ArubaOS 8.6.0.0 Help Center

Managed Device Feature Overview

ArubaOS supports these distributed enterprises through the following features designed specifically for managed devices in branch and remote offices:

Authentication survivability allows managed devices to store user access credentials and key reply attributes whenever clients are authenticated with external RADIUS servers or LDAP authentication servers, providing authentication and authorization survivability when remote authentication servers are not accessible.

Integration with existing Palo Alto Networks Firewalls, like WildFire™ anti-virus and anti-malware detection services. In deployments with multiple Palo Alto Networks firewalls, managed devices can select the best PAN firewall based on priority and availability.

Policy-based routing on each uplink interface, which allows you to specify the next hop to which packets are routed. ArubaOS supports multiple next-hop lists, to ensure connectivity in the event that a device on the list becomes unreachable.

Uplink and VPN redundancy, and per-interface bandwidth contracts to limit traffic for individual applications (or categories of applications) either sent from or received by a selected interface.

Packet compression between Aruba devices (such as devices at the branch and main office), to maximize the amount of data that can be carried by the network.

A WAN health-check feature that uses ping-probes to measure WAN availability and latency on each uplink.

The following diagram depicts a managed device topology where a managed device in the branch office learns the address, routing information, and other provisioning information from the Mobility Master.

Figure 1  Managed Device Topology

Scalable Site-to-Site VPN Tunnels

ArubaOS supports site-to-site IPsec tunnels based on an FQDN. When you identify the remote peer for a managed device using an FQDN, that node configuration can be applied across multiple branch managed devices, as the configured FQDN can resolve to different IP addresses for each local branch, based on local DNS settings.

Crypto maps for site-to-site VPNs support a VLAN ID as the identifier for the source network. When the VPN settings are pushed to a managed device, the IKE negotiation process uses the IP address range for the VLAN. This feature allows multiple managed devices to use a single group of configuration settings defined at a configuration node, as each managed device negotiates a different source network IP for its VLAN, based on the IP pool for the managed devices defined for that configuration node.

WAN Health Check

The health-check feature uses ping-probes to measure WAN availability and latency on selected uplinks. Based upon the results of this health-check information, the managed device can continue to use its primary uplink, or failover to a backup link. Latency is calculated based on the round-trip time of ping responses. The results of this health check appear in the WAN section of the Monitoring Dashboard.
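The following is an added example, not ArubaOS code or configuration, that simulates the decision this section describes: a set of ping-probe round-trip times per uplink is reduced to an availability ratio and a mean latency, and the device keeps its primary uplink only while both stay within thresholds. The probe samples and the threshold values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed probe results: round-trip time in milliseconds for each ping
# probe sent on an uplink; None marks a probe that received no reply.
PRIMARY_SAMPLES = [12.0, 14.5, None, 13.2, None, None, None, None]
BACKUP_SAMPLES = [40.1, 42.3, 39.8, 41.0, 40.7, 43.2, 40.0, 41.5]


@dataclass
class UplinkHealth:
    name: str
    availability: float            # fraction of probes that were answered
    latency_ms: Optional[float]    # mean RTT of answered probes, None if all lost


def evaluate_uplink(name: str, samples: Sequence[Optional[float]]) -> UplinkHealth:
    """Reduce one probe window to availability and mean round-trip latency."""
    answered = [rtt for rtt in samples if rtt is not None]
    availability = len(answered) / len(samples) if samples else 0.0
    latency = sum(answered) / len(answered) if answered else None
    return UplinkHealth(name, availability, latency)


def choose_uplink(primary: UplinkHealth, backup: UplinkHealth,
                  min_availability: float = 0.8,
                  max_latency_ms: float = 200.0) -> str:
    """Keep the primary uplink while its health is within thresholds,
    otherwise fail over to the backup. Thresholds are example assumptions."""
    healthy = (primary.availability >= min_availability
               and primary.latency_ms is not None
               and primary.latency_ms <= max_latency_ms)
    return primary.name if healthy else backup.name


if __name__ == "__main__":
    primary = evaluate_uplink("primary", PRIMARY_SAMPLES)
    backup = evaluate_uplink("backup", BACKUP_SAMPLES)
    print(primary, backup, "active:", choose_uplink(primary, backup))
```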

IPsec Tunnels using GCM ciphers

Starting from ArubaOS 8.6.0.0, an IPsec tunnel can be established between managed devices and APs using GCM ciphers. The IPsec tunnel can be established without loading the ECDSA custom certificates. By default, the APs send the GCM cipher algorithm in the IPsec set, along with the current cipher list. New dynamic maps are programmed on the managed devices to establish the IPsec tunnels with GCM ciphers.

To establish a successful IPsec tunnel with GCM ciphers, disable the default-rap-ipsecmap dynamic map and ensure that there is an ACR license for each AP in the deployment.

220 Series and 550 Series access points do not support GCM ciphers. The IPsec tunnels are established using AES ciphers.