A MOBILITY SOLUTION FOR AN ENTERPRISE CUSTOMER

Motasem Al Amour, Senior Sales Engineer

CONTENTS

Mobility in the Company
  Employees
    Developers
    Technicians
    Marketing
  BYOD
  External Employees, Consultants and Trainees
  Employees Access
  Guest Access
  Barcode Scanner Access
Mobility by Location
  Indoor
    Connectivity
    Voice over WLAN
    Interaction with Zero-configuration Networking
  Home Office
  On the road
Mobility & Security
  Access Security with ClearPass
    Access for BYOD
  Securing the Access to the LAN
  Securing the WLAN Infrastructure
  Having Control with AirWave
  Aruba Location Services
    How does it work?
    Beacon Management
Mobility Solution System Design

Mobility in the Company

Before discussing the details of the mobility solution, its architecture and design, let's walk through the mobility scenarios encountered by an employee working with different mobile devices, an external employee or consultant working for the company, a trainee, and a guest visiting the company. What matters throughout is ease of use, security and low maintenance cost, including the administrative work.

Employees

Employees are not treated equally when they access the network, because their jobs, devices and requirements differ. For simplicity let's focus on three departments: developers, technicians and marketing. Developers work with very sensitive data that needs to be protected: only these persons may access it, and only from well protected devices. Technicians don't need such a strict security policy; all they need is access to a few internal resources. Marketing does not need most of the internal resources; it mainly interacts with social media.

Role Based Access Control (RBAC) is applied on the WLAN controller. Every job function is defined as a role on the controller, and a role is a set of firewall policies. That means there is one WPA2 Enterprise SSID, let's call it Employees, but every employee connected to it is placed in the role appropriate to his job function. A role contains firewall rules up to layer 7, including applications, web categories and web reputation. In addition a role may carry bandwidth contracts that cap the total bandwidth allowed for the role, or cap a single application or web category. For instance, a role may have no overall limit but allow at most 2 Mbps for web pages with streaming content.

Note that WPA2 Enterprise uses 802.1X: after authentication every device on the SSID derives its own pairwise key with a short lifetime, so clients cannot decrypt each other's traffic and there is no shared passphrase for an attacker to guess. Even if a key were recovered, its lifetime would have expired and the device would already hold a new key by the time it could be used.

The company already has an AD or LDAP server in which all employees are recorded with the proper OUs (organizational units) and attributes. Windows devices have joined the AD and are part of the domain.

Developers

A developer prefers to work with a company-provided notebook that is part of the domain. Because the security policy for developers is very strict, we need to authenticate the notebook, authenticate the user and check the security status of the device.

• Device authentication: once the notebook has joined the domain, the device authenticates itself to the AD with machine authentication (this happens at boot, before any user logs on).

• User authentication: the user authenticates either with a username/password or with a certificate. If the company already has a PKI, it can be used; if not, a certificate is pushed to the device and the user is authenticated with it. Certificate generation and provisioning is discussed in the section on access for BYOD.

• Security status of the device: for instance, is the anti-virus running, is the firewall active, is the patch level current, are certain processes running, and so on.

When all these conditions are met the developer is assigned the role Developer. This role allows the user on this device to access whatever resources he needs (set per firewall rule), following the "need to know" principle. Suspicious internet sites are filtered on the controller. If the notebook does not meet the security conditions, it is put into a quarantine role/VLAN with no access to internal resources. When the user opens any HTTP/HTTPS page he is redirected to a page telling him he is in a quarantine network and asking him to fix the findings on his device (install patches, remove the USB stick, ...). Once he has resolved the issue(s) a reassessment takes place, and if user and device now satisfy the security policy the user is placed in the Developer role. The same actions apply whether the user joins the network over the LAN or the WLAN.

Technicians

Technicians work mainly with tablets that are owned by the company and handed out to them. To have administrative privileges on these devices, Mobile Device Management (MDM) software (MobileIron, AirWatch, ...) is purchased, so that a security policy can be enforced on the devices: installation of certain apps, a mandatory PIN, and so on. When a technician wants to access the Employees SSID with a tablet that is managed by the MDM, we need to authenticate the device and the user.

• Device authentication: before the tablet is allowed on the network a query is sent to the MDM. The query can ask whether the device is still managed, whether it is jailbroken, and whether it fulfils the security policy.

• User authentication: done with certificates; certificate generation and provisioning is discussed in the section on access for BYOD.

When both these conditions are met the user on this device is given the role Technician. This role allows access to the internal resources needed for the technician to do his job. Marketing Employees working with marketing are not bound to a certain device. Bring Your Own Device (BYOD) or Choose Your Own Device (CYOD) is applied. The employee needs to authenticate with a certificate on any device (up to 3). After successful authentication the role Marketing is applied to this user and device. This role prohibits the user from accessing most internal resources but allows it to access streaming and social media with a bandwidth of 8 Mbps+.

BYOD

The company also allows employees' private devices to join the network and access some internal resources such as email and a few internal portals. Some companies tell their employees to use the Guest SSID for their private devices; that is not best practice, for the following reasons:

• The employee may access internal data on his device. If he does so on the guest SSID, which is open and unencrypted, anyone nearby can capture that data with a simple traffic sniffer.

• Guests may get a poor WLAN experience when there is not enough bandwidth left for them, especially if IT has reserved only limited bandwidth for the guest uplink.

For these reasons (and maybe others) employees join the Employees SSID with their private devices. When they join they are assigned the role BYOD, which only allows the internet and the intended intranet resources. Employees may bring at most 2 private devices; some, like managers and marketing, may bring more.
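The role assignment described in the Employees, Developers, Technicians, Marketing and BYOD sections is, at bottom, a first-match rule list over user and device attributes with a default deny. The following Go program is an added example written for this page, not ClearPass or ArubaOS code; the attribute names, the AD group names, the VLAN numbers and the rule ordering are assumptions, and only the device limits and the per-role conditions come from the text.

```go
package main

import "fmt"

// AccessRequest holds the attributes the policy combines. Field names and
// group names are assumptions for this example, not ClearPass attributes
// or the company's real AD groups.
type AccessRequest struct {
	User        string
	MemberOf    []string // AD/LDAP group memberships
	SSID        string   // "Employees" or "Guest"
	MachineAuth bool     // domain-joined device authenticated itself
	AuthMethod  string   // "eap-tls" (certificate), "peap" (username/password), "none"
	PostureOK   bool     // AV running, firewall on, patches current ...
	MDMManaged  bool
	Jailbroken  bool
	Owner       string   // "corporate" or "private"
	Devices     int      // devices already registered to this user
}

// Decision is what the controller or switch enforces: the role (whose
// firewall rules and bandwidth contracts live on the controller) and a VLAN.
type Decision struct {
	Role   string
	VLAN   int
	Reason string
}

func hasGroup(groups []string, want string) bool {
	for _, g := range groups {
		if g == want {
			return true
		}
	}
	return false
}

// privateDeviceCap: 2 private devices by default, 3 for marketing and managers.
func privateDeviceCap(groups []string) int {
	if hasGroup(groups, "marketing") || hasGroup(groups, "managers") {
		return 3
	}
	return 2
}

func deny(reason string) Decision { return Decision{Role: "deny", Reason: reason} }

// Evaluate is a first-match rule list with a default deny. Rules run from
// most to least specific so a more privileged role never falls through to
// a weaker one by accident. Guest captive-portal login is not modelled.
func Evaluate(r AccessRequest) Decision {
	switch {
	case r.Jailbroken:
		return deny("jailbroken device")
	case r.SSID == "Guest" && (r.MDMManaged || r.Owner == "corporate"):
		return deny("corporate or MDM-managed devices may not use the Guest SSID")
	case r.AuthMethod != "eap-tls" && r.AuthMethod != "peap":
		return deny("no user authentication")
	case hasGroup(r.MemberOf, "developers") && r.Owner == "corporate":
		if !r.MachineAuth {
			return deny("developer notebook must pass machine authentication")
		}
		if !r.PostureOK {
			return Decision{"quarantine", 999, "posture check failed; remediate and reassess"}
		}
		return Decision{"Developer", 10, "machine + user authentication and posture ok"}
	case hasGroup(r.MemberOf, "technicians") && r.Owner == "corporate":
		if !r.MDMManaged || r.AuthMethod != "eap-tls" {
			return deny("technician tablet must be MDM-managed and use its certificate")
		}
		return Decision{"Technician", 20, "MDM-managed tablet with device certificate"}
	case hasGroup(r.MemberOf, "marketing"):
		if r.AuthMethod != "eap-tls" {
			return deny("marketing authenticates with a certificate")
		}
		if r.Devices >= privateDeviceCap(r.MemberOf) {
			return deny("device limit reached")
		}
		return Decision{"Marketing", 30, "certificate on any device, up to 3"}
	case r.Owner == "private":
		if r.AuthMethod != "eap-tls" {
			return deny("private devices must be onboarded with a certificate")
		}
		if r.Devices >= privateDeviceCap(r.MemberOf) {
			return deny("private device limit reached")
		}
		return Decision{"BYOD", 40, "internet plus selected intranet resources"}
	}
	return deny("no matching rule")
}

func main() {
	for _, r := range []AccessRequest{
		{User: "dana", MemberOf: []string{"developers"}, SSID: "Employees", MachineAuth: true, AuthMethod: "peap", PostureOK: false, Owner: "corporate"},
		{User: "tom", MemberOf: []string{"technicians"}, SSID: "Employees", AuthMethod: "eap-tls", MDMManaged: true, Owner: "corporate"},
		{User: "bob", MemberOf: []string{"staff"}, SSID: "Employees", AuthMethod: "eap-tls", Owner: "private", Devices: 2},
	} {
		d := Evaluate(r)
		fmt.Printf("%-5s -> %-10s vlan=%-3d %s\n", r.User, d.Role, d.VLAN, d.Reason)
	}
}
```

The ordering is the security-relevant part: the jailbreak and Guest-SSID checks run before any role can match, the quarantine decision is a distinct role rather than a denial so the captive-portal remediation page can be served, and a request that matches nothing is denied rather than dropped into a generic employee role.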

External Employees, Consultants and Trainees

These are persons who are not employees but work or train in the company for a certain period (from one day to several months). The question is how such persons can access network resources securely without creating much administrative burden for IT. IT cannot let them use the open guest SSID, because they need internal resources. IT also lacks the resources to create an AD account and handle the helpdesk tasks for each of them, and even if an account were created, how would the credentials reach such a person securely? Let's take the example of a trainee, Ali, who is to be trained for 3 months. IT has already defined a role Trainee with the appropriate VLAN and firewall rules. HR has processed Ali's application, so HR knows, among other things, his mobile number, his email and his supervisor. When Ali needs network access with his tablet he goes to the guest SSID and sees a web login in the captive portal, as illustrated in the figure below.

Ali clicks the link, a new page opens, and he fills in the fields.

Ali's name, mobile number and email are checked against the HR database. If they match, an email is sent to Ali's supervisor asking for approval; until the supervisor approves, Ali's account stays inactive. After approval Ali receives his credentials either on the same HTTPS web page (as seen below) or via SMS. In both cases Ali uses these credentials not on the Guest SSID but on the Employees SSID, where he is given the role Trainee. Ali's account expires after 3 months, the period recorded in the HR database.

Note that IT was not involved in creating or enabling the account, yet the account generation is secure and simple. If the user forgets his password he can reset it himself in the guest portal.

Employees Access

As we have seen, the Employees SSID is used by all employees, by employees' private devices, and by externals, consultants and trainees. One SSID, but different roles, VLANs, firewall rules and bandwidth contracts according to the job function of the employee and the device used. Why design it this way rather than create a separate SSID for each task, one for BYOD, one for trainees, one for employees, and so on? There are several good reasons:

• Saving airtime: WLAN is a half-duplex medium; only one radio on a channel (AP or client) can transmit at a time. All SSIDs transmitted by the same AP share the same channel, and every SSID generates its own overhead in the air (beacon frames, for instance). The more SSIDs, the larger the overhead, and that wasted time is stolen from the clients. This means less bandwidth and more jitter for VoWLAN. It is considered best practice in WLAN design to create as few SSIDs as possible.

• Simplicity: the administrator maintains only one SSID, and the helpdesk knows it only has to deal with one.

As we will see later, the Employees SSID can also be used for VoWLAN and UCC (Unified Communication and Collaboration) software such as MS Lync (Skype for Business).

Guest Access

To allow visitors and guests to use the WLAN while on premises, an open Guest SSID is configured. As in the example of Ali the trainee, a guest account must be generated without administrative cost; in addition, account generation should be secure, auditable and resistant to misuse. The guest creates an account himself and has to specify which department he is visiting. After selecting a department and filling in the other fields, an email is sent to a distribution list or a specific person in that department, who has to approve the request.

After approval the guest receives his credentials via SMS. The guest's identity is established in two ways, through his email/SMS and through the internal approval, and both actions are logged. No administrative effort was needed. To prevent excessive WLAN usage after login, a guest may use 500 MB within 24 hours; once this limit is reached the bandwidth to the internet is reduced to 256 kbps. Employees are not allowed to use the Guest SSID: any device that has previously joined the Employees SSID, or is managed by the MDM, is rejected when it tries to join the Guest SSID.

Barcode Scanner Access

Most barcode scanners cannot do 802.1X to log in with a username/password or a certificate. To enable secure WLAN usage a PSK SSID should be used wherever such scanners are needed; let's call this SSID Scanners. An SSID using a PSK has some security concerns:

• Key management: the shared key or passphrase is a common secret shared by every device that joins the SSID. IT has to change the key every time an employee leaves the company or a device is lost; otherwise there is a risk of unauthorised access to the SSID.

• Sniffing: anyone who knows the key (legitimately or not) can decrypt and sniff all WLAN traffic on the SSID, because every device derives its session key from the same passphrase.

• Key capture: the shared key or passphrase can be obtained in many ways, including social engineering and dictionary or brute-force attacks. An attacker only needs to capture one 4-way handshake, which he can do passively, and can then try millions of candidate passphrases offline for days or weeks; such an attack produces no failed logins on the infrastructure and will most likely go unnoticed.

One cannot eliminate all the security risks of a PSK SSID, but Aruba lets you reduce them to an acceptable level:

• As this SSID is used only by scanners, only whitelisted scanners are allowed to join it. MAC authentication is done for the device against an inventory database or a static MAC list, so a scanner must both know the key and have its MAC whitelisted.

• Scanners usually talk to one specific server over one specific service. After a scanner joins the SSID it gets a role that allows exactly that, nothing more and nothing less.

• An alert is generated via email/SMS to the administrators when a wrong key is repeatedly presented within a short time. Note that this only catches online guessing against the AP; the offline attack on a captured handshake produces no failed attempts, so the passphrase itself must be long and random, and must be rotated whenever a scanner goes missing. A MAC whitelist raises the bar but is not authentication, since a MAC address can be copied from any captured frame, which is why the scanner role must be as narrow as described above.
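To show what the alert in the last bullet has to work with, here is an added example (written for this page, not Aruba's own tooling) that scans constructed controller log lines for two conditions: an association from a MAC that is not in the scanner inventory, and repeated failed 4-way handshakes from one client inside a short sliding window. The key=value log layout, the event names and the MAC addresses are invented for the example; a real deployment would feed the controller's syslog through the same logic.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample; the key=value layout and event names are assumptions.
const sampleLog = `2016-03-01T08:00:10Z ap=AP-W2 ssid=Scanners mac=de:ad:be:ef:00:01 event=assoc
2016-03-01T08:00:11Z ap=AP-W2 ssid=Scanners mac=de:ad:be:ef:00:01 event=4way-fail
2016-03-01T08:00:14Z ap=AP-W2 ssid=Scanners mac=de:ad:be:ef:00:01 event=4way-fail
2016-03-01T08:00:18Z ap=AP-W2 ssid=Scanners mac=de:ad:be:ef:00:01 event=4way-fail
2016-03-01T08:00:21Z ap=AP-W2 ssid=Scanners mac=de:ad:be:ef:00:01 event=4way-fail
2016-03-01T08:30:00Z ap=AP-W2 ssid=Scanners mac=00:0c:29:aa:bb:02 event=4way-fail
2016-03-01T08:45:00Z ap=AP-W2 ssid=Scanners mac=00:0c:29:aa:bb:02 event=4way-fail`

type event struct {
	at        time.Time
	mac, kind string
}

// parseLine extracts timestamp, client MAC and event name; other fields are ignored.
func parseLine(line string) (event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return event{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return event{}, false
	}
	e := event{at: at}
	for _, f := range fields[1:] {
		if kv := strings.SplitN(f, "=", 2); len(kv) == 2 {
			switch kv[0] {
			case "mac":
				e.mac = strings.ToLower(kv[1])
			case "event":
				e.kind = kv[1]
			}
		}
	}
	return e, e.mac != "" && e.kind != ""
}

type Detector struct {
	allowed   map[string]bool // scanner inventory, lower-case MACs
	window    time.Duration
	threshold int
	fails     map[string][]time.Time // per client: failures still inside the window
}

// Process scans log lines in order and raises at most one alert per MAC and
// condition: an association from outside the inventory, or `threshold` failed
// 4-way handshakes within `window` (a mistyped passphrase, or online guessing).
func (d *Detector) Process(lines []string) []string {
	var alerts []string
	raised := map[string]bool{}
	for _, line := range lines {
		e, ok := parseLine(line)
		if !ok {
			continue
		}
		if e.kind == "assoc" && !d.allowed[e.mac] && !raised["mac:"+e.mac] {
			raised["mac:"+e.mac] = true
			alerts = append(alerts, fmt.Sprintf("%s %s is not in the scanner inventory: MAC authentication rejected", e.at.Format(time.RFC3339), e.mac))
		}
		if e.kind != "4way-fail" {
			continue
		}
		recent := d.fails[e.mac][:0] // drop failures that left the window, then add this one
		for _, t := range d.fails[e.mac] {
			if e.at.Sub(t) <= d.window {
				recent = append(recent, t)
			}
		}
		recent = append(recent, e.at)
		d.fails[e.mac] = recent
		if len(recent) >= d.threshold && !raised["psk:"+e.mac] {
			raised["psk:"+e.mac] = true
			alerts = append(alerts, fmt.Sprintf("%s %d failed handshakes from %s within %s: possible PSK guessing", e.at.Format(time.RFC3339), len(recent), e.mac, d.window))
		}
	}
	return alerts
}

// Run feeds the constructed log through a detector tuned to 4 failures in 60 s.
func Run() []string {
	d := &Detector{allowed: map[string]bool{"00:0c:29:aa:bb:01": true, "00:0c:29:aa:bb:02": true},
		window: time.Minute, threshold: 4, fails: map[string][]time.Time{}}
	return d.Process(strings.Split(sampleLog, "\n"))
}

func main() {
	for _, a := range Run() {
		fmt.Println(a)
	}
}
```

The two failures from 00:0c:29:aa:bb:02 are fifteen minutes apart and produce nothing, which is the point of the window: a scanner with a mistyped passphrase should not page anyone, a burst of failures from one MAC should. The detector is blind to an offline attack on a captured handshake, which is why it complements rather than replaces a strong passphrase.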

Mobility by Location

The company is not only spread across several locations; mobility is also required in several other situations. We discuss three of them: indoor, home office and on the road.

Indoor

By indoor we mean inside office buildings, warehouses and depots. The WLAN is capable of completely replacing the LAN in all aspects.

Connectivity

WLAN connectivity has existed since the 90s, but communication was never as reliable and fast as it is today with the new standard 802.11ac, which allows a single client to reach a TCP throughput of almost 1 Gbps under ideal conditions. The WLAN can carry large amounts of data quickly and securely. The Employees SSID can treat all applications and employees equally, or, better, prioritise traffic by the type of application sent over the air and by job function. For instance a Citrix session should be prioritised over email traffic, and the CIO or other C-level employees over other employees.

Voice over WLAN

Voice performance over WLAN has been enhanced to a large extent by new standards, the most important of them Wireless Multimedia (WMM). With WMM, voice and video traffic is given priority over other kinds of traffic. If the WLAN infrastructure, the client hardware and the VoWLAN application are all WMM capable, voice performance improves a lot. For classic VoWLAN (SIP and RTP) this would be enough, but complex Unified Communication and Collaboration (UCC) applications like Lync or Skype for Business need more. When two clients make a voice call they set up a peer-to-peer session and a dynamic port is used for the communication between them; the communication between the clients, and with the Lync server, is encrypted. The intelligence needed is to distinguish the different types of communication (voice, video, chat and file transfer) and to apply the appropriate prioritisation; the wrong prioritisation would have undesired consequences. The Aruba controller has the intelligence to dynamically open the ports for a peer-to-peer session, detect the type of communication and apply the correct prioritisation.

After the call ends a report about the call is generated that helps with evaluation, reporting and troubleshooting. The Employees SSID can be used for VoWLAN and Lync communication. An employee can use his tablet or smartphone for voice and video calls with excellent quality, and the IT administrator receives periodic reports on VoWLAN quality and gets tools for easy and fast troubleshooting.

Interaction with Zero-configuration Networking

Zero-configuration Networking, or Zeroconf, is a set of protocols that enable service discovery, address assignment and name resolution for desktop computers, mobile devices and network services. Bonjour, Apple's trade name for its Zeroconf implementation, is the most common example: with it one can share the screen of an iPhone, iPad or MacBook to an AppleTV using AirPlay and view it on a TV or projector, or automatically discover AirPrint-capable printers and print wirelessly. Zeroconf is designed for flat, single-subnet IP networks such as a home WLAN. It relies on multicast for discovery, so these services are not available when the Bonjour-capable device is in one VLAN and the clients are in another, which is most likely the case in an enterprise. Aruba has developed a technology called AirGroup to solve this problem: the controller acts as a multicast proxy and forwards the multicast packets as unicast to the clients allowed to use the service. Let's take two scenarios.

The company has several AirPrint-capable printers; some are accessible to all employees, others are in protected areas, and a few are in offices. All these printers are (for simplicity) in a single VLAN X. There are different types of employees working with iPads on the Employees SSID, each in a certain VLAN according to the assigned role. Now an employee wishes to print something. The last thing we want is to list all available printers and let him choose one; we also want printing handled securely, so that printed documents are not picked up by the wrong persons. So if the CFO wants to print, only the printer in his office is shown; a developer sees only the printer in his department; a regular employee sees only the public printer on his floor or in his department. From a private smartphone, only the black-and-white printer is visible.

In the second scenario, AppleTVs are connected to the projectors in all meeting rooms, and employees have access to them by default. If an employee is in a meeting room, AirGroup lists only the AppleTV in that room for him (regardless of his VLAN). But sometimes this AppleTV needs to be shared with a guest who has to show a presentation. In the same guest registration process in which the sponsor approves the guest's use of the Guest SSID, the sponsor can additionally indicate whether the guest may use the AppleTV. If allowed, the guest stays in the guest VLAN and can still share his screen; another guest in the same VLAN who is not allowed to will not even see the AppleTV.

Home Office

The company has a work-life balance concept that lets employees work from home. For the employee's device(s) it should be irrelevant whether the network is accessed on premises or elsewhere: the employee should reach whatever information he needs and make VoIP calls as if he were on the company network. Aruba provides Remote Access Points (RAPs) for exactly that; an AP-205H is shown below. A RAP builds an IPsec VPN tunnel to the WLAN controller and broadcasts the SSID(s). Traffic to the intranet is tunnelled, while internet traffic may be bridged locally. A RAP has several network ports; the AP-205H in the figure, for instance, has 4, one of which can provide PoE to other devices. The employee plugs the RAP into his DSL modem, the RAP builds the VPN tunnel and the Employees SSID is broadcast. The employee gets the same rights and roles as if he were sitting in the company. The network ports can also be used to plug in other devices and tunnel them to the company: a VoIP telephone or a printer plugged into the RAP gets an internal IP address and becomes part of the intranet. Taking the example of the previous section, in which the CFO's print requests go to the printer in his office: when the CFO works from home, they are forwarded to the printer at home.

On the road

The company needs a mobility solution for employees who travel a lot or work at customer sites and need a secure connection back to the intranet. The classical solution is based on VPN clients: software installed on the client device that builds a tunnel to the company as soon as it has an uplink. VPN clients are not optimal, especially if the company has a BYOD or CYOD policy, for the following reasons:

• A client has to be installed on every device: who installs it, who configures it, and what if the user doesn't have admin privileges on the device?

• The software needs maintenance: who supports the users, who upgrades the clients?

The cost of VPN clients is not only hardware, software and licences; it is the many hours taken from the IT department to maintain and support them. It is also neither handy nor flexible. Aruba's alternative is based on the RAP we saw above, this time with a 3G/LTE stick plugged into the USB port to provide the uplink, and again the Employees SSID is transmitted. The employee connects to this encrypted SSID from any device, authenticates with a username/password or certificate, and gets the role appropriate to his job function and the device used. Traffic to the company is encrypted inside the IPsec tunnel; internet traffic can be bridged locally.

Mobility & Security

How can we offer mobility in the scenarios above and still make sure the company is not made vulnerable? Security for mobility can be divided into two categories: access security and WLAN infrastructure security.

Access Security with ClearPass

With access security we mean giving access to legitimate persons and devices with the correct amount of privilege. Aruba provides software called ClearPass. With ClearPass an access policy can be created from a combination of:

• The user and his attributes in AD/LDAP

• The device used: manufacturer, type, managed by the MDM, fulfilment of the security policy, ...

• The location: site X or Y, meeting room, home office, ...

• Time and day

• Type of access: WLAN or LAN

ClearPass can use the knowledge the company already has about employees, devices, guests and so on by connecting to AD/LDAP or to any SQL database. As we saw in the example of Ali the trainee, ClearPass connected to the HR database to obtain his email, telephone number, start and end dates and supervisor's name. All this information, possibly from several sources, can be used to build the access policy. Once a policy matches, ClearPass sends the controller or switch a role to place the user into, and the controller or switch enforces it with firewall rules or placement in a particular VLAN.

Access for BYOD

ClearPass can also be used to ease access for smartphones, tablets and notebooks. The goal is to issue a certificate for every device and use that certificate for authentication; the administrator never has to touch these devices or install an application on them. Let's go through the process when an employee wants to bring his private iPhone onto the Employees SSID:

1. As the SSID is encrypted, the employee enters his username/password. ClearPass notices that this is a new device without a certificate and initiates the onboarding process.

2. But before that, ClearPass checks its policy to see whether this employee (OU, attributes, memberOf) and his device are allowed onto the network at all.

3. The device associates to the WLAN and gets an IP address, but is put into a role that only allows it to communicate with ClearPass to complete the onboarding.

4. When the user opens any HTTP or HTTPS page in a browser, the request is redirected to a captive portal that looks like the picture below.

5. The employee enters his username/password.

6. If the credentials are correct he has to install the ClearPass certificate (the CA certificate the device will trust).

7. After that, a profile containing the device certificate is installed. Once installed, the iPhone possesses a certificate that is used for authentication.

ClearPass acts as a Certificate Authority (CA) and issues the device certificates. If the company already has a PKI, ClearPass can be integrated with it.
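The issuance described above can be illustrated with standard X.509 machinery. The following Go program is an added example and not ClearPass Onboard code: it creates an onboarding CA, issues a client-authentication certificate bound to a user and a device identifier with a lifetime chosen by role (one week for a consultant, three years for an employee, as in the text), verifies it the way a RADIUS server would for EAP-TLS, and rejects it after expiry or revocation. The subject layout, the 90-day default lifetime and the in-memory revocation set are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// OnboardCA stands in for the onboarding CA; the in-memory revoked set plays
// the part of the CRL/OCSP responder the RADIUS server would consult.
type OnboardCA struct {
	key     *ecdsa.PrivateKey
	cert    *x509.Certificate
	revoked map[string]bool // serial numbers of revoked certificates
	nextSN  int64
}

// NewDeviceKey is generated on the device; only the public half reaches the CA.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// parse turns CreateCertificate's (der, err) pair into a parsed certificate.
func parse(der []byte, err error) (*x509.Certificate, error) {
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewOnboardCA() (*OnboardCA, error) {
	key, err := NewDeviceKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Onboard Device CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := parse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	if err != nil {
		return nil, err
	}
	return &OnboardCA{key: key, cert: cert, revoked: map[string]bool{}, nextSN: 2}, nil
}

// Issue binds user and device into the subject (CN = user, serialNumber attribute = device, OU = role).
func (ca *OnboardCA) Issue(user, deviceID, role string, devPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	ttl := 90 * 24 * time.Hour // default for roles the text does not mention (an assumption)
	switch role {
	case "consultant":
		ttl = 7 * 24 * time.Hour
	case "employee":
		ttl = 3 * 365 * 24 * time.Hour
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.nextSN),
		Subject:      pkix.Name{CommonName: user, SerialNumber: deviceID, OrganizationalUnit: []string{role}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	ca.nextSN++
	return parse(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, devPub, ca.key))
}

// Revoke is what happens when the device is lost or the user leaves.
func (ca *OnboardCA) Revoke(c *x509.Certificate) { ca.revoked[c.SerialNumber.String()] = true }

// Authorize is the EAP-TLS server side: revocation, chain, client-auth EKU, validity at `now`.
func (ca *OnboardCA) Authorize(c *x509.Certificate, now time.Time) (string, error) {
	if ca.revoked[c.SerialNumber.String()] {
		return "", fmt.Errorf("certificate %s of %s is revoked", c.SerialNumber, c.Subject.CommonName)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return "", err
	}
	if len(c.Subject.OrganizationalUnit) == 0 {
		return "", fmt.Errorf("certificate carries no role")
	}
	return c.Subject.OrganizationalUnit[0], nil
}

func main() {
	ca, _ := NewOnboardCA()
	key, _ := NewDeviceKey()
	c, _ := ca.Issue("ali", "ipad-0042", "consultant", &key.PublicKey)
	fmt.Println(ca.Authorize(c, time.Now()))
}
```

Two design points carry over to a real deployment: the device generates its own key pair so the CA never holds a private key it could leak, and the lifetime is a property of the role rather than of the request, so a consultant cannot ask for a three-year certificate. Revocation must be checked by the RADIUS server on every authentication, or a lost device keeps working until its certificate expires.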

The certificate is bound to a user and his device and can be revoked at any time. The certificate lifetime can also be set according to the user's role: a consultant gets a certificate for one week, an employee for 3 years, for instance. The IT department is not involved in provisioning the device.

Securing the Access to the LAN

Access to the LAN must not be neglected. What happens if someone plugs his notebook into a patched Ethernet port, or unplugs the printer's cable and plugs his notebook in instead? Most probably that (malicious) user gets a link and an IP address and is inside the internal network. ClearPass can secure access on the LAN as it does for the WLAN; the keyword is 802.1X authentication. The client authenticates with 802.1X, either with username/password or with a certificate, and after success is placed in the appropriate role/VLAN according to the ClearPass policy. If the plugged-in device is not 802.1X capable, such as a printer, ClearPass can profile the device (based on MAC address and DHCP fingerprint); if it is a printer, it bypasses 802.1X and is put in a role that allows printing and nothing else. Because a MAC address is trivially spoofed, that printer role is the only thing standing between an attacker who cloned the printer's MAC and the network, so it must be kept that narrow. If a guest needs to use an Ethernet port, he obviously can't do 802.1X, so ClearPass redirects him to web authentication on the guest captive portal (just as if he were authenticating on the Guest SSID). In other words the switch assigns the VLAN/role dynamically based on the user or device plugged into the port. Static VLAN assignment per port is no longer necessary, IT no longer loses time patching and configuring ports, and access to the network is more secure.

Securing the WLAN Infrastructure

A WLAN security policy should be in place to make sure that the WLAN is available when needed and secure when used. The company's security policy may include all or some of the following elements:

• Rogue Access Points: employees are prohibited from plugging unauthorized APs into the network. Any AP plugged into the network without authorization should be detected immediately and removed from the network.

  o The WLAN infrastructure will detect the rogue AP, can prohibit any clients from connecting to it, notify the administrator, generate a ticket and locate the AP. Note that if LAN security is implemented with 802.1X as described in the previous section, an AP cannot be plugged into the network in the first place.

• The detection of Denial of Service (DoS) attacks.

• Prohibit masquerading attacks: this happens when someone broadcasts the same SSID as the company's (mostly used with open SSIDs). The attacker can see the whole client traffic and act as a Man-in-the-Middle; this opens a wide door for many attacks.

• Employees are not allowed to connect to neighboring open SSIDs. This can cause data loss.

  o Aruba will not allow a device that has successfully authenticated to an encrypted SSID to connect to a foreign open SSID.

• Disallow bridging between WLAN and LAN.

  o Aruba will recognize any such attempt and will prohibit the client from using the WLAN.

• Disallow hotspots: employees are not allowed to turn on the hotspot functionality on their smartphones.

  o Aruba will initiate a ticket or alert the administrator if a hotspot is detected.


The job of an AP is to provide Wi-Fi service for clients; an AP scans other channels for 110 ms every 10 seconds (1% of the time). During this scan the AP might detect rogue APs and WLAN attacks on other channels. If a rogue AP is detected on another channel, the AP cannot prevent clients from connecting to that AP and at the same time serve its own clients efficiently. For better security Aruba recommends:

• The usage of Air Monitors (AM): these are APs that don't serve any clients but scan the air all the time. They can detect attacks very early and react more efficiently.

• The usage of Spectrum Monitors (SM): like AMs, these APs don't serve any clients, but they scan the frequency spectrum. They are not tuned to Wi-Fi (802.11); they observe all frequencies in the 2.4 and 5 GHz bands. Because 802.11 uses unlicensed frequencies, other devices and protocols may use them as well, and an attacker may use a frequency jammer to jam some or all of them. With SMs, non-Wi-Fi interference and deliberate Layer 1 DoS attacks can be detected.
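The rogue-AP and masquerading items of the policy list above, applied to what an AP or Air Monitor sees during its off-channel scan, as an added example (illustrative code, not from the document or from Aruba). It classifies each beacon frame heard into "valid" (our own BSSID), "masquerade" (an unknown BSSID advertising one of the corporate SSIDs), "rogue" (an unknown AP that is also attached to the corporate LAN) or "interfering" (a neighbour). The BSSIDs, SSIDs and the set of MACs "seen on the wire" are constructed; that set is a simplified stand-in for however the real infrastructure decides that an unknown AP sits on the corporate LAN.

```python
"""Added example, not code from the document or from Aruba: classify beacons
heard during an off-channel scan according to the WLAN security policy."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

CORPORATE_SSIDS: Set[str] = {"Employees", "Guest"}                         # constructed
AUTHORIZED_BSSIDS: Set[str] = {"00:0b:86:aa:00:01", "00:0b:86:aa:00:02"}  # constructed


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    encrypted: bool


@dataclass(frozen=True)
class Alert:
    bssid: str
    kind: str      # "masquerade", "rogue" or "interfering"
    severity: str  # "critical", "high" or "info"
    reason: str


def classify(b: Beacon, seen_on_lan: Set[str]) -> Optional[Alert]:
    """Return an Alert for a foreign AP, or None for one of our own APs."""
    if b.bssid in AUTHORIZED_BSSIDS:
        return None
    if b.ssid in CORPORATE_SSIDS:
        # Same SSID as ours from a BSSID we do not own: clients may be lured to it.
        how = "open" if not b.encrypted else "encrypted"
        return Alert(b.bssid, "masquerade", "critical",
                     f"unknown BSSID advertising corporate SSID {b.ssid!r} "
                     f"({how}) on channel {b.channel}")
    if b.bssid in seen_on_lan:
        # Unknown AP whose MAC is also seen on the corporate LAN: a rogue AP.
        return Alert(b.bssid, "rogue", "high", "unknown AP attached to the corporate LAN")
    return Alert(b.bssid, "interfering", "info", "neighbour AP, not on our network")


def scan_report(beacons: Iterable[Beacon], seen_on_lan: Set[str]) -> List[Alert]:
    """Alerts for one scan, most severe first (sort is stable within a severity)."""
    alerts = [a for a in (classify(b, seen_on_lan) for b in beacons) if a is not None]
    order = {"critical": 0, "high": 1, "info": 2}
    return sorted(alerts, key=lambda a: order[a.severity])


# Constructed sample scan: our AP, an evil twin, a coffee shop, and a rogue on the LAN
SAMPLE_SCAN = [
    Beacon("00:0b:86:aa:00:01", "Employees", 36, True),
    Beacon("02:aa:bb:cc:dd:01", "Employees", 6, False),
    Beacon("02:aa:bb:cc:dd:02", "CoffeeShop", 11, False),
    Beacon("02:aa:bb:cc:dd:03", "HomeWifi", 1, True),
]
SAMPLE_SEEN_ON_LAN = {"02:aa:bb:cc:dd:03"}

if __name__ == "__main__":
    for alert in scan_report(SAMPLE_SCAN, SAMPLE_SEEN_ON_LAN):
        print(alert.severity.upper(), alert.kind, alert.bssid, alert.reason)
```

The ordering matters operationally: a masquerading SSID threatens clients right now and warrants containment and a ticket, a rogue on the wire is a LAN breach (one that 802.1X on the ports would have prevented), and a neighbour is only noise to record.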


Having Control with AirWave

Everyone who has worked with WLAN knows how difficult and complex it can be to troubleshoot a client issue. Problems can range from wrong authentication, failure to get a DHCP lease, bad coverage, a noisy channel, an overloaded AP, an application issue, a client driver ... To solve the problem you have to see the big picture, that is all components that might influence a client's performance: to name a few, controller, switch, AP, the medium, the client's SNR, retransmission rate, errors etc. Not to forget that IT human resources are limited. Aruba provides AirWave as WLAN management software. AirWave can not only manage the WLAN infrastructure of Aruba and other vendors, it is also a monitoring, alerting, reporting and troubleshooting tool. AirWave gives the administrator the ability to track down problems quickly and simply. For instance, the figure below shows end-to-end monitoring for a specific client, including the medium, AP, switch and controller.

AirWave saves client logs for up to 550 days, which gives a very good look back into the history when the administrator wants to know what the WLAN performance was for a specific device, a whole building, a location or the whole network. Triggers can be defined for any event in the WLAN infrastructure, such as a rogue AP detected, channel utilization above 80%, client error rate below 50%, etc. AirWave is the tool to visualize the WLAN: it shows heatmaps, client distribution, channel utilization and much more. The figure below shows the heatmap and the client distribution on a floor.


Aruba Location Services

The company developed an App for tablets and smartphones; this App allows users to do:

• Indoor navigation: to find and navigate to a specific point of interest within the company, like meeting room x, the office of Mr. Smith, article y in the warehouse ...

• Push notifications: a general or personalized notification sent to users who enter or leave a specific area. For instance, when a customer visits the company, a welcome message is sent and assistance is provided to navigate him to his contact person.

These location services are based on Bluetooth Low Energy (BLE) and not on WLAN. BLE provides a more accurate location calculation (1-3 m) and allows interaction with mobile devices. The solution consists of:

• Aruba Beacons: small, low-power wireless transmitters that broadcast 2.4 GHz radio signals at regular intervals. They come in two physical formats: USB Beacons, to be plugged into any USB port, and Battery-Powered Beacons, which can be placed anywhere within a venue (the battery lasts 18-24 months).

• Meridian Platform: a cloud-hosted platform that interacts with the App to provide information such as maps, the location of the beacons on the map, when to trigger the push notifications, etc.

• App for the mobile device: the App can be created easily in the Meridian platform. If the company decides to create its own App, the programmers can interact with Meridian using the SDK.

How does it work?

When a user wishes to navigate to a certain place, he opens the App and has Bluetooth enabled on his smartphone. Using Bluetooth, the App senses nearby Aruba Beacons. These beacons only transmit their ID at short, regular intervals, so they do not interact with the client. The App then sends Meridian the IDs of the beacons it hears and requests from Meridian the portion of the map where these beacons are, together with the exact location of those beacons on the map. Having this, the App can localize itself using triangulation (at least 3 beacons must be seen), and a blue dot appears on the map. Compared with GPS and Google Maps, the beacons would be the satellites, the App would be the Google Maps App and Meridian would be the Google cloud or datacenter where the maps are stored.
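The localization step described above, carried through in code as an added example (illustrative, not the Meridian SDK or any Aruba code). The App hears beacon IDs with a signal strength, converts each RSSI into a distance estimate with a log-distance path-loss model, and solves a least-squares trilateration against the beacon positions the platform returned for the map. The beacon map, the 1 m reference RSSI and the path-loss exponent are constructed assumptions; the "at least 3 beacons" rule from the text is enforced, and a collinear set of beacons (which gives no unique fix) is rejected.

```python
"""Added example, not code from the document or from Aruba/Meridian: RSSI-based
trilateration of a phone against beacons whose map positions are known."""
import math
from typing import Dict, List, Tuple

Point = Tuple[float, float]

# Constructed beacon map (beacon ID -> (x, y) in metres), as the platform would return it
BEACON_MAP: Dict[str, Point] = {
    "beacon-A": (0.0, 0.0),
    "beacon-B": (10.0, 0.0),
    "beacon-C": (0.0, 8.0),
    "beacon-D": (10.0, 8.0),
}

# Assumed log-distance path-loss parameters: RSSI at 1 m and environment exponent
RSSI_AT_1M = -59.0
PATH_LOSS_EXPONENT = 2.0


def rssi_to_distance(rssi: float) -> float:
    """Log-distance path-loss model: d = 10 ** ((P0 - RSSI) / (10 n))."""
    return 10 ** ((RSSI_AT_1M - rssi) / (10 * PATH_LOSS_EXPONENT))


def distance_to_rssi(d: float) -> float:
    """Inverse of rssi_to_distance, used here only to construct sample readings."""
    return RSSI_AT_1M - 10 * PATH_LOSS_EXPONENT * math.log10(d)


def trilaterate(anchors: List[Point], distances: List[float]) -> Point:
    """Least-squares 2D position from >= 3 anchors and range estimates.

    Subtracting the first circle equation from the others linearizes the system:
    2(xi-x1) x + 2(yi-y1) y = d1^2 - di^2 + xi^2 - x1^2 + yi^2 - y1^2, which is
    then solved via the 2x2 normal equations.
    """
    if len(anchors) < 3 or len(anchors) != len(distances):
        raise ValueError("at least 3 beacons with distances are required")
    (x1, y1), d1 = anchors[0], distances[0]
    rows = []
    for (xi, yi), di in zip(anchors[1:], distances[1:]):
        a, b = 2 * (xi - x1), 2 * (yi - y1)
        c = d1 * d1 - di * di + xi * xi - x1 * x1 + yi * yi - y1 * y1
        rows.append((a, b, c))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("beacons are collinear; no unique position")
    x = (sac * sbb - sab * sbc) / det
    y = (saa * sbc - sab * sac) / det
    return (x, y)


def beacons_in_view(heard: Dict[str, float], beacon_map: Dict[str, Point] = BEACON_MAP) -> int:
    """How many of the heard beacon IDs are on the map (unknown IDs are ignored)."""
    return sum(1 for bid in heard if bid in beacon_map)


def locate(heard: Dict[str, float], beacon_map: Dict[str, Point] = BEACON_MAP) -> Point:
    """Position the phone from {beacon_id: rssi_dbm} readings."""
    known = [(bid, rssi) for bid, rssi in heard.items() if bid in beacon_map]
    anchors = [beacon_map[bid] for bid, _ in known]
    ranges = [rssi_to_distance(rssi) for _, rssi in known]
    return trilaterate(anchors, ranges)


if __name__ == "__main__":
    # Constructed readings for a phone standing at (3, 4) m, plus an unmapped beacon
    truth = (3.0, 4.0)
    sample = {bid: distance_to_rssi(math.dist(truth, pos)) for bid, pos in BEACON_MAP.items()}
    sample["someone-elses-beacon"] = -70.0
    print("beacons in view:", beacons_in_view(sample), "fix:", locate(sample))
```

Real RSSI readings are noisy, which is why the solver accepts more than three beacons and fits them in the least-squares sense; it is also why the text quotes 1-3 m rather than a point. Beacon IDs received over the air are treated purely as map lookup keys here, so an unknown ID simply drops out of the fix.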


Beacon Management

The Aruba Beacon solution does not need any IT infrastructure to work. However, when an Aruba WLAN infrastructure is in place, the management and monitoring of beacons can be done through it. A USB beacon is plugged into an Aruba AP, or an AP with a built-in beacon is used. This AP is then capable of monitoring and managing all nearby beacons. The figure below illustrates the process of beacon management with Aruba Wi-Fi.


Mobility Solution System Design

Based on the company's requirements described throughout the document, a design for the mobility infrastructure is provided in the figure below:

The headquarters, in which the datacenter is located, contains 2 redundant campus controllers. APs in the HQ are terminated on these controllers, and the controllers at other locations are managed through them. The HQ also contains an AirWave instance to monitor the whole mobility infrastructure. ClearPass also runs in the HQ to provide secure network access for all devices and to provide access for guest users. The company offers wayfinding in the HQ, so Aruba Beacons are installed there and managed through the Aruba WLAN infrastructure. The company has several branch offices. We assume there are no IT administrators in these locations, so the branch controller is configured with zero touch provisioning (ZTP) to find the campus (master) controller and download its configuration dynamically. In both the HQ and the branch offices the Employees and Guest SSIDs are broadcast. Internet traffic is bridged locally while all other traffic is tunneled to the HQ. A warehouse is similar to a branch office, but an additional PSK SSID is transmitted for the hand scanners. Aruba Beacons are also used there to navigate persons or pallet transporters to a specific stored product or article.


Employees who work from home will have a RAP at home. They only need to plug the RAP into their DSL modem; the RAP builds an IPsec tunnel to the controller and broadcasts the Employees SSID. The Ethernet ports of the RAP are tunneled back to the HQ. Employees who are on the road or do field service get a RAP with an LTE stick. When the RAP boots, it uses LTE as its uplink and builds the VPN tunnel to the controller, and the Employees SSID is broadcast.