nulldev1ce
Aug 16, 2002
Shiny Globule
We deployed 32 Aruba 105s and a 3400 controller in a high school last year, and expanded 20 more 105s to the middle school this year. It has been the most set-it-and-forget-it system I've ever dealt with. The reseller we used has an Aruba expert who spent the day with us getting it set up; without his help, I would've slit my own throat. I find the admin interface pretty intimidating. But, boy, once it's going, it Just Works.

When I started five years ago, the school's wireless ran on Airport Extremes (the saucer kind, B/G only) and no security whatsoever. Then we got BlueSocket (before they were acquired by AdTran), but our budget was so tight, we did it pretty half-assed and it was a disaster. We used their free VMware-based controller, and bought about half the APs we actually needed because we didn't have a heatmap done. Then we skimped on their support contract and tried to set it up ourselves with a bit of help from a sympathetic engineer. 802.1X was a nightmare; we had to fall back to WPA2 Personal and enter the password on every school laptop by hand, in the middle of the year. On top of everything else, it turned out that their firmware was botched (the engineer admitted "this is our fault, not yours") and when I started to make more noise about it to sales, they got pissy about our not having bought the support plan. This is all within the first year of ownership. It got ugly and I ended up selling the gear on eBay later.

Back to Aruba: We have a somewhat-unique scenario in that we're almost 100 percent OS X/iOS, using Mac servers with OD and Apple's implementation of FreeRADIUS. (Yeah, it's an exercise in pain.) We also have a very liberal BYOD "policy" -- students can bring anything to school, they are not required to register their devices with us in any way, and we have no content filter on our network. We're near a big-shot university, so lots of the families have money and almost all the students have at least a smartphone, usually a laptop or iPad as well. It's a public school, but it runs a lot like a private school, or tries to. Lot of entitlement complexes.

Anyway, we run with three SSIDs:
- One for guests, which does all the NAT/DHCP on the controller itself and cannot touch our internal stuff (SIS, fileservers, printers) -- it's *just* Internet access.

- Then there's a "trusted" network, bridged to an internal VLAN (our servers do the DHCP/DNS etc.) and with WPA2 Personal passphrase set on every school laptop, requiring administrator privileges to reveal. We don't want the trusted clients to be double-NAT'd since we use ARD (Apple's VNC with a twist) to update clients and to spy on the little darlings occasionally.

- The third network is for BYOD and uses 802.1X so the students log in as themselves and are therefore identifiable. (There is actually a fourth SSID, hidden, which is for devices that just can't cope with the 802.1X stuff -- it uses a WPA PSK and then a web captive portal to authenticate the kids. A few Windows clients have to fall back to that, but Macs and iThings seem to be coping really well with RADIUS.) The BYOD network is NAT'd on the controller like the guest network, but has some firewall exceptions to allow the students to access internal resources in limited ways (e.g. they can use the PaperCut web interface to print, but they can't do LPD/IPP directly to the printers; they can use the Rumpus web interface to get at their files on the Mac server, but they can't hammer away directly at AFP; etc.) It's cut down on the mini-DDoS attacks and other casual hacking behavior. We haven't had a DMCA complaint since we retired the Airports.

We've had to make very few adjustments to the initial configuration -- a couple of firewall exceptions on the BYOD network and that's it. The system's never gone down, and when one AP failed, Aruba shipped a new one immediately. With the recent firmware's "control plane security" feature, we don't even have to tunnel the middle school's local traffic over to the high school-housed controller and back; I'm fuzzy on the details, the reseller's expert set it up and I don't have to know every nuance. Woohoo.

tl;dr: I love Aruba.
