11-09-2014 04:46 AM
I'm working on an implementation to stretch out the connectivity from our offices to external sites using RAP and performing 802.1x on the wires, and I need a few more switch ports.
Initially I've been trying to utilize a simple switch, adding a small Juniper EX-2200C without any configuration, but unfortunately clients can't authenticate because the switch needs to be fully configured for 802.1x and the EAPOL frames are dropped in between. So far, the only switch which is transparent is a cheap D-Link GO. It works fine, but I'd like to know if someone else has a better option to just expand the switch ports without having to configure something else and without breaking the security.
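As an added illustration of the symptom in the post above (this is not code from the thread or from any vendor), the classifier below parses raw Ethernet frames and flags EAPOL. EAPOL uses EtherType 0x888E and the PAE group address 01-80-C2-00-00-03, which falls in the 802.1D reserved range that a standards-compliant bridge must not relay; that is why an 802.1X-unaware managed switch between the client and the RAP port silently absorbs the authentication exchange. The client MAC and the sample ARP frame are constructed values.

```python
# Added example: classify raw Ethernet frames and show why a plain 802.1D
# bridge never relays EAPOL (802.1X) frames to another port.
import struct

EAPOL_ETHERTYPE = 0x888E
ARP_ETHERTYPE = 0x0806
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
RESERVED_PREFIX = bytes.fromhex("0180c20000")    # 01-80-C2-00-00-00 .. -0F
BROADCAST = b"\xff" * 6

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

# Constructed sample client MAC (locally administered, not a real device).
CLIENT_MAC = bytes.fromhex("02aabbccddee")


def parse_frame(frame: bytes) -> dict:
    """Return the header fields of an untagged Ethernet frame.

    If the frame is EAPOL, the EAPOL packet type is decoded as well.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst, "src": src, "ethertype": ethertype, "eapol_type": None}
    if ethertype == EAPOL_ETHERTYPE and len(frame) >= 18:
        _version, ptype, _body_len = struct.unpack("!BBH", frame[14:18])
        info["eapol_type"] = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    return info


def is_reserved_group_addr(mac: bytes) -> bool:
    """True for 01-80-C2-00-00-00 .. 01-80-C2-00-00-0F (802.1D reserved)."""
    return mac[:5] == RESERVED_PREFIX and mac[5] <= 0x0F


def bridge_forwards(frame: bytes) -> bool:
    """Would a plain 802.1D bridge relay this frame out of its other ports?

    Frames to the reserved group range are consumed by the bridge itself,
    so an unconfigured managed switch drops EAPOL instead of passing it on.
    """
    return not is_reserved_group_addr(parse_frame(frame)["dst"])


def build_eapol_start(src_mac: bytes) -> bytes:
    """Build the EAPOL-Start a supplicant sends when it wants to authenticate."""
    # EAPOL protocol version 2, packet type 1 (EAPOL-Start), empty body.
    return PAE_GROUP_ADDR + src_mac + struct.pack("!HBBH", EAPOL_ETHERTYPE, 2, 1, 0)


def build_arp_request(src_mac: bytes) -> bytes:
    """Build a minimal broadcast ARP request for comparison (constructed)."""
    # Only the Ethernet header matters here; the ARP body is zero-filled.
    return BROADCAST + src_mac + struct.pack("!H", ARP_ETHERTYPE) + b"\x00" * 28


if __name__ == "__main__":
    for name, frame in (("EAPOL-Start", build_eapol_start(CLIENT_MAC)),
                        ("ARP request", build_arp_request(CLIENT_MAC))):
        info = parse_frame(frame)
        print(f"{name}: ethertype=0x{info['ethertype']:04x} "
              f"eapol_type={info['eapol_type']} bridge_forwards={bridge_forwards(frame)}")
```

Running it prints that the ARP request is forwarded while the EAPOL-Start is not, which matches the behaviour seen with the unconfigured EX-2200C: the only ways through are a switch that ignores the reserved range (the unmanaged D-Link) or a switch configured to terminate or relay 802.1X itself.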
11-09-2014 06:10 AM - edited 11-09-2014 06:11 AM
How many extra ports do you need? You have a couple of options outside of what you have already tried:
- Add a second or third RAP-155P. Configure them as an Instant cluster with one another and configure port security for each remaining port.
- Add an Aruba Mobility Access Switch (various models with port densities of 12, 24, and 48). An S1500-12P is the lowest density/cost choice, yet retains all the MAS functionality.
Both options allow for VPN functionality to a Mobility Controller at another site if necessary.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
11-09-2014 09:11 AM
First of all, thanks for the input.
I'm looking for 16 ports. RAPs will be placed in an untrusted place outside of my corp network, so security is a must. In my deployment I use RAP with zero touch, so it is very easy to deploy and maintain.
I tested the same with an Aruba Switch, but for the security and support model this option adds a new platform to maintain which needs to be configured and also keeps a copy of the configuration at the remote end. The Aruba Switch is not fully zero touch and would require maintaining more firmware and new roadmaps. RAP is much easier to provision, update, modify and upgrade.
When I tried it with a Juniper EX switch, I managed to configure one switch port out of the 4 on the RAP as a trunk to pass the frames to the central controller to terminate the 802.1x. It works, but this is much more complicated to maintain, and I also don't want to open one port of the RAP as it is unsecured.
Your first option is fine, but with 16 ports I would have to multiply the hardware/cost of the solution by 4, and the scope is EMEA, so the cost wouldn't be affordable.
11-09-2014 09:28 AM
11-09-2014 09:41 AM
It would be nice if we were in the Aruba LAN Infrastructure model, but we are on the Juniper side with a strong direction to standardize. If I introduce a new vendor, I would have to pass down all the knowledge to all support levels along with the new software/hardware roadmap. RAP is what we use for teleworkers, and this new proposal to provide a solution for hosting connectivity from remote places works really nicely: easy, simple and cheap. I would like to avoid a new deviation.
I see this as an excellent feature for rolling out LAN deployments in small enterprises.
By the way, thanks for your feedback too.
11-09-2014 09:47 AM
I definitely understand the approval piece. From the training piece, the Aruba switch is nearly identical to an Aruba controller. The idea to securely extend the network at a low cost was one of the major reasons the switch was brought to market.