That's correct. Thanks for your help! :)
If I may, and you don't mind, I can describe the design a bit more. Maybe you can give me some other vision.
It is a design for a virtual cellular provider that has many clients who are part of the group. Each client has its site with its APs and should manage and monitor them. Users need to authenticate through EAP-SIM in this central location where the gateway is located. This is done through an SSID for that purpose, and then there is a second SSID for visitors. This other SSID is intended for guests and should have an SSID, if possible different for each client.
There are two architectures proposed. An Instant-based architecture is designed with a central controller for VPN termination of each Instant cluster. VPN would work here only for auth traffic and voice to the carrier, leaving the rest local.
The Master-Local architecture should work in the same way, but probably it's not needed to use VPN, just normal IPsec tunnels to the master.
AirWave is also in the design, and for the Instants Aruba Central is offered too.
I have to point out the pros and cons of each. I can mention many points for the distributed Instant one, but I need to know which are the pros of the Master-Local architecture.
Pros of Instant:
- Full redundancy with no extra cost
- Firewall without PEFNG license
- No license for APs on the sites
- More scalability
- Easier deployment
- Smaller hardware on the master? (being only a termination for VPN tunnels)
What pros does the other architecture have?
Another question they ask is to give a proposal for centralized "policy enforcement" apart from the distributed one. They call "policy enforcement" the function responsible for redirecting clients to a captive portal, establishing sessions for each user, applying BW control, etc. This would be the controller function when not using another RADIUS. I thought this could be done in the Master-Local architecture, but I see no pros in this, if we can set up all the policies on AirWave and push them to the locals to be applied by them. Maybe only in case they need to authenticate to an internal database that should be common for all sites?
Thanks