01-29-2013 04:31 AM
We're planning a new Aruba deployment for improved guest/BYOD and occasional secure corporate access. The guest/BYOD side I think we're OK with for now.
As we're not quite ready to move to a pure wireless environment for our corporate network at this stage, our laptops (predominantly Windows 7 clients) will retain wired (docked) connections, but we'd like them to easily transition to the corporate WLAN when undocked for meetings etc., and back to the wire, seamlessly without requiring user input or a logoff/on to authenticate to the WLAN.
We require both machine & user authentication for the WLAN, so our current plan is to use 802.1x EAP/PEAP-MSCHAPv2 with machine and user authentication via NPS/Active Directory.
The way we see it working is most users will leave their wifi adapters switched on even when docking, so presumably when the laptop boots it will initiate the LAN adapter as usual but it will also initiate and authenticate to our corporate WLAN as well. The O/S should hopefully prefer the LAN interface based on metrics keeping the majority of traffic on the wire, but users can then undock and work wirelessly when required. Is this basically correct and can we rely on Windows doing the right thing with routing?
I also think one of the issues we may face with enforcing machine auth is where users have for some reason docked with the wifi adapter switched off and logged in to the machine only over the LAN. In this case, we're assuming WLAN machine authentication won't happen when they switch on the wifi adapter and they will fail to authenticate fully and perhaps require a logoff/on to join the WLAN?
As a side note - we really like the granular role-based access the WLAN gives us, so we're wondering if it's somehow possible to take advantage of this with our existing LAN switches (Cisco) to provide Aruba-centric role-based access on the wired side as well, and get away from VLAN-based security (without the need for Aruba mobility switches :-) ). We are able to configure the wired LAN such that the Aruba controllers will be the next hop/gateway for wired devices, if that is relevant in any way. Also, perhaps this may solve the problem with machine authentication when the wifi adapter is switched off, as the client will already have authenticated over the wire?
Being able to provide consistent user role-based access whether wired or wireless and transition seamlessly would be ideal, but I'm not sure if we can do this with our current wired infrastructure. A high-level diagram is attached; any comments or guidance appreciated!
01-29-2013 05:41 AM
- You'd hope that Windows would choose to route traffic over the proper LAN interface rather than WLAN, but this is not always the case. As issues arise with some of my customers, I point them at solutions like Wireless Autoswitch. It basically runs as a service and disables/enables wireless based upon the presence of the LAN.
- You mention that you want to use both user and machine auth; but what you didn't say was whether you wanted to "enforce machine authentication" in Aruba terms. If you just want to be able to auth both users and computers, your fear of users being docked then moving to wireless should not be an issue. If you want to "enforce machine auth" in the dot1x authentication profile, then yes; you'll need the computer to authenticate wirelessly at least once during the cache period (also defined in the dot1x profile).
- As for your wired Cisco switches. You have the ability to route all traffic through the controller and authenticate the device; however I don't believe you can do 802.1X authentication in this scenario. You have the option to use Captive Portal for connecting users, but I believe when a client connects, the Cisco switch would see the EAPOL message; and not pass it through to the controller.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
01-29-2013 06:15 AM
With Windows 7 it is possible to determine interface priority and not rely on the old way, where the highest-bandwidth interface is used.
This is how you configure it:
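The configuration steps from the post above did not survive on this page. As an added example (not boneyard's content and not from Aruba), the following PowerShell session pins the docked wired adapter ahead of Wi-Fi by assigning explicit IPv4 interface metrics with netsh, which is available on Windows 7. The adapter names are assumptions; use the names reported by `netsh interface ipv4 show interfaces` on the actual machine.

```powershell
# Added example, not from the original thread: prefer the wired adapter over
# Wi-Fi by setting explicit interface metrics (lower metric wins).
# Adapter names below are assumptions; check "show interfaces" output first.
$wired    = "Local Area Connection"         # assumed name of the docked LAN adapter
$wireless = "Wireless Network Connection"   # assumed name of the Wi-Fi adapter

# 1. Inspect current metrics (the "Met" column). With the default automatic
#    metric, Windows derives the value from link speed, so a fast Wi-Fi link
#    can end up tied with or ahead of the wired port.
netsh interface ipv4 show interfaces

# 2. Assign explicit metrics. Setting a metric turns off "Automatic metric"
#    for that adapter (the same as unticking it in Advanced TCP/IP Settings).
#    Run from an elevated prompt.
netsh interface ipv4 set interface interface="$wired"    metric=10
netsh interface ipv4 set interface interface="$wireless" metric=50

# 3. Verify: with both adapters up, the default route (0.0.0.0) through the
#    wired gateway should now show the lower combined metric
#    (interface metric + route metric) and be the one Windows selects.
route -4 print 0.0.0.0
```

Both interfaces still come up and both still authenticate to their respective networks; the metric only decides which default route carries traffic while the laptop is docked, and the Wi-Fi route takes over automatically when the wired link goes down. These settings are per machine, so for a fleet they are normally pushed through Group Policy or a startup script rather than typed by hand.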
01-29-2013 08:08 AM
Thanks for the feedback and the info on autoswitch, we'll bear this in mind but I think would prefer to use interface priorities if possible as per boneyard's post (thanks).
With regards to machine and user authentication, we want to prevent unauthorized devices being allowed to connect to the corporate WLAN using AD credentials.
So at the moment we're planning on enforcing machine authentication, but if there are other ways of achieving this then we're open to suggestions - we want to avoid deploying PKI if possible.