© Copyright 2008 Aruba Networks, Inc. All rights reserved

Module 8: Remote Access Point

V1.0 – 8-08

Module Overview

• Aruba Remote AP solution

• Remote AP architectures

• Remote AP configuration steps

• Remote AP provisioning


Remote AP Capabilities

[Diagram: a Remote AP in a home or nomadic office, behind a DSL router, reaches the Mobility Controller at corporate HQ across the Internet through the HQ firewall/NAT. The CORP and VOICE VLANs are tunnelled back to the controller; the GUEST VLAN is split-tunnelled straight to Internet services; the controller sits on the DMZ. Callouts: Split Tunneling for Internet Traffic, Integrated User Access Control, Integrated Stateful Firewall, Standalone Operation.]

Remote AP – Untrusted Transport

[Diagram: an Internet-connected branch office reaches HQ across the WAN / public Internet, with a firewall/NAT at each end. Control traffic and user traffic for the VOICE and CORP VLANs ride an IPsec/NAT-T tunnel to the controller in the HQ DMZ; GUEST traffic goes straight to Internet services. A local probe/response exchange is shown on the branch side.

AP provisioning: connect AP; reprovision with IPsec parameters; deploy to field.

AP to Aruba switch security: Diffie-Hellman Group 2 for IKE; 3DES-encrypted IPsec.]

Remote AP – Untrusted Transport

• The PAPI control protocol between the AP and the controller is secured with L2TP over IPsec

• The AP can traverse NAT devices by using IPsec NAT traversal (NAT-T)

• NAT-T inserts an additional UDP header (destination port 4500) before the ESP header, so the NAT device forwards ordinary UDP instead of raw ESP

• User data should already be encrypted between the end station and the Aruba controller, so "double-encrypting" it inside the IPsec tunnel adds unnecessary overhead

• Aruba offers an option to "double-encrypt" user traffic, but this will impact performance


Remote AP Configuration Steps

1. Configure a public IP address (or set up NAT on your firewall) for the Mobility Controller

2. Configure the VPN server on the controller; the remote AP will be a VPN client of that server

3. Configure the remote AP role

4. Configure the authentication server that will validate the username and password for the remote AP

5. Provision the AP with IPsec settings, including the username and password for the AP, before you install it at the remote location

NOTE: You must install one or more Remote AP licenses in the Mobility Controller.


Configure Public IP

• Create a VLAN

• Plan placement

  • On a DMZ interface (usually)

  • NAT'd through your corporate firewall

• Configure the controller's IP address and ports

  • The IPsec tunnel needs a publicly reachable address

  • Allow IP protocol 50 (ESP) when there is no NAT in the path, or NAT-T when there is

  • NAT-T uses UDP port 4500; IKE itself also needs UDP port 500 open
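The two slides above describe how the controller's DMZ address receives IKE, NAT-T and ESP traffic from a remote AP. The following is an added Python example (constructed illustration code, not Aruba code) that demultiplexes UDP datagrams the way an IPsec endpoint behind NAT-T must: on port 4500 a leading 4-byte zero "non-ESP marker" means IKE, a single 0xFF byte is a NAT keepalive, anything else is ESP. It assumes the IKEv1/ISAKMP header layout and the RFC 3948 UDP encapsulation; the sample datagrams are hand-built, not captured, and the IKE port 500 is a fact added here that the slides do not mention.

```python
import struct

IKE_PORT = 500          # IKE phase 1 starts on 500; not shown on the slide (RFC 2409)
NAT_T_PORT = 4500       # after NAT is detected, IKE and ESP both move to 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on 4500 is prefixed by 4 zero bytes
NAT_KEEPALIVE = b"\xff"                # RFC 3948: 1-byte datagram keeps the NAT binding alive

# ISAKMP header: initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message id, total length (28 bytes)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# ESP header: SPI, sequence number (8 bytes, followed by ciphertext)
ESP_HDR = struct.Struct("!II")

IKEV1_EXCHANGES = {2: "main-mode", 4: "aggressive-mode", 5: "informational", 32: "quick-mode"}


def parse_ike(data: bytes) -> dict:
    """Parse an ISAKMP header and sanity-check its length field."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    icookie, _rcookie, _np, version, exch, _flags, _msgid, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError(f"ISAKMP length {length} does not match datagram payload {len(data)}")
    return {
        "kind": "ike",
        "version": version >> 4,
        "exchange": IKEV1_EXCHANGES.get(exch, f"type-{exch}"),
        "initiator_cookie": icookie.hex(),
    }


def parse_esp(data: bytes) -> dict:
    """Parse the clear ESP header (SPI and sequence) in front of the ciphertext."""
    if len(data) < ESP_HDR.size:
        raise ValueError("truncated ESP header")
    spi, seq = ESP_HDR.unpack_from(data)
    if spi == 0:
        # SPI 0 is reserved (RFC 4303). That is why four zero bytes on port 4500
        # can be used unambiguously as the non-ESP marker for IKE.
        raise ValueError("SPI 0 is reserved")
    return {"kind": "esp", "spi": spi, "seq": seq}


def classify(dst_port: int, payload: bytes) -> dict:
    """Demultiplex one UDP datagram arriving at the controller's public address."""
    if dst_port == IKE_PORT:
        return parse_ike(payload)
    if dst_port != NAT_T_PORT:
        return {"kind": "not-ipsec", "port": dst_port}
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        return parse_ike(payload[len(NON_ESP_MARKER):])
    return parse_esp(payload)


def build_ike(exch: int, body: bytes, initiator: bytes = b"\x11" * 8, responder: bytes = b"\x00" * 8) -> bytes:
    """Build a minimal IKEv1 datagram with a correct length field (for the constructed samples)."""
    return ISAKMP_HDR.pack(initiator, responder, 1, 0x10, exch, 0, 0, ISAKMP_HDR.size + len(body)) + body


# Constructed sample datagrams (hypothetical, not captured traffic)
SAMPLES = [
    (500, build_ike(4, b"\x00" * 16)),                       # aggressive-mode phase 1 before NAT detection
    (4500, NON_ESP_MARKER + build_ike(32, b"\x00" * 8)),     # quick mode after moving to 4500
    (4500, ESP_HDR.pack(0x1A2B3C4D, 7) + b"\xde\xad" * 8),   # ESP carrying tunnelled PAPI/user data
    (4500, NAT_KEEPALIVE),                                   # keepalive toward the NAT device
    (53, b"\x12\x34\x01\x00"),                               # unrelated UDP, should be ignored
]


def classify_samples() -> list:
    return [classify(port, data)["kind"] for port, data in SAMPLES]


if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, classify(port, data))
```

The length check in parse_ike and the SPI 0 rejection in parse_esp are the two validations a practitioner should keep: the marker only works because SPI 0 never appears in real ESP, and an IKE length field that disagrees with the datagram is the usual sign of a malformed or truncated packet rather than a negotiation problem.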


Create a VPN Policy

• Create a VPN Policy under Advanced Services

• Define the VPN address pool name

• Define the address range

• Define an IKE shared secret

• Define an IKE policy, such as

  • priority 10

  • 3DES encryption

  • SHA hash algorithm

  • Pre-shared key authentication

  • Diffie-Hellman Group 2

Note: 3DES and Diffie-Hellman Group 2 (1024-bit MODP) are the 2008-era settings shown here; prefer AES and a larger DH group wherever the controller and AP firmware support them.


Creating a VPN Policy


Select Authentication Source

• Select an authentication source: Configuration > Security > Authentication > Servers > Internal Database

• External servers may also be used

• Create a user for each remote AP

Notes:

• It is recommended that the user name refer to the location or the AP name for easy tracking and maintenance

• One remote AP user name and password can be used for all remote APs, but for added flexibility and security, it is recommended that each remote AP be programmed with a unique user name and password, so that the credentials of a lost or stolen AP can be revoked without affecting the others


Configure Authentication Source


AP Provisioning


Best Practices for Remote AP

• Secure the Remote AP wherever connections exist to an untrusted network:

  • Internet

  • Home office

  • Off-site meetings/conferences

  • Branch offices with cable modem/DSL, etc.

• A remote local controller is highly recommended over local bridging in a medium to large sized environment.

• Create individual usernames and passwords for each Remote AP.



Lab 8: Remote AP