Wired Intelligent Edge


Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution

Role of MAS

  • 1.  Role of MAS

    Posted Jan 26, 2013 10:00 AM
    For a remote office deployment, should a MAS be deployed behind a firewall? I would imagine IPsec and/or GRE for the mobility switch IP need to be opened.

    My goal is to provide remote offices authenticated port access. The MAS would tunnel back to a controller for policy enforcement.

    I almost wish I had deployed 5 raps rather than the MAS. Reason I say that is I have firm understanding based on the reference guide for remote office. I am just having a hard time getting my brain around the MAS.

    Can someone describe, architecturally, how you deployed a MAS for a remote office?



  • 2.  RE: Role of MAS

    EMPLOYEE
    Posted Jan 28, 2013 11:57 AM

    Hi,
    The Mobility Access Switch (MAS) platforms can be deployed in several remote office configurations:

    1) MAS behind a RAP

    • RAP provides local internet access and access to Corporate resources (aka split-tunnel), stateful user-enforcement and NAT
    • MAS can provide stateless user-enforcement (via UDR, 802.1x, MAC-Auth, Guest Captive Portal).


    2) MAS behind Firewall

    • Firewall provides local internet access, stateful firewall and NAT.
    • MAS can establish IPSEC VPN tunnel for access to Corporate resources (Requires AOS 7.2)
    • MAS can provide stateless user-enforcement (via UDR, 802.1x, MAC-Auth, Guest Captive Portal)
    • MAS can also tunnel user-traffic via Tunneled Node on a per-port basis back to Mobility Controller for stateful user-enforcement. (requires LIC-x-AP and LIC-SEC-x per standalone switch or ArubaStack)


    3) Standalone MAS

    • MAS establishes IPSEC VPN tunnel for access to Corporate resources and Internet Access (Requires AOS 7.2). A stateless ACL would be applied on egress interface only allowing return IPSEC traffic
    • MAS can provide stateless user-enforcement (via UDR, 802.1x, MAC-Auth, Guest Captive Portal)
    • MAS can also tunnel user-traffic via Tunneled Node on a per-port basis back to Mobility Controller for stateful user-enforcement. (requires LIC-x-AP and LIC-SEC-x per standalone switch or ArubaStack)


    I hope this helps.


    Best regards,


    Madani
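The "stateless ACL on the egress interface only allowing return IPsec traffic" from option 3 above, written out as an added example. This is not from the thread and is not HPE Aruba Networking's ACL syntax; it is a small evaluator that shows what such a rule set has to match on when the switch cannot track IKE state: IKE on UDP/500, NAT-T on UDP/4500 and ESP (IP protocol 50), all restricted to the known VPN concentrator address, with an explicit deny for everything else. The peer and uplink addresses are constructed RFC 5737 documentation addresses, and the packets are constructed samples.

```python
"""Added example: deny-by-default stateless ACL for the uplink of a standalone
MAS that only carries an IPsec tunnel back to corporate. Assumed addresses:
vpn_peer 203.0.113.10 (corporate concentrator), wan_ip 198.51.100.5 (MAS uplink).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

TCP = 6
UDP = 17
ESP = 50  # IP protocol number of IPsec ESP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: Optional[int]   # None matches any IP protocol
    src: str               # CIDR prefix
    dst: str               # CIDR prefix
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def build_return_ipsec_acl(vpn_peer: str, wan_ip: str) -> List[Rule]:
    """Rules applied to traffic arriving on the uplink from the Internet.

    A stateless ACL cannot remember that the MAS initiated IKE, so the only
    thing pinning the permits down is the concentrator's fixed address.
    ESP is permitted for links without NAT; behind NAT the ESP payload
    arrives encapsulated in UDP/4500 instead, so both are listed.
    """
    peer = f"{vpn_peer}/32"
    me = f"{wan_ip}/32"
    return [
        Rule("permit", UDP, peer, me, dport=500),    # IKE
        Rule("permit", UDP, peer, me, dport=4500),   # IKE / ESP with NAT-T
        Rule("permit", ESP, peer, me),               # raw ESP, no NAT in path
        Rule("deny", None, "0.0.0.0/0", "0.0.0.0/0"),  # explicit catch-all
    ]


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins; no match falls to an implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


if __name__ == "__main__":
    acl = build_return_ipsec_acl("203.0.113.10", "198.51.100.5")
    samples = {
        "IKE from concentrator": Packet("203.0.113.10", "198.51.100.5", UDP, 500, 500),
        "NAT-T from concentrator": Packet("203.0.113.10", "198.51.100.5", UDP, 4500, 4500),
        "ESP from concentrator": Packet("203.0.113.10", "198.51.100.5", ESP),
        "IKE from stranger": Packet("192.0.2.77", "198.51.100.5", UDP, 500, 500),
        "SSH from Internet": Packet("192.0.2.77", "198.51.100.5", TCP, 40000, 22),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {evaluate(acl, pkt)}")
```

Because the permits are keyed only on the peer address and protocol/port, anything that spoofs the concentrator's source address on UDP/500, UDP/4500 or ESP will pass the ACL; the IKE authentication and ESP integrity check inside the tunnel are what actually reject it, which is the trade-off a stateless filter makes compared with the stateful firewall in option 2.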



  • 3.  RE: Role of MAS

    Posted Jan 28, 2013 03:38 PM

    Thank you madjali - I worked through a config this weekend and have the MAS behind a firewall and tunneled over an IPsec tunnel. That works, except I have yet to establish "internet" connectivity, although I do authenticate and have access to internal corporate resources.


    I'm intrigued by deployment #1, as that may be more in tune (and simpler) with my objectives.


    In that configuration, is each port of the MAS authenticated via the same 802.1x profile that the RAP is configured for on the controller? Is the 802.1x request just passed the same as for the wired ports on the RAP? Is the port just set as untrusted with a trunk port on the RAP? (i.e., MAS trunked to RAP). I'll start experimenting with that to see if I can get it working.


    Thanks for the thorough response and any additional details you might have on option #1.