Tuesday, October 14, 2014

Solving 802.1x for Small Business Wireless

We all know that network security is an issue that needs to be addressed when deploying wireless. How do you keep corporate devices connected securely to the infrastructure while allowing BYOD policies? We will be looking at the Aruba IAP-225 in this blog post to answer the question, "How do I implement 802.1x on my wireless network?"

If you've wondered about a more secure wireless network, you've probably searched Google for "how to setup radius server" or "wireless with radius setup". The results can be complex, referring to NPS on Windows Server 2008 and up, and FreeRADIUS tied to your AD server. You may have even found a SaaS that can host your RADIUS for a monthly fee. There is a better way for small setups...

The Aruba IAP-225 is a 3x3 MIMO 802.11ac access point. As of today, it's the fastest AP you can buy from Aruba. The IAP means that it's an "Instant Access Point", so you can run one or more in standalone mode, or link it to an Aruba Central account. You can also convert the IAP models to work as campus APs for a controller-based network. But enough about the AP, let's set up an 802.1x secure network.

First, log in to the network. Go to https://instant.arubanetworks.com. The default username is admin and the password is admin. Change the login password before completing the setup of the network. These settings can be found under System -> Admin -> Local Authentication.

Aruba Instant Login

Create a new wireless network using the new network wizard found on the left.

Aruba IAP WLAN Settings Wizard

Choose your VLAN assignment. If your network supports VLANs, we recommend a non-default VLAN for business networks.


Next, select Enterprise security and pick which options you'd like. Some people may find some of these options cumbersome or annoying for the user, but which is more secure: a device that will always be authenticated to a network, or one that needs to be re-authenticated?

Aruba IAP WLAN Security Setup

Now click on the Users button and add some accounts that can be authenticated to the wireless network. Each user will be able to use the same login with multiple devices. It should be noted that you can add guest users for authentication as well. This is a good option for contractors or anyone who needs Internet access only.

Aruba IAP 802.1x Users Setup

Finally, choose the type of access you'd like the Employee network to have.  This is where you can firewall users or groups to deny or allow access to areas of the network like switches, servers, printers and just about any service you can think of.  We will leave the network unrestricted for our employees on the network.

When a user tries to access the network, they will be prompted for the user name and password that you have given them. Once entered, they will be authenticated against the 802.1x internal Aruba database without the need for an external Active Directory/RADIUS setup or FreeRADIUS server. Less hardware and more security built directly into the AP's code.

These settings are only recommended for a small number of users.  External RADIUS servers for authentication and adoption of group policies can be a very powerful tool as your business grows. Make sure your wireless network grows with you.