CLEANACCESS Archives

January 2007

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Duguay, Gerard" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Fri, 19 Jan 2007 10:04:53 -0800

We also deployed Aruba this past summer/fall and are relatively
satisfied with the solution. We are running CCA In-Band, and the Aruba
controller sits behind Clean Access. Our wireless is in its own vlan,
and all clients are treated like the (hostile) residential segment: they
need the CCA client complete with the typical OS and AV/AS checks.

On the plus side, the Aruba deployment went EXTREMELY smoothly, and the
APs are a real breeze to monitor and manage. Being thin APs, we were
able to establish a common profile (encryption settings, address
assignment, single SSID, channel and power settings, etc). In the field,
you "hang" the AP (more on this below) and it dutifully reports back to
the controller for its configuration. Two of us installed approximately
120 APs in a month's time and had very little behind-the-keyboard setup
requirements.

The APs auto-sense each other as well as any other (rogue) devices in
the RF space, reporting all of this back to the central controller. You
can designate some as air-monitors which "patrol" the space and can even
DOS rogue devices if you choose. The GUI is pretty intuitive, but it is
a bit sluggish. You'll need to spend time with the CLI to really monitor
and manage events in real time. 

We deployed AP65s throughout campus. These devices are pretty compact,
but they were a bit of a pain in locations that did not have the
false-ceiling attachments for which they were designed. Aruba
engineering put the Ethernet jack directly on the back of the device so
that the cable would be invisible as it poked through the false ceiling;
the AP has a clip arrangement on the back that attaches to the ceiling
tile bracket. Very nice - where it works. Unfortunately, you cannot
mount this model directly to any flat surface, and false ceiling
brackets come in all sizes - only a limited number of which play nicely
with the AP65 bracket. In locations where we wanted to wall-mount the
AP, we had to go with a kludgey box/bracket design that I'm still
somewhat embarrassed about. 

Aruba charges an extra $30 for each power supply (where you're not
running POE), and yet another $30 for the cheap security brackets needed
to secure the AP to anything but the limited-fit ceiling tiles. These
buggers run around $300 (per AP) and Aruba's inclination to charge
"extra" for the "accessories" made me feel like they are quite happy to
nickel and dime us to death.

The biggest "yeah-but" with the whole Aruba-CCA configuration has to do
with intermittent dropped associations between client, AP, (and CCA).
Clients lose their wireless association and silently reconnect a minute
or so later. It's been difficult to determine if this is an issue with
RF interference, CCA heartbeat timeouts, something else, or all of the
above. Our Aruba engineer has been out on several occasions (great guy
by the way, very helpful, very available). Nothing odd is reported in
the Aruba controller, but CCA reports an "unable to ping" and forcefully
logs out a should-be-connected user. We continue to fuss both with RF
interference mapping and with CCA session timeout configurations. I'm
happy to discuss this in more detail (off-line) with anyone interested
but won't elaborate here.

Overall we are pleased with the Aruba deployment: its ease of setup,
manageability, control, and interface with (behind) CCA. It was expensive,
though less so than the Aironet route. Aruba offers some powerful
security tools we've yet to fully explore. We are quite a bit smaller
than Kyle's deployment, so his interests in distributed management and
per-user bandwidth control don't affect us.

Kind regards,

- Gerard Duguay, CIS
Seattle Pacific University


-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Mike Garner
Sent: Thursday, January 11, 2007 9:57 AM
To: [log in to unmask]
Subject: Re: Aruba Wireless

Thanks Kevin! Are there others out there..?

Regards,
~Mike

------------------------------------------
Mike Garner
IT, Western State College of Colorado
[log in to unmask]
970.943.3123 
970.943.7069 (fax)

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Kyle Evans
Sent: Thursday, January 11, 2007 6:56 AM
To: [log in to unmask]
Subject: Re: Aruba Wireless

We have CCA, and we just deployed Aruba wireless this past Fall.  The
solution works fine, but I wouldn't say we've become die-hard Aruba
zealots.  During talks with Aruba before the actual deployment, the
engineers said that Aruba is compatible with CCA in-band but not
out-of-band.  Fortunately, our servers are in-band, but if yours are
out-of-band then you may have problems.  You could always get a new CAS
dedicated to wireless and set it up as in-band though (we're still in
the process of procuring CASes dedicated to wireless).

Basically, the way it works is like this:  We set up a vlan with private
address space for the APs so we don't have to burn real IP space on
them.  The AP communicates with the controller on this vlan.  When a
client connects to an AP, the AP sets up an encrypted tunnel to the
controller and all the client's traffic is routed through the controller
via the tunnel.  At the controller, the client's traffic is assigned to
a vlan that has real IP address space.  The whole time the client is
connected, all of its traffic is being routed through the controller.
The vlan that the client's traffic is placed onto at the controller is
managed by CCA, just like the wired networks.

Most of the issues that needed to be solved were related to having one
SSID for the entire campus and making that work with individual
requirements for specific departments.  For example, we wanted students
in the residence halls to go through CCA, but not every department on
campus.  Currently, there also isn't good distributed management of APs
so that individual departments can control their APs (and nobody
else's).  However, this is *supposed* to work in the next release of
ArubaOS (and MMS--the management platform).

Another thing, we have a large deployment (~2000 APs) and we didn't want
to use per user firewalls, but we did want to use per user bandwidth
limiting.  Aruba recommended not limiting bandwidth per user because of
how large our deployment is.  We're not happy with that.  I suspect the
same would be true of per user firewalling.


Kyle




Mike Garner wrote:
> Hello all-
>
> We're currently a "cisco" shop for our switching, routing, and wi-fi but are
> considering the move from fat AP's to lightweight AP's. The clear leaders
> are Aruba Networks and Airespace (now Cisco). The Aruba products have some
> interesting features including per user firewalls, role based
> authentication/access, etc.. though some of these features seem to overlap
> CCA. I'd appreciate hearing from any CCA schools that have implemented CCA
> and Aruba. How does it work? Are you happy with the solution? Is CCA
> in-band, out-of-band, etc.? Do you have non-Aruba vlans that are still
> routed through or protected with CCA, for example wired dorms?
>
> Thanks!
> ~Mike
>
> ------------------------------------------
> Mike Garner
> IT, Western State College of Colorado
> [log in to unmask]
> 970.943.3123 
> 970.943.7069 (fax)
>
>   
