HPE7-A02 Secure WLAN

Secure WLAN Detailed Explanation

1. Authentication & Encryption

Enterprise Networks

In enterprise environments (e.g., schools, hospitals, corporations), wireless security must be strong enough to protect sensitive data like patient records or financial transactions. Aruba recommends:

WPA3 Enterprise with 192-bit Suite B ciphers

• What is WPA3 Enterprise?
  It's the latest Wi-Fi security standard that improves upon WPA2. It requires stronger encryption algorithms and better protection against attacks like brute-force or dictionary attacks.

• 192-bit Suite B ciphers
  These are a collection of encryption standards approved by the U.S. government for high-security systems. Aruba uses algorithms like:

  • AES-GCM-256

  • ECDHE for key exchange

  • SHA-384 for integrity

  These ciphers provide a much stronger level of protection compared to WPA2.

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)

• Used with 802.1X authentication to validate devices before they connect to the network.

• Each device or user presents a digital certificate instead of a password.

• Aruba ClearPass Policy Manager acts as the RADIUS server and validates certificates.

Why certificates matter

• They are more secure than passwords.

• They can be centrally issued and revoked.

• CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) are used to check if a certificate has been revoked before trusting it.

Guest & IoT Onboarding

Aruba offers several ways to securely connect guests and IoT (Internet of Things) devices without weakening overall network security.

ClearPass Guest Captive Portal

• A web-based login page is shown when a guest connects to the Wi-Fi.

• Guests can self-register, use a sponsor approval process, or get a one-time password (OTP).

• Credentials are often short-lived, expiring after a few hours or days to minimize risk.

Multi-PSK (MPSK)

• Aruba supports multiple pre-shared keys (PSKs) for a single SSID.

• Each device or group of devices (e.g., smart TVs, printers) can have its own PSK.

• If one PSK is compromised, only the device or group using it is affected — not the whole network.

Enhanced Open (OWE)

• Used for unencrypted SSIDs, but it provides encryption without authentication.

• Better than traditional open Wi-Fi, because OWE still encrypts the data even if there's no login.

2. RF & Wireless Threat Defense

AirMatch and ClientMatch

AirMatch

• A background service in Aruba WLAN controllers.

• Automatically optimizes RF settings such as:

  • Channel selection

  • Transmit power

  • Channel width

• Prevents co-channel interference, especially in dense Wi-Fi environments.

ClientMatch

• Actively monitors connected devices.

• If a device is stuck to a weak AP, it gets moved (steered) to a stronger one.

• Helps fix "sticky client" problems.

Wireless IDS/IPS

Aruba APs and controllers can detect and defend against wireless threats:

• Evil Twin: A rogue AP mimics a real SSID to trick users into connecting.

• Karma attacks: Attackers respond to probe requests from devices looking for known SSIDs.

• KRACK: A Wi-Fi attack that exploits flaws in WPA2 handshake.

• De-authentication flood: Flooding clients with disconnect messages.

• Beacon flood: Overwhelms devices by simulating many fake APs.

Response actions:

• Automatically contain rogue APs (by jamming their channels).

• Send alerts to Aruba Central or ClearPass for action.

Spectrum Analysis

Not all wireless problems are caused by Wi-Fi. Other devices can interfere.

• Microwave ovens: Can disrupt the 2.4GHz band.

• Bluetooth devices: Share the 2.4GHz band.

• Zigbee (used in smart home devices): Also runs on 2.4GHz.

Aruba APs can run real-time spectrum analysis to detect and identify these non-Wi-Fi interferers, helping with RF troubleshooting.

3. Policy Enforcement Path

Once a client connects, Aruba enforces granular security policies across multiple layers.

Step 1: 802.1X / EAP-TLS Authentication

• Client connects to the Wi-Fi.

• Sends its certificate to ClearPass using 802.1X.

• ClearPass validates the certificate (checks signature, expiration, revocation).

Step 2: ClearPass Returns a Downloadable Role (dRole)

• Instead of a static VLAN, ClearPass sends a custom security policy.

• The role may include:

  • VLAN

  • Access Control Lists (ACLs)

  • QoS settings

  • Bandwidth limits

Step 3: Aruba Gateway Applies L3–L7 Policies

• Layer 3 (IP): Controls which subnets or servers the device can reach.

• Layer 4 (TCP/UDP ports): Allows/block specific services like HTTP, FTP, SSH.

• Layer 7 (Application): Uses AppRF and DPI (Deep Packet Inspection) to detect and control apps like Skype, Dropbox, YouTube, etc.

This multi-layer enforcement ensures:

• Guests can only access the internet.

• IoT devices can only talk to their control server.

• Employees have full access to corporate apps — but not more than needed.

Secure WLAN (Additional Content)

1. Comparison of Aruba-Supported EAP Types

Why it matters

Different Extensible Authentication Protocol (EAP) types are used based on security requirements, deployment scale, and device support. Aruba supports multiple EAP types in conjunction with ClearPass Policy Manager.

Common EAP Types in Aruba WLANs

EAP Type	Description	Use Cases	Strengths	Weaknesses
EAP-TLS	Mutual certificate-based authentication	Corporate laptops, MDM devices	Strongest (no passwords), mutual trust	Complex certificate deployment
EAP-PEAP	Username/password inside a secure TLS tunnel	BYOD, guest onboarding	Easier to deploy, user-friendly	Susceptible to weak passwords
EAP-TTLS	Similar to PEAP, supports legacy PAP/MSCHAPv2	Legacy systems, printers	Flexibility in inner authentication	Less secure than EAP-TLS

Recommendation:

• Use EAP-TLS for corporate-managed endpoints

• Use EAP-PEAP or MPSK + MAC filtering for guest/IoT scenarios

Aruba ClearPass can authenticate all EAP types and return downloadable roles for dynamic access control.

2. 802.11w – Management Frame Protection (MFP)

What is 802.11w?

802.11w, also called Protected Management Frames (PMF), secures Wi-Fi management frames like:

• Disassociation

• Deauthentication

• Action frames

These are typically unauthenticated in legacy Wi-Fi and are vulnerable to:

• Deauth floods

• KRACK attacks

• Evil twin disconnections

Aruba Implementation

• Aruba supports 802.11w (PMF) on both WPA2 and WPA3 networks.

• Can be set to:

  • Required: Clients must support PMF

  • Optional: Use PMF if supported

  • Disabled: Legacy compatibility (not recommended)

Exam Relevance

• If a question refers to preventing deauth spoofing or protecting management traffic, 802.11w is the correct mechanism.

3. MPSK and Role Integration for IoT Control

What is MPSK?

Multi Pre-Shared Key (MPSK) allows Aruba APs to support multiple pre-shared keys under one SSID. Each PSK can be uniquely tied to:

• A single device

• A group of devices (e.g., all security cameras)

Benefits

• Per-device keying without requiring 802.1X

• Reduces risk: if one PSK is compromised, only one device/group is affected

• Simplifies onboarding for IoT devices with limited UI

Aruba Role-Based Enforcement

• Aruba ClearPass can map each MPSK to a specific role

• Role includes:

  • VLAN assignment

  • ACLs (e.g., IoT-to-server-only access)

  • QoS shaping

  • Logging and monitoring

Example Use Case

• Three different IoT devices (thermostat, printer, surveillance camera) connect to the same SSID:

  • Each gets a unique PSK

  • ClearPass maps each to a distinct role with specific VLAN and ACL

  • Traffic is tunneled or firewalled based on device function and trust level

Summary

Topic	Description
EAP Type Comparison	Helps choose between EAP-TLS, PEAP, TTLS for various device types
802.11w (Management Frame Protection)	Protects Wi-Fi control frames from spoofing or denial-of-service attacks
MPSK + Role Assignment	Enables granular IoT segmentation under a shared SSID using ClearPass roles