Summary
The solution template is designed to generate a complete configuration for all different types of SSIDs such as Open System, Pre-share Key and 802.1x Radius using most of the default settings and options.
When adding a new SSID to an existing AP group, only profiles relevant to the virtual AP configuration and profile are added to the AP group.
The Opmode supported are:
- Open System - No authentication or encryption.
- Pre-Share key WPA or WPA2 AES/TKIP encryption.
- 802.1x with Radius based authentication.
The configuration template contains optional configurations for the Microsoft Lync SDN API integration with Aruba Mobility Controller and contains optimized configuration when using the Clear Pass Policy Manager (CPPM) as an authentication server.
Link to the solution: https://ase.arubanetworks.com/solutions/id/45
Authentication Methods
Wi-Fi networks have multiple authentication methods available for use. Each method depends on the network goals, security requirements, user types, and client types that will access the network. Consider the types of data that will flow over the network, as that will narrow the authentication and encryption choices.
Authentication is typically separated into two models, Layer 2 and Layer 3. These models can be combined for additional authentication.
Layer 2 Authentication
Layer 2 authentication occurs before the client can complete a connection to the network and pass traffic. As the name suggests, the client does not have an IP address at this stage.
Open
Open authentication really means no authentication. The network is available for anyone to join and no keys are required. This form of authentication is often combined with a Layer 3 authentication method that is used after connection to the network.
WEP
Wired Equivalent Privacy (WEP) is the original security mechanism that was built into the 802.11 standard, and several variations are available. The most common version is static WEP where all stations share a single key for authentication and encryption. Other versions of WEP have different key lengths and dynamic key assignments.
As an authentication and encryption protocol, WEP was fully compromised in 2001. Automated tools make it easy to access a WEP network with no expertise or training. WEP is considered no more secure than an open network. Aruba recommends that all organizations discontinue the use of WEP and replace any older WEP only devices with more capable systems as soon as is practical.
MAC Authentication
MAC authentication is an early form of filtering. MAC authentication requires that the MAC address of a machine must match a manually defined list of addresses. This form of authentication does not scale past a handful of devices, because it is difficult to maintain the list of MAC addresses. Additionally, it is easy to change the MAC address of a station to match one on the accepted list. This spoofing is trivial to perform with built-in driver tools, and it should not be relied upon to provide security.
MAC authentication can be used alone, but typically it is combined with other forms of authentication, such as WEP authentication. Because MAC addresses are easily observed during transmission and easily changed on the client, this form of authentication should be considered nothing more than a minor hurdle that will not deter the determined intruder. Aruba recommends against the use of MAC-based authentication.
Pre-Shared Key
Pre-Shared Key (PSK) authentication is the most common form of authentication for consumer Wi-Fi routers. Like WEP, the key is used for both authentication and encryption. In enterprise deployments, PSK is often limited to devices that cannot perform stronger authentication. All devices share the same network key, which must be kept secret. This form of authentication is easy to configure for a small number of devices. However, when more than a few devices must use the key, key management quickly becomes difficult.
The key usually must be changed manually on devices, which poses more problems if the number of devices that share a key is very large. When an attacker knows the key, they can connect to the network and decrypt user traffic. Good security practice mandates that the key should be changed whenever someone with access to the key leaves the organization.
In some guest deployments, PSK is used to provide a minimum amount of protection for guest sessions, and authentication is performed by a Layer 3 mechanism. This key should also be rotated on a regular basis.
802.1X/EAP
802.1X was developed to secure wired ports by placing the port in a “blocking” state until authentication is completed using the Extensible Authentication Protocol (EAP). The EAP framework allows many different authentication types to be used, the most common being Protected EAP (PEAP), followed by EAP-TLS that uses server- and client-side certificates.
To secure user credentials, a Transport Layer Security (TLS) tunnel is created and user credentials are passed to the authentication server within the tunnel. When the authentication is complete, the client and the Aruba Mobility Controller (tunnel mode) or AP (decrypt tunnel and bridge modes) has copies of the keys that are used to protect the user session.
The Aruba Mobility Controller forwards the request to the RADIUS server that performs the actual authentication and sends a response to the Aruba controller. When authentication completes successfully, the RADIUS server passes encryption keys to the Aruba Mobility Controller. Any vendor-specific attributes (VSAs) are also passed, which contain information about the user. A security context is created, and for encrypted links, key exchange occurs where all traffic can now be encrypted.
Encryption Recommendation
Understanding WPA and WPA2
Platform Tested
Aruba Mobility Controller 3400 running AOS 6.2.1.1 build 38111
Licensing
Access Point and PEF.
References
[1] Aruba Network 802.11n VRD
[2] Deploying Mobility Controllers with Microsoft Lync SDN API
[3] Aruba and Microsoft Lync solution home