2012 ah emea advanced mobility design

Uploaded by: airheads-community, posted 27-Jan-2015

TRANSCRIPT

Page 1: 2012 ah emea   advanced mobility design

CONFIDENTIAL

© Copyright 2012. Aruba Networks, Inc.

All rights reserved

JOIN: community.arubanetworks.com

FOLLOW: @arubanetworks

DISCUSS: #airheadsconf

Page 2

MOBILE DEVICE FUNDAMENTALS

Keith Mataranglo

Aruba Networks Germany

May 21st, 2012

Page 3

TODAY’S NETWORK

Page 4

MOBILE DEVICE TYPES

Stationary Devices

Somewhat Mobile Devices (SMD)

Highly Mobile Devices (HMD)

Characteristics

Wireless Scale Laptop

Page 5

Mobile Device Fundamentals Topics

Device Characteristics / WLAN Requirements (slide columns, in the order extracted):

• Portability

• Applications

• 802.11 support

• Management

• Roaming

• QoS and Access Control

• Speed and capabilities

• Security

Aruba Design Pillars:

• Device Configuration

• Airtime Optimization

• Roaming Optimization

• IP Mobility Configuration

• IP Multicast Optimization

• Interference Resistance

Page 6

Principles of Optimizing the WLAN

1. Device Configuration

• Some device changes require corresponding changes to the WLAN infrastructure, e.g., basic rate support & DTIM.

2. Airtime Optimization

• Roaming devices are sensitive to RF congestion and inefficiencies. Improve performance using load balancing across APs & channels.

3. Roaming Optimization

• Roaming decisions can be influenced by optimizing data rates, output power, retry thresholds and by using the Handoff Assist feature.

4. IP Mobility Configuration

• Good IP mobility design is critical to environments. Selection of layer-2 (L2) or layer-3 (L3) roaming requires careful planning.

5. IP Multicast Optimization

• Reducing and optimizing multicast traffic over the air and on the wire is vital.

6. Interference Resistance

• Devices are likely to encounter and be impacted by adverse RF conditions.

Page 7

Principle #1 – Device Configuration

– Optimal device settings

– Shared or dedicated SSIDs

– Enable 802.11h (DFS/TPC)

– Maximize battery life

– End-to-End QoS for voice devices

– Push-to-talk (PTT)

– Security and encryption

– Mobile device management (MDM)

Page 8

Mobile Device RF components

(Figure: internal antenna, radio and WLAN NIC)

Page 9

Don’t do this!!

Page 10

Mounting APs for coverage

Ceiling

Wall

Page 11

Principle #2 – Airtime Optimization

– RF Optimizations

• Band steering

• Spectrum load balancing

• Airtime fairness

• Mode-aware ARM

• Voice/Video-aware ARM

• Load-aware ARM

• PS-aware ARM

– Reducing broadcasts and multicasts

– Limiting “Chatty” protocols

– AP capacity planning (voice devices)

Page 12

Principle #3 – Roaming Optimization

• Ensuring complete Wi-Fi coverage

• VLAN pooling

• Fast roaming (802.11r & OKC)

• Device-specific roaming settings:

  • ARM power adjustments (match client and AP power)

  • Retry and failure settings (voice devices)

• PMK Caching results in 4x faster roaming speeds than Non-PMK Caching.

Page 13

Principle #4 – IP Mobility Configuration

• Layer 2 mobility

  • Client maintains IP address as it roams and is assigned address from same IP subnet

• Layer 3 mobility

  • User roams from AP-Subnet A to an AP-Subnet B

  • Layer 3 network address must change to maintain L3 connectivity on Subnet B

  • Aruba L3 Mobility allows the roaming client to maintain the same IP address

(Figure: L2 Mobility design; L3 Mobility design)

Page 14

Principle #5 – IP Multicast Optimization

• Effects of multicast: reduce multicast traffic over the air and the wire to improve channel efficiency

• IGMP snooping/proxy to eliminate unnecessary data replication and controller processing

• Multicast rate optimization to increase lowest base rate

• Dynamic multicast optimization (DMO) to convert multicast frames with unicast headers

• Use of ToS/QoS on controller and wired infrastructure, port-based session ACL or user

• Block mDNS (if not required) with user roles

• Use bandwidth contracts to protect unicast traffic

Page 15

Principle #6 – Interference Resistance

• FHSS and non-802.11 interference

• Noise immunity

• Fixed frequency interference

• 802.11 co-channel (CCI) and adjacent channel interference (ACI)

• RX sensitivity channel reuse

• Aruba Spectrum Monitor

Page 16

TOPIC OVERVIEW

Management Tools

Device Profiling

Policy Enforcement

Page 17

MANAGED VS. UNMANAGED DEVICES

Overview

(Figure: any network, any user; devices and users: iOS, Android, Ultrabooks; VPN. Security: reliable & intuitive. Simplified management.)

Page 18

MANAGED DEVICES

• Primarily Windows Laptops

• Managed using Windows Active Directory Policies

• Client 802.1X Supplicant is configured by IT staff to connect securely

• Applications can be limited by user

• Machine Authentication can be enforced

• WLAN policies or VPN software can be configured by IT Staff

Overview

Page 19

UNMANAGED DEVICES

Overview

(Figure: WLAN Controller; Network Management; Mobility Access Management; Policy Management)

Network Services are needed for unmanaged devices to access the WLAN securely

Page 20

TOPIC OVERVIEW

Policy Enforcement

Management Tools

Overview

Page 21

DEVICE PROFILING AND ROLE

Device Profiling

Based on AOS 6.0.1 or 6.1.1

Type of device allowed on the WLAN. Role determines access:

• Firewall policy

• Bandwidth constraints

• VLAN

• QoS

Page 22

OS FINGERPRINTING PURPOSE

• OS Fingerprinting allows the Aruba Controller to classify device type and assign a role

– iOS

– Blackberry

– etc.

• Two Methods

– Monitor dhcp-option (User Class Option) included in client’s request

– Browser HTTP user-agent string identification

  • Watches HTTP traffic from the station looking for user-agent string

Page 23

FINGERPRINTING PROCESS

• Identify the device value of the DHCP option

• Create a firewall role

• Write and apply a user derivation rule

Page 24

IDENTIFYING THE DEVICE SIGNATURE

Enable DHCP debugging:

  # configure terminal
  # logging level debugging network subcat dhcp

View debug output:

  # show log network all | include Option

  Apr 23 07:01:55 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 Options 36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936

Page 25

CREATE FIREWALL DERIVATION RULE

• Inspection and role assignment enabled through User Derived Rules

– New UDR condition “dhcp-option”

• Note that 37 0103060F77FC means dhcp option 55 (hex 37) and the value is 010306…

  aaa derivation-rules user abc
    set role condition dhcp-option equals 370103060F77FC set role ios
    set role condition dhcp-option starts-with 0c616E64726F69645F set role android
    set role condition dhcp-option equals 3C426C61636B4265727279 set role blackberry
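The following Python is an added illustration, not Aruba code and not from the slide deck: it ties the debug output of the previous slide to the derivation rules above by parsing the Options field of each DHCP REQUEST line into option-code/value pairs and evaluating the three dhcp-option conditions. The sample lines are constructed here (the first is the line shown on the previous slide; the other three are invented so each rule fires). Assumptions not stated on the slides: the match token is the two-digit option code followed by the option value in hex (as the 37 0103060F77FC note implies), the comparison is case-insensitive (the controller logs lowercase hex while the rules use uppercase), rules are evaluated top-down with the first match winning, and unmatched clients fall to an assumed "guest" role.

```python
import re

# Constructed sample debug output. The first line is the one shown on the slide;
# the other three are constructed here to exercise each of the slide's rules.
SAMPLE_LINES = [
    "Apr 23 07:01:55 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 Options 36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936",
    "Apr 23 07:02:10 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 02:00:00:aa:bb:01 reqIP=192.168.1.77 Options 36:c0a80103 37:0103060f1c333a3b 0c:616e64726f69645f31323334",
    "Apr 23 07:02:31 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 02:00:00:aa:bb:02 reqIP=192.168.1.91 Options 36:c0a80103 3c:426c61636b4265727279 0c:6d792d6262",
    "Apr 23 07:02:48 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 02:00:00:aa:bb:03 reqIP=192.168.1.120 Options 36:c0a80103 37:0103060f77fc 0c:6970686f6e65",
]

# The slide's derivation rules: (operator, option-code hex + value hex, role).
RULES = [
    ("equals", "370103060F77FC", "ios"),
    ("starts-with", "0c616E64726F69645F", "android"),
    ("equals", "3C426C61636B4265727279", "blackberry"),
]
DEFAULT_ROLE = "guest"  # assumed fallback when no rule matches; not on the slide

_LINE_RE = re.compile(
    r"REQUEST (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) "
    r"reqIP=(?P<ip>\d+\.\d+\.\d+\.\d+) Options (?P<opts>.+)$"
)


def parse_request(line):
    """Return {'mac', 'ip', 'options'} for a DHCP REQUEST debug line, or None.

    'options' maps the option code (int) to its value as lowercase hex.
    """
    m = _LINE_RE.search(line)
    if not m:
        return None
    options = {}
    for token in m.group("opts").split():
        code, sep, value = token.partition(":")
        if not sep or not re.fullmatch(r"[0-9a-fA-F]{2}", code):
            continue  # skip anything that is not a 'cc:hex' option token
        options[int(code, 16)] = value.lower()
    return {"mac": m.group("mac"), "ip": m.group("ip"), "options": options}


def rule_matches(options, operator, pattern):
    """Apply one dhcp-option condition.

    The pattern is the option code (2 hex digits) followed by the option value,
    as in the slide's note that 37 0103060F77FC is option 55 with value
    010306... Comparison is case-insensitive (assumed).
    """
    pattern = pattern.lower()
    if len(pattern) < 2:
        return False
    code = int(pattern[:2], 16)
    value = options.get(code)
    if value is None:
        return False
    token = pattern[:2] + value
    if operator == "equals":
        return token == pattern
    if operator == "starts-with":
        return token.startswith(pattern)
    raise ValueError(f"unsupported operator: {operator}")


def derive_role(line, rules=RULES, default=DEFAULT_ROLE):
    """First matching rule wins (assumed top-down evaluation)."""
    req = parse_request(line)
    if req is None:
        return None
    for operator, pattern, role in rules:
        if rule_matches(req["options"], operator, pattern):
            return role
    return default


def hostname(line):
    """Decode DHCP option 12 (host name) for visibility; None if absent/invalid."""
    req = parse_request(line)
    if req is None or 12 not in req["options"]:
        return None
    try:
        return bytes.fromhex(req["options"][12]).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(lines):
    """Return [(mac, hostname, role), ...] for each parseable line."""
    out = []
    for line in lines:
        req = parse_request(line)
        if req is not None:
            out.append((req["mac"], hostname(line), derive_role(line)))
    return out


if __name__ == "__main__":
    for mac, name, role in classify(SAMPLE_LINES):
        print(f"{mac}  host={name!s:<16} role={role}")
```

Run as a script it prints one classification per request. Note that the slide's own debug line does not match the ios rule: its option 55 value is 0103060f0c, whereas the rule expects 0103060F77FC, so it falls through to the assumed default role; only the constructed fourth line carries the value the rule expects. A real controller evaluates its UDRs with its own ordering and matching rules; this block only models the semantics visible on the slide.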

Page 26

CONFIGURATION IN WEB UI

Page 27

TOPIC OVERVIEW

Policy Enforcement

Overview

Device Profiling

Page 28

MOBILE DEVICE ACCESS CONTROL

Management Tools

(Figure) 802.11n Wi-Fi: Device Fingerprinting, Role Based Access; Security & BW policies by Device, Multimedia Grade. Web Login Server: Self-Service Device Configuration Portal, Device Authorization. Management Server: Device and OS Visibility, Troubleshooting & Capacity Planning.

Page 29

DEVICE MANAGEMENT VS ACCESS CONTROL

Management Tools

Access Control:

• Protect the network

• Restrict usage and bandwidth

• Device-level visibility

Mobile Device Management (MDM):

• Configure net/sec settings

• Remote wipe & remote control

• Manage applications and firmware

Page 30

WHEN TO USE MDAC & MDM

Management Tools

(Figure axes: Email, Intranet → Business-specific Apps; Employee Liable → Corporate Liable)

Use MDAC Only

• Remotely configure network access

• Protect network

• Device visibility

• Cost-effective

Use MDAC + MDM

• Remotely configure net access AND applications

• Protect network AND device data

• Device troubleshooting

Page 31

IT POLICY

Management Tools

Tolerated (Employee Liable)

• Employee Owned (BYOD)

• Partially secured and controlled

• Limited to safe interactions

Trusted (Corporate Liable)

• Corporate Issued

• Fully Controlled and secured

• Unrestricted

Page 32

MOBILE DEVICE PROVISIONING

Management Tools

Bring Your iPad to Work

✔ Zero IT touch, context aware access

✔ Auto-identification of user, device, application

✔ Monitoring, reporting per user and per device

(Figure: 802.11n AP, Mobility Controller, Active Directory, Amigopod)

1. User Fingerprinting

2. Device Fingerprinting

3. iPad Self Registration

4. Context Aware Access Control

Page 33

TOPIC OVERVIEW

Management Tools

Overview

Device Profiling

Page 34

SECURE NETWORK ACCESS FOR MOBILE DEVICES

Policy Enforcement

1. Provision Device

2. Invoke a Policy

3. Enforce Policy

Page 35

AUTOMATE DEVICE CONFIGURATION

Policy Enforcement

Configures 802.1X, VPN & e-mail and provisions device credentials

(Figure: Policy Manager Server; Access Network; 1. Connects to web portal; 2. VPN; 3. Access Network)

Application installer *Windows only at launch

Page 36

CONTROL COMPROMISED DEVICES

Policy Enforcement

Detect unsecure devices

• Block access to network resources across wired, wireless & remote

• Auto-Remediate the device

• Minimal Risk to Network

(Figure: Access Network; Policy Manager)

Page 37

AUTOMATE ACCESS

Policy Enforcement

(Figure: New Visitor; Sponsor; Access Network; Policy Manager)

1. Collect visitor information

2. Sponsor prompted to confirm that guest is valid

3. Account enabled, visitor notified via screen, SMS, or email

Page 38

ACCESS POLICY

Policy Enforcement

(Figure: Policy; VPN)

• BYOD Policy – Allow personal devices into a limited access zone (LAZ)

• Executive Class Policy – Deliver executive traffic with higher priority

• Multimedia Policy – Optimize delivery of Lync traffic over the air

• Unauthorized Use Policy – Disable Rogue AP, Blacklist User

• Device Revocation Policy – Disable device access, not user access, if stolen/lost

• Device Quarantine Policy – Quarantine unhealthy devices for remediation

Page 39

New Certification!

Page 40

Aruba Certifications

• Become one of the few experts on secure mobility.

• Make a good move for your career, get certified.

Product Training

• Mobility and Mesh certifications

End-to-End, Solutions Based

• Aruba Certified Solutions Professional (ACSP) Certification

• Open to all IT engineers

• Practical training on RF, secure network access and mobile devices

(Figure: ACMA, ACMP, ACSP, CCxx, MCxx, CWxx, ACMX, ACDX)

Page 41

ACSP Training Classes

Part 1 (April, 2012)

Module 1: 802.11 RF Fundamentals

Module 2: Wi-Fi Authentication & Encryption

Module 3: Mobile Device Wi-Fi Best Practices

Part 2 (August, 2012)

Module 4: RF Design in Challenging Environments

Module 5: Centralized WLAN Design

Module 6: Mobile Device Management & Security

Part 3 (January, 2013)

Module 7: Advanced Topics in Wi-Fi Design

Module 8: WLAN Security for Compliance

Module 9: Multimedia and UC Services over Wi-Fi