
Aruba DMZ Controllers Deployment

  • 1.  Aruba DMZ Controllers Deployment

    Posted Jan 15, 2017 07:50 AM

    Dear All,


    My company assigned me a project, and the idea is totally new to me. We have one customer who wants to install two DMZ Controllers in their Data Center. On the other hand, our customer is willing to share the Airport's existing Access Points for their SSID. The Airport Network has 2 Master Controllers and three Local Controllers. We are going to establish a GRE over IPSec Tunnel from the Airport Master Controllers to our customer's DMZ Controllers. Now in this scenario I have the below questions.


    1. Where should I do the VAP Configuration? (Customer DMZ Controller or Airport Master Controllers)

    2. What is the Role of my DMZ Controllers in the said scenario?

    3. When the end user tries to connect to our customer SSID, the APs reach the Local Controller to which the AP is connected. What should be the role of the DMZ Controller?

    4. Our customer SSID is EAP-SIM based.

  • 2.  RE: Aruba DMZ Controllers Deployment

    Posted Jan 15, 2017 08:31 AM

    I would honestly find professional help with people that have already designed this type of network locally. There are many answers to your questions based on the need and what would need to be accomplished. There is also a great need to ensure that the solution is secure. A local partner is the best person to get involved in these discussions so that you can have all of your bases discovered. It is very difficult to design a network based on forum questions and it would not be as secure as hiring someone to do it...

  • 3.  RE: Aruba DMZ Controllers Deployment

    Posted Jan 15, 2017 08:40 AM

    With that being said, please look at the post here:  http://community.arubanetworks.com/t5/Aruba-Solution-Exchange/L2-GRE-to-DMZ-controller-with-Captive-Portal-SSID/ta-p/202649 to see what a DMZ deployment looks like.

  • 4.  RE: Aruba DMZ Controllers Deployment

    Posted Jan 15, 2017 09:25 AM

    Thanks cjoseph,


    In our case we don't have captive portal. We have 802.1x EAP-SIM authentication.


    As I understood from the article you sent to me, in our case the Internal Controllers are the Airport Master and Local Controllers. On the Airport Master they have already configured groups, and in those groups I will just add my SSID Profile; then the Airport APs will start to broadcast our SSID as well.


    Let's assume a user tries to associate with our EAP-SIM SSID; the user authentication traffic will first hit the DMZ controller via the GRE over IPSec tunnel. Now further I am confused.


    1. Once they reach the DMZ, what will happen?

    2. Where should I configure the Radius Server Group: on the DMZ Controllers, the Airport Master Controller, or the Airport Local Controllers?

    3. Another thing: where will the sessions be terminated? On the DMZ Controller or the Internal Controllers (Airport Master or Locals)?

  • 5.  RE: Aruba DMZ Controllers Deployment

    Posted Jan 15, 2017 09:50 AM

    Why do you want a controller in the DMZ?  That would allow us to answer your questions.

  • 6.  RE: Aruba DMZ Controllers Deployment
    Best Answer

    Posted Jan 15, 2017 10:10 PM


    I have tried to replicate your scenario from the information you have provided (though it's still quite vague). Can you confirm if the attached picture represents your current deployment?


    If that picture depicts the correct scenario, below should be the list of events:

    1. A client should try to connect to the network (automatically in case Hotspot 2.0 is enabled, or manually in case you are using plain EAP-SIM Authentication).

    2. Your Access Points are connected to Airport Local; it will handle your communication with the Radius Server and terminate your session. Your Local Controllers will communicate with your AAA servers to authenticate users, and these Locals will be added as clients on your AAA servers.

    3. As I understand from the description, you also have an L2 firewall after the DMZ that swaps the authentication VLAN. So effectively, I assume your gateway should be positioned as:  DMZ-->Firewall->Gateway. Everything will be L2 between Airport Local and the gateway. Your firewall will flip or swap your authentication VLAN at the egress interface to isolate your Core Network from direct external access. Obviously this traffic will flow through the GRE tunnel towards the DMZ, and you have to allow that VLAN over your GRE.

    4. Once your traffic reaches your gateway to reach AAA, it will be routed accordingly. AAA will validate the EAP-SIM credentials and return traffic will follow the same path. So, your supplicant will be the end users, the authenticator will be Airport Local, and the authentication server will be the AAA server.

    5. Once the user authenticates successfully, the user should be able to acquire an IP Address and you should be able to see his session on the Airport Local Controller.


    Your DMZ will just be carrying authentication traffic and user traffic to your DC via the GRE tunnel, and the firewall will be isolating your core network from direct outside access. Authentication traffic needs to be passed through the firewall to avoid external controllers (I believe you don't own the Airport Controllers) having direct access to your Core network, and client traffic (post authentication) should take the normal path as other EAP-SIM users are taking in your network.

  • 7.  RE: Aruba DMZ Controllers Deployment

    Posted Jan 16, 2017 03:35 AM

    Thanks for your usual support and time Jibran Bhai, Happy too much to see you here.


    Jibran bhai, so I can say the DMZ Controller in our case is transparent; I mean the DMZ is just terminating the GRE over IPSec tunnel, and simply receives the traffic (authentication and internet) and forwards it to the gateway.