Wireless Access

Hi there

I'm working on a implementation to stretch out the connectivity from our offices to externals sites using RAP and performing 802.1x on the wires and I need a few more switch ports.

Initially I've been trying to utilize a simple switch adding a small Juniper EX-2200C without any configuration but unfortunately clients can't authenticate due the switch needs to be fully configured for 802.1x and the EAPol frames are dropped in between. So far, the only switch which is transparent is a cheap Dlink GO. It works fine but I'd like to know if someone else has a better option to just expand the switch ports without having to configure something else and without breaking the security.

 

Regards,

Antonio

 

How many extra ports do you need?   You have a couple of options outside of what you have already tried:

 

- Add a second or third RAP-155P.  Configure them as an Instant cluster with one another and configure port security for each remaining port.

- Add an Aruba Mobility Access Switch (varoius models and port densities from 12, 24, and 48).    An S1500-12P being the lowest density/cost choice, yet retains all the MAS functionality.

 

Both options allows for VPN functionality to a Mobility Controller at another site if neessary.

 

 

Hi clembo

First of all, thanks for the input.

I'm looking for 16 ports. RAPs will be placed in an untrusted place outside of my corp network so security is a must. In my deployment I use RAP with  zero touch so is very easy to deployment and maintain.

I tested the same with an Aruba Switch but for the security and support model this option   is adding a new platform to maintain which needs to be configured and also keeps a copy of the configuration at the remote end. Aruba Switch is not fully Zero touch and would require maintaining more firmware and new roadmaps. RAP is much easier to provision, update and modify and upgrade.

When I tried it with a Juniper EX switch, I managed to configure a switch port out of the 4 from the RAP as a trunk to pass the frames to the central controller to terminate the 802.1x. It works but this is so much complicated to maintain and also I don't want to open one port of the RAP so is unsecured.

Your first option is fine but with 16 ports I would to multiply hardware/cost of the solution by 4 and the scope is EMEA so the cost wouldn't be affordable.

 

Regards,

Do you have airwave?

yep, I have a master/failover on the 8.0.5

You can achieve full zero touch deployment , central configuration and firmware upgrades for the mobility access switch with AirWave.

It would be nice in case we were in the Aruba LAN Infrastructure model but we are the Juniper side with a strong direction to standardize. If I introduce a new vendor, I would have to pass down all the knowledge to all support levels along with the new software/hardware roadmap. RAP is what we use for teleworkers and this new proposal to provide a solution for hosting connectivity from remote places and works really nice, easy, simple and cheap. I would like to avoid a new deviation.

 

I see this as an excellent feature for rolling out LAN deployments in the small enterprises

 

By the way, thanks for your feedback too

This is all just adding more information :-) (not trying to beat a dead horse)

I definitely understand the approval piece. From the training piece, the Aruba switch is nearly identical to an Aruba controller. The idea to securely extend the network at a low cost was one of the major reasons the switch was brought to market.