For customers wishing to distribute Remote Access Points (RAP) to their employees there are concerns of overhead and security.
They are looking for a zero-touch method where the remote access points will get their configuration automatically and at the same time the distribution, authentication and connectivity is done securely. For instance how to deal with the case, when a RAP is sent via post to an employee at home and this RAP is lost or gets in unauthorized hands?
Aruba provides a secure provisioning solution for it Remote Access Points. This is described in the figure below:
As seen in the figure, the key element here is that the RAP allows no wired or wireless connectivity until the user connects his laptop to a wired port on the RAP and authenticates on the captive portal using his Active Directory or Windows username and password. The user does it once; after that the RAP is whitelisted and will allow the configured settings like WiFi and Wired connectivity. This step prevents the RAP from coming under unauthorized hands before it reaches its destination.
The provisioning of the RAP is simple, zero-touch and secure. This scenario was implemented by large German customer in the transportation business as well as many other security-aware customers.
Also worth to mention is that the IPSec VPN is established through a certificate built into a TPM (Trusted Platform Module) chipset that exist on the RAP. This certificate cannot be tampered with. This ensures confidentiality of data transmitted over the internet.
This kind of secure provisioning is unique to Aruba.
At Aruba we advance how people live and work
Can you please share how you whitelist the RAP during the captiveportal login?
The keyword is "AP Authorization Profiles" have a look in the AOS User Guide under "Configuring Remote AP Authorization Profiles".
The idea is, the RAP will use an AP Group (the AP Authorization Group) before a user authenticates. What I have done for a customer, we did not create any SSID in this Group and allowed only the usage of wired Ports 1-3. On these ports we configured a role which will forward the user to the controller captive portal. The authentication was against customer's NAC. After a user authenticates successfully on the wired port, the AP have the configuration in its AP Group up and running including SSIDs and Wired Ports.
It this process relying on Aruba Activate or Central Platform? Also is the AP actually running in RAP mode or is it running in IAP with a VPN? This is vary interesting since I may be deploying more RAPs as the CV progresses and they are an awesome solution event though the older networking guys don't like the flexibility but can't deny its the best solution.
Relying on Activate.
The described secure provisioning is only available with RAP
Awesome solution even though I don't have the slick authenticate to a port via wired. I would be interested in seeing how that is configured. But for the provision of RAPs using Activate without having to touch them is great. I have the APs come up in a Staging group with all port and wife shut off. Basically a manual process to get them turned on.
Wired Port Authentication is described very good in AOS8 User Guide.
In Short, you will define a Role in the same process as you would do for Wireless Roles. Then you will set this role in the Wired Profile.
AOS 8.5 documentation are here
How is it influencing the whitelist during the login?
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2020 Hewlett Packard Enterprise Development LPAll Rights Reserved.