Wednesday, March 14, 2012
Aruba was the first presenter for the second day of Wireless Field Day 2. We were welcomed to their Executive Briefing Center by Ozer Dondurmacioglu, Product Marketing Manager for Aruba, then they kicked off their presentation with Keerti Melkote (founder of Aruba Networks, now the Chief Strategy Officer) outlining their approach to BYOD. He defined it as a security model for personal devices, application aware networking & simple, self provisioned access to a wireless LAN.
Kerrti thinks there are high security concerns around BYOD even thought it is the flavor of the day. Their goal is to reduce wired investements and build WLAN capacity by reducing siloed network management platforms (AAA, NAC, BYOD, Guest access).
Their BYOD solution is about optimizing the application layer at the air level through understanding how the application performs on the WLAN and ensuring that the WLAN is optimized to deliver that application. A new concept in BYOD is the notion of a personal WLAN within the context of an Enterprise wlan. This concept is emerging in the Higher ED sector. Policy enforcement in BYOD is done with Amigopod, this is an evolution of the RADIUS server. Policy enforcement for mobility - means that applications can be classified even when the data is encrypted.
According to Aruba's presentation, Aruba has a firewall inside the access point because when you're sending peer to peer traffic over the same WLAN there is no other way to firewall traffic between peers. On a wired network the clients are assumed to be trusted, this is not so on a wireless link. RBAC should be applied to every user wired or wireless, and the line between VPNs and local access should be blurred.
Another step in BYOD is to know at the application level when you've signed onto the WLAN. Single sign on is the core of authentication, and until 802.1x was standardized, network access was a free for all. You just got an ip address and you were were granted access. As you get to an authenticated access architecture, the way you connect gets shared with applications. In the context of multiple applications there is not one common store.
Identify / classify / control / optimize / follow
In an Aruba Instant AP, there is a controller-less Virtual Controller. The number of users supported for a singal instance of a virtual controller is up to 512 users today, but you can have multiple virtual controllers in a network as well.
Provision just one AP at a remote site as a virtual controller and each other AP at the remote site will download their software image from the designated virtual controller.
When Aruba refers to AAA, their reference is to Amigopod, Airwave and Avenda.
The Aruba switch offering allows IT administrators to push policy enforcement into the wiring closet. The idea is that you don't have to do VLANs on your network anymore by using the Aruba switches at the edge and the mobility controller at the core. The larger the mobility domain the deeper within the center of your LAN the controller needs to be.
Carlos Gomez then walked us through Aruba's BYOD demonstration of workflow based on provisioning. Aruba's BYOD solution has 3rd party integration with XML/SOAP API s for integration with existing applications. Wireless client pre-registration can be done through bulk import or scratch cards. The sponsor approval system can be used to setup new users, or there are other one time registration options. Carlos cited an Aruba hospital customer in Austrailia that has tied the Guest provisioning process into the patient admin system work flow. As the patient is admitted into the hospital system, a wireless username and password is also generated for the patient to use during their hospital stay.
When guest access is done through the Sponsor Approval, a user account is created in a disabled state. The sponsor gets requests for access, and can approve the guest access accounts or not.
Their disolveable client for BYOD device connectivity/management has a built in certificate Authentication PKI in a box. Separate provisioning of site certificates on a RADIUS server is not necessary. They are also working to have the same sponsor work flow for certificate creation.
The Aruba BYOD solution sues the TLS termination to get the serial number of the device attempting to connect to the WLAN, and they can use that to check the corporate asset database to ensure the device attempting to connect is a known corporate asset.
Licensing: There is no licensing with Aruba Instant APs, and they're taking steps to address the licensing headaches by grouping features and consolidating commonly requested features into bundles.
Pradeep Iyer gave us a deep dive into the hardware specifics of the Virtual Controller based WLANs. The Aruba Instant AP has a 1.6GHz CPU 256 NVRAM 16Mb flash memory. The virtual AP and controller UI does not use Flash, the UI is all written in HTML5. It was built to render on iPads, and there are no scrollbars. The throughput to/from the end user device is shown in a live update display. The UI supports 10 - 12 languages, Arabic and Chinese were used as examples of the most difficult languages to support smoothly in the UI. The default language of the UI is based on the default language of the laptop that's being used to connect to the UI, and the UI time is local time. This allows you to debug at local time rather than the timestamp on the debug. All event messages are maintained in UTC, and the display is adjusted according to the client device using the UI.
Pradeep then gave us information on the latest changes in ARM 2.0. Aruba's implementation of BandSteering is for laptops that are built to connect to the strongest signal. The 2.4GHz will typically be the strongest signal for client devices due to 2.4GHz signal propagation. BandSteering must identify the 5GHz capabilites of the client device, and fingerprint these possibilities to steer the client to the 5GHz band based on information in probes. Aruba had to change the ARM algorithm when the iPad came into the enterprise. Fair access to the RF for all connected clients and each gets the same amount of spectrum time. Pradeep states "If you control downlink, you get control of uplink at the same time".
Pradeep described the spectrum analysis capabilities of an Aruba AP model 13x as that the AP can get raw FFT to do spectrum analysis an but is a manual switch over to Spectrum Analyzer mode. The APs are not capturing raw FFT all the time. Like the Meraki, HP and Ruckus APs, the Aruba APs uses merchant silicon. The Aruba APs use an Atheros chip set.
Spectrum Analysis in Hybrid mode collects RF data on the configured channel as the AP is serving client data. The detected presence of a wireless preamble indicates the detection of a WiFi packet. Aruba's CCA uses 2 algorithms, energy detect and carrier sense.
The Aruba virtual controller IP is a static IP that is assigned to the network. When an AP is made a virtual controller, the AP assumes the identity of that IP address. The APs must on the native vlan for the upstream switch. The Virtual Controller AP algorithm is a L2 broadcast, and thus the Management IP addresses need to be on the same L2 network. This deployment method works for a small store, but can be extended by adding a controller. The APs talk to one another in a proprietary protocol, not CAPWAP. Content filtering is done through a split DNS model. The APs learn the domain name from the DHCP request/return of the domain information. The APs can identify the internal vs. external DNS requests after that information is obtained. The Virtual AP automatically detect the DHCP scopes in use and creates a non conflicting scope. The Virtual Controller is a DHCP server and all other APs are DHCP proxies. The Virtual Controller also becomes your NAT anchor.
The over the air provisioning process starts with the AP booting up, it advertises provisioning via an open SSID, the firewall will only allow connections to the Virtual Controller. The Virtual Controller is doing the function of the DHCP server. All the APs spoof a domain name and point to the Virtual Controller for further configuration. Any new AP that boots up looks for a mesh network and can use its provisioning PSK to get the configuration from the Virtual Controller.
Aruba also has an extensive collection of videos about their technology on their YouTube channel. Their uploads cover everything from their BYOD solution to videos counting down to the Aruba Airheads event March 21st - 23rd 2012 in Las Vegas.
Aruba was a sponsor of Wireless Field Day 2. As such, they were responsible for covering a portion of my travel and lodging expenses while attending Wireless Field Day 2. They did not ask for, nor where they promised any kind of consideration in the writing of this review/analysis. The opinions and analysis provided within are my own and any errors or omissions are mine and mine alone. I was provided with an Aruba Instant AP-135 and an Aruba RAP-2WG access point and a one year license to have the AP managed by the Aruba Virtual Controller. I have not had the opportunity yet to connect this AP and do testing with it, but I will be doing so soon.