DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

Hello Guys

Right now we have a client which has the following scenario:

Version 6.x

2x Master Controllers in the central site, master/standby; it has a VRRP IP

They have like 15 remote sites

Each site has one controller in which they terminate their APs

For example, Site A has 15 APs and all 15 APs terminate their tunnel in that controller

So it's master active, master standby

15 remote sites (all local controllers)

1x DMZ controller in the central site which has internet for all the guests of all the 15 sites

Each remote site has a GRE tunnel for the guest traffic that points to the central site controller VRRP IP, and the central site controller has a GRE tunnel to the DMZ. I'm passing VLAN 800, which is my guest traffic, and that VLAN just exists in the controllers; it does not exist in the client's networks and is not routable.

My question is simple, I think:

Can I do the same scenario in version 8?

Is this recommended in version 8?

Is there a better way to manage this in version 8?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

I don't see a reason why this design would not be doable with AOS8.

 

My preference would be to have the remote sites tunnel directly to the DMZ controller, rather than hopping through the central controllers. I would either do user roles for guest users at the edge controller or at the DMZ controller, but having the user pass through the central controller does not add any functionality.


Charlie Clemmer
Aruba Customer Engineering

Re: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

Hello Charlie, thanks for your answer.

If you do what you say, would my guest users show up in the WLAN controllers? I mean, would it not show as a wired user on the DMZ controller?

The way I got it right now will correctly show what APs guest users are connected to in Airwave, which is nice.

Also, I don't know if I should use multizone here, if it will benefit me in some way?

 

Cheers

Carlos

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

I guess I didn't type that I've got master active and master standby, and all the 15 sites are local controllers; I just corrected that in my original post.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

Multizone is probably not needed, but is an option. With multizone, the guest SSID would tunnel directly from the APs themselves (rather than the gateways) to the DMZ controller without touching the datapath on the internal controllers.

 

Where are you doing user authentication for the guest users in your current setup? I'm assuming captive portal, but not sure whether the captive portal is internal to the controller, external, or reachable specifically from the inside or DMZ controllers.


Charlie Clemmer
Aruba Customer Engineering

Re: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

I'm doing the authentication on a ClearPass.

The ClearPass can reach the controllers, and the controllers can reach ClearPass, only for the specific ports I need.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

Forgot to tell you that I'm using both interfaces, management and data.

The management is on the trusted zone and the data port is on the DMZ of the client.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

You mentioned that the DMZ controller sees the guest users as wired users? So the DMZ controller is not trusting the GRE tunnel from the master controllers?


Charlie Clemmer
Aruba Customer Engineering

Re: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

I didn't mention it, I was asking you. I did say "The way I got it right now will correctly show what APs guest users are connected to in Airwave, which is nice", but before that I asked you if the guests will show correctly in the WLAN controllers and if they will not show as a wired user on the DMZ controller.

Sorry, I guess you have a hard time reading my English; it is not the best.

I thought, or I misunderstood, what will happen with the guest clients; this was like 4 years ago.

I could change them all in this new project to the DMZ controller if you think it's the best way to do it.

Is there any issue having it the way I got it? I really would like to know that for future reference.

 

Thanks again for answering

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

My apologies for the confusion.

 

When tunneling guests, the authentication could be handled either at the remote controller where the APs terminate (my preference), or on the DMZ controller. There are valid reasons for having the authentication performed on either of the controllers ... the DMZ may be the only controller that has IP routing for the guest user space. 

 

If Airwave is correlating the guest user to an AP, then I believe the remote controllers are performing the authentication. This would also be fine in the AOS8 architecture as well, and would be my preference.


Charlie Clemmer
Aruba Customer Engineering