In the past, a chief concern of college IT departments was students arriving in the fall wanting to connect a single desktop or notebook computer to campus networks. Today, students arrive with multiple devices. Faculty, staff and visitors likewise seek access for the personal devices they'd like to use on those same networks.
The bring-your-own-device trend has also ramped up considerably, creating the potential for all manner of security holes.
Aruba Networks' family of managed switches — the S3500 Mobility Access Switches — can help campus network administrators address these security concerns by providing role-based network access control. Each S3500 can handle up to 32 wireless access points, making it an ideal way to create and enforce access policies for both wired and wireless devices on the network.
The switches authenticate any device attached to any port before allowing network access. If a device fails to authenticate correctly, the switch can prevent the device from connecting or can limit its access — for example, limiting access to the Internet only or to a demilitarized zone hosting servers and applications intended only for visitors.
The S3500 allows for a multitiered approach to controlling devices roaming the network. After authentication, devices can be restricted to specific assets depending on the user's needs. This process works even if a device connects to the switch via a wireless access point; the switch still authenticates each device separately.
The Aruba switches handle these processes using the Generic Routing Encapsulation (GRE) protocol. Traffic received on a secured port is forwarded over a GRE tunnel to the mobility controller, which strips the GRE header, then authenticates and routes the traffic according to the policies configured on the controller. Each switch can also act as a Dynamic Host Configuration Protocol (DHCP) server, handing out IP addresses to devices once they are authenticated. Authentication is based on the IEEE 802.1X standard, so the switch interoperates with the 802.1X supplicants built into most recent operating systems and devices.
Why It Works for IT
The Aruba S3500 switches are available in 24- or 48-port models, with Power over Ethernet and an optional uplink module that supplies four 10-Gigabit Ethernet uplink ports. Up to eight switches can be stacked using the uplink ports.
The S3500s also sport dual power supplies and hot-swap fan trays. A small LCD panel on each switch provides status details and lets the IT team set basic configuration items, such as the IP address of the management console port. Each switch also has a dedicated Ethernet management port and serial console port.
The switches can authenticate against a variety of back-end servers: Lightweight Directory Access Protocol (LDAP), Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+). Alternatively, access control lists can be defined locally on each switch.
Security settings are also applied per port, so each port can be given its own authentication and access policy if desired.
In addition to user credentials, the S3500 validates the Media Access Control (MAC) and IP addresses associated with each device seeking access. Because a connected device is assigned to a policy group based not only on the port to which it is attached but also on the MAC address, IP address and user credentials, multiple devices connected to the same port can be assigned to separate virtual LANs or access control groups.
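The authenticate-then-restrict flow described earlier and the per-device policy assignment above, as an added example written for this article (not Aruba's policy engine): a small switch model that keys sessions by port and MAC rather than by port alone, places each device in a role and VLAN according to its 802.1X result and the port's own policy, records the address its DHCP server leased, and refuses frames whose source IP no longer matches that lease. The role names, VLAN numbers, destination classes and the "Role" RADIUS attribute are assumptions made for the demonstration, and all sample values are constructed.

```python
"""Per-device role assignment on a shared switch port.

Example code written for this article, not Aruba's policy engine: the role
names, VLAN IDs, destination classes and the 'Role' RADIUS attribute are
assumptions made for the demonstration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    vlan: int
    allowed: Tuple[str, ...]   # destination classes this role may reach


# Assumed role catalogue.
ROLES = {
    "staff":      Role("staff", 10, ("intranet", "internet", "guest-dmz")),
    "student":    Role("student", 20, ("intranet", "internet")),
    "guest":      Role("guest", 30, ("internet", "guest-dmz")),  # failed or no 802.1X
    "quarantine": Role("quarantine", 99, ()),                    # binding mismatch
}


@dataclass
class Session:
    mac: str
    user: Optional[str]
    role: Role
    ip: Optional[str] = None   # filled in when the switch's DHCP server leases one


@dataclass
class PortPolicy:
    failure_role: str = "guest"          # where devices that fail 802.1X land
    fixed_role: Optional[str] = None     # e.g. a lobby port that is always guest


class AccessSwitch:
    def __init__(self, port_policies: Dict[int, PortPolicy]):
        self.ports = port_policies
        # Keyed by (port, mac): one session per device, not one per port.
        self.sessions: Dict[Tuple[int, str], Session] = {}

    def authenticate(self, port: int, mac: str, radius: Optional[dict]) -> Tuple[str, int]:
        """radius is None when 802.1X failed or the device has no supplicant;
        otherwise it is the attribute dict from the RADIUS Access-Accept."""
        policy = self.ports[port]
        if policy.fixed_role:
            role = ROLES[policy.fixed_role]
        elif radius is None:
            role = ROLES[policy.failure_role]
        else:
            role = ROLES.get(radius.get("Role", ""), ROLES[policy.failure_role])
        user = radius.get("User-Name") if radius else None
        self.sessions[(port, mac.lower())] = Session(mac.lower(), user, role)
        return role.name, role.vlan

    def dhcp_lease(self, port: int, mac: str, ip: str) -> None:
        """Record the address leased to a device; unauthenticated devices get none."""
        sess = self.sessions.get((port, mac.lower()))
        if sess is None:
            raise PermissionError("no authenticated session for %s on port %d" % (mac, port))
        sess.ip = ip

    def forward(self, port: int, src_mac: str, src_ip: str, dest: str) -> Tuple[bool, str]:
        """Policy decision for one frame: (allowed, reason)."""
        sess = self.sessions.get((port, src_mac.lower()))
        if sess is None:
            return False, "unauthenticated device"
        if sess.ip is not None and src_ip != sess.ip:
            # Source IP does not match the MAC's recorded lease: treat as spoofing.
            sess.role = ROLES["quarantine"]
            return False, "ip/mac binding mismatch, moved to quarantine"
        if dest not in sess.role.allowed:
            return False, "role %s may not reach %s" % (sess.role.name, dest)
        return True, "role %s on vlan %d" % (sess.role.name, sess.role.vlan)


def demo() -> dict:
    """Two devices on port 1 (say, behind one access point): a staff member
    who passes 802.1X and a laptop that does not.  Values are constructed."""
    sw = AccessSwitch({1: PortPolicy(), 2: PortPolicy(fixed_role="guest")})
    staff_mac, other_mac = "00:11:22:33:44:55", "66:77:88:99:AA:BB"
    out = {
        "staff": sw.authenticate(1, staff_mac, {"User-Name": "prof", "Role": "staff"}),
        "other": sw.authenticate(1, other_mac, None),
        "lobby": sw.authenticate(2, "cc:cc:cc:cc:cc:cc", {"User-Name": "prof", "Role": "staff"}),
    }
    sw.dhcp_lease(1, staff_mac, "10.10.0.15")
    sw.dhcp_lease(1, other_mac, "10.30.0.7")
    out["staff_intranet"] = sw.forward(1, staff_mac, "10.10.0.15", "intranet")
    out["other_intranet"] = sw.forward(1, other_mac, "10.30.0.7", "intranet")
    out["other_internet"] = sw.forward(1, other_mac, "10.30.0.7", "internet")
    out["spoof"] = sw.forward(1, other_mac, "10.10.0.15", "intranet")   # borrows staff IP
    out["after_spoof"] = sw.forward(1, other_mac, "10.30.0.7", "internet")
    out["unknown"] = sw.forward(1, "dd:dd:dd:dd:dd:dd", "10.10.0.99", "internet")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two devices on port 1 end up in different VLANs even though they share the port, the lobby port overrides a valid staff credential with its fixed guest role, and the laptop that borrows the staff member's IP address is demoted to quarantine for the rest of its session rather than merely having that one frame dropped.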
Although the price is higher than for an unmanaged switch, the S3500 delivers security and flexibility that are hard to match by other means. Agent-based mobile device management tools require software to be installed on every endpoint; with this family of Aruba switches, enforcement happens in the network itself, so nothing is installed on the device and the process is transparent to end users.