
Remote Access Point


  • Copyright 2008 Aruba Networks, Inc. All rights reserved

    Module 8: Remote Access Point

    V1.0 8-08

  • Module Overview

    Aruba Remote AP solution

    Remote AP architectures

    Remote AP configuration steps

    Remote AP provisioning


  • Remote AP Capabilities

    (Slide diagram: a Remote AP in a Home / Nomadic Office behind a DSL router, connected across the Internet to the Mobility Controller at Corporate HQ behind a Firewall/NAT; VLANs shown are CORP, VOICE, GUEST and DMZ, with GUEST traffic split-tunnelled directly to Internet services instead of being carried to HQ.)

    Split tunneling for Internet traffic

    Integrated user access control

    Integrated stateful firewall

    Standalone operation

  • Remote AP Untrusted Transport

    (Slide diagram: an Internet-connected branch office with a Remote AP behind a Firewall/NAT, across the WAN / public Internet, to the HQ Mobility Controller behind a Firewall/NAT; VLANs shown are GUEST, CORP, VOICE and DMZ; labelled flows are Control Traffic, User Traffic, Local Probe and Response.)

    AP provisioning: connect the AP, reprovision it with IPsec parameters, deploy it to the field

    AP to Aruba switch security: Diffie-Hellman Group 2 for IKE, 3DES-encrypted IPsec, IPsec/NAT-T tunnel

  • Remote AP Untrusted Transport

    PAPI control protocol is secured with L2TP over IPsec

    Able to traverse NAT devices by using IPsec NAT-T, which adds an additional UDP header (destination port 4500) in front of the ESP header

    User data should already be encrypted between the end station and the Aruba controller by the WLAN's own encryption, so double-encrypting this traffic adds unnecessary overhead

    Aruba offers an option to double-encrypt traffic, but this will impact performance. The "already encrypted" assumption holds only for encrypted SSIDs: user traffic from an open SSID crosses the untrusted transport in the clear unless double encryption is enabled.

  • Remote AP Configuration Steps

    1. Configure a public IP address (or set up NAT in your firewall) for the Mobility Controller

    2. Configure the VPN server on the controller; the remote AP will be a VPN client to the server

    3. Configure the remote AP role

    4. Configure the authentication server that will validate the username and password for the remote AP

    5. Provision the AP with IPsec settings, including the username and password for the AP, before you install it at the remote location

    NOTE: You must install one or more Remote AP licenses in the Mobility Controller.

  • Configure Public IP

    Create a VLAN

    Plan placement: on a DMZ interface (usually), NATed through your corporate firewall

    Configure the controller's IP address and ports

    For the IPsec tunnel the controller needs a public address, or a static NAT mapping to one

    The firewall must permit IP protocol 50 (ESP), or for NAT-T, UDP port 4500. IKE negotiation begins on UDP port 500 before NAT-T moves it to 4500, so open that port as well. A controller that sits behind NAT can only be reached with NAT-T, since native ESP carries no port for the NAT device to map.
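    As an added example that is not part of the Aruba course material, the following Python classifies packets arriving at the controller's public address into the forms described on the Untrusted Transport slide and in the protocol/port list above: native ESP (IP protocol 50), ESP with the NAT-T UDP header in front of it, IKE on UDP 500, IKE on UDP 4500 (marked by four zero bytes) and the one-byte NAT keepalive, and then checks each against a firewall policy. Every packet, address and policy set here is constructed for illustration; `classify_ipv4`, `allowed_by` and the `_ipv4`/`_udp`/`_esp` builders are this example's own names, not Aruba functions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed example: classifies how remote-AP tunnel traffic arrives at the
# controller's public (or NATed) address so the DMZ firewall rules can be
# checked. Not Aruba code; the packet contents below are made up.

IPPROTO_UDP = 17
IPPROTO_ESP = 50   # "IP protocol 50 (ESP)" on the slide
IKE_PORT = 500     # IKE phase 1 starts here before NAT-T moves it to 4500
NATT_PORT = 4500   # UDP encapsulation port from RFC 3948


@dataclass
class Classification:
    kind: str                 # esp, esp-natt, ike, ike-natt, natt-keepalive, other
    spi: Optional[int] = None
    seq: Optional[int] = None


def classify_ipv4(packet: bytes) -> Classification:
    """Parse a raw IPv4 packet far enough to say which tunnel component it is."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == IPPROTO_ESP:
        # Native ESP: SPI and sequence number lead the header (RFC 4303)
        spi, seq = struct.unpack("!II", payload[:8])
        return Classification("esp", spi, seq)
    if proto != IPPROTO_UDP:
        return Classification("other")
    sport, dport, ulen, _csum = struct.unpack("!HHHH", payload[:8])
    data = payload[8:ulen]
    if IKE_PORT in (sport, dport):
        return Classification("ike")
    if NATT_PORT not in (sport, dport):
        return Classification("other")
    # NAT-T on UDP 4500: the UDP header sits in front of the ESP header.
    # RFC 3948 distinguishes the three things that share this port:
    if data == b"\xff":
        return Classification("natt-keepalive")     # one-byte NAT keepalive
    if len(data) < 8:
        return Classification("other")
    if data[:4] == b"\x00\x00\x00\x00":
        return Classification("ike-natt")           # non-ESP marker, IKE follows
    spi, seq = struct.unpack("!II", data[:8])        # an ESP SPI is never 0, so no clash
    return Classification("esp-natt", spi, seq)


# Firewall policy as the set of (protocol, port) flows permitted to the controller
FULL_POLICY = {("esp", None), ("udp", IKE_PORT), ("udp", NATT_PORT)}
NATT_ONLY_POLICY = {("udp", IKE_PORT), ("udp", NATT_PORT)}   # controller behind NAT

_REQUIRED = {
    "esp": ("esp", None),
    "ike": ("udp", IKE_PORT),
    "ike-natt": ("udp", NATT_PORT),
    "esp-natt": ("udp", NATT_PORT),
    "natt-keepalive": ("udp", NATT_PORT),
}


def allowed_by(packet: bytes, policy: set) -> bool:
    """True if the firewall policy lets this tunnel packet reach the controller."""
    need = _REQUIRED.get(classify_ipv4(packet).kind)
    return need is not None and need in policy


# --- constructed sample packets (addresses from the documentation ranges) ---
def _ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([203, 0, 113, 10]), bytes([198, 51, 100, 5]))
    return hdr + payload


def _udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _esp(spi: int, seq: int) -> bytes:
    return struct.pack("!II", spi, seq) + b"\x00" * 16   # header + dummy ciphertext


SAMPLES = {
    "raw_esp": _ipv4(IPPROTO_ESP, _esp(0x0A1B2C3D, 7)),
    "esp_natt": _ipv4(IPPROTO_UDP, _udp(4500, 4500, _esp(0x0A1B2C3D, 8))),
    "ike_natt": _ipv4(IPPROTO_UDP, _udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
    "keepalive": _ipv4(IPPROTO_UDP, _udp(4500, 4500, b"\xff")),
    "ike_500": _ipv4(IPPROTO_UDP, _udp(500, 500, b"\x22" * 28)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        c = classify_ipv4(pkt)
        print(f"{name:10} {c.kind:15} allowed behind NAT: {allowed_by(pkt, NATT_ONLY_POLICY)}")
```

    Running the block prints each sample's classification; the practical point is the last column: with the controller behind NAT, native ESP is dropped while both NAT-T forms and IKE pass, so a NATed controller depends on UDP 500 and UDP 4500 being open and on NAT-T being enabled.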

  • Create a VPN Policy

    Create a VPN Policy under Advanced Services

    Define VPN address pool name

    Define address range

    Define an IKE shared secret (use a long random value; it is common to every remote AP that uses this policy, while the per-AP username and password are what distinguish individual APs)

    Define an IKE policy, such as:

    priority 10

    3DES encryption

    SHA hash algorithm

    Pre-shared-key authentication

    Diffie-Hellman Group 2

    These are the 2008-era parameters shown in the course; 3DES and DH Group 2 (1024-bit MODP) are considered weak today, so prefer AES and a DH group of at least 14 where the controller and AP firmware support them.

  • Creating a VPN Policy

    (Screenshot slide of the VPN policy configuration page; no text content.)

  • Select Authentication Source

    Select an authentication source: Configuration > Security > Authentication > Servers > Internal Database

    External servers may also be used

    Create a user for each remote AP

    Notes:

    It is recommended that the user name refer to the location or the AP name for easy tracking and maintenance

    One remote AP user name and password can be used for all remote APs, but for added flexibility and security, it is recommended that each remote AP be programmed with a unique user name and password, so that the credential of a lost or stolen AP can be revoked without affecting the others
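    The following Python is an added illustration of the note above and is not the controller's internal database or any Aruba API: it derives a tracking-friendly user name from site and AP name, issues a distinct random password per AP, stores only a salted hash, and shows that revoking one stolen AP's credential leaves the other APs able to authenticate. `RapCredentialStore`, `make_username`, `lost_ap_scenario` and the site/AP names are this example's own assumptions.

```python
import hashlib
import hmac
import os
import re
import secrets

# Constructed illustration of the slide's advice: one user name and password per
# remote AP, named after its location or AP name, so a lost unit can be revoked
# alone. This is not the controller's internal database or any Aruba API.

PBKDF2_ROUNDS = 100_000


def make_username(site: str, ap_name: str) -> str:
    """Derive a tracking-friendly name, e.g. ('Denver', 'AP-12') -> 'rap-denver-ap-12'."""
    raw = f"rap-{site}-{ap_name}".lower()
    return re.sub(r"[^a-z0-9]+", "-", raw).strip("-")


class RapCredentialStore:
    """Hypothetical credential store keyed by AP; passwords kept only as salted hashes."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, hash)
        self._by_ap: dict[str, str] = {}                    # ap_name -> username

    def provision(self, site: str, ap_name: str) -> tuple[str, str]:
        """Create a unique credential; the clear password goes to AP provisioning only."""
        username = make_username(site, ap_name)
        if username in self._users:
            raise ValueError(f"user name {username} already exists; pick a distinct AP name")
        password = secrets.token_urlsafe(24)
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)
        self._by_ap[ap_name] = username
        return username, password

    def authenticate(self, username: str, password: str) -> bool:
        """What the authentication server does when the AP's user name and password arrive."""
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)   # constant-time comparison

    def revoke(self, ap_name: str) -> None:
        """A lost or stolen AP: delete only its credential; every other AP keeps working."""
        username = self._by_ap.pop(ap_name)
        del self._users[username]


def lost_ap_scenario() -> dict[str, bool]:
    """Provision two APs, report one as stolen, and show which can still connect."""
    store = RapCredentialStore()
    u1, p1 = store.provision("Denver", "AP-12")
    u2, p2 = store.provision("Denver", "AP-13")
    store.revoke("AP-12")                       # stolen unit
    return {
        "stolen_ap_rejected": not store.authenticate(u1, p1),
        "other_ap_still_works": store.authenticate(u2, p2),
        "wrong_password_rejected": not store.authenticate(u2, p2 + "x"),
    }


if __name__ == "__main__":
    print(lost_ap_scenario())
```

    With a single shared credential the same revocation would have locked out every remote AP at once, which is the trade-off the slide is pointing at.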

  • Configure Authentication Source

    (Screenshot slide of the authentication server configuration page; no text content.)

  • AP Provisioning

    (Screenshot slide of the AP provisioning page; no text content.)

  • Best Practices for Remote AP

    Secure Remote AP wherever connections exist to an untrusted network (the Internet):

    Home office

    Off-site meetings/conferences

    Branch offices with cable modem/DSL, etc.

    A remote local controller is highly recommended over local bridging in a medium to large sized environment.

    Create individual usernames and passwords for each Remote AP.

  • Lab 8: Remote AP