Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VLANs and SSIDs

  • 1.  VLANs and SSIDs

    Posted Dec 06, 2019 05:45 AM
    I'm an experienced Cisco Wireless Architect, working to convert to Aruba, and I just want to check my understanding of some design aspects. Sorry it's a long post, but mostly the answers will be "OK" or "No, don't do it!". This all relates to OS8, 70xx/72xx controllers and 5xx APs.

    I have 4 communities of users: "corporate" users, which will authenticate using IEEE 802.1X/EAP-TLS; "Guest" users, which will be unauthenticated but will have a splash page for the user to accept an AUP; "Semi-Trusted" users, which will authenticate by PSK (MPSK?); and "CardReaders", which consists of hand-held devices with no supplicant or ability to actively authenticate, so will use MAC Authentication Bypass (MAB).

    First question: because of the nature of the client devices, I plan to use 4 SSIDs. I could use dynamic VLAN assignment (by ClearPass-driven CoA) if two or more communities had the same authentication method, but that is not the case, so I need 4 VLANs unless someone can suggest a better way (please?). With regard to the card readers, I *must* put them on a separate VLAN which I can then pass to a firewall to implement secondary security measures, because MAB is about as secure as leaving the front door open.

    Second question: I plan to put the APs on switch ports assigned to an AP management VLAN and have each of the SSIDs tunnel back over that VLAN to the controllers (IPsec? GRE? With Cisco there is no option, it's CAPWAP or CAPWAP). Then, when the tunnels arrive at the WLC, break them out to LANs, a separate one associated with each SSID. I can then take the LANs back out of the WLC on a trunk to a L3 switch, where I will configure a VLAN SVI, so keeping the WLC behaviour as that of a L2 switch. Is this the best way to do it?

    Third question: I plan to use DHCP to lease IP addresses to the APs, with Option 43 to tell the AP about the WLC, so enabling zero-touch deployment. Is this the best way, or does Aruba have better/simpler/more secure techniques?

    Fourth (and, you will be glad to hear, last!) question: I will arrange for an external DHCP server to receive client device DHCP requests emanating from clients, traversing the wireless, arriving on the WLC and breaking out via one of the WLANs on the controller. Is this the best way, or does Aruba have better/simpler/more secure techniques?

    Thanks for any comments, and apologies for the length/depth of the questions. I've been using Dr Google, but I'm not finding documents that give me confidence, and I'm conscious I have a Cisco bias that I need to work through to get this right. Thanks guys! Jim


  • 2.  RE: VLANs and SSIDs

    EMPLOYEE
    Posted Dec 06, 2019 06:05 AM

    1.  You should use 4 VLANs, yes.

    2.  Your understanding of AP and user traffic trunked to the controller is correct.

    3.  You have the option of using a DNS A record of "aruba-master", DHCP options 43 and 60, broadcast, and multicast for AP discovery of a controller.  https://www.arubanetworks.com/techdocs/ArubaOS_85_Web_Help/Content/arubaos-solutions/access-points/enab-ctrl-disc.htm?Highlight=discovery  If you have control over your DNS server, in my opinion, the DNS A record is the easiest to configure.

    4.  An external DHCP server is the best way, because (1) if and when you add in redundancy, IP addressing will not be tied to a single controller, and (2) troubleshooting of client IP addressing issues and DHCP configuration will be the same as it was before.

    I hope this helps.



  • 3.  RE: VLANs and SSIDs

    Posted Dec 06, 2019 09:58 AM

    Hi cjoseph,

    Thanks for your help, you have confirmed a bunch of stuff that makes me happy that my understanding is correct.

    One thing I could use some more clarification on is the tunnel type.

    Cisco uses CAPWAP, end of story, but I understand Aruba uses IPsec... but is that with CAPWAP inside the IPsec?

    Can you clarify which tunnelling technique is the default and which are available (in an environment with payment details being shipped, IPsec sounds very attractive!)

    Thanks

    Jim



  • 4.  RE: VLANs and SSIDs

    EMPLOYEE
    Posted Dec 06, 2019 10:08 AM

    @Jimbo1954 wrote:

    Hi cjoseph,

    Thanks for your help, you have confirmed a bunch of stuff that makes me happy that my understanding is correct.

    One thing I could use some more clarification on is the tunnel type.

    Cisco uses CAPWAP, end of story, but I understand Aruba uses IPsec... but is that with CAPWAP inside the IPsec?

    Can you clarify which tunnelling technique is the default and which are available (in an environment with payment details being shipped, IPsec sounds very attractive!)

    Thanks

    Jim


    The tunnel type (transport) is GRE for Wi-Fi client traffic.  The traffic is encrypted with whatever Wi-Fi encryption is enabled all the way back to the controller (on the wired network), where it is decrypted.

    As an aside, individual device application traffic should already be using application-level encryption at this time if payments are being accepted.



  • 5.  RE: VLANs and SSIDs

    Posted Dec 06, 2019 08:10 AM

    Very interesting topic.
    If I may add some design considerations to cjoseph's post.


    - SSID 1 EAP (TLS and or PEAP) - AAA via Radius1 and dynamic VLAN assignment (*1)
    - SSID 2 MPSK - AAA via Radius1 and dynamic VLAN assignment (*2)
    - SSID 3 open - AAA via Radius1 captive portal and static VLAN binding


    - *1 - assignment can be based on user department
    - *2 - assignment can be based on device role


    The whole solution is possible with HP Aruba ClearPass RADIUS.


    Last hint for the card reader devices.
    As they are categorized by CPPM, they can be mapped to a specific role.
    The role, on the other hand, can have restricted access enforced directly on the controller.

    Greetings



  • 6.  RE: VLANs and SSIDs

    Posted Dec 06, 2019 09:51 AM

    Hi airsecxd, can I drill down into one of your comments, please?

    You said: "- SSID 2 MPSK - AAA via Radius1 and dynamic VLAN assignment (*2)"

    and

    "- *2 - assignment can be based on device role"

    and in saying that, you opened up a bunch of possibilities.

    How do I identify/extract "device role"? If my dumb card readers were able to accept SSID/MPSK configuration as a minimum, I could use the same SSID to support Semi-Trusted users (call them "role 1") and card readers (as "role 2"). The issue is, how do I/can I separate the roles with ClearPass? If I can separate the roles, I can inject their traffic into different VLANs at the controller, I think...?

    I feel I'm close to understanding this, can you just push me over the line :)

    Thanks

    Jim



  • 7.  RE: VLANs and SSIDs
    Best Answer

    Posted Dec 06, 2019 01:29 PM

    Hi Jimbo1954,

    I'll try it in a few lines.

    As far as I am into MPSK, you create "devices" (not users) in ClearPass Guest.

    Those devices can be tied to a "role" (in our case they have to be).
    A role can be seen as a tag on ClearPass.

    The role gets interesting when existing and communicated to the controller.

    On the controller there can be access policies behind a specific role.


    Now if a device is connecting to the Wi-Fi, it gets authenticated by the RADIUS server with the correct PSK and afterwards authorized based on its role.
    Authorization source would be Clearpass Guest.


    If you have other devices, e.g. printers, you define another role with another set of access policies on the controller.

    Additionally, based on an attribute which is able to identify a specific user or device (in our example the role), you can push those devices into another VLAN after authentication.

    That is how I would solve this requirement.

    I hope that's the right direction to push you.
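What the controller actually receives at the "authorized based on its role" step above, and the "dynamic VLAN assignment" entries in airsecxd's earlier list, is a set of RADIUS Access-Accept attributes. The following is an added example (not code from the thread, ClearPass or ArubaOS) that encodes and decodes those attributes: the role travels in the Aruba-User-Role vendor-specific attribute (vendor ID 14823, vendor type 1) and the VLAN in the RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE 802, Tunnel-Private-Group-ID = VLAN number). The role names, the role-to-VLAN table and the placeholder VLAN numbers are constructed for illustration.

```python
# Added example: RADIUS Access-Accept attributes carrying role + VLAN.
# Assumptions: Aruba VSA vendor 14823 / type 1 for the role; VLAN via RFC 3580
# tunnel attributes; ROLE_VLANS is a constructed table, not a real policy.
import struct

ATTR_VSA = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1

# Constructed policy in the spirit of the thread: card readers get their own
# VLAN (to be sent onward to a firewall); corporate stays on the SSID default.
ROLE_VLANS = {"semi-trusted": 30, "card-reader": 40}


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (including the 2-byte header), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def aruba_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute wrapping a single Aruba sub-attribute."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    return radius_attr(ATTR_VSA, struct.pack("!I", ARUBA_VENDOR_ID) + sub)


def tagged_int(value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_accept_attributes(role: str) -> bytes:
    """Server side: always send the role; add the VLAN triple only for roles
    that the table maps to a VLAN."""
    attrs = aruba_vsa(ARUBA_USER_ROLE, role.encode("ascii"))
    vlan = ROLE_VLANS.get(role)
    if vlan is not None:
        attrs += radius_attr(ATTR_TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
        attrs += radius_attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE802))
        attrs += radius_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode("ascii"))
    return attrs


def parse_attributes(blob: bytes) -> list[tuple[int, bytes]]:
    """Split an attribute list into (type, value) pairs; malformed lengths are
    an error rather than something to skip over silently."""
    out = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("attribute header truncated")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def strip_tag(value: bytes) -> bytes:
    """RFC 2868: a first byte of 0x00..0x1F is a tag, anything else is data."""
    return value[1:] if value and value[0] <= 0x1F else value


def authorization_from_accept(blob: bytes) -> dict:
    """Controller side: derive the role and, only when the full RFC 3580 triple
    is present and consistent, the VLAN to place the client in."""
    role = tunnel_type = medium = group = None
    for attr_type, value in parse_attributes(blob):
        if attr_type == ATTR_VSA and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            if vendor_id == ARUBA_VENDOR_ID and vendor_type == ARUBA_USER_ROLE:
                role = value[6:4 + vendor_len].decode("ascii", "replace")
        elif attr_type == ATTR_TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            group = strip_tag(value).decode("ascii", "replace")
    vlan = None
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE802 \
            and group and group.isdigit():
        vlan = int(group)
    return {"role": role, "vlan": vlan}


if __name__ == "__main__":
    for r in ("card-reader", "semi-trusted", "corporate"):
        print(r, authorization_from_accept(build_accept_attributes(r)))
```

Two things the decoder is deliberately strict about, and which are worth checking in a real deployment: a Tunnel-Private-Group-ID on its own (without Tunnel-Type and Tunnel-Medium-Type) leaves the client on the SSID's default VLAN rather than guessing, and the role string is what the controller's per-role access policies key on, so the names returned by ClearPass must match the role names configured on the controller exactly.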

     



  • 8.  RE: VLANs and SSIDs

    Posted Dec 10, 2019 02:53 AM
    Thanks for both of your contributions to my education! Both very useful and helpful. I have given kudos to both of you, but I can't mark both answers as the accepted solution, so I will mark the last response as the solution, so that folk are inclined to read to the bottom. It's been useful, guys! My great thanks to you both! Thanks Jim