The Aruba ESP WLAN Features section describes the technologies and features used to implement an Aruba ESP wireless LAN. Topics covered include wireless security, visitor Wi-Fi, wireless multicast, wireless QoS, wireless network traffic engineering, and WLAN resiliency.
Table of contents
- WLAN Features
- Wireless Security
- Visitor Wireless
- WLAN Multicast and Broadcast
- WLAN QoS
- Bridge Mode Deployment
- Tunnel Mode Deployment
- WLAN Resiliency
- Campus Wireless Summary
Wireless security is a key component of the Aruba ESP WLAN solution. The latest improvements to wireless security are included in a protocol update called WPA3, which Aruba was instrumental in defining. Migrate wireless clients to WPA3 as soon as supported to ensure a reliable and secure WLAN.
WPA3 can be deployed using WPA3-Personal (SAE) or WPA3-Enterprise. WPA3 incorporates increased security, while the complexity remains the same as WPA2. WPA3 requires no changes in workflows or usage, with no new steps or caveats to remember. The Aruba Simultaneous Authentication of Equals (SAE) protocol was added to the IEEE 802.11s mesh networking standard and certified in 2012. SAE is an implementation of the dragonfly key exchange that performs a password-authenticated key exchange using a zero-knowledge proof. Each side proves it knows the password without exposing the password or password-derived data. The WPA3-SAE user experience is identical to WPA2-PSK, where a user simply enters the password and connects.
The Wi-Fi Alliance has published a list of WPA3-Certified Client Devices.
WPA3-Personal is a replacement for WPA2-PSK. It uses password-based authentication using the dragonfly key exchange (RFC 7664), which is resistant to active, passive, and dictionary attacks. For backward compatibility, enable “Transition Mode” so that WPA3 capable clients connect using WPA3-SAE and legacy clients connect using WPA2-PSK.
CCM 128 is WPA3 with AES CCM encryption and dynamic keys using 802.1X.
CCM 128 is the correct choice for networks moving to WPA3 today. The operating mode is backward compatible with WPA2, but adds optional support for 802.11w Protected Management Frame (PMF). Clients that are PMF capable (support 802.11w) and legacy clients can connect to the same SSID. The mode is supported in bridge, tunnel, and mixed-mode SSIDs.
WPA3 with AES GCM-256 encryption requires new key management (SHA-256), new ciphers, and PMF. Legacy clients are not supported. The operating mode can be used for sites requiring stronger key management and encryption when the client population supports GCM 256.
WPA3 with AES GCM-256 encryption uses Commercial National Security Algorithm (CNSA) (192 bit), new key management (SHA-384), and mandatory PMF endpoint support. The WPA3-Enterprise CNSA (192-bit) mode requires a compatible EAP server (such as Aruba ClearPass Policy Manager, version 6.8 or later) and requires EAP-TLS. Strict key exchange and cipher requirements may not be supported on all devices. The mode is supported in bridge, tunnel, and mixed-mode SSIDs. It is used primarily by government agencies.
Enhanced Open uses Opportunistic Wireless Encryption (OWE) to provide unauthenticated data encryption for open Wi-Fi networks. To the user, an Enhanced Open network appears just like an open network with no padlock symbol, but data are encrypted. OWE performs an unauthenticated Diffie-Hellman key exchange when the client associates with the AP.
The resulting shared secret is used to derive the keys that encrypt all management and data traffic between the client and the AP. Central proactively copies the keys to neighboring APs.
No additional device provisioning is required for Enhanced Open. Aruba recommends enabling Enhanced Open for visitor networks where encryption is needed but authentication is not required, such as coffee shops, bars, schools, public venues, and stadiums.
Transition Mode enables an administrator to configure a single open SSID for backward compatibility. The AP automatically creates two basic SSIDs with separate beacons when Enhanced Open is enabled.
BSSID 1 — An open network for non-Enhanced Open stations with an information element (IE) to indicate a BSSID 2 is available. Legacy clients connect to this BSSID, and their traffic is not encrypted.
BSSID 2 — A hidden Enhanced Open network with the Robust Security Network Information Element (RSN-IE) Authentication Key Management (AKM) field indicating the use of suite 18 (the OWE suite) for authentication. In addition, an IE indicates that BSSID 1 is available. Enhanced Open-capable clients connecting to the hidden SSID receive PMF and encryption benefits.
Aruba supports configuring Enhanced Open SSID in bridge or tunnel mode.
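The WPA3-Personal, WPA3-Enterprise and Enhanced Open modes described above are all advertised to clients through the RSN information element in the AP's beacon: the AKM suite list (suite 8 for SAE, 18 for OWE, 12 for the 192-bit Suite B mode), the cipher suites, and the PMF capable/required bits. The following parser is an added example for auditing what an SSID actually advertises; it is not Aruba or Central code. The suite numbers come from IEEE 802.11 (OUI 00-0F-AC); the three element byte strings are constructed samples, and the `findings` rules simply encode the guidance in this section (transition mode still admits WPA2-PSK clients, 192-bit mode needs GCMP-256 and mandatory PMF).

```python
"""Decode an 802.11 RSN information element and classify the WPA mode.

Added example for auditing SSID security settings; not Aruba's code.
Suite selectors use the IEEE OUI 00-0F-AC followed by a one-byte type.
"""
import struct

IEEE_OUI = b"\x00\x0f\xac"
CIPHERS = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
        8: "SAE", 9: "FT-SAE", 12: "802.1X-SuiteB-192", 18: "OWE"}
MFPR, MFPC = 0x0040, 0x0080  # RSN capabilities: PMF required / PMF capable

# Constructed sample elements (ID 48, length, version 1, suites, capabilities)
TRANSITION_IE = bytes.fromhex("3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000")
OWE_IE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac12 c000")
CNSA_IE = bytes.fromhex("3014 0100 000fac09 0100 000fac09 0100 000fac0c c000")


def _suites(data, offset):
    """Read a 2-byte little-endian count followed by that many 4-byte selectors."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    types = []
    for _ in range(count):
        oui, typ = data[offset:offset + 3], data[offset + 3]
        if oui != IEEE_OUI:
            raise ValueError(f"vendor-specific suite OUI {oui.hex()} not handled")
        types.append(typ)
        offset += 4
    return types, offset


def parse_rsn_ie(ie):
    """Return group/pairwise ciphers, AKM suites and PMF state of an RSN IE."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) != ie[1] + 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    if body[2:5] != IEEE_OUI:
        raise ValueError("vendor-specific group cipher not handled")
    group = body[5]
    pairwise, off = _suites(body, 6)
    akms, off = _suites(body, off)
    # RSN capabilities are optional; treat a missing field as no PMF bits set
    caps = struct.unpack_from("<H", body, off)[0] if len(body) >= off + 2 else 0
    return {
        "group": CIPHERS.get(group, group),
        "pairwise": [CIPHERS.get(t, t) for t in pairwise],
        "akm": [AKMS.get(t, t) for t in akms],
        "pmf": "required" if caps & MFPR else ("capable" if caps & MFPC else "disabled"),
    }


def classify(parsed):
    """Name the operating mode from the advertised AKM suites."""
    akm = set(parsed["akm"])
    if "OWE" in akm:
        return "Enhanced Open (OWE)"
    if "SAE" in akm and akm & {"PSK", "PSK-SHA256"}:
        return "WPA3-Personal transition mode (SAE + WPA2-PSK)"
    if "SAE" in akm:
        return "WPA3-Personal (SAE)"
    if "802.1X-SuiteB-192" in akm:
        return "WPA3-Enterprise 192-bit (CNSA)"
    if akm & {"802.1X", "802.1X-SHA256"}:
        return "Enterprise (802.1X)"
    if akm & {"PSK", "PSK-SHA256"}:
        return "WPA2-Personal (PSK)"
    return "unknown"


def findings(parsed):
    """Audit notes derived from the design guidance (assumed rules, not Aruba's)."""
    notes = []
    mode = classify(parsed)
    if "TKIP" in parsed["pairwise"] or parsed["group"] == "TKIP":
        notes.append("TKIP offered: legacy cipher, not part of WPA3")
    if mode.startswith("WPA3-Personal transition"):
        notes.append("transition mode: legacy clients still join with WPA2-PSK")
    if mode.startswith("WPA3-Enterprise 192"):
        if "GCMP-256" not in parsed["pairwise"] or parsed["pmf"] != "required":
            notes.append("192-bit mode requires GCMP-256 and mandatory PMF")
    if ("SAE" in parsed["akm"] or "OWE" in parsed["akm"]) and parsed["pmf"] == "disabled":
        notes.append("SAE/OWE advertised without PMF capability")
    return notes


if __name__ == "__main__":
    for name, ie in (("transition", TRANSITION_IE), ("owe", OWE_IE), ("cnsa", CNSA_IE)):
        parsed = parse_rsn_ie(ie)
        print(name, classify(parsed), parsed["pmf"], findings(parsed))
```

The parser stops after the RSN capabilities field; PMKID and group-management-cipher fields that may follow are not needed to determine the mode. Feeding it the RSN IE captured from each production SSID is a quick way to confirm that a transition-mode SSID really advertises both AKMs and that a 192-bit SSID advertises PMF as required rather than merely capable.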
The Multiple Pre-Shared Keys (MPSK) feature enables devices connecting to the same SSID to use different PSKs. One helpful example is headless Internet-of-Things (IoT) devices that do not support 802.1X. MPSK enhances WPA2 pre-shared key mode by enabling device-specific or group-specific passphrases. Using Aruba ClearPass Policy Manager, passphrases are assigned administratively to individual devices or to groups of devices based on common attributes such as profiling data, or assigned uniquely to individual device registrations. This establishes a one-to-one relationship between devices and a specific user to provide visibility, accountability, and management, and subsequently reduces the administrative burden when changing the passphrase for a set of devices.
Note: MPSK is not compatible with WPA3-Personal (SAE).
The Aruba ESP Architecture provides access to visitors and employees over the same infrastructure, while ensuring that visitor access does not compromise corporate network security.
Using the organization’s existing WLAN provides a convenient, cost-effective way to offer Internet access for visitors and contractors. The wireless visitor network:
- Provides Internet access to visitors through an open wireless SSID, with web access control in the gateway’s firewall.
- Supports the creation of temporary visitor authentication credentials that an authorized internal user can manage.
- Keeps visitor network traffic separate from the internal network.
Every AP can be provisioned with controlled, open access to wireless connectivity to the Internet. Visitor traffic is tunneled securely from the wireless AP back to the gateway and into a separate VLAN with Internet-only access. The figure below shows how traffic is passed from the wireless visitor network VLAN to the firewall.
Visitor Wireless Network
A visitor network should require a username and password entered on a captive portal. Lobby ambassadors or other administrative staff can issue temporary visitor accounts. This design provides the flexibility to tailor control and administration to the organization’s requirements while maintaining a secure network infrastructure.
It is common for the gateway to act as a DHCP server and router for visitor clients. As long as the projected load metrics are below the gateway’s recommended limits, Layer 3 operations can be enabled for visitors or IoT networks.
When routing is enabled on a gateway, use firewall policies to control traffic between VLANs. The DHCP service on the gateway is not redundant, so an external DHCP server is recommended for mission-critical visitor access.
The 802.11 standard states that multicast traffic over a WLAN must be transmitted at the lowest basic rate. Dynamic Multicast Optimization (DMO) is an Aruba technology that converts multicast frames to unicast before forwarding from a gateway to an AP. Unicast frames are acknowledged by the client and can be retransmitted if a frame is lost over the air. Unicast frames are also transmitted at the highest possible data rate supported by the client, which greatly reduces duty cycle in the cell, freeing up bandwidth for all users.
For performance optimization, avoid having more than one multicast source broadcasting the same data on the same WLAN datapath. Use the largest possible Layer 2 network to avoid converting multiple multicast streams simultaneously.
The figures below show a typical IP multicast topology with DMO enabled.
IP Multicast BSR, RP, MSDP, IGMP Snooping, and DMO Placement
Aruba WLANs can convert broadcast packets into unicast frames to optimize airtime usage. Broadcast frames over the air must be transmitted at the lowest configured data rate (called the “basic rate”). Since broadcasts have no delivery acknowledgment, there is no option to retransmit a lost broadcast frame. When the frame is converted to unicast, the AP can send it at a much higher data rate and receive a delivery acknowledgment, so a lost frame can be retransmitted.
Unicast greatly decreases channel duty cycle and delivers frames at the highest possible data rate per client.
An SSID can be configured for broadcast filtering to optimize the WLAN performance. The default setting for an Aruba ESP WLAN managed in Central is ARP.
- ARP - The WLAN drops broadcast and multicast frames except DHCP, ARP, IGMP group queries, and IPv6 neighbor discovery protocols. Additionally, it converts ARP requests to unicast and sends frames directly to the associated clients.
- All - The WLAN drops all broadcast and multicast frames except DHCP, ARP, IGMP group queries, and IPv6 neighbor discovery protocols.
- Unicast ARP Only - This option enables the WLAN to convert ARP requests to unicast frames and send them to the associated clients.
- Disabled - The AP forwards all broadcast and multicast traffic to the wireless interfaces.
Wi-Fi Multimedia (WMM) is a certification program created by the Wi-Fi Alliance that covers QoS over Wi-Fi networks. WMM prioritizes network traffic into one of four queues. Based on its assigned traffic class, traffic receives different treatment, such as a shortened wait time between packets or tagging of packets using DSCP and IEEE 802.1p markings.
Users can define the traffic assigned to each queue, and DSCP and 802.1p values can be adjusted as needed to match the wired LAN.
To take advantage of WMM functionality in a Wi-Fi network, three requirements must be met:
- The AP is Wi-Fi Certified™ for WMM and has WMM enabled.
- The client device is Wi-Fi Certified™ for WMM.
- The source application supports WMM.
Note: WMM is supported in all Aruba Wi-Fi products.
QoS is set for a VLAN or port and can be set dynamically per application using a policy enforcement firewall. Most networks, including wireless LANs, operate below capacity. There is very little congestion, and traffic flows well. QoS provides predictable behavior for congested periods. During overload conditions, QoS mechanisms grant certain traffic high priority while making fewer resources available to lower-priority traffic. Increasing the number of voice users, for instance, may mean delaying or dropping data traffic.
Wi-Fi manages airtime contention using carrier-sense multiple access with collision avoidance (CSMA/CA), much like shared Ethernet networks did in the past. CSMA/CA requires that each device monitor the wireless channel for other Wi-Fi transmissions before transmitting a frame. The Wi-Fi standard defines a distributed system in which there is no central coordination or scheduling of clients or APs. However, with Wi-Fi 6 and BSS coloring, channel contention is greatly reduced.
The WMM protocol adjusts two CSMA/CA parameters: the random back-off timer and the arbitration inter-frame space, according to the QoS priority of the frame to be transmitted. High-priority frames are assigned shorter random back-off times and arbitration inter-frame spaces, while low-priority frames must wait longer.
Back-off and Arbitration Inter-frame Timers for WMM
WMM defines four priority levels for 802.11 traffic. In ascending priority:
- Background
- Best effort
- Video
- Voice
Since QoS must be maintained end-to-end, WMM priority levels must be mapped to the QoS priorities used on the LAN. The table below shows how DSCP priorities are translated to the four WMM priority levels.
WMM to DSCP Mapping
|WMM access category|Description|DSCP|
|---|---|---|
|Voice priority|Real-time interactive|46|
|Video priority|Multimedia streaming|26|
|Background priority|Best effort|0|
AirSlice is a unique RF technology that uses Policy Enforcement Firewall (PEF) deep packet inspection to guarantee performance for latency-sensitive, high-bandwidth, and IoT services such as 4K video streaming or unified communications (UC). An Advanced License is required to enable Deep Packet Inspection before configuring AirSlice.
The table below lists the applications supported by default with AirSlice.
|Application|
|---|
|Skype for Business|
|Amazon Web Services|
More information about AirSlice can be found in the Aruba AirSlice Tech Brief.
Bridge Mode provides an easy solution when tunneled traffic and advanced gateway features are not required. In this mode, wireless traffic is bridged directly from the AP into the wired infrastructure. The access switch ports for the APs are trunked to provide SSID-to-VLAN connectivity. The AP handles the packet encryption, user authentication, and policy enforcement functions, while features such as RF management, key management, live upgrades, monitoring, and troubleshooting are managed in Central.
The figure below illustrates the ArubaOS 10 (AOS 10) bridge mode topology.
Aruba gateways can be added to a greenfield design or an existing bridge mode deployment. A tunnel mode deployment offers robust security features and maximum operational flexibility. Gateways can be deployed individually or clustered for increased redundancy and scale. Clusters are automatically created by adding gateways to the same group in Central.
Tunnel Mode increases visibility into applications, which helps prioritize business-critical data. This model also provides microsegmentation, dynamic RADIUS proxy, and encryption over the LAN. Seamless roaming is supported across an entire Layer 3 campus.
Although AOS 10 allows multiple versions of gateways and APs within a single cluster, best practice is to run matching AP and gateway versions to ensure consistent feature support and overall stability throughout the WLAN.
The diagram below shows the AOS 10 tunneled mode topology.
APs in Tunneled Mode
Enabling proxy ARP directs the gateway to respond to an ARP request on behalf of a client in the user table. When enabled on a VLAN with an IP address, the gateway provides its own MAC address in the proxy ARP reply. If the VLAN does not have an IP address, the gateway supplies the client’s MAC address. This feature is turned off by default. Enable it only for deployments in which the gateway is a transparent hop to another device, such as with Aruba VIA (Virtual Internet Access) VPN.
Campus installations of a gateway should always be Layer 2, and the gateway should not perform Layer 3 operations. The client’s default gateway should be another device, such as a router or switch, and the Layer 2 network should be dedicated for the clients attached to the gateway. The gateway’s broadcast and multicast management features enable the use of large subnets without issue.
Make the Layer 2 network as large as can be supported by the gateway and switching infrastructure. Table sizes, ARP learning rates, physical layer rates, and redundancy all affect the switching infrastructure design.
Aruba ESP provides a variety of components useful for designing a highly available, fault-tolerant network. This section provides general guidelines for software features that increase fault tolerance and allow for upgrades with minimal service impact.
Authentication keys are synchronized across APs by the Key Management Service (KMS) in Central. This allows clients to roam between APs without reauthenticating or rekeying encrypted traffic. Key sync reduces the load on the RADIUS servers and speeds the roaming process for a seamless experience. Key synchronization and management are handled automatically by the APs and Central; no additional user configuration is required.
Traffic from a client can be synchronized across primary and secondary gateways when using a cluster. This allows the client to fail from the primary gateway to the secondary seamlessly. The system synchronizes encryption keys between APs, so when a client moves to its secondary gateway, the client does not need to reauthenticate or rekey its encrypted traffic. To the client, moving between gateways or APs is transparent.
This is a crucial component of Aruba’s high availability design and Live Upgrade features. When using a bridged SSID, the firewall state is synced for each roaming event, so the client experiences seamless roaming with no traffic disruption.
When a gateway fails, clients left with a single gateway connection are rebalanced across the cluster. The length of time required for this operation depends on the number of clients on the network. If a second gateway fails before the rebalancing can occur, the client is disassociated and reconnected to an available gateway. The client can reestablish a connection as long as other gateways are not at capacity.
To mitigate a multiple gateway failure, minimize the common points of failure. To limit the risk of domain failure, use disparate line cards or switches, multiple uplinks spanning line cards or switches, port configuration validation, and multiple gateways.
The ESP campus WLAN provides network access for employees, visitors, and IoT devices. Regardless of their location, wireless devices have the same experience when connecting to their services.
The benefits of the Aruba wireless solution include:
- Seamless network access for employees, visitors, and IoT devices.
- Plug-and-play deployment for wireless APs.
- Wi-Fi 6 enhancements that address connectivity issues for high-density deployments and improve the performance of the network.
- Live upgrades to perform operating system updates with little to no impact on service.