Aruba Networks Version 3.3 User's Manual

Mobility Controller Configuration | Campus Wireless Networks Validated Reference Design Version 3.3 | Design Guide
SSIDs
SSIDs appear as the name of the network displayed in the ‘Available Wireless Networks’ screen on a 
wireless client. While many APs in the same network will share the same SSID, each will have a unique 
BSSID. This feature is often used to let users know which SSID they should attempt to associate to, and 
to provide a different level of security on each SSID, such as WPA, WPA2, or Captive Portal. 
Clients typically make roaming decisions based on the received signal strength of the BSSIDs 
they can hear. 
The diagram above shows the most common SSID design for enterprise organizations, which includes 
three different SSIDs. A strong authentication and encryption suite is used for employee users, in this 
case WPA2-Enterprise. The network administrator might choose a name such as ‘Acme Corp 
Employee’ for this SSID. 
The second SSID is used for specific devices which are not capable of modern, strong authentication and 
encryption levels. As of this writing, common examples include the following devices: 
- Portable barcode scanners
- Active RFID tags
- All but the latest WiFi phones
- IP video cameras
In this case, the Mobility Controller uses an SSID such as ‘Acme Corp-Application’ and uses the 
strongest authentication and encryption suite supported by the devices; in this case, WPA-PSK (pre-shared key).
The final SSID is used to provide guest access to the network. This SSID will not run any encryption and 
will require guests to authenticate using the Captive Portal capability that is built into the Aruba 
Mobility Controller. The guest users can authenticate against a centralized authentication server or the 
built-in Local Database on the Mobility Controller, which is common when combined with the guest 
provisioning role on the controller.
VLANs
At the controller, users who successfully authenticate via an Aruba AP into any of these three SSIDs 
are treated very differently in the Role Derivation process, according to the Configuration Profiles in the 
AP Group assigned to that AP. The Employee user is most likely placed on a VLAN with access to 
internal network resources, although this can be further refined with sophisticated ACLs applied on a 
per-packet basis. The dual-mode WiFi phone is placed on a voice-only VLAN and is only permitted to 
contact a SIP server and transmit RTP traffic. Any attempt by the device to do something else would 
automatically ‘blacklist’ that device from the network. Finally, the Guest user would be placed onto a 
guest-only VLAN that only has access to the default gateway leading to the internet.
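The role derivation and per-packet enforcement described above, as an added model that is not part of the Aruba guide and is not ArubaOS configuration: each SSID maps to a role, each role to a VLAN and an ordered rule list, and a voice device that steps outside SIP/RTP is blacklisted. VLAN numbers, the internal prefix, the SIP server address and the guest SSID name are constructed assumptions.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # constructed internal address space
SIP_SERVER = ipaddress.ip_address("10.1.5.10")     # constructed SIP server address

# Role -> (VLAN, ordered rules). A rule is (dst_test, service, action);
# dst_test is a predicate on the destination address, service None matches any.
# First matching rule wins, as in a session ACL evaluated per packet.
ROLES = {
    "employee": (10, [(lambda d: True, None, "permit")]),
    "voice":    (20, [(lambda d: d == SIP_SERVER, "sip", "permit"),
                      (lambda d: True, "rtp", "permit"),
                      (lambda d: True, None, "blacklist")]),   # anything else: blacklist
    "guest":    (30, [(lambda d: d not in INTERNAL, None, "permit"),  # only via the gateway
                      (lambda d: True, None, "deny")]),
}

# SSID -> initial role. Guest SSID name is a constructed placeholder.
SSID_ROLE = {"Acme Corp Employee": "employee",
             "Acme Corp-Application": "voice",
             "Acme Corp Guest": "guest"}


class Controller:
    """Minimal stand-in for the controller's role derivation and session firewall."""

    def __init__(self):
        self.blacklist = set()   # client MACs that are no longer allowed on the network

    def derive_role(self, ssid):
        # Unknown SSIDs fall back to the most restrictive role.
        return SSID_ROLE.get(ssid, "guest")

    def check(self, mac, ssid, dst, service=None):
        """Return (verdict, vlan) for one packet from client `mac`."""
        if mac in self.blacklist:
            return ("blacklisted", None)
        vlan, rules = ROLES[self.derive_role(ssid)]
        dst = ipaddress.ip_address(dst)
        for dst_test, svc, action in rules:
            if dst_test(dst) and (svc is None or svc == service):
                if action == "blacklist":
                    self.blacklist.add(mac)
                return (action, vlan)
        return ("deny", vlan)   # implicit deny if no rule matched
```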
[Figure arun_055: the three SSIDs of the common enterprise design: Employee SSID, Application SSID, Guest SSID]