Copyright 2008 Aruba Networks, Inc. All rights reserved
Module 8: Remote Access Point
V1.0 8-08
Module Overview
Aruba Remote AP solution
Remote AP architectures
Remote AP configuration steps
Remote AP provisioning
Remote AP Capabilities
[Figure: home / nomadic office with a Remote AP behind a DSL router, reaching the corporate HQ Mobility Controller across the Internet; CORP, VOICE and GUEST VLANs, a DMZ behind the firewall/NAT, and guest traffic split-tunneled directly to Internet services]
Split Tunneling for Internet Traffic
Integrated User Access Control
Integrated Stateful Firewall
Standalone Operation
Remote AP Untrusted Transport
[Figure: Internet-connected branch office with a Remote AP behind a firewall/NAT, reaching the HQ Mobility Controller across the WAN / public Internet through an IPSec/NAT-T tunnel; control traffic and user traffic shown separately, with a local probe and GUEST, CORP, VOICE and DMZ VLANs]
AP Provisioning: Connect AP; Reprovision with IPSec parameters; Deploy to field
AP to Aruba Switch Security:
Diffie-Hellman Group 2 for IKE
3DES Encrypted IPSec
Remote AP Untrusted Transport
PAPI control protocol is secured with L2TP over IPsec
Able to traverse NAT devices by using IPsec NAT-T, which adds a UDP header (destination port 4500) in front of the ESP header
User data is normally already encrypted between the end station and the Aruba controller (the 802.11 encryption of a WPA/WPA2 SSID terminates at the controller in tunnel mode), so double-encrypting it inside IPsec adds unnecessary overhead. This holds only for encrypted SSIDs: traffic from an open SSID crosses the Internet in the clear unless double encryption is enabled.
Aruba offers an option to double-encrypt traffic, but this will impact performance.
Remote AP Configuration Steps
1. Configure a public IP address (or set up NAT in your firewall) for the Mobility Controller
2. Configure the VPN server on the controller; the remote AP will be a VPN client to the server
3. Configure the remote AP role
4. Configure the authentication server that will validate the username and password for the remote AP
5. Provision the AP with IPSec settings, including the username and password for the AP, before you install it at the remote location
NOTE: You must install one or more Remote AP licenses in the Mobility Controller.
Configure Public IP
Create a VLAN
Plan placement
On a DMZ interface (usually)
NAT'd through your corporate firewall
Configure the controller's IP address and ports
For the IPsec tunnel, the controller needs a public address (or a static NAT mapping) reachable from the remote AP
Permit inbound to that address: ESP (IP protocol 50), or for NAT-T, UDP port 4500; the IKE negotiation itself uses UDP port 500 before NAT-T moves it to 4500
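The transport described on the two preceding slides (ESP as IP protocol 50, IKE on UDP 500, and NAT-T on UDP 4500 with its extra UDP header in front of ESP) can be checked at the firewall by decoding what actually arrives at the controller's public address. The following is an added example, not Aruba code or part of the original module: a small decoder for those framings per RFC 4303 (ESP), the common ISAKMP header of IKEv1/IKEv2, and RFC 3948 (UDP encapsulation), where a 4-byte all-zero non-ESP marker distinguishes IKE from UDP-encapsulated ESP and a single 0xFF byte is a NAT keepalive. The sample packets, the addresses 203.0.113.10 (RAP) and 198.51.100.5 (controller), and the SPI and message-ID values are constructed for the example; checksums are left at zero and are not verified.

```python
"""Classify IPsec-related IPv4 packets seen at the controller's public address."""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # ESP SPI 0 is reserved, so four zero bytes can never be ESP


def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) from an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:total_len]


def parse_udp(seg):
    """Return (sport, dport, data) from a UDP segment."""
    sport, dport, length = struct.unpack("!HHH", seg[:6])
    return sport, dport, seg[8:length]


def describe_ike(hdr):
    """Decode the 28-byte ISAKMP header shared by IKEv1 and IKEv2."""
    if len(hdr) < 28:
        raise ValueError("truncated ISAKMP header")
    _i_spi, _r_spi, _next, version, exch, _flags, msg_id, length = struct.unpack("!QQBBBBII", hdr[:28])
    return f"v{version >> 4}.{version & 0x0F} exchange={exch} msgid={msg_id} len={length}"


def classify_ipsec(pkt):
    """Label one packet as ESP, IKE, NAT-T IKE/ESP/keepalive, or not IPsec."""
    proto, _src, _dst, payload = parse_ipv4(pkt)
    if proto == IPPROTO_ESP:                       # firewall rule: permit ip protocol 50
        spi, seq = struct.unpack("!II", payload[:8])
        return f"ESP spi=0x{spi:08x} seq={seq}"
    if proto != IPPROTO_UDP:
        return "not IPsec"
    _sport, dport, data = parse_udp(payload)
    if dport == IKE_PORT:                          # firewall rule: permit udp 500
        return "IKE " + describe_ike(data)
    if dport == NATT_PORT:                         # firewall rule: permit udp 4500
        if data == b"\xff":
            return "NAT-T keepalive"
        if data[:4] == NON_ESP_MARKER:
            return "NAT-T IKE " + describe_ike(data[4:])
        if len(data) < 8:
            raise ValueError("truncated UDP-encapsulated ESP")
        spi, seq = struct.unpack("!II", data[:8])  # ESP header follows the UDP header directly
        return f"NAT-T ESP spi=0x{spi:08x} seq={seq}"
    return "not IPsec"


# --- constructed sample packets: RAP at 203.0.113.10, controller at 198.51.100.5 ---

def _addr(s):
    return bytes(int(o) for o in s.split("."))


def _ip(proto, src, dst, payload):
    # version/IHL 0x45, TTL 64, header checksum left at 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, _addr(src), _addr(dst))
    return hdr + payload


def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _isakmp(i_spi, r_spi, exch, flags, msg_id):
    # next payload 1 (SA), version 0x10 = IKEv1, header only (length 28)
    return struct.pack("!QQBBBBII", i_spi, r_spi, 1, 0x10, exch, flags, msg_id, 28)


RAP, CTRL = "203.0.113.10", "198.51.100.5"
SAMPLES = {
    "ike_main_mode": _ip(IPPROTO_UDP, RAP, CTRL, _udp(500, 500, _isakmp(0x1122334455667788, 0, 2, 0, 0))),
    "natt_ike_quick": _ip(IPPROTO_UDP, RAP, CTRL, _udp(4500, 4500,
                          NON_ESP_MARKER + _isakmp(0x1122334455667788, 0x99AABBCCDDEEFF00, 32, 1, 0x0BADCAFE))),
    "natt_esp": _ip(IPPROTO_UDP, RAP, CTRL, _udp(4500, 4500, struct.pack("!II", 0xDEADBEEF, 7) + b"\x00" * 16)),
    "raw_esp": _ip(IPPROTO_ESP, RAP, CTRL, struct.pack("!II", 0xABCD, 1) + b"\x00" * 16),
    "keepalive": _ip(IPPROTO_UDP, RAP, CTRL, _udp(4500, 4500, b"\xff")),
    "dns": _ip(IPPROTO_UDP, RAP, CTRL, _udp(53000, 53, b"\x00" * 12)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15s} {classify_ipsec(pkt)}")
```

The three branches in classify_ipsec correspond to the three things the DMZ firewall has to admit towards the controller; anything a RAP behind a NAT sends after NAT detection will land in the UDP 4500 branch, which is why that port must be open even when ESP itself is permitted.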
Create a VPN Policy
Create a VPN Policy under Advanced Services
Define VPN address pool name
Define address range
Define an IKE shared secret
Define an IKE policy, such as
priority 10
3DES encryption
SHA hash algorithm
Pre-shared key authentication
Diffie-Hellman Group 2
Note: these were typical settings in 2008. 3DES and 1024-bit Diffie-Hellman Group 2 are now considered weak; prefer AES and a stronger DH group (14 or higher) where the controller and AP software support them.
Creating a VPN Policy
Select Authentication Source
Select an Authentication source: Configuration > Security > Authentication > Servers > Internal Database
External servers may also be used
Create a user for each remote AP
Notes:
It is recommended that the user name refer to the location or the AP name for easy tracking and maintenance
One remote AP user name and password can be used for all remote APs, but for added flexibility and security, it is recommended that each remote AP be programmed with a unique user name and password, so that if one AP is lost or stolen only its credentials need to be revoked
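The per-AP credential recommendation above, worked through as an added example that is not the controller's internal database or any Aruba code: one account per RAP whose name is derived from site and AP name, a random password shown once at provisioning time, salted PBKDF2 storage, and revocation of a single lost or stolen AP without touching the others. The role name "ap-role", the site and AP names, and the PBKDF2 parameters are assumptions made for the example.

```python
"""Per-remote-AP credentials: issue, store, verify, revoke (added example)."""
import hashlib
import hmac
import os
import re
import secrets

PBKDF2_ROUNDS = 100_000   # assumed work factor for the example


class RapUserDb:
    def __init__(self):
        self._users = {}  # username -> (salt, password hash, role)

    @staticmethod
    def username_for(site, ap_name):
        """Derive a stable username from location and AP name (slide: easy tracking)."""
        raw = f"rap-{site}-{ap_name}".lower()
        return re.sub(r"[^a-z0-9-]+", "-", raw).strip("-")

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def issue(self, site, ap_name, role="ap-role"):
        """Create the account; return (username, password). The clear password is never stored."""
        user = self.username_for(site, ap_name)
        if user in self._users:
            raise ValueError(f"{user} already exists; revoke it before re-issuing")
        password = secrets.token_urlsafe(18)   # 144 bits of randomness, 24 URL-safe characters
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(salt, password), role)
        return user, password

    def revoke(self, user):
        """Remove one AP's account; every other AP keeps working. Returns False if unknown."""
        return self._users.pop(user, None) is not None

    def authenticate(self, user, password):
        """Return the role on success, None on failure (unknown user or bad password)."""
        record = self._users.get(user)
        if record is None:
            self._hash(b"\x00" * 16, password)   # same cost for unknown users: no username oracle via timing
            return None
        salt, digest, role = record
        if hmac.compare_digest(digest, self._hash(salt, password)):
            return role
        return None


def demo():
    """Issue three RAP accounts, lose one, and show the other two still authenticate."""
    db = RapUserDb()
    sites = [("Boston", "home-smith"), ("Boston", "home-jones"), ("Austin", "branch-01")]
    issued = {ap: db.issue(site, ap) for site, ap in sites}
    lost_user, lost_pw = issued["home-jones"]       # this unit was reported stolen
    db.revoke(lost_user)
    return {
        "revoked": db.authenticate(lost_user, lost_pw),
        "still_ok": [db.authenticate(u, p) for ap, (u, p) in issued.items() if ap != "home-jones"],
        "wrong_pw": db.authenticate(issued["home-smith"][0], "not-the-password"),
    }


if __name__ == "__main__":
    print(demo())
```

With a single shared RAP account, the only response to a stolen unit is to change that password and re-provision every remaining AP in the field; with one account per AP, revoke() on the stolen unit's username is the whole response.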
Configure Authentication Source
AP Provisioning
Best Practices for Remote AP
Secure Remote AP
Wherever connections exist to an untrusted network (Internet)
Home office
Off-site meetings/conferences
Branch offices with cable modem/DSL, etc.
A remote local controller is highly recommended over local bridging in a medium to large sized environment.
Create individual usernames and passwords for each Remote AP.
Lab 8: Remote AP