Hi,
We're planning a new Aruba deployment for improved guest/BYOD and occasional secure corporate access. The guest/BYOD side I think we're OK with for now.
As we're not quite ready to move to a pure wireless environment for our corporate network at this stage, our laptops (predominantly Windows 7 clients) will retain wired (docked) connections, but we'd like them to easily transition to the corporate WLAN when undocked for meetings etc., and back to the wire, seamlessly without requiring user input or a logoff/on to authenticate to the WLAN.
We require both machine & user authentication for the WLAN, so our current plan is to use 802.1X EAP/PEAP-MSCHAPv2 with machine and user authentication via NPS/Active Directory.
The way we see it working is most users will leave their wifi adapters switched on even when docking, so presumably when the laptop boots it will initiate the LAN adapter as usual but it will also initiate and authenticate to our corporate WLAN as well. The O/S should hopefully prefer the LAN interface based on metrics keeping the majority of traffic on the wire, but users can then undock and work wirelessly when required. Is this basically correct and can we rely on Windows doing the right thing with routing?
I also think one of the issues we may face with enforcing machine auth is where users have for some reason docked with the wifi adapter switched off and logged in to the machine only over the LAN. In this case, we're assuming WLAN machine authentication won't happen when they switch on the wifi adapter and they will fail to authenticate fully and perhaps require a logoff/on to join the WLAN?
As a side - we really like the granular role based access the WLAN gives us, so we're wondering if it's somehow possible to take advantage of this with our existing LAN switches (Cisco) to provide Aruba centric role based access on the wired side as well, and get away from VLAN based security (without the need for Aruba mobility switches :-). We are able to configure the wired LAN such that the Aruba controllers will be the next hop/gateway for wired devices if that is relevant in any way. Also, perhaps this may solve the problem with machine authentication when the wifi adapter is switched off, as the client will already have authenticated over the wire?
Being able to provide consistent user role based access whether wired or wireless and transition seamlessly would be ideal, but I'm not sure if we can do this with our current wired infrastructure. A high-level diagram is attached; any comments or guidance appreciated!
Kind Regards,
Adrian
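An added example, not part of the original post, for verifying the two assumptions in it on a docked client: which adapter actually wins the default route by interface metric, and whether a given NPS Access-Accept (event 6272) was a machine or a user authentication. It uses only netsh and the Windows event log, so it runs on Windows 7 / PowerShell 2.0; the `-NpsServer` parameter and the requirement to read the NPS Security log remotely are assumptions of this script.

```powershell
# Added example (not from the original post or from Aruba/Microsoft docs).
# Run on a docked Windows 7 client; pass -NpsServer to also query NPS.
param([string]$NpsServer)   # hypothetical parameter, name chosen for this example

# 1. Interface metrics: the connected interface with the lowest metric
#    carries the default route, so this is what decides "wire vs. WLAN".
#    'netsh interface ipv4 show interfaces' columns: Idx Met MTU State Name
$ifaces = netsh interface ipv4 show interfaces |
    Where-Object { $_ -match '^\s*\d+\s+\d+\s+\d+\s+connected' } |
    ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+', 5   # keep spaces in Name
        New-Object PSObject -Property @{ Idx = [int]$f[0]; Metric = [int]$f[1]; Name = $f[4] }
    }
$ifaces | Sort-Object Metric | Format-Table Idx, Metric, Name -AutoSize
$preferred = $ifaces | Sort-Object Metric | Select-Object -First 1
"Default route currently prefers: " + $preferred.Name

# 2. 802.1X state of the WLAN adapter as reported by WLAN AutoConfig:
#    State should read "connected" and Authentication should show the
#    enterprise method (WPA2-Enterprise) rather than a PSK.
netsh wlan show interfaces | Select-String 'State|SSID|Authentication|Cipher'

# 3. On the NPS server: recent Access-Accept events (6272). PEAP machine
#    authentication shows the account as host/<computer FQDN>; user
#    authentication shows DOMAIN\user. Seeing only a user entry for a
#    client confirms the "machine auth never happened" case described above.
if ($NpsServer) {
    Get-WinEvent -ComputerName $NpsServer `
        -FilterHashtable @{ LogName = 'Security'; Id = 6272 } -MaxEvents 20 |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $acct = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
            $kind = if ($acct -like 'host/*') { 'machine' } else { 'user' }
            "{0}  {1,-8} {2}" -f $_.TimeCreated, $kind, $acct
        }
}
```

Run it once docked with wifi on and once after re-enabling a wifi adapter that was off at logon; the NPS output shows directly whether a machine-auth entry appears in the second case.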