Aruba Networks News

Subscribe to Aruba Networks News feed
Technology Blog articles
Updated: 15 hours 36 min ago

Building Controller Resiliency

Thu, 12/14/2017 - 03:00

As discussed in my last blog, here at the University of Cambridge we have a large and complicated network. The wireless is one, albeit hefty, part of that network. I previously mentioned that we have a large fibre optic network that connects University buildings together all over Cambridge. In these buildings, all our access points connect via department or College local area networks (many not directly under our control). What I would like to talk about in this blog is related to how we manage all that centrally, and talk about what we are changing with our Aruba controller setup.


If you had asked me that question five to six years ago, I would have answered that we had a couple of controllers and around 700 to 800 access points. At this point, we had just dipped our toe into Aruba’s product range having switched from another major vendor. The fact that we are still using Aruba all this time later tells you all you need to know about the product.


So, since then, what has changed? To answer that properly I need to take you back in time again to about 12 to 18 months ago. At this stage in development, we had grown the network to about 4000 access points and we had evolved to a master-standby master and five local controller architecture (2 x 7210 and 5 x 7220). However, relevant to the title of this blog one of these five local controllers was acting as our N+1 standby controller. That is if any one of the local controllers were to fail this controller would take over its role. At this time, we also began deploying AirWave to monitor our wireless estate, which, by the way, is a fantastic tool, especially for large networks.


So where are we now? Well, we have grown the network by another 1000 access points, taking us to just under 5000 but we now have fourteen controllers (2 x 7210 and 12 x 7220). “Fourteen controllers?!” I hear you say! So, why do we need so many when each 7220 controller can handle up to 1024 APs? The answer is 2N resiliency.


2N resiliency is the logical upgrade to N+1 resiliency, simply put it means having a complete second set of controllers in a disparate location to take over if the first set should fail. In our case, using backup LMS as the mechanism to fail-over (we previously used VRRP). This is important to us, as the wireless is critical to University business. This and the scale of our deployment means that it must be resilient and the N+1 model wasn’t robust enough. Building this resiliency, especially on our complicated network is far from easy. As mentioned, we have a pan-city fibre network, with fifteen distribution routers and three core routers. Our Aruba equipment is located away from the centre of this network, geographically and logically in our main Data Centre, which lies at the edge of the City.


So, when we were working out a plan for all this we had to draw up aims for the upgrade. A high-level synopsis of this plan was:


Phase One

  • Provide 2N resiliency in two disparate, geographically diverse data centre locations
  • Rearrange the underlying network and addressing scheme
  • Prepare the network for AOS 8 (The importance of this is noted below)

Phase Two

  • Move the Aruba equipment to the centre of the University network (the distribution layer) for efficiency which is closer to the main user base and egress point to the internet (recall the main Data Centre is at the geographic and logical edge of our network)
  • Place the whole Wireless Service on dedicated routers with 2 x 10 Gbit connections to each controller.
  • Makes sure phase two arrangements are prepared for AOS 8

Planning for Aruba AOS 8 was a large part of this project. We wanted to ensure that the major immediate changes we were making remained compatible with AOS 8. We made sure that the network design we came up with, not only solved our short-term needs but also made the adoption of AOS 8 much easier. Why are we worried about this? At the moment we run AOS 6.5, which is great but 8 is better, no, actually it’s a step change and I’ll name a couple of benefits that stand out for us. Firstly, AirMatch will make a big difference to our deployment, which, as mentioned, spans the city and is subject to all sorts of inconsiderate or badly deployed Wi-Fi networks. Having this improved system dynamically optimise the channel and power management of the entire WLAN network will be amazing. Secondly, controller clustering is another key benefit to us. The immediate advantage is the entire system works as one, so no more logging into each local controller separately! However, more seriously, it also facilitates hitless failover (within the cluster) and most crucially provides seamless roaming. That is great because it stops our users having to re-authenticate if they cross into a different zone that is served by a different controller (our controllers each serve distinct areas of the City).



The planning and initial work on this project took 12 months. We completed the migration in about 2-3 months, which sounds like a lot, but if we could turn the system off, we reckon we could have completed all the work in a few days - which simply was not an option. We had to make all the underlying changes while keeping the system running and with minimal downtime. So we worked on the system where we could while it was "live" but crucially only where we were very confident it would not be service affecting. In addition to this, we had a set of out of hour’s planned system outages. However, these had to be kept to a minimum level given that the Wi-Fi is used 24 hours a day seven days a week. (I kid you not - we have up to 35K unique devices connected during the day but still have at least 10K devices connected overnight).  Consequently, overall we were limited to one to two hours of advertised downtime per week.



We completed phase one work a couple of weeks ago and last week we did a full failover test by powering off one bank of controllers. This was a nervous moment but thankfully, it all worked. This was a noteworthy and complex piece of work and it says much about the Networks Team here that no one felt we were being too ambitious to do this on a working system rather than build a new system in parallel. That is not to say we were not worried about it, we all care deeply about the service we offer, but I have the privilege to work with some very clever and capable people whose contribution make all the difference when undertaking this type of project.

Onion Approach to WiFi Troubleshooting Basics - Device or Application

Wed, 12/13/2017 - 17:40

We’ve all been in this situation. Users are complaining about a wireless drop or problem when they use a specific application. As you sort it out you face the problem - device or application? Since it’s on the wireless it’s your problem until you sort through it. Here are some guidelines you can consider.


1. Are other devices working on the same WLAN and frequency?

2. Is this application used on wired? If so, is the application on wired having problems?

3. Are other applications on the mobile device having problems or just this application?

4. Build another model device without the corp load and conduct comparison testing.

5. Can you run this application on another device?

6. TAP the connection between the application server and wireless with wireshark. Compare a working connection with a connection that is not. 

7. See the issue for yourself. 

8. Speak to the application folks to see if they know of any application issues. 

9. Is the issue happening on a single device and is it perceived the issue is more wide spread?


I’ve been in situations where a single voice handset, particularly when used by a charge nurse, goes bad and everyone on the unit thinks they have issues. I’ve also had issues where a single device is loaded with multiple layers of security and applications. As you peel away the onion you identify one of the layers is the culprit. It can be tricky to diagnose. The key is to focus on one side at a time and not become overwhelmed. 

Aruba Instant Takes the Sting Out of Outdoor Wi-Fi Deployments

Wed, 12/13/2017 - 10:00

Outdoor wireless seems simple in theory, but the reality is complicated. But with the new Aruba Instant mode, it’s never been easier for small and midsize businesses (SMBs) to deliver a great Wi-Fi experience outdoors—whether that’s in campus quads, courtyards, walkways, restaurant patios, service bays, pools or other outdoor spots.


People expect Wi-Fi connectivity anywhere and that includes the outdoors. If you are looking to extend Wi-Fi connectivity across your entire campus, the Aruba 360 Series Wave 2 access points (APs) are a cost-effective, high-performance outdoor Wi-Fi solution. Easy for smaller organizations to deploy and manage, these ruggedized APs are designed to withstand harsh outdoor weather conditions and are completely waterproof and dustproof.



Easy setup and management


With Aruba, deploying and configuring your outdoor Wi-Fi network is easy. No need to install a dozen components; you simply select the AP model and the mounting bracket. The Aruba 360 Unified APs can be deployed in Instant or controller-managed mode. Using Instant’s zero-touch, self-provisioning capabilities, a single “master” AP communicates configurations to all other similar APs on the network.


The Instant-based solution simplifies and streamlines wireless networking while reducing deployment and management costs. And if your WLAN network requirements change, Aruba Instant allows you to easily migrate to a WLAN that is centrally managed by a Mobility Controller, providing full investment protection.


Cost-effective and reliable outdoor Wi-Fi


With aggregate data rates of up to 1.27 Gbps and MU-MIMO support, the Aruba 360 APs deliver the throughput necessary to support a growing mix of mobile devices and applications.


Integrated Aruba ClientMatch™ technology optimizes client roaming across the campus and enhances Wave 2 WLAN performance. The enhanced ClientMatch technology enables the 360 Series to automatically detect, classify and group 802.11ac Wave 2-capable mobile devices under a single Wave 2 radio, increasing network capacity and efficiency.


Make the most of the 360 Series mesh capability to cost-effectively extend Wi-Fi access in areas where it’s not practical to roll out Ethernet cables. Or use point-to-point or backhaul mesh Wi-Fi links to interconnect buildings, while simultaneously providing secure Wi-Fi access to your users.


Built-in security


With a built-in firewall and integrated wireless intrusion detection and prevention (WIPS), the Aruba 360 Series provides role-based access and 24/7 protection from all types of wireless threats to satisfy PCI compliance for restaurants, hotels or other industries taking payment cards.


Customizable web content filtering further protects the network from online threats and malicious websites.


An enhanced guest experience


Like all Aruba Wave 2 access points, the outdoor 360 Series APs offer an integrated Bluetooth Aruba Beacon for proximity-based push notifications and advanced location-based services for BLE-enabled mobile devices. This enables you to create applications to deliver personalized offers to enhance the guest experience.


Outdoor Wi-Fi gets Lexus drivers back on the road faster


Focusing on upscale customers, reliable Wi-Fi connectivity was a top priority for Eskeridge Lexus in Oklahoma City. In addition to brisk sales traffic, the dealership services over 27,000 vehicles annually and technicians rely on wireless access to perform their work efficiently and effectively. Any delays impact customer service; however, the existing Eskeridge wireless network was unable to handle the increased load.




To modernize its network, Eskeridge needed an easy-to-deploy Wi-Fi solution that included both high-performance indoor APs and rugged APs for its service bays that would withstand conditions similar to the outdoors.


Aruba Instant provided Eskeridge with a simple and powerful Wi-Fi solution that streamlined implementation while reducing administration and build-out costs. Most importantly, sales and service staff now can access the resources they need to close a deal or get a customer’s vehicle ready on time, delighting customers and employees alike.


Go deeper


Learn more about Aruba Instant.

Get the details on the Aruba 360 Series outdoor access points.


Did you like this blog? Share it on social media or give it a thumbs up using the buttons below.


What’s the most challenging aspect of delivering outdoor Wi-Fi at your organization? Tell us in the comments below.


Building an Engaging Mobile App: Meridian AppMaker

Tue, 12/12/2017 - 16:49

Lately, I have been getting questions about how to build an app that adds value, and that people will download and keep using. This leads to a discussion about Meridian AppMaker and what it can provide to customers. Meridian AppMaker enables our customers (without any mobile app development experience) to build a full-featured, custom mobile application that is specifically for their venue.



This includes the ability to add custom maps of their venue, complete with specific points of interests.  The end result is fully-featured apps that work on both iOS and Android mobile devices. The price point makes it a more attractive way to get started compared to some alternatives.  AppMaker also allows customers to work on an accelerated timeline.



At a minimum, the app includes static maps and wayfinding that are customized for each venue.  With the addition of Aruba Beacons, blue dot navigation is an option for turn-by-turn directions to points of interest. Also, location sharing enables friends and co-workers to locate each other in real-time within a venue.


In addition to the core mapping and the wayfinding features, Meridian AppMaker supports custom location-based campaigns that can be used to push information to the mobile app based on location.  To control app access, AppMaker supports Single-Sign-On (SSO) for enterprise-class customers that want to secure employee access to the app. Integration with sources like Microsoft Active Directory makes it easy to ensure that only valid employees can access the app, relevant maps, and other features.


If you have any questions about the capabilities that Meridian AppMaker can provide, please start a conversation below.


Learn more about Meridian AppMaker.


Aruba 8400 Earns a University New Product Award!

Mon, 12/11/2017 - 10:00

The Aruba 8400 is on a winning streak! Recently, the switch won 2017 CRN Tech Innovator Award (read more about that win here) and now, it has won the School Planning & Management and College Planning & Management Gold award in theNew Products Award network category! 


The School/College Planning & Management New Product Award honors companies that have developed products and services that help the learning environment. So how does a core switch help learning?  Let’s first take a look at university environment challenges and then look at the benefits that the Aruba 8400 provides.


University Challenges from Edge to Core

Students are mobile and want personalized learning. Additionally, cloud solutions and IoT mean that infrastructure needs have grown inherently more complex. Not too long ago, teaching environments were supported by static, closed networking solutions that provided necessary performance and security. But today, in the era of users who demand always-on experiences, university IT departments need a robust, flexible approach that can keep up with the surge in traffic and complexity on their networks. There is also an increasing need for security, visibility, and insights, but more than anything, there is a need for quick remediation of network troubles. People, especially those age 18 – 22, would rather tweet an issue than call a helpdesk. Always-on connectivity is not a luxury; it is an expectation not only to support teaching and learning but also amenity-driven users.


Aruba 8400 Core Switch Series Benefits

The carrier-grade Aruba 8400 Core Switch Series is based on the new ArubaOS-CX software. This fully programmable software system automates and simplifies many critical and complex network tasks while supporting always-on demands from users. Its unique Aruba Network Analytics Engine (NAE) monitors and troubleshoots network, system, application and security-related issues easily, all critical to supporting learning, providing timely and intelligent troubleshooting information to overburdened and understaffed IT groups. It is like having a 24-hour-a-day staffer who continually monitors the network and provides insights to fix issues. The NAE capability comes with a built-in time series database that enables historical troubleshooting and analysis of trends. Knowing history empowers developers to predict and avoid future problems due to scale, security and performance bottlenecks. In summary, the university gains:

  • Automated visibility for early detection of issues
  • Faster resolution with network insights
  • Programmability simplified to help IT scale and customize processes
  • Significantly less time spent on network maintenance and management, with time to focus on other critical activities
  • Enablement of seamless upgrades to scale as bandwidth needs increase


Learn More

The Aruba 8400 switch series is a game-changing breakthrough campus core switch that extends intelligence from the edge of the network, where users and devices are, to the core. Its smarts and automation have a direct impact on users, environments, teaching, and learning! I encourage you to learn more about the Aruba 8400.





Did you like this blog? Share it on social media or give it a thumbs up using the buttons below.


How are cloud, mobile, and IoT changing the demands on your campus network? Tell us in the comments below.


Cybercriminals Increasingly Target K-12 Student Data

Mon, 12/11/2017 - 10:00

Schools are under cyberattack. Last year, K-12 school districts experienced an average of two cyber incidents a week, and 2017 is on pace to see double the number of cyber incidents according to CoSN.


Criminals are targeting schools here in the U.S. as well as globally. Disruption is always a goal, but recently, criminals are holding student and family information for ransom. Many schools have added student health information to their systems in an effort to broaden outreach for Medicaid and Children’s Health Insurance Program (CHIP) benefits. The value of stolen student health information is rising rapidly on the dark web.  


The stories are many. The school district in Dorchester County, SC was a victim of ransomware, which affected the information on 26,000 students. It got away with paying only $2,900 in ransom. Across the country, the schools in Columbia Falls, MT were targeted with extremely violent threats and demands for more than $150,000 in payments. More than 30 schools across the county were closed for three days until the FBI could investigate and identify the overseas criminals. It’s no surprise that in October, the US Department of Education issued a warning about these types of cyberthreats.


A Broader Attack Surface


Schools have largely dealt with the challenges of mobile devices in classrooms, but a newer attack vector is coming from the Internet of Things (IoT). Facilities departments are installing rain sensors for automated irrigation, integrated access control systems and IP surveillance cameras to enhance physical security, automated sensor controls overheating and cooling, and smart lighting. In the classrooms, tablets, laptops and interactive whiteboards are everywhere, and increasingly, kids use augmented reality headsets to bring lessons to life, build their own computers using Raspberry Pi, and design robots and drones as class activities. The Internet of (School) Things changes how students do experiments and learn.   


There’s often a specialist who oversees educational technology, but that’s not necessarily the case when the facilities department embraces IoT. It’s not uncommon for the manager of the maintenance department to use his personal credentials to give the smart irrigation control system access to the school’s network.  That’s not a problem until attackers compromise the system. Security systems don’t set off alarms because the device appears to be used by a legitimate employee with valid credentials, but meanwhile, an attacker is sniffing around the network for data to sell or hold for ransom.


Get Visibility and Control


You can’t protect what you don’t know you have. Oftentimes, network administrators simply don’t know what user and IoT devices are on the network. You need to know about unknown devices as well as known devices that start acting strangely.


With Aruba ClearPass, IT can identify what devices are being used on the school’s network, whether it’s wired or wireless. IT will know how many devices are connected, where they’re connected from, and which operating systems are supported. Visibility is the foundation of security. From there, IT can enforce policies that govern the proper user and device access, regardless of user, device type or location. Finally, IT can protect your resources with dynamic policy control and remediation of actual threats.


Now, when the smart irrigation system logs on at 3 am and begins to act like a server, using valid credentials from the head of maintenance, the IT team will know about it right away. IT can cut off network access for that device immediately until they can investigate further. The plants will survive the mini-drought, and the deluge of data on the dark web is stopped.


Find Threats Faster


Artificial intelligence-based machine learning and user entity behavioral analytics can also help schools find threats faster. Aruba IntroSpect uses machine learning to spot changes in user behavior that often indicate inside attacks that have evaded perimeter defenses. Risks are scored and consolidated, putting hours' worth of investigation available at administrators’ fingertips.


Step up Defenses


The challenges of dealing with the rising threat from well-organized criminals are compounded by IT resources that are already stretched thin. In fact, 43% of school IT managers said they didn’t have enough staff to implement new technology, according to CoSN. Now factor in the high demand—and stratospheric salaries—of cybersecurity experts. It’s predicted that 3.5 million cybersecurity jobs will go unfilled by 2021—and school districts are competing with well-funded enterprise IT departments for that talent.


That’s why it’s never been more important to use solutions like ClearPass and IntroSpect to more effectively and efficiently protect schools against these escalating threats.  


Go Deeper


Learn more about ClearPass can prove secure network access control.


Learn more about how IntroSpect can spot changes in user behavior that indicate insider attacks.  


Did you like this blog? Share it on social media or give it a thumbs up using the buttons below.


Free Wi-Fi Training Resources

Fri, 12/08/2017 - 13:00


Would you believe that free training abounds for Wi-Fi? There are a lot of resources available online for merely the exchange of bandwidth and time. These are a few of my favorite resources and I use them frequently.


The Wireless LAN Professionals Conference (WLPC) is a yearly conference for WLAN pros with conferences in several regions. I attend the US event every February. There is also one in Europe during October and one in Latin America during August that is in Spanish. If you have the opportunity to go, this is a great way to meet other WLAN pros and have some great conversations along with learning a lot from the presentations. However, one of the best things about this conference is that all the sessions are recorded and viewable for free, even if you didn't go. Myself, I watch all the sessions from the European conference online and even though I've been fortunate to make all the US WLPC events so far, I sometimes watch sessions again. There's a lot of great Wi-Fi learning to be had!


The videos are found at the WLPC Video Library and cover a wide range of wireless topics. You'll find practical topics like Securing your WLAN By Thinking Like A Hacker and fun, yet educational topics like The Science of Bad-Fi. There are highly technical deep dive sessions like these from Aruba's own Chuck Lukaszewski, Under the Hood with MU-MIMO and the complex Next Gen Wi-Fi Preview covering what 802.11ax is doing. There are even sessions on soft skills and thinking about your career, such as Integrity and the WLAN Professional and this session what it means to be a Mobility Architect.


I realize that's a lot of videos, but it's just a sampling of the over 200 videos already online that are presentations given by WLAN professionals for WLAN professionals; your peers sharing with you. The SNR on these sessions is excellent and I'm sure that if you browse through the library you will find plenty more sessions that are valuable. Another great thing about all these videos is that you can download them for offline viewing. No Wi-Fi required, as it were.


Perhaps you don't have the time to go through all the videos or perhaps you just want to consume them more efficiently. One of the ways I find that helps me watch them more quickly is to download them and use the VLC player to watch them at an accelerated speed. I recommend starting at 1.25x normal speed and you can adjust from there based on what works for you. This saves time, but make sure you still comprehend the ideas being shared!


Ekahau has been hosting Wi-Fi design webinars for quite a while now. Once a month they have a recorded webinar with a guest presenter who covers a topic in wireless network design. For example, in Gigabit Wi-Fi: Not So Fast, they discuss the design factors impacting real world performance and the need for multi-gig Ethernet. You can find the list of upcoming and recent webinar sessions at the Ekahau website.


Certified Wireless Network Professional is a vendor-neutral wireless certification organization that is well respected in the industry. They run monthly training webinars on all topics related to Wi-Fi and sometimes cover topics related to certification. All their past webinars and a few other useful recordings are posted on their YouTube page. One great thing about YouTube is that it has accelerated playback features built in, at least when you aren't on a mobile device. One session I found particularly helpful was learning about Using ZeroShell in the Lab. It's a great tool for experimenting with authentication infrastructure, check it out!


These are my favorites. I try not to miss these if I can help it and I will watch the video later if I must. You don't have to spend a lot of time to learn a lot about Wi-Fi. An hour here and an hour there and you'll suddenly realize you are turning into a Wi-Fi expert. If you know of great Wi-Fi resources I didn't cover, please leave a comment. We'd all love to hear about it!


ClearPass Operator Login with Active Directory

Thu, 12/07/2017 - 05:35

When you setup ClearPass, you always need to authenticate your operator. In this post, I will describe an easy way to use Active Directory for ClearPass operator login. I use AD here because most of my customers use AD. So, we can work with it and do not have to set up something new or use the admin database in ClearPass. This will only create a shadow database with separate passwords and a separate structure.

ClearPass Operator Login - Copy the Existing Service

ClearPass use itself for authentication as well. This means when you hit the login button on the ClearPass login page, ClearPass create a TACACS request and authenticate the user with a service. This service is the default "[Policy Manager Admin Network Login Service]":

To remove or to disable this service make it impossible for ClearPass to authenticate the operator. So, the best option is to adjust the service to use AD as well. But, this is a default service and you cannot change it. The only option is to copy the service and modify the copy. To copy the service, select the service (check the checkmark at the beginning of the row) and hit the "Copy" button at the below the table. This creates a new service in the last row. Open this service to modify the service:

The service is the same as the original one. But we change this soon.

ClearPass Operator Login - Modify the Copy of the Default Service

Select the second tab, "Service" and change at least the name:

You can also change the description, but actually, the default description is pretty good.

Go to "Authentication":

Add the AD to the list of "Authentication Sources". I also set it to top of the list as this is my main repository for users. Leave the existing sources in the list.

My users use "user@domain.tld" as authentication name. To strip the "@domain.tld" from the name enable the "Strip Username Rules" and add "user:@".

Go to the "Roles" tab:

You do not have to use roles mapping. But it makes life easier if you do. I have a default role mapping profile. Every group in my active directory, which is used for authentication and/or authorization has a role in ClearPass. This role mapping profile maps the group from AD to a role in ClearPass. The benefit of role mapping comes on the next tab:

This is the default enforcement policy. There are many conditions for default roles. I simply match my AD groups to those roles and so I can use the "[Admin Network Login Policy]". This saves me a lot of time. But, as always, you can, of course, create your own rules and policies. But remember, to have a fallback plan, include the conditions from above in your policy. This makes sure, you can use the local admin account in the condition of disaster. so, change the default password for the admin account to something safe and complicated and hide it somewhere.

ClearPass Operator Login - Activate the Service

To use the new service, you have to move it in front of the old one. Go back to the "Services" list and click the "Reorder" button:

Move it to position one. And now, finger crossed that it works. Logout from ClearPass and use an AD account to log in again. To make it, even more secure, use a different browser to test the login without logging out before.

If you are in again, we did it correctly. You can now disable the old service. Just click the green light at the end of the row. It turns red.

Also, test the login with the built-in account, to make sure that the fall back plan is working.

If you find this post interesting, leave me a comment and share it with your friends.

Onion Approach to WiFi Troubleshooting Basics - Best Practice Considerations

Wed, 12/06/2017 - 12:17

The topic of best practice comes up from time to time. Just because a “configuration” made be best practice list doesn’t necessary mean it is a best practice for all deployments. Best practice is a great starting point, a guide of sorts. Folks may have to deviate from some best practices because of their unique installation.


I always share with folks just getting started in WiFi, be sure to read and understand the best practices prior to any and all installations and configurations. This may pertain to the controller configuration or access point installation, for example. If you find yourself deviating from best practices ask yourself, “Why am I deviating?” and document the reason. You may get questioned later why this or that was done. Documentation, documentation and documentation! 


The same is true if you blindly ignore best practices for reason of ignorance. Suppose there is a problem and the root cause is found to be a specific configuration which so happens to be a best practice. You now need to wiggle your way out of that conversation.


101 - Start with best practice. In any documentation specific to installation or configuration, note what best practices were adhered too and what best practices were not along with the reasons why. 


Before you start a configuration or installation your first thought should be: BEST PRACTICES.

Three Ways Great Wi-Fi Can Make You a Better Retailer

Wed, 12/06/2017 - 10:00

You know you need great Wi-Fi to support store operations. You know your customers want great Wi-Fi when they browse. But what you may not know quite as well as how great cloud-managed networks can help you deepen customer loyalty and increase sales.  


Many retailers prefer cloud-managed networks because it allows you to deliver enterprise-grade Wi-Fi to support store operations and guests with a minimum of hassle. With cloud-managed networking, you still deploy access points and wired switches in the stores, and then your network administrative team can centrally manage them from anywhere using a mobile app or web browser. You always have the latest and greatest networking capabilities, and your team doesn’t have to worry about late-night upgrades. Plus, cloud-managed networking shifts costs from large, upfront capital investments to monthly operational costs.


With great cloud-managed networks, retailers can:


  1. Get a more nuanced, complete sense of what your foot traffic looks like. You can tap into your wireless LAN to see your customers’ digital footprints as they move through the store. You can see the busiest and slowest times of day for foot traffic. Were they just browsing, or did they spend a lot of time in one department?


Tapping into the network to glean presence analytics can help you build a complete view of your customers. For instance, a supermarket can determine if it’s a person’s first visit to the store, or if she shops here often. Merchandisers can determine which are the most popular paths through the store—and if shoppers are pausing at the new digital displays. Marketers can compare data from different stores to get deeper visibility into the effectiveness of coupons and offers or to compare return rates.


  1. Provide Wi-Fi to shoppers without a sweat. With cloud-managed networks, you can provide branded Wi-Fi connectivity to shoppers with a simple username and password. You can be assured that guest wireless LAN traffic will stay separate from payment transactions and operational traffic to ensure security and compliance. And you don’t have to worry about being inundated with customer complaints that they can’t log onto the Wi-Fi. For instance, Aruba Clarity, part of Aruba’s cloud-managed network solution, helps you foresee and fix client connectivity problems. That makes it a lot easier for, say a regional bookstore chain, to offer Wi-Fi without forcing sales associates to provide tech support.


  1. Drive customer engagement. A cloud-based, mobile engagement solution like Aruba Meridian lets you take the next step in personalized marketing. When a customer walks into a sandwich shop, you can use the Bluetooth on his device to engage in real time. If he’s using your app, you can send a push notification with a special offer for a roast beef sandwich. Or, because the analytics reveal that it’s his third visit to the store in two weeks, you can send a push notification asking the customer to join your loyalty program and get a free bag of chips with his next purchase.


You can also tap into a cloud-managed network to help shoppers find their way to their intended destinations faster. With location-powered apps, you can provide context-sensitive navigation and give them turn-by-turn directions. If you’re an entertainment venue, for example, knowing their location also opens up possibilities for delivering food right to their seats.


Delivering personalized experiences by tapping into insights hidden in the store network isn’t only for big retailers. With cloud-managed networks, small and midsize retailers can deliver great experiences for their shoppers, as can museums, entertainment venues and other public spaces.


Learn more about Aruba Central.


Learn more about using mobile to engage shoppers and help them find their way.  


Did you like this blog? Share it on social media or give it a thumbs up using the buttons below.

Aruba 8400 Wins CRN Product of the Year Award

Wed, 12/06/2017 - 08:05

We are honored that CRN®, a brand of The Channel Company, has recognized the new Aruba 8400 Core and Aggregation Switch with a 2017 CRN Product of the Year Award in the Revenue and Profit Sub Category for its demonstrated ability to help solution providers drive new revenue and profit margins.

In November 2017, CRN also recognized the 8400 with the 2017 Tech Innovator Award.


What are the CRN Products of the Year Awards?


CRN’s annual Products of the Year Awards are given to standout products and services that represent best-in-breed technological innovation, a financial opportunity for partners and customer demand. Winners are determined through a combination of editorial selection and a survey fielded to solution providers to accurately capture real-world satisfaction among partners and their customers.


The CRN editors selected five finalist products in each category and then asked more than 4,000 solution providers to score their experiences with those products using criteria in three categories:


  • Technology - Product quality and reliability; richness of product features/functionality; technical innovation; and compatibility and ease of integration
  • Revenue and Profit - Demonstrated ability to drive new revenue; resulting profit margins; and demonstrated ability to attach services revenue
  • Customer Demand - Demonstrated ability to meet a market or customer demand; demonstrated ability to create new customer relationships or improve existing ones. 

What makes the 8400 switch so special?


The 8400 series switch is a game-changer for solution providers and enterprises alike. The 8400 offers a more flexible, innovative approach to dealing with the new application, security and scalability demands on today’s campus networks. With ArubaOS-CX, a modern, fully programmable OS running on a carrier-grade chassis, the 8400 switch effectively addresses the demands driven by mobility and IoT.


The 8400’s award-earning capabilities include:


  • Faster, more advanced visibility – An on-box, time series database for event and correlation history and real-time access make it easier for network operators to gain insights into the network. 
  • Faster time to detect, diagnose and resolve – Rules-based, real-time monitoring and intelligent notifications with automatic correlation to configuration changes simplify troubleshooting. 
  • Easier automation and integration – Business policy-based automation and the ability to use scripting to program the network makes it easier to deliver the experience the business expects. 
  • Improved network assurance – The switch’s carrier-grade reliability supports growing traffic demands and eliminates bottlenecks with multi-terabit performance and high speed, high port density. 

ArubaOS-CX—the winning formula


ArubaOS-CX sets the 8400 series switches apart from legacy ways and meets the intense mobility, cloud and IoT demands of today’s enterprises.  The brains of the switch, ArubaOS-CX automates and simplifies many critical and complex network tasks, delivers enhanced fault tolerance, and facilitates zero-service disruption during planned or unplanned control-plane events.  


ArubaOS-CX includes the powerful Aruba Network Analytics Engine, which allows IT teams to easily monitor and troubleshoot the network, system, application and security-related issues activities with simple rules-based monitoring and automatic correlation of network activities using simple Python scripts and REST APIs. The Network Analytics Engine capability comes with a built-in time series database that enables customers and developers to develop software modules that enables IT operators to easily perform historical troubleshooting and analyze historical trends to predict and avoid future problems due to scale, security and performance bottlenecks.


Award-winning capabilities in a compact form factor


For organizations looking for a solution that’s more ideally suited for slightly smaller deployments, we recently announced Aruba 8320 Switch Series—a new high availability campus core and aggregation switch provides 8400-like capabilities in a compact 1U form factor. The 8320 has 2.5Tbps switching capacity, line-rate 10GbE and 40GbE ports and redundant power and fans. It also runs ArubaOS-CX with Network Analytics Engine. 

Go deeper

Learn more about how Aruba’s award-winning 8400 Core and Aggregation Switch Series and compact 8320 Switch Series bring intelligence and automation to the campus core, giving network operators the ability to see more, know more and act faster.  


Read the blog The 8400: A Core Switch that Makes Every Network Device Better, by Aruba CTO, Partha Narasimhan.


Read the blog ArubaOS-CX: A Modern, Programmable Network for the Mobile and IoT Age by Tom Black, vice president and general manager of the Aruba Campus Switching business unit.  


Read why the CRN editors recognized the 8400 with the 2017 Tech Innovator Award.

Aruba ClearPass 6.7 – Simplification, Security and Success.

Tue, 12/05/2017 - 17:17

The standout changes occur around licensing. Companies are changing their business practices, and we’ve taken measures to securing them. We are most successful when foster collaboration in the workplace and enterprises are increasingly hiring consultants, temporary employees and contractors. It’s incumbent on the business to permit engagement, collaboration and infrastructure sharing without risk to the business. To that end, the full functions and features of ClearPass Guest are now included in ClearPass Policy Manager with no additional fee. We have also made changes to improve user experience and operational efficiency.


Additionally, we’ve moved from an “average usage” solution to a “concurrent usage” license. This makes planning and deployment more straightforward. We’ve also separated the acquisition of the virtual (VM) or hardware ClearPass appliances from the software “access” enabling license. Moving forward, we have a single VM, and Small, Medium and Large Hardware devices. Clustering capabilities continue to be supported for performance, resilience and scalability – and performance figures and deployment guides are published separately here


“Access” licenses are now available either as perpetual or subscription licenses in 100, 500, 1000, 2500, 5000, and 10,000 concurrent device licenses. These access licenses include 802.1X, MAC Auth, TACACS, OnConnect, Secure Exchange, Endpoint Profiling and of course Guest.


In addition to simplifying the conventional access solution, we also wanted to reflect the change in culture towards BYOD. To that end, we’ve changed OnBoard from a per device license to per-user licenses. Gartner states an average of 3.5 devices per person, and this change in licensing is to ensure that the increasing number of devices connecting to the enterprise does not become an operations or security burden. Enabling a certificate authority and 802.1X in ClearPass is one of the quickest and simplest ways to secure mobile devices in the enterprise.


Here is an example between then and now:


Imagine an organization with the following characteristics for a given business day:


  • 6,000 endpoints using a mix of username/password and certificate (Corp/BYOD) based authentication
  • 2,000 IoT endpoints that use MAC address authentication
  • 1,000 guest endpoints that use self-registration or social logins

Given that all authentication methods are now equal in the new model, we have 9,000 endpoints to consider.


  • 3,000 endpoints that have OnGuard installed
  • 500 users that can onboard their devices as per the BYOD policy
  • We’ll exclude the number of appliances needed in this example from a performance perspective for simplicity. In the old model, the number of appliances was part of licensing count. In the new model, it is NOT!
  • However, we are only concerned with the maximum number of users concurrently authenticated/authorized.
  • If we believe that ALL the endpoints will be concurrently authenticated/authorized in a given day, we will need to license for 9,000 but given the network data available (e.g. DHCP max pool size and lease times, max firewall session usage), we are able to determine that only 6,000 endpoints are ever concurrently authenticated/authorized therefore we only need 6,000 Access licenses.
  • OnGuard is going to be installed on 3,000 endpoints so we just need 3,000 OnGuard licenses.
  • Onboard is going to be used by 500 users so we just need 500 Onboard licenses irrespective of the number of endpoints.


The licensing changes are significant, but we’ve also added:


  • Endpoint profiling improvements
  • Enhanced support for IPv6
  • Support for new virtualization platform, Amazon AWS
  • Improved internalization support for Guest workflows
  • Client support improvements for OnGuard
  • Insight custom reporting and alerting options
  • ClearPass Extensions and API enhancements.


Most importantly, these changes came because we listened to you, our customers and partners – its part of the Aruba culture – Customer First, Customer Last, and Partner Always


If you are, thanks for being a customer, a channel partner, a colleague.


If you not, but want to learn more, get in touch


Jon Garside

Security Aruban

CISO’s Guide: Principles of Machine Learning

Tue, 12/05/2017 - 10:00

In our previous blog, CISO’s Guide:  Introduction to Machine Learning for Cyber Security, we discussed why machine learning is one of the most powerful tools at a CISO’s disposal to more quickly detect today’s insidious cyberattacks. In this blog, we’ll dive into the principles of machine learning so you can more effectively introduce machine learning into your security operations. 


Three Pillars of Machine Learning


To properly plan for the successful use of machine learning, it’s important to move beyond the standard marketing claims and descriptions to understand the key technical concepts.


The three pillars of machine learning are: 



  • Use Case – What type of attack am I trying to find and at what stage in the kill chain will I be looking? 
  • Model – Given what I am looking for, what model (algorithm) is most appropriate? 
  • Source/Data – Now that I have the model, what data—the raw feedstock, if you will—is best suited to provide the model with the most meaningful and actionable information? For security machine learning, the input can be packets, flows, logs, alerts and text, such as performance reviews and external threat intelligence. 

Once these variables are defined, the next question is: Can the model scale with the amount of data and the scope of the use case? Machine learning solutions are based on a set of well-researched and well-documented mathematical models. While the basic algorithms and processes are not secret, how they are used and implemented in an end-to-end system will determine the value they deliver.


What’s the Difference: Unsupervised vs. Supervised Machine Learning


The usage and implementation of machine learning—the “how”—generally fall into two main categories: unsupervised and supervised machine learning. 


Unsupervised machine learning – To more effectively detect the behavioral changes missed by alternative security strategies such as pattern matching or rules, machine learning requires a backdrop of “normal” so it can then detect deviations from that norm. Once a baseline is determined and in place, abnormal behaviors are then flagged as possible indicators of an attack in progress.


By looking at each user’s demographic and IT activity profile (such as which organization am I in, who is my boss, what systems and applications do I access, and when do I access them), an unsupervised machine learning model automatically builds a baseline of normal activity.


For unsupervised machine learning models, no rules are created to deliver results. The model may take a period of time (say, 10 to 14 days) to build up a reliable baseline.


Supervised machine learning Once an anomaly (a change in behavior) is discovered, how do you determine if it is part of an attack?  That’s where supervised machine learning comes in. If unsupervised models are self-learning, supervised models must be “taught” to detect a specific condition. Researchers identify attack methodologies and collect datasets to “train” algorithms to recognize specific attack elements. Once trained, these algorithms can then predict “good” or “bad” on new, unseen datasets.


Consider a bag of marbles that are either all white, all black, or shades of gray. Think of it as a proxy for whether something is “good” or “bad” or “inconclusive.” The closer a marble is to white, the more likely it’s “good” and marbles closer to black are likely “bad.” Using supervised machine learning, a data scientist can take a bag of marbles and “train” the model by categorizing each marble as either “white” or “black,” and even categorize marbles that are shades of gray.


Once the model is trained, it can look at new marbles and put them in the “black” or “white” bucket, with a probability assigned to designate how confident it is in the result. For gray marbles that are mostly black or mostly white, the confidence will be high. For marbles in the middle where they can be put in either category, confidence will be low.


An example in the security domain would be a supervised machine learning model looking a command-and-control connection to an attacker from a compromised system. The data for this model comes from DNS requests. The model is trained by exposing it to a large dataset of “good” (such as Alexa top 1 million domains) and “bad” domains (such as from different botnets), enabling it to automatically find the equivalent of “black” marbles in standard DNS data. For example, is a good domain, while would be a bad domain.


Learn More

In our next blog, explore how to get started machine learning and user entity behavioral analytics.


Ready to learn more? Download the CISO’s Guide to Machine Learning and User Entity Behavioral Analytics e-book now. 


Like this blog? Give it a thumbs-up or share it on social media using the buttons below.


Join the discussion: Tell us your biggest concerns about using machine learning to detect cyber threats.

Mastering Mobility: ArubaOS 8

Mon, 12/04/2017 - 09:46

Sometimes, when you think life’s handing you lemons, it’s really serving you lemonade.


That’s how we felt at Swarthmore College when refreshing our Aruba network introduced us to the many streamlining and automation advantages in ArubaOS 8, the backbone of Aruba’s Mobile First Platform.


A Familiar Story, With a Twist


Like so many organizations, we embarked on our Aruba wireless network update a couple of years ago to meet the challenges of rising device densities and always-on mobility at our 425-acre Philadelphia-area campus. Given the excellence expectations of our discerning students and faculty for our Top 10 institution, it was time to upgrade to 802.11ac-enabled Gigabit Wi-Fi.


Our plans included redesigning our coverage-based network to become density-based and replace our mixture of 100-series APs with a mixture of AP-205, AP-215 and AP-225 units for indoors. Outdoors, we were adopting AP-275 and AP-277s.


We already were, and still are, enthusiastic users of AirWave, for network optimization, and ClearPass, which we’ve historically deployed to manage our guest access.


But, when the initiative began, we’d not yet determined whether to continue using our existing 6000 series controllers and ArubaOS 6.x or upgrade our controllers and operating system, too.


As we proceeded, a decision to deploy Aruba’s AP-315 Wave 2 access points in three newly-constructed academic buildings changed our course. We learned modernized controllers were required, which led to purchasing three 7220 Mobility Controllers. At this point, adopting ArubaOS 8 just made sense.


This is where the lemonade comes in. The elegance of ArubaOS 8’s re-designed UI and hierarchical architecture for improved WLAN control, RF management, resiliency and other benefits were immediately apparent as we began our operating system refresh, which went live last August.




ArubaOS 8 Supplies Automation from the Start


To gain high availability, our environment includes a clustered deployment of three 7220 controllers for seamless failover along with a MobilityMaster virtualized appliance deployed using VMWare ESXi.


But, during testing, we used a smaller 7030 Mobility Controller to develop our WLAN environment. During that process, we discovered that every single configuration we completed in testing and, with just a few clicks, could be promoted into production. Then, MobilityMaster would automatically apply all of them to the new controllers – even though we hadn’t installed the new controllers yet.


Not only did ArubaOS 8 eliminate the tedious and error-prone process of re-keying test configurations into the production environment, it also provides a streamlined and centralized view of our entire controller environment. In addition, with configurations managed centrally, we can make production changes at the top of the hierarchy and MobilityMaster flows them throughout.


Manual Load Balancing? Gone.


As if this weren’t exciting enough, the latest Aruba operating system solves another long-standing problem: How to load balance Wi-Fi controllers when building utilization fluctuates dramatically from day to night.


If you work in higher education, particularly on residentially centric campuses like ours, you understand the magnitude of the issue. Unless you dedicate a staff person to load balancing controllers 24/7, no amount of manual configuration can completely compensate.


The best you can hope for is pairing certain academic buildings with certain residence halls, which still requires reviewing and tweaking the configurations on a regular basis. It’s by no means a difficult assignment, but it certainly saps productivity and reduces the amount of time that can be spent on mission-critical projects.


With ArubaOS 8, that’s all gone because the AP and user load balancing capabilities in MobilityMaster automatically balances the load for us. Now, instead of one controller getting hammered, while another is underutilized, each controller is maximized with plenty of bandwidth to spare.


In addition, Aruba’s new AirMatch capability uses machine learning to dynamically optimize our entire WLAN, across all of our 80 buildings, for vastly improved performance management.


Dramatic Performance Gains, Everywhere


Of course, the proof is in the lemonade tumbler, so to speak.


In addition to expected gains in facilities updated to Gigabit Wi-Fi, the positive effects of the operating system are even being experienced in buildings where we’ve yet to upgrade. In such locations, we’re seeing a minimum of double the performance over ArubaOS 6.x.


That’s right. Double the performance in buildings with the same APs, and the same AP density, as before.


Most importantly, our educational gains are numerous. One that stands out is the improvements to AirGroup, which smooth the operation of wirelessly connected devices.


For example, our faculty members and students rely on Apple TVs for presentations along with Solstice Pods for screen sharing. AirGroup’s enhancements make using both technologies seamless, ensuring participants can focus on collaborative education rather than getting the technology to work.


In residence halls, AirGroup assists us with easily limiting access to personal gear, IoT and otherwise, to a specific device’s owner. We’ve received a wealth of positive feedback from students for sparing them the heartburn of opening up their equipment to everyone on the network.


Our Management Go-Tos: ClearPass & AirWave


We also appreciate how ClearPass and AirWave work hand-in-hand with ArubaOS 8. This trifecta provides us with the ability to granularly determine, manage and troubleshoot every AP, Chromecast, PlayStation and a botanical sensor connected to our network.


In addition to securing our guest network, ClearPass enforces policies around the various IoT devices our students and faculty bring to campus. In the future, we’ll definitely consider deploying other ClearPass network access control capabilities.


Reducing Downtime, Increasing Security & Adding Engagement


What’s ahead for us with ArubaOS 8 is easily as impressive.


To start, we’re looking forward to the ArubaOS 8’s Live Upgrade capability, which enables upgrading to the latest OS with minimal downtime. As faculty and students use our Wi-Fi around the clock for education, research and leisure, anytime there’s downtime, someone is affected.


With Live Upgrade, we can accommodate everyone’s always-on connectivity needs and get some sleep at night, too.


Further, we’re eyeing ArubaOS 8’s MultiZone feature for creating a separate environment to help manage and secure the exploding number of IoT devices on campus.


In addition to student-owned devices, our professors are developing various research projects that will incorporate IoT as critical to their work. This could make segregating such devices with MultiZone a use case for us.


Beyond infrastructure operations, we can now consider extending new experiences to our community and guests by leveraging the BLE Beacons incorporated into Aruba’s latest generation of APs.


With our entire campus renowned for doubling as an arboretum, Aruba’s mobile engagement technologies could enable us to provide self-service information about botanical, geological and other features with our own app. It’s definitely a capability that’s on our radar screen.


The Sky’s the Limit


Most importantly, our institution is no longer constrained by legacy connectivity, which means we can deliver on our community’s continuously escalating expectations.


This includes supporting any device that anyone brings to campus. Unlike institutions with WLANs that require publishing lists of compatible and incompatible gear, we take great pride in saying all devices are welcome here.


In short, if your organization is lagging in the adoption of ArubaOS 8, we’ve only one question for you. What are you waiting for?


Ready to go deeper?

Watch ArubaOS 8 - The Smartest Operating System for Today's Mobile Workplace


Michael Hushen is the Network Engineer at Swarthmore College, an elite liberal arts intuition recognized for its tradition of co-educational and social justice leadership since its founding in 1864. Approximately 95% of the institution’s 1600 students live on its 425-acre arboretum campus, which features a creek, woodlands and hiking trails located 11 miles from Philadelphia. Notable Swarthmore alums include the first American woman Ph.D. holder Helen Magil, contralto singer Marian Anderson, Hull House founder Jane Addams, U.S. presidential nominee Michael Dukakis and entrepreneurs like Eugene Lang, founder of REFAC Technology Development.

Six Questions to Ask When Choosing a Cloud-Managed Network

Wed, 11/29/2017 - 10:00

There are a lot of reasons why so many organizations are moving to cloud-managed networks. It not only reduces the burden on IT staff but also allows businesses to shift from a CapEx model to an OpEx model so costs are spread out over time. Plus, you always have the latest network capabilities, and someone else is responsible for performing those late-night upgrades.


But which cloud-managed network solution is the best fit for your business? Here are the key considerations.  


  1. What’s included in the cloud-managed network solution? Your users expect anywhere, anytime connectivity from all of their mobile devices, without fail. Plus, organizations are increasingly using security cameras, smart thermostats and other Internet of Things (IoT). You need a cloud-managed network solution that will stand up to today’s unrelenting demands of mobility and smart devices.

    With cloud-managed networks, you still have access points (APs) and wired switches in your offices, but all of the setup and ongoing management is done from a web browser or mobile app.
  • Access points: You should be able to mix and match different APs in your offices, schools or campus to meet your performance, density and budget requirements, both indoors and outdoors. More importantly, be sure to ask if the APs automatically optimize the RF performance so that all smartphones, tablets and other wireless devices get the excellent service they need.
  • Switches: You should be able to select business-quality wired switches designed for digital workplaces and optimized for mobile users that make the most sense for you. Don’t get locked into a bundle with consumer-grade or legacy switches.
  • Management: Once you choose the right APs and switches, you can manage your network from any device using a browser or mobile app. Either way, the user interface should not only be intuitive and visually appealing but also easy for people with different levels of tech expertise to use. More importantly, can it give you detailed information about AP health and CPU utilization when needed for faster troubleshooting?


  1. Is your investment protected? Business priorities change fast these days, and you need to be prepared for the inevitable. What happens if your company gets acquired—or if you are acquiring a company? Your cloud-managed network solution should have a flexible architecture that easily adapts to your needs. Make sure the APs you choose can operate either in a controller-less architecture or be managed by a mobility controller, with a simple software change. And that both your APs and switches can be managed by an onsite management tool if your business or a new CTO dictates changing the architecture—without having to rip and replace all your hardware investment.


  1. How reliable is the cloud-managed service? Business continuity is a prime reason to move to cloud-managed networks. But the harsh reality is that outages happen—even to the best providers. What happens to your business when your internet’s down? You have bigger problems to chase, don’t let network management be one of them. Also, what happens when your subscription expires? Ask your prospective vendors probing questions to determine if—and how much—of your network could be compromised. Will your offices still have Wi-Fi, or will they go completely dark?


  1. How are users protected from inappropriate content and malicious threats? Content filtering and firewall capabilities should be built into the cloud-managed network. You shouldn’t need to buy extra appliances or licensing to gain control over which applications are allowed on the network and to prevent users from viewing inappropriate web content. Dig deeper into the application filtering capabilities to ensure that they’re intuitive and don’t leave you sorting through hundreds of unidentified applications.


  1. Is it easy to remedy the “the Wi-Fi is broken” complaint? Users get frustrated when they can’t get to their cloud apps or a website. Your cloud-managed network should give you immediate insight into what’s causing the problem. Maybe there are problems with DHCP or DNS queries, client association with the APs or the captive portal isn’t working. Knowing where to start troubleshooting helps you resolve incidents faster—and keeps people productive and happy.


  1. Does the network provide presence analytics? Wi-Fi can reveal insights that help you run your business better. A retailer, for example, can use presence analytics to shed light on how many shoppers are entering the store at different times of the day and where they go to the store. They can use that data to make decisions about merchandising, staffing, store layout and marketing offers. A cloud-managed network should be able to detect the presence of mobile devices and analyze traffic patterns (while ensuring the users’ full privacy, of course).



Ready to Go Deeper?


Aruba Central is a simple, secure and cost-effective way to manage and monitor Aruba Instant APs and switches. You can get your wired and wireless networks up and running in minutes with Zero Touch Provisioning. And you can manage it all from the intuitive Aruba Central mobile app. Plus, Aruba Central has advanced capabilities like customizable guest Wi-Fi, Aruba Clarity so you can foresee connectivity issues and presence analytics for smarter decision-making.


Watch the Aruba Central video.


Read “3 Reasons Cloud-Managed Networks are in Your Immediate Future” by my colleague Ed Wright.


Already convinced that Aruba Central is right for your business? Test drive Aruba Central for 90 days.

The Keys To Why Aruba Central Makes Sense Today

Tue, 11/28/2017 - 10:00

Why now? Well, for one, a cloud-managed network allows you to cut the unnecessary time and resources spent on running your network. Think about it, no servers to buy, and no need to perform upgrades or install bug fixes. You get a reliable business-grade network without the complexity, and users experience the coverage expected, without the stress of being short-staffed. Finally, you can help improve business processes by tapping into valuable network analytics that can help everyone from marketing to the facilities team.


What it comes down to is an understanding of why cloud-managed networking is right for you. Let’s take a look at those key benefits.


  1. Simple zero-touch provisioning. It’s an efficient way to cut infrastructure configuration, ensure accuracy and speed deployment.


  • Pre-shipment efficiency: An infrastructure that has been tested to ensure error-free deployment configurations.


  • Worry-free downloads: When it’s time to deploy the equipment, manual intervention is eliminated with the use of wired and Wi-Fi configurations pulled from the cloud.


  • Fast and cost-effective deployments: Allows the business to use Tier 1 network engineers or less experienced staff to rack and stack equipment.


  1. Simple-to-use dashboard. A GUI that’s intuitive allows for the monitoring of infrastructure, clients, apps and rogue wireless access points, with reliability and ease. The best part, this reduces the time sitting in front of a screen. We’ve designed Central for varied levels of expertise and when you run into a problem, the contextual help per page provides the visibility to get the job done. Central also supports dual-factor authentication, for the ability to tightly control administrative rights and user visibility based upon roles.


  1. Wi-Fi equipment that performs. Indoor and outdoor access points that offer enterprise features without the need for controllers, whether there’s cloud access or not. Features that include built-in RF management, stateful firewalls, traffic shaping, smart endpoint roaming, and Microsoft Skype for Business prioritization. And flexible performance and price range options that fit any business need. Aruba Instant APs fit the bill.


  1. Services for improving IT and user experiences. Guest Wi-Fi that provides visually appealing captive portals, registration choices, and control options. And a service for measuring connectivity analytics, which includes live monitoring of wireless access and authentication, along with health score trending and the ability to automatically identify root cause issues. Lastly for now, Wi-Fi-based presence monitoring, with customizable conversion metrics, insights across locations and times, and no requirement for devices to actually connect to an AP.


Ready to Take the Next Step?


Aruba Central offers a simple, secure and cost-effective way to manage and monitor Aruba Instant APs and Aruba switches. You end up with all of the enterprise-grade management and monitoring you’ll need, along with analytics for helping the business make smarter business decisions, and guest Wi-Fi that’s mobile and IT-friendly.


And since the goal is not to sit in front of network management monitor, you can also get to your network from anywhere with the Aruba Central mobile app.


Listen to the webcast for more - Key Benefits of Moving to a Cloud Managed Network.


And check out the Aruba Central datasheet for solution details.


Already convinced that Aruba Central is right for your business? Test drive Aruba Central for 90 days.

What’s New in Aruba Instant? More Predictability, Better Visibility, More Choices

Mon, 11/27/2017 - 17:42

With our most recent Aruba Instant OS releases, customers now have the ability to make the network more predictive, offer asset tracking, and deliver a better user experience with end-to-end connectivity monitoring and a unified communications and collaboration (UCC) health dashboard. We also have expanded our Instant portfolio with new competitively priced Unified APs for hospitality, branches and outdoor deployments. Let’s take a deeper look.


More predictability for always-on connectivity


Today, when users are connected to Wi-Fi and can’t access a web page or the guest portal, they automatically assume it is a Wi-Fi problem. The reality is that mobile connectivity issues might not be related to wireless or RF issues at all. Being able to quickly identify where the issues lie goes a long way in keeping your users happy. 


With Clarity Live monitoring, IT staff now has visibility into non-RF metrics. Not only do IT staff have end-to-end visibility into a wireless user’s experience, but also they can foresee connectivity issues before users are impacted.


The new Connectivity Analytics dashboard in Aruba Central gives customers valuable insights into how quickly clients associate, authenticate and roam on the network, and whether DHCP or Radius server response times are slow causing user connectivity issues.


Asset tracking for high-value assets


Aruba Instant can now monitor Bluetooth Low Energy (BLE) asset tags to track the location of time-sensitive, high-value assets embedded with BLE tags.


Using tags to track and find high-value assets is quick and easy. BLE-based Aruba Tags work with your existing Aruba BLE-enabled Instant APs, so there’s no need for a dedicated network of tag readers.


Configuring the tags with the Aruba asset tracking mobile app is easy. Simply scan the QR code on the back of the tag and enter the relevant data to create a real-time database of assets. The Aruba Tags will periodically report their location via the BLE beacons in the Wi-Fi access points. Best of all, with an Aruba Wi-Fi infrastructure and standard mobile devices, customers can have a solution working in days.


Better visibility for enhanced mobile collaboration


More app control and visibility is a popular topic for IT administrators. With built-in AppRF, Aruba Instant leverages heuristics to differentiate Skype for Business voice, video and desktop sharing from other application streams to prioritize Skype for Business voice and video traffic and ensure a superior end-user experience. In addition, Instant now supports SDN OpenFlow protocols, which enables the Instant APs to send heuristics, clickstream and location information to Aruba Central (currently in beta) to provide UCC visibility.


More choice with new Unified APs for hospitality branch and outdoor environments

The Aruba AP-303H, AP-203H, AP-203R and AP-360 Series are new Unified APs that support both controller-less (Instant) and controller-managed modes. Unified APs offer enhanced flexibility by allowing customers to choose one mode first and switch to the other as network requirements change.


The Aruba AP-203H and AP-203R provide a cost-effective wireless solution for hospitality, branches or remote workers. They are software configurable to operate in 2X2 single radio or 1X1 dual-radio mode, offer Gigabit Ethernet ports for secure wired connectivity and have a USB port for BLE location-based services.


The Aruba AP-303H combines wireless and wired access in a single compact device. It offers three local Gigabit Ethernet ports to securely attach wired devices and can supply Power over Ethernet (PoE) for IP-enabled devices. An integrated Bluetooth Aruba Beacon simplifies the remote management of a BLE Aruba Beacons network for advanced location and indoor wayfinding applications


The Aruba AP-360 Wave 2 APs offers cost-effective outdoor wireless connectivity for harsh outdoor environments offering 2x2 MIMO and an integrated built-in Bluetooth Low-Energy (BLE) radio for location-based services. 


Learn more about Aruba Instant and Aruba solutions for SMB.


Like this blog? Share it on social media or like it using the buttons below.










Corporate Campus Mobile App Checklist

Mon, 11/27/2017 - 10:17


Are employees and management asking for a mobile experience? With almost everyone tied to a smartphone today, more and more corporate organizations are considering employee-only mobile apps. The idea is to put the Intranet and more in the palm of an employee’s hand so that wherever they are, they’re always connected. But, along with the benefits, come challenges. 


Limiting Access to Just Internal Staff


There are a number of ways to distribute an app, but I’ll cover what I think are the best two methods. At Aruba, we’ve published our app to the public Apple and Google stores for employees to download. Once downloaded and started, employees, are expected to enter their login and password in the app to actually use it. Because we’re using single sign-on (SSO) that leverages Aruba ClearPass (yes, you can use something similar) and Microsoft Active Directory, this ensures that only active employees have, and continue to have access.


Other companies distribute their app directly to employees via mobile device management (MDM) like MobileIron, Intune, or AirWatch. Using MDM with a corporate app has the added benefit of keeping the app securely out of public view, but it creates an additional step when deploying the app to a large number of employees.


Securing the Data within an App


The second thing to consider is what data, like the maps of a location, you will allow someone to potentially see. Most organizations prefer not to share the maps of their buildings with non-employees. The goal is to ensure that your mobile app supports a secure HTTPS method for accessing sensitive data. In addition to maps, this extends to internal information like employee contact lists, product information, and more.


Adding Location Services


Speaking of maps, the ability to build in dynamic wayfinding and opted-in location sharing within an app can greatly increase its value and use. A majority of users will keep Bluetooth running on their devices, which lets you leverage our Meridian AppMaker and SDKs, Bluetooth Low Energy (BLE) Beacons in our APs and standalone versions.


Getting Started


In summary, make sure your corporate campus app has:


  • Limited access via SSO linked to Active Directory
  • HTTPS transmission of all map and internal data
  • Indoor location with turn-by-turn directions to placemarks
  • The ability to find coworkers that have opted to share their location

Meridian AppMaker supports all of these capabilities and can be deployed in a matter of weeks for both iOS and Android devices. Alternatively, if a company wants to build its own custom app, the Meridian SDK supports these capabilities. Using this approach opens the door to unlimited possibilities like conference room booking or location-aware notifications in emergency situations.



With either approach, employee-facing mobile apps that put the power of a location-aware Intranet in the palm of employees’ hands will soon become ubiquitous. If your company decides to offer one, make sure you take the above steps to ensure it’s secure and provides significant value.


Learn more about Meridian AppMaker.


Is your organization considering creating a mobile app for employees? Tell us in the comments below.


Change the Management VLAN for Aruba Instant

Thu, 11/23/2017 - 02:51

Aruba Instant is a very simple and easy to use WLAN solution. In some projects, I have the situation, that users are placed in VLAN 1. Which is easy with Aruba Instant. But unfortunately, VLAN 1 is the default management VLAN and the AP itself should not be placed in VLAN 1. This was impossible in the past but is very easy now. You can change the management VLAN for Aruba Instant and you can use VLAN 1 for your users.

Change the Management VLAN: Untagged on the Uplink

In the past, you configured the management IP for the Instant AP. This IP was always in VLAN 1 untagged. This is fine when you do not need VLAN 1 for clients. If you do, you need to have the management IP in a different VLAN. This is possible in Instant for some time now. I did this test with the latest and greatest version available. But the feature is included in Instant since version 4.3.0.

The first step is to change the uplink VLAN. The IAP consider VLAN 1 as the native (untagged) VLAN for the uplink. To change this, log into the IAP and go to "System":I changed the "Uplink switch native VLAN" to 10. VLAN 10 is my management VLAN in this scenario. And with the default settings, you are done so far, as the IAP assume the management VLAN untagged with default settings. From Wireshark, you can see that the "Virtual Controller IP" is untagged on the uplink:I'm doing a ping from the switch to the controller. No VLAN tags at all.

Change the Management VLAN: Tagged on the Uplink

Now, let's assume, you need the management VLAN tagged on the uplink. This is possible as well. In the scenario above, I have used VLAN 10 for the management and put this untagged on the uplink.

This time, I use VLAN 100 for the management. VLAN 10 is still untagged on the uplink. To change the management VLAN to VLAN 100 and get the VLAN tagged on the port log into the IAP and select one of the IAP's in the cluster. Click the "Edit" link and select the "Uplink" for the IAP:You can define the management VLAN with the "Uplink management VLAN" setting. If this setting is different to the "Uplink switch native VLAN", the management VLAN is tagged on the uplink. In my case, it is VLAN 100. After adopting the switch configuration you can see the use of VLAN 100:As you can see from the screen above, the ping from the switch to the IAP is now tagged in VLAN 100. Let's recap where we are so far. The IAP use VLAN 10 native on uplink and VLAN 100 tagged on the uplink for management. VLAN 1 is not used at all. Which is always my recommendation. But for a complete picture, I use VLAN 1 as an egress network for an SSID.  I do the same for VLAN 10. Just to make sure, it is still untagged. VLAN 1:If a client connects to this SSID, the traffic is tagged with VLAN 1 on the Uplink:As you can see, the DHCP request is tagged with VLAN 1. And the same for VLAN 10:And the Wireshark trace:No VLAN tag for the DHCP request. This is the expected behavior as VLAN 10 is the native (untagged) VLAN on the uplink.

From the post above you see that it is very simple to change the management VLAN for the IAP and change the untagged VLAN to a different VLAN than VLAN 1.

Do you use VLAN 1 in your environment? Please let me know why or why not. Other questions or feedback is highly appreciated as a comment below.

CISO’s Guide: Introduction to Machine Learning for Cybersecurity

Tue, 11/21/2017 - 10:00

Cybersecurity has long been a boardroom discussion, and the potential use of artificial intelligence to detect attacks that have evaded traditional security defenses should be added to the agenda. This blog is the first in a series to introduce chief information security officers (CISOs) and other security leaders to the possibilities of using machine learning and user entity behavioral analytics (UEBA) to detect cyber attacks faster—and before lasting damage is done. In this first blog, we explain the overall situation and why machine learning can help.


In days past, threats to the business most often came from the outside through a perimeter that could easily be defended. But things have changed. Organizations face challenging new threats coming from attacks that have reached inside— compromised users, negligent employees and malicious insiders. This, in turn, makes it much more challenging for CISOs and security leaders to successfully protect the organization.


Nuance Matters


One of the central problems is that most of the security products used by the vast majority of companies look at the world in binary terms: Traffic is bad or good, files are infected or not, users are authorized or blocked. While these approaches have historically proved effective in many circumstances, today, these “black and white“ checkpoints are becoming more and more permeable.


Once inside an organization, free from fears of being readily caught, targeted attacks can leisurely surveil, probe and exploit an organization by bypassing the traditional defenses. To identify these “low and slow” threats, security approaches have to deal with the world of “gray”—small signals that must be detected, put in context over time and added up to indicate pending harm. These targeted attacks may pace themselves, taking tiny steps. Most attackers are all too aware of the arsenal of tools designed to find telltale attack signatures.

Adding to this nuanced puzzle is that CISOs must keep in mind that detecting these attacks requires the ability to not only understand what is different but also to make a decision about whether “different” means “deadly.” Anomalous doesn’t always mean malicious. Employees change jobs, locations and work habits all the time. Analysts already see too many false positives, and to alert on every small change is overwhelming and impractical.


Choosing the Best Tool


So, what to do? How can CISOs stand a fighting chance? Enter machine learning. Machine learning is one of the most powerful tools a company can use to detect these types of inside attacks before they do damage.


Machine learning is a form of artificial intelligence (AI) that learns and makes judgments without needing to be explicitly programmed for every scenario. Unlike signature-based products, machine-learning models learn from data. They are capable of providing a probabilistic conclusion, which can then be converted into a binary signal of “good or bad.” The likelihood of a decision being accurate can be interpreted as a measure of confidence in that conclusion.


Machine learning is a core capability in the product category that Gartner calls user and entity behavioral analytics (UEBA) and forecasts a healthy 48% compound annual growth rate from 2015 to 2020.


UEBA solutions can be used on their own or add value across the security ecosystem. UEBA leverages the same logs that a security information enterprise management (SIEM) like ArcSight, Splunk or QRadar collects, which means that the investment a company made for IT operations and compliance can be easily extended to produce additional value in terms of precision attack detection and accelerated incident response.


Learn More


In our next blog, we’ll dive into the principles of machine learning.


Ready to learn more? Download the CISO’s Guide to Machine Learning and User Entity Behavioral Analytics e-book now. 


Like this blog? Give it a thumbs-up or share it on social media using the buttons below.


Join the discussion: Tell us your biggest cybersecurity challenges in the comments below.