My company assign me a project and the idea is totally new to me. We have one customer, they want to install two DMZ Controllers in thier Data Center. On another hand our customer are willing to share the Airport existing Access Points for thier SSID. Airport Network have 2 Master Controllers and three Local Controllers. We are going to establish GRE over IPSec Tunnel from Airport Master Controllers to our customer DMZ Controllers. Now in this scenario i have the below questions.
1. Where i should do VAP Configuration? (Customer DMZ Controller or Airport Master Controllers)
2. What is the Role of my DMZ Controllers in the said scenario.
3. When the end user try to connect with our customer SSID, as the APs reach to Local Controller to which the AP connected. What should be the role of DMZ Controller.
4. Our customer SSID is EAP-SIM based.
I would honestly find professional help with people that have already designed this type of network locally. There are many answers to your questions based on the need and what would need to be accomplished. There is also a great need to ensure that the solution is secure. A local partner is the best person to get involved in these discussions so that you can have all of your bases discovered. It is very difficult to design a network based on forum questions and it would not be a secure as hiring someone to do it...
With that being said, please look at the post here: http://community.arubanetworks.com/t5/Aruba-Solution-Exchange/L2-GRE-to-DMZ-controller-with-Captive-Portal-SSID/ta-p/202649 to see what a DMZ deployment looks like.
In our case we don't have captive portal. We have 802.1x EAP-SIM authentication.
As i uderstood from the artical you sent to me, in our case Internal Controllers are Airport Master and Local Controllers. On Airport master they have already configured groups and in that groups just i will add my SSID Profile, then the Airport APs will start to broadcast our SSID as well.
Lets assume if a user try to associate with our EAP-SIM SSID, the user authentication traffic will first hit the DMZ controller via GRE over IPSec tunnel. Now further i am confused
1. Once they reach to DMZ what will happened?
2. Where should i configure the Radius Server Group either on DMZ Controllers or Airport Master Controller or Airport Local Controllers
3. Another thing where the sessions will be terminated? on DMZ Controller or Internel Controllers (Airport master or Locals).
Why do you want a controller in the DMZ? That would allow us to answer your questions.
I have tried to replicate your scenario from the information you have provided (though it's still quite vague). Can you confirm if attached picture represents your current deployment?
If that picture depicts correct scenario, below should be the list of events:
1. A client should try to connect to the network (automatically in case of hotspot 2.0 is enabled or manually in case you are using Plain EAP-SIM Authentication).
2. Your Access Points are connected to Airport Local, it will handle your communication with the Radius Server and terminate your session. Your Local Controllers will communicate with your AAA servers to authenticate users and these Locals will be added as clients on your AAA servers.
3. As I understand from the description, you also a L2 firewall after DMZ that swaps the authentication VLAN. So effectively, I assume your gateway should be positioned as: DMZ-->Firewall->Gateway. Everything will be L2 between Airport Local and gateway. Your firewall will flip or swap your authentication vlan at egress interface to isolcate your Core Network from direct external access. Obviously this traffic will flow through GRE tunnel towards DMZ and you have to allow that VLAN over your GRE.
4. Once your traffic reaches your gateway to reach AAA, it will be routed accordingly. AAA will validate EIP-SIM credentials and return traffic will follow same path. So, your supplicant will be end users, authenticator will be Airport Local and authentication server will be AAA server.
5. Once user authenticates successfully, user should be able to acquire IP Address and you should be able to see his session on Airport Local Controller.
Your DMZ will just be carrying authentication traffic and user traffic to your DC via GRE tunnel and firewall will be isolating your core network from direct outside access. Authentication traffic needs to be passed through firewall to avoid external controllers (I believe you dont own the Airport Controllers) have direct access to your Core network and client traffic (Post authentication) should take normal path as other EAP-SIM users are taking in your network.
Thanks for your usual support and time Jibran Bhai, Happy too much to see you here.
Jibran bhai so i can say DMZ Controller in our case is transparent, i mean DMZ is just terminating the GRE over IPSec tunnel. And simply receive the traffic (Authentication and internet) and forward to the gateway.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2020 Hewlett Packard Enterprise Development LPAll Rights Reserved.