I need it? I have only been able to find that one licenses applies to 8 AP's...  But do I need it to apply any firewall policys to Users?

 

Thanks

• Yes, the maximum users for that controller is 2,048
• No, you can use a basic captive portal without any additional licenses
• Without the PEF license, you cannot modify the firewall policies
• Without PEF, you cannot do different user roles. All authenticated users would be placed into the same role. Bandwidth contracts are not available without PEF
• The PEFNG license allows for advanced policy and firewall. Things like RBAC that allow you to put users into different roles and add stateful firewall policies, bandwidth contracts and application QoS.
• Licensing if 1 for 1. If you choose to use PEFNG and have 8 APs, you would need 8 PEFNG licenses

 

Thanks for the info! 

 

This only leaves me with one more question. 

 

Is there a difference between PEF and NGPEF? 

 

We have another controller I can use, but just have to drop down to 24 AP's which will be ok...

 

Here's the licenses. 

---------------------------------------------------------------------

(rvt21-Wireless-Controller) #show license limits
License Limits
--------------
Limit Value
----- -----
24 Access Points
0 Ortronics Access Points
24 RF Protect
0 xSec Module
0 120abg Upgrade
0 121abg Upgrade
0 124abg Upgrade
0 125abg Upgrade
72 Next Generation Policy Enforcement Firewall Module
0 Advanced Cryptography
0 Service provider AP(rvt21-Wireless-Controller) #
(rvt21-Wireless-Controller) #

---------------------------------------------------------------------

 

Will I need anything else to achive my goal of different group users poilicies/speeds on the same SSID with captive portal to auth each user who have their own individual passcode?

 

Thanks

 

PEF is the license for pre ArubaOS5.0 deployements.

You should be ordering PEFNG licenses and have your controllers running in a greater than 5.0 release.

 

Licensing:

Figure out what licenses you need. For the features you request you need AP and PEFNG licenses.

Make sure to get 1 AP and 1 PEFNG license for each AP you will be installing.

 

I am not sure how one would limit the active sessions to 2 per user. You can limit it to 1 session or not limit it as far as I know (if you are only using the controller without external auh server).. but I may be missing something here.

 

Other than that you're set.