What is the main difference between deploying the pre-shared key method or the dot1x method on an Aruba controller?
WPA2-Enterprise is far more secure than PSK but requires a RADIUS authentication server.
RADIUS requests are always handled by the controller (or a virtual Instant controller); this is true for any forwarding mode.
In bridge mode (when the controller is down), RADIUS requests cannot reach the controller and will not work. Therefore clients cannot authenticate with dot1x when the controller is down.
You have three options to create redundancy:
1. Do nothing, stay with one controller, accept the low risk that a controller fails. Never expose myself
If you need redundancy in a critical environment that depends on Wi-Fi:
2. Place a second controller
If you have Instant (IAP-xxx) access points:
3. Change to an Instant virtual cluster; don't use a physical controller.
It all depends on starting with a design and requirements; it is a pleasure to assist you with your questions.
What can you tell us:
- What controller do you have? What ArubaOS version?
- How many and what model of APs?
- How many clients?
- What type of clients / applications are needed?
- SSIDs and authentication methods.
- Remote locations (need for VPN?)
1- 7204 controller with the latest version, only one controller in standalone mode
2- 303 APs, 30 APs
3- Approximately 100 clients
4- N/A, I need to create an SSID for guest clients with captive portal
5- Authentication method WPA2 Personal (is this what is meant by pre-shared key?)
6- Campus APs
Important note: there's no RADIUS server. The main problem is keeping access points up when the controller is down. What mode should I use with campus, and what authentication method?
The good news is that your AP-303s are "Unify" access points (similar/new name of Instant APs) that can run in a virtual Instant cluster.
Your controller, a 7205, is oversized for your environment and can handle 256 APs, whereas you need to support 30 APs; in your environment a 7030 would have fit better and supports 64 APs. May I ask why you chose a 7205 controller?
As mentioned before, captive portal doesn't work in bridge mode. And the captive portal runs on the WLAN controller in a controller-based solution; clients can't be authenticated when the controller is down. Even if you had a dedicated RADIUS server, captive portal and 802.1X are handled by the controller.
Forget about the bridge forwarding mode; it will not fit your solution.
If you want redundancy on a controller-based solution, add a second controller; a 7030 will fit your solution in a master-local set. BUT!!!! When you run ArubaOS 8 and would like to have clustering in active-active, both controllers must be the same, and then you need a 7205 controller. Cluster mode is what we recommend because your users, APs and controllers are highly redundant with hitless failover. Also, your configuration is much clearer.
If a second controller is too expensive for you, you can go for the Instant virtual controller option. It has almost the same feature set as a controller-based solution, like ClientMatch, Adaptive Radio Management, roaming, captive portal, IDS/IPS firewalling, and so on.
Yes, with PSK (pre-shared key) we mean WPA2-Personal or WPA3-Personal.
Based on 30 APs and 100 users, the virtual controller solution will fit your case perfectly.
On an Instant cluster you can run a simple captive portal.
Some Instant virtual controller notes:
One good reason for choosing a controller-based solution is where you need a controller for VPN termination for IAP-VPN or RAPs or in some cases VIA clients.
One more thing: an Instant virtual cluster can be managed from the AP, the Aruba AirWave management solution (licensed) or the Aruba Central cloud solution (subscribed). In AirWave or Central you can manage separate Aruba Instant clusters together.
Hope this helps in making your decisions and better understanding the solution choices.
If you need more help, just ask! But also consider contacting your local Aruba partner.
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.