Enabling the Virtual Enterprise

Dave Blank, Network Engineer, Facebook
Michael Wong, Product Manager

Upload: aruba-networks-an-hp-company

Post on 19-Jul-2015

Category: Technology

TRANSCRIPT

Page 1: Enabling the Virtual Enterprise

Enabling the Virtual Enterprise

Dave Blank

Network Engineer

Facebook

Michael Wong

Product Manager

Page 2: Enabling the Virtual Enterprise

CONFIDENTIAL

© Copyright 2014. Aruba Networks, Inc.

All rights reserved. #AirheadsConf

Wireless @ Facebook

• 6,337 employees*

• Approximately 10,000 wireless clients every day

• 35 offices globally (11 US offices, 24 international)

• EVERYONE is mobile (open floorplan… employees work from anywhere)

• 1.23 billion monthly active users*

*as of Dec 2013

Page 3: Enabling the Virtual Enterprise


Agenda

Facebook Lighthouse @ Home

RAP Zero Touch Provisioning

Configuring Zero Touch Provisioning

With Activate and CPPM

Demo

Page 4: Enabling the Virtual Enterprise


Remote AP Provisioning

• AP Provisioning

.. Need I say more?

Page 5: Enabling the Virtual Enterprise


Controller: Provisioning Whitelist

• Controller Provisioning Steps

– Add AP to Whitelist on each controller

– Defines a list of APs allowed to connect to controller

– RAP Whitelist Definition

• AP mac address

• AP Group

• AP Name

– CLI: whitelist-db rap add mac-address [mac-addr] ap-group [ap-grp] ap-name [ap-name]

Page 6: Enabling the Virtual Enterprise


Facebook Requirements

• Zero Touch Deployment

– Easy for a non-techie to deploy

• Performance

• Form Factor

• Standardize Global Deployment

• Deploy in Challenging RF Environments

• Support Latest Technology including IPv6

• Extend Corporate Service

– Wired IP Phone

– Wired Video Conference Endpoint

Page 7: Enabling the Virtual Enterprise


Facebook: HelpDesk Provisioning Tool

• Custom Portal to Adapt to Business Workflow

Page 8: Enabling the Virtual Enterprise


Facebook LightHouse@Home

Page 9: Enabling the Virtual Enterprise


[Diagram: Lighthouse@Home topology]

Remote Access Points: Plug-Play Client, Enterprise Secure Wi-Fi, Enterprise Secure Wired, Local Connectivity (LAN); Client VPN over WAN / LAN / Internet to Datacenters

Access Forwarding Priority: Per User/Device/Session, Dynamic Policies via Controller

PEF: Distributed Policy Enforcement Firewall Engine

Page 10: Enabling the Virtual Enterprise


RAP Bootstrapping Process

• RAP obtains wired IP address using DHCP

• RAP contacts master controller using FQDN or static IP

• RAP attempts to form IPsec connection

– Certificate (name = mac address)

• IPsec SA is established between RAP and controller

Page 11: Enabling the Virtual Enterprise


Goal: Zero Touch Provisioning

• Activate (http://activate.arubanetworks.com)

– Device info is recorded on shipment: device type, serial number, mac address

– AP-Name, AP-Group and Controller-IP are defined

– JSON API available

• ClearPass Policy Manager (Cluster)

– Synchronizes inventory list from Activate over the JSON API

– Maintains central whitelist for all controllers

– Authorizes RAP

• Controller

– Authenticates RAPs

– Controller sends auth’n requests and CPPM provides auth’z info

[Diagram: Instant AP, Controller, ClearPass Policy Manager Cluster, Activate, Mr. IT; Instant AP will check Activate at boot for provisioning info]

Page 12: Enabling the Virtual Enterprise


Use Activate to Provision AP Info

Page 13: Enabling the Virtual Enterprise


Aruba Activate Service

What: Activate is a free Cloud Service that enables customers to deploy Aruba infrastructure more efficiently

• http://activate.arubanetworks.com

How: Enhances a device’s ability

to find its configuration master

Model: Device centric DB correlating

various attributes

Activate’s Inputs

Page 14: Enabling the Virtual Enterprise


Activate: Define Rules

•Activate (https://activate.arubanetworks.com)

1. Identify Configuration

IAP-to-RAP

2. Define Rules

Controller IP

AP-Group

Page 15: Enabling the Virtual Enterprise


Activate: AP Attributes

1. Select Device

Devices are initially assigned

the default folder

2. Assign Devices to Folder

Define AP-Name

Page 16: Enabling the Virtual Enterprise


Define ClearPass Policy for Central Whitelist

Page 17: Enabling the Virtual Enterprise


ClearPass Policy Manager

• Authentication, Authorization, Accounting

(AAA) with Policy Management

• Guest Management

• Device Onboarding

Page 18: Enabling the Virtual Enterprise


CPPM: Activate Configuration

• Provide Activate credentials in CPPM

Page 19: Enabling the Virtual Enterprise


CPPM: Add Controller

Page 20: Enabling the Virtual Enterprise


CPPM: Endpoint List

• Validate that CPPM is receiving info

Page 21: Enabling the Virtual Enterprise


CPPM: Endpoint Info

• EndPoint Info (orange in the screenshot)

• Attribute for Authorization (yellow in the screenshot)

• Attributes sent to Controller

Page 22: Enabling the Virtual Enterprise


CPPM: Service

• Allows ClearPass Policy Manager to test Requests

• Provide differentiation by access method, location or other network vendor-specific attributes

Page 23: Enabling the Virtual Enterprise


CPPM: Authentication

• Controller will perform mac authentication to CPPM

– Note: RAP will still use its certificate (name = mac address) to establish the IPsec tunnel; the MAC lookup against CPPM is the authorization step (is this device on the central whitelist, and which AP-Group / AP-Name does it get), not what authenticates the RAP

Page 24: Enabling the Virtual Enterprise


CPPM: Enforcement

• Define Authorization Conditions

Page 25: Enabling the Virtual Enterprise


CPPM: Enforcement Profile

• Define Radius Attributes (Aruba VSA)

Page 26: Enabling the Virtual Enterprise


Controller Configuration

Page 27: Enabling the Virtual Enterprise


Controller Configuration

• Define Authentication Server

• Define Server Group

• Assign Server Group for RAP / IAP authentication

aaa authentication-server radius CPPM_01
  host [CPPM_IP_ADDRESS]
  key PASSPHRASE
!
aaa server-group CPPM_WHITELIST
  auth-server CPPM_01
!
aaa authentication vpn default-iap
  server-group CPPM_WHITELIST
!
aaa authentication vpn default-rap
  server-group CPPM_WHITELIST
!

• Controller performs the whitelist lookup on CPPM instead of the local-db
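The central whitelist the deck assembles across Pages 11 to 27, together with the per-controller whitelist-db commands from Page 5 that it replaces, as one added Python example. This is not code from the presentation, from Aruba, or from Facebook: the inventory is constructed to look like what ClearPass holds after an Activate sync, its field names are assumptions rather than the real Activate JSON API schema, the MAC-in-User-Name/User-Password request format is assumed, and the Aruba-AP-Group / Aruba-Location-Id VSA names returned by the enforcement profile are assumptions as well.

```python
"""Central RAP whitelist: Activate-style inventory -> CPPM MAC-auth decision, plus the
same inventory rendered as the per-controller local-db commands it replaces.

Added example for this page, not code from the deck, Aruba, or Facebook. Inventory is
constructed; field names and the returned VSA names are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of what CPPM holds after an Activate sync (assumed field names).
ACTIVATE_INVENTORY = [
    {"mac": "00:1A:1E:AA:BB:01", "serial": "AX0000001", "folder": "RAP-US",
     "ap_name": "rap-jdoe", "ap_group": "RAP-Home-US", "controller": "10.0.0.10", "status": "active"},
    {"mac": "00-1a-1e-aa-bb-02", "serial": "AX0000002", "folder": "RAP-INTL",
     "ap_name": "rap-asmith", "ap_group": "RAP-Home-INTL", "controller": "10.0.0.11", "status": "active"},
    # Shipped, but nobody has moved it out of the default folder yet (deck, Page 15).
    {"mac": "001a.1eaa.bb03", "serial": "AX0000003", "folder": "default",
     "ap_name": "", "ap_group": "", "controller": "", "status": "active"},
    # Returned hardware: must be refused even though its device certificate is still valid.
    {"mac": "001a1eaabb04", "serial": "AX0000004", "folder": "RAP-US",
     "ap_name": "rap-retired", "ap_group": "RAP-Home-US", "controller": "10.0.0.10", "status": "retired"},
]

_MAC12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return 'aabbccddeeff' for any common delimiter style; ValueError if it is not a MAC."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not _MAC12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def colon_mac(mac12: str) -> str:
    """'aabbccddeeff' -> 'aa:bb:cc:dd:ee:ff', the form the whitelist-db CLI takes."""
    return ":".join(mac12[i:i + 2] for i in range(0, 12, 2))


def build_whitelist(inventory):
    """Index devices by canonical MAC. A duplicate MAC means a broken sync, so refuse to build."""
    whitelist = {}
    for dev in inventory:
        mac = normalize_mac(dev["mac"])
        if mac in whitelist:
            raise ValueError(f"duplicate MAC in inventory: {mac}")
        whitelist[mac] = dev
    return whitelist


@dataclass
class Decision:
    accept: bool
    reason: str
    attributes: dict = field(default_factory=dict)


def authorize_rap(whitelist, username: str, password: str) -> Decision:
    """Evaluate one MAC-auth Access-Request the way the deck's CPPM enforcement policy does.

    Assumption: the controller puts the RAP MAC in both User-Name and User-Password.
    The RAP's certificate already authenticated the IPsec tunnel; this lookup only decides
    whether that device is authorized and which AP group / name it gets. Anything that is
    not active and fully provisioned in Activate is rejected.
    """
    try:
        mac = normalize_mac(username)
        if normalize_mac(password) != mac:
            return Decision(False, "User-Password does not match User-Name")
    except ValueError as err:
        return Decision(False, str(err))
    dev = whitelist.get(mac)
    if dev is None:
        return Decision(False, f"{colon_mac(mac)} not in central whitelist")
    if dev["status"] != "active":
        return Decision(False, f"{colon_mac(mac)} is {dev['status']}")
    if dev["folder"] == "default" or not dev["ap_group"] or not dev["ap_name"]:
        return Decision(False, f"{colon_mac(mac)} not yet assigned in Activate")
    # VSA names are an assumption about the enforcement profile, not taken from the deck.
    return Decision(True, "ok", {"Aruba-AP-Group": dev["ap_group"],
                                 "Aruba-Location-Id": dev["ap_name"]})


def local_db_commands(whitelist):
    """Render the inventory as per-controller whitelist-db commands (deck, Page 5).

    Returns {controller_ip: [cli lines]}: the manual step that has to be repeated on every
    controller whenever anything changes, and which the central CPPM lookup removes.
    """
    per_controller = {}
    for mac, dev in sorted(whitelist.items()):
        if dev["status"] != "active" or not dev["controller"]:
            continue  # nothing to push for retired or unassigned devices
        line = (f"whitelist-db rap add mac-address {colon_mac(mac)} "
                f"ap-group {dev['ap_group']} ap-name {dev['ap_name']}")
        per_controller.setdefault(dev["controller"], []).append(line)
    return per_controller


if __name__ == "__main__":
    wl = build_whitelist(ACTIVATE_INVENTORY)
    for user in ("001a1eaabb01", "00-1A-1E-AA-BB-02", "001a.1eaa.bb03",
                 "001a1eaabb04", "001a1eaabbff", "not-a-mac"):
        d = authorize_rap(wl, user, user)
        print("ACCEPT" if d.accept else "REJECT", user, d.reason, d.attributes)
    for ctrl, lines in local_db_commands(wl).items():
        print(f"# {ctrl}\n" + "\n".join(lines))
```

Running it, the retired unit and the unit still sitting in Activate's default folder are both refused even though each has a valid factory certificate and would bring up the IPsec tunnel; that separation is the point of the Page 23 note that MAC authentication to CPPM is distinct from the certificate. The local_db_commands output is what would otherwise be typed into every controller by hand.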

Page 28: Enabling the Virtual Enterprise


Goal: Zero Touch Provisioning (recap; same slide as Page 11)

Page 29: Enabling the Virtual Enterprise


Thank You

