Previous enterprise Aruba operating environments AOS 6.5 and AOS 8 were controller-based. Controller-based access points are the product of a time when APs were radio heads, capturing and producing wireless packets and ferrying them to a central controller. Little data processing was done at the access point—particularly in tunnel mode. Radio management, authentication and encryption were all performed centrally, at the controller.
Because of the increasing complexity of wireless networking protocols, the increasing speeds of wireless connections, and the increasing capability of access points, it is becoming advantageous to let the AP perform all of the processing and bridge traffic to the network at wire speed.
This leaves controllers with the reduced role of configuration and reporting. Configuration and reporting are less demanding than wireless network termination and require much less bandwidth. Accordingly, the management portal can be placed anywhere, including out on the Internet.
Under Aruba AOS10, each access point is a controller. It gets its configuration from Aruba AOS10 Central. It acts in tandem with its neighboring access points to create a seamless wireless experience.
The picture above shows the components of an Aruba AOS10 network.
Access points (and switches) communicate with Aruba Central for configuration and logging. Each AP bridges traffic directly onto the network, natively, via VLANs, or both. Each AP communicates with its neighbors as far as several hops away. This enables roaming and the forwarding of firewall state between APs.
ClearPass, when in use, provides advanced authentication and security services, role-based access, network awareness and UEBA. ClearPass Policy Manager communicates with the access points directly, implementing RADIUS-based user access and Aruba firewall policies.
Controllers are not required, but they can be included in AOS10 for users who wish to have tunneled SSIDs or tunneled-node 802.1X-based switch port access. The benefits of tunneled traffic are that data traverse the network fully encrypted, and that tunnels make it possible to extend access to remote layer-2 networks. Central on Prem(ises) duplicates the cloud-based AOS10 Central management capability onsite. It is offered particularly for those enterprises that, by choice or regulation, prefer to manage the network from within their own network.
- Kevin Dowd