Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

VPN connectivity shared key question

  • 1.  VPN connectivity shared key question

    Posted Dec 03, 2014 07:24 AM

    Got a question about ipsec shared keys

     

    Our mobility controllers are configured to support L2TP/IPSec connectivity for our remote APs. For a while now, I've been using the OS X / iOS built-in VPN client to connect to the University using this L2TP/IPSec route. At present this means that I'm using the same shared key we configure into all of our remote Access Points.

    We're now in a situation where we want to roll out the Aruba VPN setup to a wider audience (e.g. all of IT Services). What I don't want to do is hand out the same shared key we use for our remote APs to every man and his dog.

    1). Can we configure our controllers to support multiple shared keys for IPsec connectivity?

    2). If so, any config examples/docn appreciated.

    At this point in time I don't want to look at using VIA as that's just replacing one VPN client to install on a machine with another one. I'd rather try and use an operating system supported built-in client.

     

    Rgds

    Alex

     



  • 2.  RE: VPN connectivity shared key question

    EMPLOYEE
    Posted Dec 03, 2014 07:32 AM

    If you configured your remote APs as certificate-based RAPs, they do not depend on the preshared key.  All 802.11n and new access points should support certificate-based provisioning.

     

     

     



  • 3.  RE: VPN connectivity shared key question

    Posted Dec 03, 2014 08:10 AM

    OK. We're about to move over to ArubaOS 6.4, so that'll get rid of a batch of unsupported APs (AP65s), so I guess we can look at generating our own CA and moving RAPs over to using that.

     

    Rgds

    Alex

     



  • 4.  RE: VPN connectivity shared key question

    EMPLOYEE
    Posted Dec 03, 2014 08:24 AM

    alexsuoy,

     

    You will not need to create your own CA.  RAPs will only need their MAC addresses in the whitelist when using certificate-based authentication.

    EDIT:

    Please see the thread here:  http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Raps-with-DMZ-controller/m-p/218963#M43180 for detailed instructions on what you need to set up at minimum.  Certificate-based authentication has been in use since ArubaOS 5.x and can be used on your current version of code with any 802.11n or higher access points.  You would not have to wait for 6.4.