Managed Device Feature Overview

ArubaOS supports these distributed enterprises through the following features designed specifically for managed devices in branch and remote offices:

Authentication survivability allows managed devices to store user access credentials and key reply attributes whenever clients are authenticated with external RADIUS (Remote Authentication Dial-In User Service) or LDAP (Lightweight Directory Access Protocol) authentication servers, providing authentication and authorization survivability when the remote authentication servers are not accessible.

Integration with existing Palo Alto Networks firewalls, including the WildFire™ anti-virus and anti-malware detection services. In deployments with multiple Palo Alto Networks firewalls, managed devices can select the best PAN firewall based on priority and availability.

Policy-based routing on each uplink interface, which allows you to specify the next hop to which packets are routed. ArubaOS supports multiple next-hop lists, to ensure connectivity in the event that a device on the list becomes unreachable.

Uplink and VPN (Virtual Private Network) redundancy, and per-interface bandwidth contracts that limit traffic for individual applications (or categories of applications) either sent from or received by a selected interface.

Packet compression between Aruba devices (such as devices at the branch and main office), to maximize the amount of data that can be carried by the network.

A WAN (Wide Area Network) health-check feature that uses ping probes to measure WAN availability and latency on each uplink.

The following diagram depicts a managed device topology where a managed device in the branch office learns the address, routing information, and other provisioning information from the Mobility Master.

Figure 1  Managed Device Topology

Scalable Site-to-Site VPN Tunnels

ArubaOS supports site-to-site IPsec (Internet Protocol security) tunnels based on an FQDN (Fully Qualified Domain Name). When you identify the remote peer for a managed device using an FQDN, that node configuration can be applied across multiple branch managed devices, because the configured FQDN can resolve to a different IP address at each local branch, based on local DNS (Domain Name System) settings.

Crypto maps for site-to-site VPNs support a VLAN (Virtual Local Area Network) ID as the identifier for the source network. When the VPN settings are pushed to a managed device, the IKE (Internet Key Exchange) negotiation process uses the IP address range of that VLAN. This feature allows multiple managed devices to use a single group of configuration settings defined at a configuration node, as each managed device negotiates a different source network IP for its VLAN, based on the IP pool defined for the managed devices at that configuration node.
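The following worked example shows how the two mechanisms above combine: one node-level crypto map (peer identified by FQDN, source network identified by VLAN ID) is instantiated into different concrete IKE parameters per branch, because each branch's local DNS answers differently and each branch's VLAN subnet is carved from the node's IP pool. This is an added illustration written for this page, not ArubaOS code; the FQDN, branch names, DNS answers, pool and prefix length are all constructed placeholders.

```python
import ipaddress

# Constructed node-level configuration (hypothetical names and values):
# one crypto-map definition shared by every branch under this node.
NODE_CONFIG = {
    "peer_fqdn": "hq-vpn.example.com",   # placeholder peer FQDN
    "source_vlan": 10,                   # VLAN ID used as the source network
    "vlan_pool": "10.10.0.0/16",         # pool the node carves per-branch VLAN subnets from
    "branch_prefix": 24,                 # size of each branch's VLAN subnet
}

# Constructed per-branch DNS answers: the same FQDN resolves differently
# at each branch because each branch queries its own local DNS.
LOCAL_DNS = {
    "branch-a": {"hq-vpn.example.com": "198.51.100.10"},
    "branch-b": {"hq-vpn.example.com": "198.51.100.20"},
    "branch-c": {},   # this branch's DNS has no answer for the peer yet
}


def allocate_vlan_subnets(pool_cidr, new_prefix, branch_names):
    """Carve one VLAN subnet per branch out of the node's IP pool, in order."""
    pool = ipaddress.ip_network(pool_cidr)
    subnets = pool.subnets(new_prefix=new_prefix)
    return {name: str(next(subnets)) for name in branch_names}


def resolve_peer(branch_name, fqdn):
    """Look up the peer FQDN with the branch's local DNS; None if unresolved."""
    return LOCAL_DNS.get(branch_name, {}).get(fqdn)


def instantiate_crypto_map(branch_name, node_config, allocation):
    """Turn the shared node-level crypto map into this branch's concrete IKE parameters."""
    peer_ip = resolve_peer(branch_name, node_config["peer_fqdn"])
    if peer_ip is None:
        # Without a resolvable peer there is nothing to negotiate with.
        return {"branch": branch_name, "status": "peer-unresolved"}
    local_net = ipaddress.ip_network(allocation[branch_name])
    return {
        "branch": branch_name,
        "status": "ready",
        "peer": peer_ip,
        "local_selector": str(local_net),      # source network offered in IKE
        "source_vlan": node_config["source_vlan"],
    }


def instantiate_all(node_config):
    """Instantiate the node-level map for every branch and check the selectors are disjoint."""
    names = sorted(LOCAL_DNS)
    allocation = allocate_vlan_subnets(
        node_config["vlan_pool"], node_config["branch_prefix"], names)
    maps = [instantiate_crypto_map(n, node_config, allocation) for n in names]
    ready = [m for m in maps if m["status"] == "ready"]
    selectors = {m["local_selector"] for m in ready}
    # Two branches negotiating the same source network would collide at the hub.
    assert len(selectors) == len(ready), "overlapping source networks"
    return maps


if __name__ == "__main__":
    for entry in instantiate_all(NODE_CONFIG):
        print(entry)
```

The unresolved branch is reported rather than silently skipped; in practice that is the first thing to check when a branch using an FQDN-based crypto map never brings its tunnel up.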

WAN Health Check

The health-check feature uses ping probes to measure WAN availability and latency on selected uplinks. Based on the results of this health check, the managed device can continue to use its primary uplink or fail over to a backup link. Latency is calculated from the round-trip time of ping responses. The results of this health check appear in the WAN section of the Monitoring Dashboard.
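As an added example (not ArubaOS code), the following script models the decision the text describes: per-uplink ping probes are summarized into packet loss and mean round-trip latency, each uplink is judged healthy or not against a policy, and the first healthy entry of an ordered next-hop list (primary first, then backups, as in the policy-based routing feature above) is selected. The probe samples and the loss and latency thresholds are constructed for illustration; the page does not state the thresholds ArubaOS applies.

```python
from statistics import mean

# Constructed ping-probe samples per uplink: round-trip time in ms,
# or None where the probe received no reply.
PROBES = {
    "uplink1": [12.0, None, None, None, 15.0],   # primary: low latency but 60% loss
    "uplink2": [40.0, 42.0, 39.0, 41.0, 40.0],   # backup: slower but no loss
    "uplink3": [None, None, None, None, None],   # second backup: completely down
}

# Hypothetical health policy; real thresholds come from the deployment's configuration.
THRESHOLDS = {"max_loss_pct": 50.0, "max_latency_ms": 200.0}


def summarize(samples):
    """Turn raw probe replies into availability (loss %) and latency (mean RTT)."""
    replies = [rtt for rtt in samples if rtt is not None]
    loss_pct = 100.0 * (len(samples) - len(replies)) / len(samples)
    latency_ms = mean(replies) if replies else None
    return {"sent": len(samples), "received": len(replies),
            "loss_pct": loss_pct, "latency_ms": latency_ms}


def is_healthy(summary, thresholds):
    """An uplink is usable only if it answered at all and stays within both limits."""
    if summary["latency_ms"] is None:
        return False
    return (summary["loss_pct"] <= thresholds["max_loss_pct"]
            and summary["latency_ms"] <= thresholds["max_latency_ms"])


def select_uplink(next_hop_list, probes, thresholds):
    """Walk the ordered next-hop list and return the first healthy uplink plus the full report.

    Returns (None, report) when every uplink fails the health check, so the caller
    can raise an alarm instead of silently routing into a dead link.
    """
    report = {name: summarize(probes[name]) for name in next_hop_list}
    for name in next_hop_list:
        if is_healthy(report[name], thresholds):
            return name, report
    return None, report


if __name__ == "__main__":
    chosen, report = select_uplink(["uplink1", "uplink2", "uplink3"], PROBES, THRESHOLDS)
    for name, stats in report.items():
        print(f"{name}: loss={stats['loss_pct']:.0f}% latency={stats['latency_ms']}")
    print("selected:", chosen)
```

With the constructed samples the primary uplink is rejected for loss even though its latency is the best, and traffic fails over to uplink2; the report dictionary is what you would surface in a dashboard view like the WAN section mentioned above.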

IPsec Tunnels using GCM ciphers

Starting from ArubaOS 8.6.0.0, an IPsec tunnel can be established between managed devices and APs using GCM ciphers. The IPsec tunnel can be established without loading the ECDSA (Elliptic Curve Digital Signature Algorithm) custom certificates. By default, the APs send the GCM cipher algorithm in the IPsec set, along with the current cipher list. New dynamic maps are programmed on the managed devices to establish the IPsec tunnels with GCM ciphers.

To establish a successful IPsec tunnel with GCM ciphers, disable the default-rap-ipsecmap dynamic map and ensure that there is an ACR license for each AP in the deployment.

 

220 Series and 550 Series access points do not support GCM ciphers. The IPsec tunnels are established using AES (Advanced Encryption Standard) ciphers.