Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Encryption of Mesh user traffic

  • 1.  Encryption of Mesh user traffic

    Posted Sep 13, 2018 09:46 PM

    I am pretty new to Aruba wireless so be gentle please :-)

     

    Long story short, I have been tasked to set up an ArubaOS based PtP link between two buildings to bridge an ethernet segment. Since one of the buildings already has an Aruba controller running 6.4, using AP-270 series APs in a mesh seems like an easy solution. However, since this is a new design I have to get CIS to sign off on it.

     

    Looking through the User guide the configuration is very straightforward but the issue I will have is the only security feature mentioned in the configuration guide is a WPA2 pre-shared key. 

     

    Since I am new to Aruba I am unsure whether or not that PSK is the only thing encrypting the bridged traffic or if that is only used to establish the communication between the Mesh node and the Mesh portal and the actual user traffic is carried inside some other tunnel.

     

    If someone could tell me, in a mesh PtP solution, how is the actual data traffic secured as it traverses the wireless connection? Ideally it would be inside an IPsec tunnel from the Mesh node to the controller. Is there a diagram or KB article that talks about this specific scenario?

     

    Also, what is the PSK for in the Mesh SSID? Am I right that it is essentially only to bootstrap the Mesh node connection or is it really what provides the encryption for the bridged traffic?

     

    Thanks for any help you can give!

     



  • 2.  RE: Encryption of Mesh user traffic

    EMPLOYEE
    Posted Sep 14, 2018 09:49 AM


  • 3.  RE: Encryption of Mesh user traffic

    Posted Sep 14, 2018 11:40 AM

    Thanks for the reply, but unless I am blind there is really no information on the actual data flow security, particularly when using Mesh as an ethernet bridging PtP solution. Literally the only relevant security information in there I can find relates to the MSSID PSK.

     

    What I need is a document that shows how bridged ethernet traffic traverses the wireless mesh network securely.

    • Is it tunneled via a GRE tunnel, or some other tunneling mechanism?
    • Where are the endpoints of the tunnel? Is it the controller or the Mesh portal?
    • How is the traffic encrypted in transit? Is the only encryption the PSK AES encryption on the MSSID, or is the tunnel encrypted via IPsec or some other means?


  • 4.  RE: Encryption of Mesh user traffic
    Best Answer

    EMPLOYEE
    Posted Sep 16, 2018 04:49 PM

    @nspitzer wrote:

     

    What I need is a document that shows how bridged ethernet traffic traverses the wireless mesh network securely.

    • Is it tunneled via a GRE tunnel, or some other tunneling mechanism?

    Depends on the wired port profile. You can select bridge or tunnel. Bridge will drop the ethernet traffic at the mesh portal's ethernet interface, whereas tunnel will encapsulate it in GRE and bring it back to the controller.


    @nspitzer 
    • Where are the endpoints of the tunnel? Is it the controller or the Mesh portal?

    If tunneled, the endpoint is the controller.

     


    @nspitzer 
    • How is the traffic encrypted in transit? Is the only encryption the PSK AES encryption on the MSSID, or is the tunnel encrypted via IPsec or some other means?

    Traffic is encrypted using the MSSID's PSK. 



  • 5.  RE: Encryption of Mesh user traffic

    Posted Sep 16, 2018 08:15 PM

    Exactly what I needed and unfortunately just what I feared. Given all the issues around WPA2-PSK I can already guess what CIS is going to say about that. Maybe they will surprise me, but I doubt it.

     

    Thanks for the answer!



  • 6.  RE: Encryption of Mesh user traffic

    EMPLOYEE
    Posted Sep 16, 2018 11:06 PM

    The solution to concerns about WPA2-PSK is to use a strong (i.e. long) passphrase.
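Since the thread concludes that the mesh link's confidentiality rests entirely on the MSSID passphrase, here is an added example (not from the thread or from HPE Aruba) showing what that passphrase actually becomes: the standard 802.11i PBKDF2 derivation of the pairwise master key from passphrase and SSID, plus a simple entropy-based review check. The 128-bit policy threshold, the `review_mesh_psk` helper and the sample SSID are assumptions for illustration.

```python
"""Added example: derive the WPA2-PSK pairwise master key a mesh SSID
passphrase expands to, and score the passphrase before design sign-off."""
import hashlib
import math
import string


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The passphrase must be 8-63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def passphrase_bits(passphrase: str) -> float:
    """Upper-bound entropy estimate: log2(alphabet) per character, with the
    alphabet inferred from the character classes used. Dictionary-word
    passphrases have far less real entropy than this, so treat it as a ceiling."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    size = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(size) if size else 0.0


def review_mesh_psk(passphrase: str, ssid: str, min_bits: float = 128.0) -> dict:
    """Hypothetical review helper: derived PMK plus pass/fail against an
    assumed minimum-entropy policy (128 bits, roughly matching the AES-CCMP key)."""
    bits = passphrase_bits(passphrase)
    return {
        "pmk_hex": wpa2_pmk(passphrase, ssid).hex(),
        "entropy_bits": round(bits, 1),
        "ok": bits >= min_bits,
    }


if __name__ == "__main__":
    # Constructed sample values; the SSID and passphrases are made up.
    for p in ("building2!", "Rv7$kq2Lm9#pZw4Xt8Bn3Hc6Yd"):
        print(review_mesh_psk(p, "mesh-bldg-link"))
```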