1. Enabling the Virtual Enterprise
Dave Blank
Network Engineer
Facebook
Michael Wong
Product Manager
2. CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
2 #AirheadsConf
Wireless @ Facebook
• 6,337 employees*
• Approximately 10,000 wireless clients every day
• 35 offices globally (11 US offices, 24 international)
• EVERYONE is mobile (open floorplan… employees work from anywhere)
• 1.23 billion monthly active users*
*as of Dec 2013
3. Agenda
Facebook Lighthouse @ Home
RAP Zero Touch Provisioning
Configuring Zero Touch Provisioning
With Activate and CPPM
Demo
5. Controller: Provisioning Whitelist
• Controller Provisioning Steps
  – Add the AP to the whitelist on each controller
  – Defines the list of APs allowed to connect to the controller
  – RAP whitelist definition
    • AP MAC address
    • AP Group
    • AP Name
  – CLI: whitelist-db rap add mac-address [mac-addr] ap-group [ap-grp] ap-name [ap-name]
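The whitelist step above has to be repeated on every controller a RAP may terminate on. As an added example (not code from the slides or from Aruba), the script below generates those whitelist-db lines per controller from an inventory list, normalizing the MAC notation and rejecting malformed or duplicate entries before anything is pasted into a controller. The inventory rows, the "controllers" field and the controller names are constructed for the example.

```python
"""Generate per-controller RAP whitelist commands from an inventory list.

Added example, not from the slides or from Aruba. It models the step
"add the AP to the whitelist on each controller": every RAP's MAC
address, AP group and AP name become one whitelist-db line on each
controller the RAP may terminate on. The inventory rows, the
"controllers" field and the controller names are constructed.
"""
import re

# Constructed sample inventory (hypothetical shape, not Activate's export).
INVENTORY = [
    {"mac": "00:0B:86:AA:BB:01", "ap_group": "fb-rap-home",
     "ap_name": "rap-dblank", "controllers": ["ctrl-pao-1", "ctrl-pao-2"]},
    {"mac": "000b.86aa.bb02", "ap_group": "fb-rap-home",
     "ap_name": "rap-mwong", "controllers": ["ctrl-pao-1"]},
    {"mac": "00-0B-86-AA-BB-03", "ap_group": "fb-rap-home",
     "ap_name": "rap-remote-3", "controllers": ["ctrl-lon-1"]},
    {"mac": "00:0B:86:AA:BB:ZZ", "ap_group": "fb-rap-home",
     "ap_name": "rap-bad", "controllers": ["ctrl-lon-1"]},       # bad MAC
    {"mac": "00:0b:86:aa:bb:01", "ap_group": "fb-rap-home",
     "ap_name": "rap-dup", "controllers": ["ctrl-lon-1"]},       # duplicate MAC
]


def normalize_mac(mac):
    """Accept colon, dash or dotted notation; return aa:bb:cc:dd:ee:ff, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_whitelist_commands(inventory):
    """Return ({controller: [cli lines]}, [(mac, reason) for rejected rows])."""
    per_controller = {}
    rejected = []
    seen = {}  # normalized MAC -> ap_name, to catch one MAC listed twice
    for row in inventory:
        mac = normalize_mac(row["mac"])
        if mac is None:
            rejected.append((row["mac"], "invalid MAC address"))
            continue
        if mac in seen:
            rejected.append((row["mac"], "duplicate of " + seen[mac]))
            continue
        # Conservative check: whitespace in a name would split into extra CLI tokens.
        if re.search(r"\s", row["ap_name"] + row["ap_group"]):
            rejected.append((row["mac"], "whitespace in ap-name or ap-group"))
            continue
        seen[mac] = row["ap_name"]
        line = ("whitelist-db rap add mac-address {} ap-group {} ap-name {}"
                .format(mac, row["ap_group"], row["ap_name"]))
        for ctrl in row["controllers"]:
            per_controller.setdefault(ctrl, []).append(line)
    return per_controller, rejected


if __name__ == "__main__":
    commands, rejected = build_whitelist_commands(INVENTORY)
    for ctrl, lines in sorted(commands.items()):
        print("! {}".format(ctrl))
        for line in lines:
            print(line)
    for mac, reason in rejected:
        print("REJECTED {}: {}".format(mac, reason))
```

Run it as a script to get one command group per controller plus a list of rows that were held back; the rejected list is the part worth reviewing, since a typo in a MAC silently produces a whitelist entry that never matches a real device.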
6. Facebook Requirements
• Zero Touch Deployment
– Easy for a non-techie to deploy
• Performance
• Form Factor
• Standardize Global Deployment
• Deploy in Challenging RF Environments
• Support Latest Technology including IPv6
• Extend Corporate Service
– Wired IP Phone
– Wired Video Conference Endpoint
7. Facebook: HelpDesk Provisioning Tool
• Custom Portal to Adapt to Business Workflow
9. Remote Access Point architecture (diagram)
[Diagram labels: a client VPN across the WAN to the datacenters; on the LAN side, plug-and-play client connectivity with enterprise secure Wi-Fi and enterprise secure wired ports (local connectivity); in the middle, PEF, the distributed Policy Enforcement Firewall engine, applying access, forwarding and priority per user/device/session under dynamic policies from the controller; LAN/WAN/Internet uplink.]
10. RAP Bootstrapping Process
• RAP obtains a wired IP address using DHCP
• RAP contacts the master controller using an FQDN or a static IP
• RAP attempts to form an IPsec connection
  – Certificate (name = MAC address)
• IPsec SA is established between the RAP and the controller
11. Goal: Zero Touch Provisioning
• Activate
  – Device info is recorded on shipment
  – Device type, serial number, MAC address
  – AP-Name, AP-Group and Controller-IP are defined
  – JSON API available
• ClearPass Policy Manager
  – Synchronizes the inventory list
  – Maintains a central whitelist for all controllers
  – Authorizes the RAP
• Controller
  – Authenticates RAPs
[Diagram: ClearPass Policy Manager cluster, Activate (http://activate.arubanetworks.com), controller and Instant AP. The controller sends authentication requests and CPPM provides the authorization info; the Instant AP checks Activate at boot for its provisioning info; "Mr. IT" uses the JSON API.]
13. Aruba Activate Service
What: Activate is a free cloud service that enables customers to deploy Aruba infrastructure more efficiently
• http://activate.arubanetworks.com
How: Enhances a device's ability to find its configuration master
Model: Device-centric DB correlating various attributes
Activate's Inputs (diagram)
14. Activate: Define Rules
• Activate (https://activate.arubanetworks.com)
1. Identify Configuration: IAP-to-RAP
2. Define Rules: Controller IP, AP-Group
15. Activate: AP Attributes
1. Select Device (devices are initially assigned to the default folder)
2. Assign Devices to Folder, and define the AP-Name
17. ClearPass Policy Manager
• Authentication, Authorization, Accounting (AAA) with Policy Management
• Guest Management
• Device Onboarding
21. CPPM: Endpoint Info
• Endpoint Info (screenshot highlights)
  – Orange: attribute for authorization
  – Yellow: attributes sent to the controller
22. CPPM: Service
• Allows ClearPass Policy Manager to test requests
• Provides differentiation by access method, location or other network vendor-specific attributes
23. CPPM: Authentication
• The controller performs MAC authentication against CPPM
  – Note: the RAP will still use its certificate to establish the IPsec tunnel
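Slides 11 and 23 together describe the central part of the design: one whitelist held in ClearPass for every controller, kept in step with the inventory, and consulted when a controller MAC-authenticates a RAP (the certificate still secures the IPsec tunnel). As an added example, not code from the slides, Aruba or ClearPass, the model below synchronizes a whitelist from inventory snapshots and answers MAC-auth lookups with the AP-Name and AP-Group the controller needs. The inventory records, the response shape and the "only the assigned controller may admit the device" policy are constructed for the example; the JSON API format of Activate and the RADIUS attributes of CPPM are not shown on the slides and are not reproduced here.

```python
"""Central RAP whitelist: sync it from an inventory, then answer MAC-auth lookups.

Added example, not code from the slides, Aruba or ClearPass. It models
what the slides describe: one whitelist kept centrally for all
controllers, synchronized from the inventory, and consulted when a
controller MAC-authenticates a RAP (the RAP still uses its certificate
for the IPsec tunnel). The inventory records, the response shape and the
"assigned controller must match" policy are constructed for the example.
"""
import re


def normalize_mac(mac):
    """Accept colon, dash or dotted notation; return aa:bb:cc:dd:ee:ff, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed inventory snapshots (hypothetical shape, not Activate's JSON API).
# Controller addresses use the documentation range 203.0.113.0/24.
INVENTORY_V1 = [
    {"serial": "SN-0001", "type": "rap", "mac": "00:0B:86:AA:BB:01",
     "ap_name": "rap-dblank", "ap_group": "fb-rap-home", "controller_ip": "203.0.113.10"},
    {"serial": "SN-0002", "type": "rap", "mac": "00:0B:86:AA:BB:02",
     "ap_name": "rap-mwong", "ap_group": "fb-rap-home", "controller_ip": "203.0.113.11"},
    {"serial": "SN-0003", "type": "rap", "mac": "not-a-mac",
     "ap_name": "rap-broken", "ap_group": "fb-rap-home", "controller_ip": "203.0.113.10"},
]
# Later snapshot: SN-0001 renamed, SN-0002 retired.
INVENTORY_V2 = [
    {"serial": "SN-0001", "type": "rap", "mac": "00:0B:86:AA:BB:01",
     "ap_name": "rap-dblank-home", "ap_group": "fb-rap-home", "controller_ip": "203.0.113.10"},
]


class CentralWhitelist:
    def __init__(self):
        self.entries = {}  # normalized MAC -> provisioning attributes

    def sync(self, inventory):
        """Make the whitelist match the inventory. Returns (added, updated, removed) MAC sets."""
        wanted = {}
        for rec in inventory:
            mac = normalize_mac(rec["mac"])
            if mac is None:
                continue  # skip malformed rows instead of poisoning the whitelist
            wanted[mac] = {"ap_name": rec["ap_name"], "ap_group": rec["ap_group"],
                           "controller_ip": rec["controller_ip"]}
        added = set(wanted) - set(self.entries)
        removed = set(self.entries) - set(wanted)
        updated = {m for m in set(wanted) & set(self.entries) if wanted[m] != self.entries[m]}
        self.entries = wanted  # retired devices lose authorization on the next lookup
        return added, updated, removed

    def authorize(self, mac, controller_ip):
        """Answer a controller's MAC-auth request: (accepted, attributes or reason)."""
        key = normalize_mac(mac)
        if key is None or key not in self.entries:
            return False, {"reason": "not in whitelist"}
        entry = self.entries[key]
        # Hypothetical policy: only the controller assigned to the device may admit it.
        if entry["controller_ip"] != controller_ip:
            return False, {"reason": "device assigned to controller {}".format(entry["controller_ip"])}
        # Attributes the controller needs to place the RAP: its name and group.
        return True, {"ap_name": entry["ap_name"], "ap_group": entry["ap_group"]}


if __name__ == "__main__":
    wl = CentralWhitelist()
    print("sync v1:", wl.sync(INVENTORY_V1))
    print(wl.authorize("000b.86aa.bb01", "203.0.113.10"))
    print("sync v2:", wl.sync(INVENTORY_V2))
    print(wl.authorize("00:0b:86:aa:bb:02", "203.0.113.11"))
```

The sync returns what changed so an operator can review removals before they take effect; a device that drops out of the inventory is refused on its next MAC authentication without anyone touching a controller, which is the operational gain over the per-controller local-db.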
27. Controller Configuration
• Define the authentication server
• Define the server group
• Assign the server group for RAP / IAP authentication
aaa authentication-server radius CPPM_01
   host [CPPM_IP_ADDRESS]
   key PASSPHRASE
!
aaa server-group CPPM_WHITELIST
   auth-server CPPM_01
!
aaa authentication vpn default-iap
   server-group CPPM_WHITELIST
!
aaa authentication vpn default-rap
   server-group CPPM_WHITELIST
!
• The controller now performs the whitelist lookup on CPPM instead of the local-db
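The fragment above only moves the whitelist lookup to CPPM if the whole chain is intact: both VPN authentication profiles bound to the group, the group naming a defined server, the server carrying a host and key. As an added example (not from the slides or Aruba), the checker below parses such a fragment and reports dangling references. The sample config is the slide's fragment with the default-iap binding removed so that the check has something to report, and with a documentation-range address in place of [CPPM_IP_ADDRESS]; the block-structure assumptions (top-level "aaa" lines, indented sub-commands, "!" separators) follow the fragment as shown, not the full AOS grammar.

```python
"""Check a controller's RAP/IAP authentication chain for dangling references.

Added example, not from the slides or Aruba: a small parser for the
configuration fragment on this slide. It confirms that the default-rap
and default-iap VPN authentication profiles are bound to a server-group,
that the group exists and names at least one auth-server, and that each
such server is defined with a host and a key. Block structure assumed:
top-level "aaa ..." lines, indented sub-commands, "!" as separator.
"""

# Constructed config fragment: the slide's configuration with the
# default-iap binding deliberately removed so the check reports it.
SAMPLE_CONFIG = """\
aaa authentication-server radius CPPM_01
   host 203.0.113.50
   key PASSPHRASE
!
aaa server-group CPPM_WHITELIST
   auth-server CPPM_01
!
aaa authentication vpn default-iap
!
aaa authentication vpn default-rap
   server-group CPPM_WHITELIST
!
"""


def parse_blocks(config_text):
    """Return a list of (header_tokens, [sub_command_tokens, ...]) blocks."""
    blocks, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":          # block separator
            if current is not None:
                blocks.append(current)
                current = None
            continue
        if raw[:1] not in (" ", "\t") and line.startswith("aaa "):
            if current is not None:          # new top-level command closes the previous block
                blocks.append(current)
            current = (line.split(), [])
        elif current is not None:            # indented sub-command of the open block
            current[1].append(line.split())
    if current is not None:
        blocks.append(current)
    return blocks


def check_auth_chain(config_text):
    """Return a list of human-readable findings; an empty list means the chain is intact."""
    servers, groups, vpn_profiles = {}, {}, {}
    for header, subs in parse_blocks(config_text):
        if header[:3] == ["aaa", "authentication-server", "radius"] and len(header) > 3:
            servers[header[3]] = {s[0]: s[1:] for s in subs if s}
        elif header[:2] == ["aaa", "server-group"] and len(header) > 2:
            groups[header[2]] = [s[1] for s in subs if len(s) > 1 and s[0] == "auth-server"]
        elif header[:3] == ["aaa", "authentication", "vpn"] and len(header) > 3:
            vpn_profiles[header[3]] = [s[1] for s in subs if len(s) > 1 and s[0] == "server-group"]

    findings = []
    for profile in ("default-rap", "default-iap"):
        bound = vpn_profiles.get(profile, [])
        if not bound:
            findings.append("{}: no server-group bound, so this profile cannot use CPPM "
                            "for the whitelist lookup".format(profile))
            continue
        for group in bound:
            if group not in groups:
                findings.append("{}: server-group {} is not defined".format(profile, group))
                continue
            if not groups[group]:
                findings.append("server-group {}: no auth-server members".format(group))
            for server in groups[group]:
                if server not in servers:
                    findings.append("server-group {}: auth-server {} is not defined".format(group, server))
                elif not ("host" in servers[server] and "key" in servers[server]):
                    findings.append("auth-server {}: missing host or key".format(server))
    return findings


if __name__ == "__main__":
    for finding in check_auth_chain(SAMPLE_CONFIG) or ["authentication chain intact"]:
        print(finding)
```

Feed it the output of a running-config export and an empty result means the RAP and IAP paths both reach CPPM; each finding names the profile, group or server to fix.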
Speaker notes

To understand more, let's take a look at the RAP architecture. On one side, the RAP looks like a VPN client-in-a-box. Plug it in to any network: it gets an address, then "dials" up a VPN tunnel to the data center so you don't have to. VPN-in-a-box is not new; "hard clients" have been around for a while. But they usually stop at a simple connectivity model of attaching one or more wired ports to a VPN tunnel. The RAP is much more than that.

On the LAN side that faces the end user, we provide wired and wireless connectivity options. The wireless side delivers the full enterprise-grade security, management, and control that Aruba is known for in its campus WLAN deployments. The wireless side also provides full wireless intrusion prevention services to control rogue APs and misconfigured clients.

In the middle is the most important part, our "secret sauce": a technology we call PEF, or Policy Enforcement Firewall. PEF is a technology we developed originally for our wireless LAN platform. It is a per-user/device/session stateful access forwarding engine. It functions as a policy enforcement switch, controlling who and what can get in, who can do what, and even prioritization. Best of all, it does this based on users and dynamic policies rather than ports and subnets, thus dramatically simplifying and virtualizing service delivery and security policies for users. PEF is the key feature that makes the RAP different from a simple "VPN-in-a-box." 21:44 – 24:16