Aruba Enterprise WLAN Controller Buyer's Guide - Page 2

Leveraging ArubaOS to power its Mobility Controllers and APs, Aruba tries to provide the same seamless service to roaming Wi-Fi users that they'd get from their cell phones.

 By Lisa Phifer

Add-on modules

Every Aruba controller includes TPM certificate and key storage, an IPv6-capable firewall, and basic rogue AP detection. "Since we have a dedicated encryption engine on the controller, we can accelerate 802.1X to reduce packets exchanged by ~50 percent," said Dondurmacioglu. Other baked-in controller functions include mobile IP roaming, captive portal Web authentication, guest access provisioning, and Adaptive Radio Management (ARM).

In addition to controller licenses for supported APs or RAPs, licenses can be purchased for controller add-ons:

  • XSec layer 2 encryption, targeted at government and military deployments.
  • RFProtect wireless IPS, which leverages Aruba APs to detect, locate, and contain rogue devices and attacks, enforce security policies, and visualize/classify RF interference.
  • Policy Enforcement Firewall, which enforces identity-based policies that block/forward/prioritize traffic from wireless APs, wired ports, or VPN tunnels.

Of these, Policy Enforcement Firewall has the broadest appeal. "Look at complaints in enterprise WLANs today: my performance is slow, my real-time apps don't run well, my iPad can't get access," said Dondurmacioglu. IT must map these user/app complaints onto IPs and VLANs used for policy enforcement. But what if enforcement were based on device, user, and app identity instead?

"How can I give different groups using various devices and apps the right services? We use three technologies to do this. First, we accomplish user-awareness through role-based access control. Second, we use device fingerprinting for bandwidth and access restrictions. Third, we use app fingerprinting to statefully monitor sessions -- for example, giving SIP the right access," he said.

Overcoming outages

One concern posed by any centralized architecture is remote survival in the event of equipment failure or WAN outage. Aruba addresses this at several levels, starting with physical (standby or N+1) Master Controller redundancy. Series 600 controllers have ExpressCard slots for WAN fail-over. Local controllers support the Virtual Router Redundancy Protocol (VRRP) and receive all configurations and policies from a Master Controller.

According to Dondurmacioglu, if a RAP loses controller contact, it can continue providing local access but will lose centralized services like authentication. "We suggest redundant controllers, but you can still have link failures or power outages. You can choose to keep a locally-available SSID. If that SSID uses 802.1X, there will be no new users, but existing users can be supported. Or you can bring up a back-up SSID that uses PSK authentication to serve new users," he said.

Finally, although Master Controllers provide a single point of policy configuration, large distributed networks often need more management tools. Aruba's AirWave Management Platform (AMP) can manage an enterprise's wireless infrastructure and provide visibility to the wired network edge, even if some APs and switches are not Aruba's. "In addition to seeing everything Aruba controllers do, AirWave can see your wired switches and relationships between ports and users. It can see user devices, AP health, switch health, controller health -- everything shows up in one place where information can be analyzed and visualized," said Dondurmacioglu.

Bottom line

To learn more about Aruba Mobility Controllers and supporting products, visit Aruba's Enterprise Solutions page, or drill into network architecture by reading Aruba's Mobility Controllers and Deployment Models Reference Design Guide [PDF].

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. An avid fan of all things wireless and frequent contributor to Wi-Fi Planet, Lisa has reviewed, deployed, and tested 802.11 products for nearly a decade.

This article was originally published on Mar 10, 2011