About GRE Tunnel integrity

  • 1.  About GRE Tunnel integrity

    Posted Jun 08, 2018 03:45 AM

    Hi,

     

    I'm searching for some information about encryption between controller and access point.

    I want to be sure of the data security which is passing on my LAN.

    I have seen that decryption is performed by the controller in "tunnel mode", so I'm not worried about SSIDs which are using AES or another encryption protocol.

    But what happens with an open SSID? Is the data encrypted? Is there a function to be sure that a tunnel towards an access point can't be mounted by a rogue computer?

     

    Awaiting your help and your knowledge,

    Thanks,

    JB.

     

     



  • 2.  RE: About GRE Tunnel integrity

    EMPLOYEE
    Posted Jun 08, 2018 04:34 AM

    User traffic is tunneled between the access point and the controller using GRE, NOT encrypted.  If you are using encryption on that SSID, the traffic is tunneled and encrypted using whatever encryption you are using on that SSID.  If you are using an Open SSID, there is no encryption and the traffic is just tunneled.

     

    WPA2-AES - Traffic is tunneled and encrypted with WPA2-AES

    WPA2-PSK-AES - Traffic is tunneled and encrypted with WPA2-PSK-AES.

    Open - Traffic is tunneled and not encrypted.

     

    If you want your traffic to be encrypted on the LAN, you should not be using an Open SSID.

     

    I hope that makes sense.



  • 3.  RE: About GRE Tunnel integrity

    Posted Jun 08, 2018 04:43 AM

    Thank you for the confirmation of my doubts.

    I wrote this question because I've already worked with CAPWAP tunnels and it included a double-encryption capability.

     

    So, for my second point, do you know if the controller uses an Aruba proprietary GRE protocol to be sure that a tunnel towards an access point can't be mounted by a rogue computer?

     



  • 4.  RE: About GRE Tunnel integrity

    EMPLOYEE
    Posted Jun 08, 2018 04:48 AM

    It is standard GRE.  Again, if a user captures the tunnel information, they will be able to see everything if the SSID is open.  If the SSID is encrypted they will only see encrypted information.

     

    Back in the day on Cisco, even encrypted traffic was decrypted at the access point and then only tunneled via CAPWAP back to the controller, so it would be capable of being captured and reassembled on the LAN.  Aruba's traffic by default has always been tunneled all the way back to the controller and decrypted there, where it could not be viewed on the LAN.
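
As an added illustration of the answers above (not part of the original thread, and not Aruba code): a small Python audit for captured GRE packets that parses the standard GRE header and reads the inner 802.11 Protected Frame bit to tell whether the tunneled payload is readable on the LAN. It assumes the GRE payload is a raw 802.11 data frame; the sample packets and the 0xFFFF protocol type are constructed placeholders.

```python
import struct

def parse_gre(pkt: bytes) -> dict:
    """Parse a standard GRE header (RFC 2784 / RFC 2890)."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & 0x0007:
        raise ValueError("not GRE version 0")
    out = {"proto": proto, "checksum": None, "key": None, "seq": None}
    off = 4
    # Optional 4-byte words follow in this order when their flag bit is set
    # (the checksum word is 16 bits of checksum plus 16 reserved bits).
    for name, bit in (("checksum", 0x8000), ("key", 0x2000), ("seq", 0x1000)):
        if flags & bit:
            if len(pkt) < off + 4:
                raise ValueError("truncated GRE option: " + name)
            out[name] = struct.unpack("!I", pkt[off:off + 4])[0]
            off += 4
    out["payload"] = pkt[off:]
    return out

def audit(pkt: bytes) -> dict:
    """Report what a LAN capture of one tunneled frame exposes.
    Assumption: the GRE payload is a raw 802.11 data frame."""
    gre = parse_gre(pkt)
    frame = gre["payload"]
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 2:
        raise ValueError("payload is not an 802.11 data frame")
    protected = bool(frame[1] & 0x40)  # Protected Frame bit in Frame Control
    return {
        # None of checksum/key/seq is a cryptographic authenticator.
        "gre_options": [k for k in ("checksum", "key", "seq") if gre[k] is not None],
        "inner_protected": protected,
        "readable_on_lan": not protected,
    }

# Constructed samples (not captured traffic). 0xFFFF is a placeholder protocol type.
_ADDRS = bytes(18)  # three zeroed MAC addresses
_GRE = struct.pack("!HH", 0x0000, 0xFFFF)
OPEN_PKT = (_GRE + bytes([0x08, 0x01, 0, 0]) + _ADDRS + bytes(2)
            + b"\xaa\xaa\x03\x00\x00\x00\x08\x00hello")      # LLC/SNAP + cleartext
WPA2_PKT = (_GRE + bytes([0x08, 0x41, 0, 0]) + _ADDRS + bytes(2)
            + bytes(8) + b"\x9c\x11\x5e\xd0\x3a")            # CCMP header + ciphertext

if __name__ == "__main__":
    for label, pkt in (("open", OPEN_PKT), ("wpa2", WPA2_PKT)):
        print(label, audit(pkt))
```
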