Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

SECURE REMOTE ACCESS POINT PROVISIONING

  • 1.  SECURE REMOTE ACCESS POINT PROVISIONING

    Posted Mar 16, 2020 03:06 AM

    For customers wishing to distribute Remote Access Points (RAP) to their employees there are concerns of overhead and security.

    They are looking for a zero-touch method where the remote access points get their configuration automatically and, at the same time, the distribution, authentication and connectivity are done securely. For instance, how to deal with the case when a RAP is sent via post to an employee at home and this RAP is lost or gets into unauthorized hands?

    Aruba provides a secure provisioning solution for its Remote Access Points. This is described in the figure below:

     

    [Figure: p3.jpg]

    As seen in the figure, the key element here is that the RAP allows no wired or wireless connectivity until the user connects his laptop to a wired port on the RAP and authenticates on the captive portal using his Active Directory or Windows username and password. The user does it once; after that the RAP is whitelisted and will allow the configured settings like WiFi and wired connectivity. This step prevents the RAP from falling into unauthorized hands before it reaches its destination.

    The provisioning of the RAP is simple, zero-touch and secure. This scenario was implemented by a large German customer in the transportation business as well as many other security-aware customers.

     

    Also worth mentioning is that the IPSec VPN is established through a certificate built into a TPM (Trusted Platform Module) chipset that exists on the RAP. This certificate cannot be tampered with. This ensures confidentiality of data transmitted over the internet.

     

    This kind of secure provisioning is unique to Aruba.

     

    At Aruba we advance how people live and work




  • 2.  RE: SECURE REMOTE ACCESS POINT PROVISIONING

    Posted Mar 16, 2020 05:35 AM

    Can you please share how you whitelist the RAP during the captive portal login?



  • 3.  RE: SECURE REMOTE ACCESS POINT PROVISIONING

    Posted Mar 16, 2020 06:14 AM

    The keyword is "AP Authorization Profiles"; have a look in the AOS User Guide under "Configuring Remote AP Authorization Profiles".

    The idea is that the RAP will use an AP Group (the AP Authorization Group) before a user authenticates. What I have done for a customer: we did not create any SSID in this group and allowed only the usage of wired ports 1-3. On these ports we configured a role which will forward the user to the controller captive portal. The authentication was against the customer's NAC. After a user authenticates successfully on the wired port, the AP has the configuration in its AP Group up and running, including SSIDs and wired ports.



  • 4.  RE: SECURE REMOTE ACCESS POINT PROVISIONING

    Posted Mar 16, 2020 01:45 PM

    Is this process relying on Aruba Activate or the Central platform? Also, is the AP actually running in RAP mode or is it running as an IAP with a VPN? This is very interesting since I may be deploying more RAPs as the CV progresses, and they are an awesome solution even though the older networking guys don't like the flexibility but can't deny it's the best solution.



  • 5.  RE: SECURE REMOTE ACCESS POINT PROVISIONING

    Posted Mar 17, 2020 03:33 AM

    Relying on Activate. 

    The described secure provisioning is only available with RAP.



  • 6.  RE: SECURE REMOTE ACCESS POINT PROVISIONING

    Posted Mar 19, 2020 09:24 AM

    Awesome solution, even though I don't have the slick authenticate-to-a-port-via-wired setup. I would be interested in seeing how that is configured. But the provisioning of RAPs using Activate without having to touch them is great. I have the APs come up in a Staging group with all ports and WiFi shut off. Basically a manual process to get them turned on.



  • 7.  RE: SECURE REMOTE ACCESS POINT PROVISIONING

    Posted Mar 20, 2020 05:31 AM

    Wired Port Authentication is described very well in the AOS8 User Guide.

    In short, you will define a role in the same way as you would for wireless roles. Then you will set this role in the Wired Profile.

    The AOS 8.5 documentation is here:

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=34189



  • 8.  RE: SECURE REMOTE ACCESS POINT PROVISIONING

    Posted Mar 20, 2020 10:36 AM

    How is it influencing the whitelist during the login?