
VLANs and SSIDs


Posted Dec 05, 2019 05:36 AM

I'm an experienced Cisco Wireless Architect, working to convert to Aruba, and I just want to check my understanding of some design aspects. Sorry it's a long post, but mostly the answers will be "OK" or "No, don't do it!". This all relates to OS8, 70xx/72xx controllers and 5xx APs.

I have 4 communities of users: "corporate" users, which will authenticate using IEEE 802.1X/EAP-TLS; "Guest" users, which will be unauthenticated but which will have a splash page for the user to accept an AUP; "Semi-Trusted" users, which will authenticate by PSK (MPSK?); and "CardReaders", which consists of hand-held devices with no supplicant or ability to actively authenticate, so will use MAB.

First question: because of the nature of the client devices, I plan to use 4 SSIDs. I could use dynamic VLAN assignment (by ClearPass-driven CoA) if two or more communities had the same authentication method, but that is not the case, so I need 4 VLANs unless someone can suggest a better way (please?). With regard to the card readers, I need to put them on a separate VLAN which I can then pass to a firewall to implement secondary security measures, because MAB is about as secure as leaving the front door open.

Second question: I plan to put the APs on switch ports assigned to an AP management VLAN and have each of the SSIDs tunnel back over that VLAN to the controllers (IPsec? GRE? With Cisco there is no option, it's CAPWAP or CAPWAP). Then, when the tunnels arrive at the WLC, break them out to LANs, a separate one associated with each SSID. I can then take the LANs back out of the WLC on a trunk to an L3 switch, where I will configure a VLAN SVI, so keeping the WLC behaviour as that of an L2 switch. Is this the best way to do it?

Third question: I plan to use DHCP to lease IP addresses to the APs, with Option 43 to tell the AP about the WLC, so enabling zero-touch deployment. Is this the best way, or does Aruba have better/simpler/more secure techniques?

Fourth (and, you will be glad to hear, last!) question: I will arrange for an external DHCP server to receive client device DHCP requests emanating from clients, traversing the wireless, arriving on the WLC and breaking out via one of the WLANs on the controller. Is this the best way, or does Aruba have better/simpler/more secure techniques?

Thanks for any comments, and apologies for the length/depth of the questions. I've been using Dr Google, but I'm not finding documents that give me confidence, and I'm conscious I have a Cisco bias that I need to work through to get this right.

Thanks Guys!

Jim
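The third question concerns DHCP Option 43 for controller discovery. The following is an added example written by the editor, not code from the original post, from Aruba or from Cisco. It builds and decodes the Option 43 payload in the two encodings the poster is moving between, on the assumption (the editor's reading of the vendor documentation, to be checked against the DHCP server and AP release you deploy) that Aruba APs identify themselves with vendor class `ArubaAP` and expect the controller address in Option 43 as a plain ASCII string, while Cisco lightweight APs expect a TLV with sub-option 241 carrying one or more 4-byte IPv4 addresses. The addresses used below are constructed sample values.

```python
"""Build and decode DHCP Option 43 payloads for wireless controller discovery.

Editor's example; assumed encodings:
  - Aruba AP:  Option 60 vendor class "ArubaAP", Option 43 = controller IP as ASCII.
  - Cisco LAP: Option 43 = sub-option 0xF1, length, then packed IPv4 addresses.
"""
import ipaddress

ARUBA_VENDOR_CLASS = "ArubaAP"   # assumed vendor class string sent by Aruba APs
CISCO_SUBOPTION = 0xF1           # assumed sub-option 241 used by Cisco lightweight APs


def aruba_option43(controller_ip: str) -> bytes:
    """ASCII form; IPv4Address() rejects anything that is not a valid dotted quad."""
    return str(ipaddress.IPv4Address(controller_ip)).encode("ascii")


def cisco_option43(controller_ips: list) -> bytes:
    """TLV form: 0xF1, length, then each controller address as 4 raw bytes."""
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if not packed:
        raise ValueError("at least one controller address is required")
    if len(packed) > 255:
        raise ValueError("too many addresses for a single-byte TLV length")
    return bytes([CISCO_SUBOPTION, len(packed)]) + packed


def decode_option43(payload: bytes) -> list:
    """Return the controller addresses carried by a payload in either encoding.

    The TLV check is unambiguous: 0xF1 can never be the first byte of ASCII text.
    A payload that fits neither layout raises ValueError rather than guessing.
    """
    if (len(payload) >= 2
            and payload[0] == CISCO_SUBOPTION
            and payload[1] == len(payload) - 2
            and (len(payload) - 2) % 4 == 0):
        return [str(ipaddress.IPv4Address(payload[i:i + 4]))
                for i in range(2, len(payload), 4)]
    try:
        text = payload.decode("ascii").strip()
    except UnicodeDecodeError:
        raise ValueError("payload is neither a 0xF1 TLV nor ASCII text")
    return [str(ipaddress.IPv4Address(text))]


def hex_string(payload: bytes) -> str:
    """Colon-separated hex, the form many DHCP servers take for raw option values."""
    return ":".join(f"{b:02x}" for b in payload)


if __name__ == "__main__":
    # Constructed sample controller addresses.
    print("Aruba :", hex_string(aruba_option43("10.1.1.1")))
    print("Cisco :", hex_string(cisco_option43(["10.1.1.1", "10.1.1.2"])))
    print("decode:", decode_option43(cisco_option43(["10.1.1.1", "10.1.1.2"])))
```

Whichever encoding is used, the AP trusts whatever DHCP server answers on the management VLAN, which is the reason to keep that VLAN restricted to APs, the legitimate DHCP relay and the controllers, and to watch for unexpected DHCP servers on it; the decoder above is also a quick way to confirm that the value typed into a DHCP server actually parses to the controller addresses intended.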