ArubaOS Operating System Software: Designed for Scalable Performance


ArubaOS Operating System Software Aruba Data Sheet

ArubaOS Operating System Software
Designed for Scalable Performance

ArubaOS is the operating system and application engine for all Aruba Mobility Controllers and wireless LAN (WLAN) access devices. The software architecture of ArubaOS is designed for scalable performance, and is built using three core components.

First, a hardened, multicore, multithreaded supervisory kernel manages administration, authentication, logging and other system operation functions. Second, an embedded real-time operating system powers dedicated packet-processing hardware, implementing all routing, switching and firewall functions. Third, a programmable encryption/decryption engine built on dedicated hardware delivers client-to-core encryption for wireless user data traffic and software VPN clients.

ArubaOS comes with an extensive set of capabilities. Aruba's Adaptive Radio Management (ARM) technology employs infrastructure-based controls to optimize Wi-Fi client behavior and automatically ensures that Aruba access points (APs) stay clear of interference, resulting in a more reliable, higher performance WLAN infrastructure.

To protect wired network resources from wireless threats, ArubaOS delivers the industry's leading integrated rogue AP classification and containment solution.

Optional software modules are also available for added functionality and are enabled through license keys. Optional modules include the Aruba Policy Enforcement Firewall (PEF), RFProtect wireless security and spectrum analysis capabilities, Advanced Cryptography for military-grade Suite B encryption, and xSec advanced Layer 2 encryption. Aruba's Virtual Intranet Access (VIA) software client enables secure IPSec VPN connectivity back to corporate resources for road-warriors when they are away from the office.

Enabling a unified access architecture

Access layer networks of the past fifteen years were not built for the mobility and security requirements of today's distributed enterprises. Traditionally, networks were built with a focus on Ethernet ports and physical locations, rather than the user or device connecting to the network. Consequently, the addition of secure mobility to such networks becomes overly complex and costly, often requiring large-scale equipment upgrades.

Aruba's Mobile Virtual Enterprise (MOVE) architecture allows any user, regardless of physical location, whether wired or wireless, to securely access the enterprise network with an always-on, consistent experience. Uniform security and access control policies are applied to users in headquarters, branch offices, home offices, or on the road. Users and devices join the enterprise network through simple lightweight access devices or software, which securely and automatically connect to an Aruba Mobility Controller installed in the enterprise network core. The Mobility Controller, powered by ArubaOS, directly controls Aruba access devices and access software, managing their software image, configuration, user connection state, and policy enforcement. The entire network is managed by Aruba AirWave, which provides IT staff with unmatched visibility and control of network users and infrastructure.

Flexible and adaptable architecture

Network design with Aruba is not a one size fits all approach. Some organizations need pervasive Wi-Fi, while some are purely wired. Branch offices have different requirements than corporate headquarters. And even within a corporate campus, some organizations value a centralized traffic forwarding model where all network traffic flows to the data center, while other organizations need a more distributed approach. The unparalleled flexibility enabled by ArubaOS permits all these permutations and more, adapting the network to the requirements of the organization rather than dictating rigid design specifications.

Unified Access Architecture



User Connectivity Method:
  Enterprise-grade secure Wi-Fi
  Wired Ethernet
  VPN remote access
Access Point Connection Method:
  Private or public IP cloud
    -- Ethernet
    -- Wireless WAN (EVDO, HSDPA, etc.)
  Wi-Fi mesh (point-to-point or point-to-multipoint)
Traffic Forwarding:
  Centralized - All user traffic flows to Mobility Controller
  Locally bridged - All user traffic bridged by access device to local LAN segment
  Policy-routed - User traffic selectively forwarded to Mobility Controller or bridged locally, depending on traffic type/policy
Wi-Fi Encryption:
  Centralized - All user traffic encrypted between client device and Mobility Controller
  Distributed - User traffic encrypted between client device and access point
  Open - No encryption
Integration with Existing Networks:
  L2 or L3 integration - Mobility Controllers can switch or route traffic on a per-VLAN basis
  Rapid Spanning Tree enables fast L2 convergence
  OSPF enables simple integration with existing routing topologies

Enterprise security framework

To secure the enterprise network, ArubaOS performs authentication, access control, and encryption for users and devices. Network authentication delivers greater access security, but retrofitting authentication onto existing wired networks is often extremely complex and expensive. In Aruba's MOVE architecture, authentication is a standard component and can be implemented for both wired and wireless networks. For wired networks, 802.1X is the industry-standard method of authentication. For wireless networks, 802.1X authentication is one component of the WPA2 and 802.11i protocols widely recognized as state-of-the-art for wireless security.

ArubaOS uniquely supports AAA FastConnect, which allows the encrypted portions of 802.1X authentication exchanges to be terminated on the controller where Aruba's hardware encryption engine dramatically increases scalability and performance. Supporting PEAP-MSCHAPv2, PEAP-GTC, and EAP-TLS, AAA FastConnect removes the requirement for external authentication servers to be 802.1X-capable and increases authentication server scalability by permitting hundreds of authentication requests per second.

For clients without WPA, VPN, or other security software, Aruba supports a Web-based captive portal that provides secure browser-based authentication. Captive portal authentication is encrypted using Secure Sockets Layer (SSL), and can support both registered users with a login and password or guest users who supply only an email address.

The optional ArubaOS Policy Enforcement Firewall (PEF) license may be added for enhanced user-centric security. Without the PEF license, a user or device may be mapped to a particular VLAN based on the port or wireless SSID from which a user connects to the network. Once the user has been mapped to a particular VLAN, external firewall systems or routers are typically used to provide basic access controls. PEF enhances access security by adding full identity-based security with integrated firewall controls applied on a per-user basis. This allows ArubaOS to create a security perimeter around each user or device, tightly controlling how that user or device may access enterprise network resources.

Governments and other organizations that require additional security may add the optional ArubaOS Advanced Cryptography (ACR) module. ACR brings military-grade Suite B cryptography to Aruba Mobility Controllers, enabling user mobility and secure access to networks that handle classified information. Approved by the U.S. National Security Agency (NSA), Suite B improves performance, eliminates unwieldy workflows and strict handling requirements, allows interoperability, and supports commercially available devices, all at a fraction of the cost of previous-generation cryptographic methods.

Authentication Types:
  IEEE 802.1X (EAP, LEAP, PEAP, EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, EAP-POTP, EAP-GTC, EAP-TLV, EAP-AKA, EAP-Experimental, EAP-MD5)
  RFC 2548 Microsoft Vendor-Specific RADIUS Attributes
  RFC 2716 PPP EAP-TLS
  RFC 2865 RADIUS Authentication
  RFC 3579 RADIUS Support for EAP
  RFC 3580 IEEE 802.1X RADIUS Guidelines
  RFC 3748 Extensible Authentication Protocol
  MAC Address authentication
  Web-based captive portal authentication
Authentication Servers:
  Internal database
  LDAP/SSL Secure LDAP
  RADIUS
  TACACS+
  Authentication Server Tested Interoperability: Microsoft Active Directory, Microsoft IAS RADIUS Server, Microsoft NPS RADIUS Server, Cisco ACS Server, Juniper/Funk Steel Belted RADIUS Server, RSA ACEserver, Infoblox, Interlink RADIUS Server, FreeRADIUS
Encryption Protocols:
  CCMP/AES
  WEP: 64 and 128 bit
  TKIP
  Secure Sockets Layer (SSL) and TLS: RC4 128-bit and RSA 1024- and 2048-bit
  L2TP/IPsec (RFC 3193)
  XAUTH/IPsec
  PPTP (RFC 2637)
Programmable Encryption Engine: Yes - permits future encryption standards to be supported through software updates
Web-based Captive Portal (SSL): Yes
Integrated Guest Access Management: Yes
Site-to-Site VPN: Yes - IPsec tunnel establishment between Mobility Controllers and other IPsec-compliant devices. Authentication support for X.509 PKI, IKEv2, IKE PSK, IKE aggressive mode.
An architecture for seamless mobility

Enterprise users increasingly require network access while moving from location to location, whether that be from a classroom to a library, a cubicle to a conference room, from headquarters to a branch office, or from the office to a user's home. Mobility should be a seamless experience for the user, whether it is Wi-Fi roaming without loss of voice sessions or roaming from the office to home with no change in logon procedures or access experience. When the access network is unified under Aruba infrastructure, users experience consistent network services that just work.

For Wi-Fi networks, ArubaOS provides seamless connectivity as users move throughout the network. With roaming handoff times of 2-3 milliseconds, delay-sensitive and persistent applications such as voice and video experience uninterrupted performance. ArubaOS integrates proxy Mobile IP and proxy DHCP functions letting users roam between subnets, ports, APs, and controllers without special client software. And with VLAN pooling, user membership of VLANs is load-balanced to maintain optimal network performance as large groups of users move about the network.

Aruba's unified access architecture also extends the enterprise to remote locations, over private WANs or using the public Internet, giving users the same access experience regardless of location. And to address users who are away from enterprise network infrastructure, Aruba Mobility Controllers also operate as standard VPN concentrators, linking remote users into the same access and security framework as other enterprise users. With Aruba, there is no longer any need to build separate access networks for each work location; a unified access architecture treats all locations the same.

Fast Roaming:
  2-3 msec intra-controller
  10-15 msec inter-controller
Roaming Across Subnets and VLANs: Sessions do not drop as clients roam throughout the network
Proxy Mobile IP: Establishes home agent/foreign agent relationship between controllers automatically
Proxy DHCP: Prevents clients from changing IP address when roaming
VLAN Pooling: Load balances clients across multiple available VLANs automatically

Enterprise-grade adaptive wireless LANs

Aruba's ARM technology takes the guesswork out of AP deployments. Once APs are brought up, they immediately begin monitoring their local environment for interference, noise, and signals being received from other Aruba APs. This information is reported back to the controller, which is then able to control the optimal channel assignment and power levels for each AP in the network, even where 802.11n has been deployed with mixed HT20 and HT40 channel types.

Advanced ARM features dynamically adapt the infrastructure to ensure optimal network performance in today's challenging heterogeneous client environments. With 802.11n in widespread use, users have an expectation of high performance, even in crowded areas such as lecture halls. ARM ensures high performance and multi-media QoS through techniques such as band steering, which moves dual-band clients out of the crowded 2.4 GHz band, and Airtime Performance Protection, which prevents slower clients from bringing down performance of the entire network. Where dense user populations exist, ARM's Airtime Fairness provides equal RF access across multiple client types and across multiple client operating systems. Finally, in areas with dense AP coverage, ARM ensures the optimal use of each channel through automatic channel load balancing and co-channel interference mitigation.

ARM can be used in conjunction with the optional Aruba RFProtect module spectrum analyzer. While ARM optimizes client behavior and ensures that APs stay clear of interference, the spectrum analyzer utilizes Aruba 802.11n APs to remotely identify and classify Wi-Fi and non-Wi-Fi sources of interference.

Using Aruba 802.11n APs to scan the spectral composition of 2.4-GHz and 5-GHz radio bands, the Aruba RFProtect spectrum analyzer remotely identifies RF interference, classifies its source and provides real-time analysis at the point of the problem.

Data collected by the Aruba RFProtect spectrum analyzer is used to quickly isolate packet transmission problems, ensure over-the-air QoS and mitigate traffic congestion caused by RF contention with other devices operating in the same band or channel. Appropriate remediation measures can then be put in place to optimize network performance.

Once the network is deployed, the Aruba system provides a real-time, color heatmap display of the RF environment showing signal strength, coverage and interference. Through tight integration with AirWave VisualRF, WLAN coverage and capacity planning can be automated, precluding the need for frequent and expensive manual site surveys.

ArubaOS collects aggregate and raw wireless statistics on a per station, per channel and per user basis. All statistics can be recorded and analyzed through AirWave, and are also available via SNMP for easy integration into third-party management or analysis applications. Live packet capture is available that can turn any Aruba AP or Air Monitor into a packet capture device, able to stream real-time 802.11 frames back to monitoring stations such as WireShark or WildPackets OmniPeek. With this detailed information, administrators can quickly troubleshoot user problems, determine top wireless talkers and diagnose congested APs.

To protect against unsanctioned wireless devices, Aruba's rogue AP classification algorithms allow the system to accurately differentiate between threatening rogue APs connected to the network and nearby interfering APs.

Once classified as rogue, these APs can be automatically disabled through the wireless and wired network. Administrators are also notified of the presence of rogue devices, along with their precise physical location on a floorplan, so they can be promptly removed from the network. Rogue AP classification and containment is available within base ArubaOS and does not require additional Mobility Controller licensing.

For comprehensive wireless intrusion protection (WIP), the RFProtect module for Aruba Mobility Controllers enables protection against ad hoc networks, man-in-the-middle attacks, denial-of-service (DoS) attacks and many other threats, while enabling wireless intrusion signature detection.
TotalWatch, an essential part of the RFProtect WIP capability, delivers the industry's most effective WLAN threat mitigation. It provides visibility into all 802.11 Wi-Fi frequencies at 5-MHz increments, including in between channels, monitors the 4.9-GHz frequency band and automatically adapts wireless security scanning intervals on APs based on data availability.

Tarpit containment is another vital RFProtect WIP feature. With tarpit containment, Aruba APs respond to probe requests from rogue devices with fake BSSIDs or channels. The rogue device then associates with that fake info and fails to push any traffic. User interaction is then required to get the rogue device connected again.

ArubaOS includes advanced location visualization and tracking of 802.11 devices. RF signature-based location triangulation allows administrators to physically locate any 802.11 user or device within one meter of accuracy. With Aruba's real time location tracking (RTLS) capabilities, multiple devices can be continuously located and tracked simultaneously. The location of devices can be displayed on building floorplans to network administrators through the AirWave Management Platform, or linked to outside systems through a simple application programming interface (API).

Adaptive Radio Management (ARM): Automatically manages all RF parameters to achieve maximum performance
802.11n HT20 and HT40 Support: Manages spectrum for all 802.11n networks
Client Band Steering: Keeps dual-band clients on optimal RF band
Self-Healing Around Failed APs: Automatically adjusts power levels to compensate for failed APs
Airtime Fairness: Guarantees performance in high-density environments
RF-Spectrum Load Balancing: Evenly distributes clients across all available channels
Airtime Performance Protection: Prevents low-speed clients from slowing down high-speed clients
Single-Channel Coordinated Access: Ensures optimal performance even with nearby APs on the same channel
RF Plan: Automatic pre-deployment modeling, planning and placement of APs and RF monitors based on capacity, coverage and security requirements
Coverage Hole and Interference Detection: Detects clients that cannot associate due to coverage gaps
Timer-Based AP Access Control: Shuts off APs outside of defined operating hours
Remote Wireless Packet Capture: Remotely captures raw 802.11 frames and streams to protocol analyzer
Plug-Ins for Third-Party Analysis Tools: WireShark, OmniPeek, Air Magnet
Rogue AP Detection and Containment: Detects unauthorized access points and automatically shuts them down
Real-Time Location Tracking and Monitoring: Yes
Location Tracking API for External Integration: Yes

[Figure: Aruba RAPs are ideally suited for providing secure mobile connectivity to branch and home offices.]

Remote networking for branch offices and teleworkers

Aruba's remote networking solutions provide a simple, secure, and cost-effective way to extend the corporate network to branch offices, clinics, SOHOs, stores and telecommuters. Traditional remote networking solutions replicate routing, switching, firewall, and other services at each remote location. Managing and controlling user access to network services, applications, and resources requires proliferating ports, subnets, and VLANs, effectively creating multiple networks at each site. This is costly and complex to deploy and maintain.

Whether supporting branch offices of one or one hundred users, Aruba's remote networking solution delivers full-service networking without compromises. As the head-end component of the remote networking solution, data center-based Aruba Mobility Controllers handle all complex configuration, management, software updates, authentication, intrusion detection, and remote site termination tasks. Branch office network services are virtualized in the data center controllers and then extended over any public or private IP network to affordable Remote Access Points (RAPs) that provide secure connectivity and services to end users.
Zero-Touch Provisioning: Administrators can deploy RAPs without any pre-configuration. Simply ship it to the end user (RAP-2, RAP-5 series only)
Wired and Wireless: Users connect to RAPs via wired Ethernet, Wi-Fi, or both
Flexible Authentication: 802.1X, Captive Portal, MAC address authentication per-port and per-user
Centralized Management: No local configuration is performed on APs - all configuration and management done by Mobility Controller
3G WWAN: RAP-5 series support USB wireless WAN adapters (EV-DO, HSDPA, etc.) for primary or backup Internet connection
FlexForward Traffic Forwarding:
  Centralized - All user traffic flows to Mobility Controller
  Locally bridged - All user traffic bridged by access device to local LAN segment
  Policy-routed - User traffic selectively forwarded to Mobility Controller or bridged locally, depending on traffic type/policy (requires PEF license)
Enterprise-Grade Security: RAPs authenticate to Mobility Controllers using X.509 certificates, then establish secure IPsec tunnels
Uplink Bandwidth Reservation: Defines reserved bandwidth for loss-sensitive application protocols such as voice
Local Diagnostics: In the event of a call to the help desk, local users can browse to a pre-defined URL to access full RAP diagnostics
Remote Mesh Portal: A RAP may also act as a mesh portal, providing wireless links to downstream Aruba access points (except RAP-2WG)
Supported Access Points: RAP-2WG, RAP-5WN, RAP-5, AP-105, AP-120/121, AP-124/125, AP-60/61, AP-65, AP-70, AP-85
Minimum Required Link Speed: 64 kbps per SSID
Encryption Protocol (RAP to Mobility Controller): AES-CBC-256 (inside IPsec ESP)

Integrating road warriors into a single access architecture

Users who need access to enterprise resources while away from their office typically rely on VPN client software, which connects to a VPN concentrator located in an enterprise DMZ.

With Aruba, remote VPN users are treated just like any other user. They leverage the same access policies and service definitions used on a campus Wi-Fi network or a branch office RAP deployment. Because any Aruba Mobility Controller can act as a VPN concentrator, a parallel access infrastructure need not be deployed or maintained.

ArubaOS is compatible with several popular VPN clients and the VPN clients built into major client operating systems. In addition, ArubaOS also provides the optional Aruba VIA agent, which can be installed on iOS, Mac OS X and Windows mobile devices and is ordered via the PEF-V license for the corresponding Aruba Mobility Controller. By merging access networks together, policy and access configuration is unified, the user experience is improved, helpdesk calls are reduced, and IT expenses are lowered.

Tested Client Support:
  Aruba VIA agent on Windows
  Cisco, Nortel VPN clients
  OpenVPN, Apple/Windows native client
VPN Protocols:
  L2TP/IPsec (RFC 3193)
  XAUTH/IPsec
  PPTP (RFC 2637)
Authentication: Username/password, X.509 PKI, RSA SecurID, Smart Card, Multi-factor

[Figure: mesh network diagram showing Mesh Points, Mesh Portals (Root Mesh Portal, Redundant Mesh Portal), Mesh Links, Mesh Paths, WLAN and Mesh RF Coverage, and Mobility Controller(s)]
Secure Enterprise Mesh

Aruba's Secure Enterprise Mesh solution provides a flexible, wire-free design allowing access points to be placed wherever they are needed, indoors and outdoors. The absence of fiber or cable runs significantly reduces network installation costs and requires fewer Ethernet ports. The solution fully integrates with the Aruba unified access architecture, enabling a single, enterprise-wide network wherever users may roam. Aruba's Secure Enterprise Mesh is based on programmable software and does not require specialized hardware; virtually any Aruba indoor or ruggedized outdoor access can function as a mesh access point.

The Aruba Secure Enterprise Mesh can support all enterprise wireless needs including Wi-Fi access, concurrent Wireless Intrusion Protection, wireless backhaul, LAN bridging, and point-to-multipoint connectivity, all with a single common infrastructure. Aruba's Secure Enterprise Mesh is an excellent solution for connectivity applications, including inter-building connectivity, outdoor campus mobility, wire-free offices, and wireline back-up; security applications, such as video and audio monitoring, alarms and duress signals, and industrial applications and sensor networks.

Through cooperative control technology, Aruba's mesh solution uses an intelligent link management algorithm to optimize traffic paths and links. Mesh access points communicate with their neighbors and advertise a number of RF and link attributes (e.g., link cost, path cost, node cost, loading) that allow them to make intelligent selection of the best path to take for the application. Mesh paths and links automatically adjust in the event of high-loads or interference. Further, application tags for voice and video traffic are shared to ensure latency sensitive traffic is prioritized over data. The cooperative control technology also provides self-healing functionality for the mesh network in the event of a blocked path or AP failure.

Broad Application Support: Wi-Fi access, concurrent wireless intrusion protection, wireless backhaul, LAN bridging, and point-to-multipoint connectivity
Unified Access Architecture: Integrates mesh networks with campus WLAN and branch office networks. Users seamlessly roam between campus Wi-Fi and mesh networks.
Cooperative Control: Intelligent RF link management determines optimal performance path and allows the network to self-organize
Self Healing: Resilient self-healing mesh automatically overcomes a block path or AP failure
Mesh Clustering: Supports scalability by allowing a large mesh to be segmented into highly available clusters
Centralized Encryption: Data encrypted end-to-end, from client to core, protecting the network even if a mesh access point is stolen
Centralized Management: All mesh nodes are configured and controlled centrally by Mobility Controllers. No local management required.
Extensive Graphical Support Tools: Full network visualization includes coverage heat maps, automatic link budget calculation, floorplans, and maps with network topology
Standards-Based Design: Secure Enterprise Mesh is designed using principles from draft IEEE 802.11s and will be able to easily migrate to this standard once it is ratified

Network Management and High-Availability

Controller configuration, management, and troubleshooting is provided through a browser-based GUI and a command line interface that will be familiar to any network administrator. ArubaOS also integrates seamlessly with the AirWave Management Suite which eases management during all stages of the WLAN lifecycle, from planning and deploying to monitoring, analyzing and troubleshooting. AirWave provides long-term trending and analysis, help desk integration tools, and extensive customizable reporting.

All APs and controllers, even those distributed in branch or regional offices, can be centrally configured and managed from a single console. To ease configuration of common tasks, intuitive task-based wizards guide the network administrator through every step of the process.

Controllers can be deployed in 1:1 and 1:n VRRP based redundant configurations with redundant data center support. When deployed in Layer-3 topologies, the OSPF routing protocol enables automatic route learning and route distribution for fast convergence.

Web-Based Configuration: Allows any administrator with a standard web browser to manage the system
Command Line: Console, SSH
Syslog: Yes - supports multiple servers, multiple levels, and multiple facilities
SNMP v2c: Yes
SNMP v3: Yes - enhances standard SNMP with cryptographic security
Centralized Configuration of Controllers: A designated master controller can configure and manage several downstream local controllers
VRRP: Supports high availability between multiple controllers
Redundant Data Center Support: Yes - Access devices can be configured with IP addresses for backup controllers
OSPF: Yes - Stub mode support for learning default route or injecting local routes into an upstream router
Rapid Spanning Tree Protocol: Yes - Provides fast L2 convergence

ArubaOS Support for IPv6

With the depletion of available IPv4 addresses, organizations are now planning for or have already begun deployments of IPv6 within their networks. While IPv4 and IPv6 both define how data is transmitted over networks, IPv6 adds a much larger address space than IPv4 and can support billions of unique IP addresses.

As organizations transition from IPv4 to IPv6, network equipment must support dual-stack interoperability of IPv6 within an IPv4 network or full deployments within a pure IPv6 environment. ArubaOS supports deploying Aruba Mobility Controllers and Access Points (APs) in today's IPv6 and dual-stack environments.
Management over IPv6: SSH, Telnet, SCP, WebUI, FTP, TFTP, Syslog
Captive Portal over IPv6: Yes
Support IPv6 VLAN Interface Address on Mobility Controller: Yes
Support AP-Controller Communication over IPv6: Yes
ICSA IPv6 Certified Firewall: Yes
USGv6 Certified Firewall: Yes

Context aware controls for mission-critical networking

Support for 802.11e and Wi-Fi Multimedia (WMM) ensures wireless QoS for delay-sensitive applications with mapping between WMM tags and internal hardware queues. Mobility Controllers enable mapping of 802.1p and IP DiffServ tags to hardware queues for wired-side QoS and can be instructed to apply certain 802.1p and IP DiffServ tags to different applications on demand.

With the addition of the Aruba PEF module, voice-over-IP protocols including SIP, SVP, Alcatel NOE, Vocera and SCCP are followed within the Aruba Mobility Controller. Aruba's Application Fingerprinting technology enables Mobility Controllers to follow encrypted signaling protocols.

Once these streams are identified, Aruba WLANs can prioritize them for delivery on the wireless channel as well as trigger voice-related features such as postpone ARM scanning for the duration of a call and prioritize roaming for clients that are engaged in an active call. These capabilities are critical to enabling the large-scale deployment of enterprise voice communications over Wi-Fi.

Additionally, ArubaOS now includes Device Fingerprinting technology, allowing network administrators to assign network policies on device types in addition to applications and users. Device Fingerprinting delivers greater control over which devices are allowed to access the network and how these devices can be used. ArubaOS can accurately identify and classify mobile devices such as the Apple iPad, iPhone, or iPod as well as devices running the Android or BlackBerry operating systems. This information can be shared with the AirWave Management Platform for enhanced network visibility for all network users, regardless of location or mobile device.

802.1p Support: Yes
802.11e Support: Yes
T-SPEC/TCLAS: Yes
WMM: Yes
WMM Priority Mapping: Yes
U-APSD (Unscheduled Automatic Power Save Delivery): Yes
802.11k: Improves call quality and rapid handoff for voice and other quality-sensitive devices
802.11r Fast BSS Transition: Yes
IGMP Snooping for Efficient Multicast Delivery: Yes
Application and Device Fingerprinting: Yes

Certifications

Wi-Fi Alliance Certified (802.11a/b/g/n/d/h, WPA Personal, WPA Enterprise, WPA2 Personal, WPA2 Enterprise, WMM, WMM Power Save)
ICSA Firewall, Corporate v4.1 (with optional Policy Enforcement Firewall module), ICSA IPv6 Firewall
FIPS 140-2 Validated (when operated in FIPS mode)
Common Criteria EAL-2
RSA Certified
Polycom/Spectralink VIEW Certified
USGv6 Firewall

STANDARDS SUPPORTED

General Switching and Routing
RFC 1812 Requirements for IP Version 4 Routers
RFC 1519 CIDR
RFC 1256 IPv4 ICMP Router Discovery (IRDP)
RFC 1122 Host Requirements
RFC 768 UDP
RFC 791 IP
RFC 792 ICMP
RFC 793 TCP
RFC 826 ARP
RFC 894 IP over Ethernet
RFC 1027 Proxy ARP
RFC 2236 IGMPv2
RFC 2328 OSPFv2
RFC 2338 VRRP
RFC 2460 Internet Protocol version 6 (IPv6)
RFC 2516 Point-to-Point Protocol over Ethernet (PPPoE)
RFC 3220 IP Mobility Support for IPv4 (partial support)
RFC 4541 IGMP and MLD Snooping
IEEE 802.1D-2004 MAC Bridges
IEEE 802.1Q 1998 Virtual Bridged Local Area Networks
IEEE 802.1w Rapid Spanning Tree Protocol

Quality of Service and Policies
IEEE 802.1D 2004 (802.1p) Packet Priority
IEEE 802.11e Quality of Service Enhancements
RFC 2474 Differentiated Services

Wireless
IEEE 802.11a/b/g 5 GHz, 2.4 GHz
IEEE 802.11d Additional Regulatory Domains
IEEE 802.11e Quality of Service
IEEE 802.11h Spectrum and TX Power Extensions for 5 GHz in Europe
IEEE 802.11i MAC Security Enhancements
IEEE 802.11k Radio Resource Management (partial support)
IEEE 802.11r Fast Basic Service Set (BSS) Transition
IEEE 802.11n Enhancements for Higher Throughput
IEEE 802.11v Wireless Network Management (partial support)

Management and Traffic Analysis
RFC 2030 SNTP, Simple Network Time Protocol v4
RFC 854 Telnet client and server
RFC 783 TFTP Protocol (revision 2)
RFC 951, 1542 BootP
RFC 2131 Dynamic Host Configuration Protocol
RFC 1591 DNS (client operation)
RFC 1155 Structure of Mgmt Information (SMIv1)
RFC 1157 SNMPv1
RFC 1212 Concise MIB definitions
RFC 1213 Management Information Base for Network Management of TCP/IP-based internets MIB-II
RFC 1215 Convention for defining traps for use with the SNMP
RFC 1286 Bridge MIB
RFC 3414 User-based Security Model (USM) for v.3 of the Simple Network Management
RFC 1573 Evolution of Interface
RFC 2011 SNMPv2 Management Information Base for the Internet Protocol using SMIv2
RFC 2012 SNMPv2 Management Information
RFC 2013 SNMPv2 Management Information
RFC 2578 Structure of Management Information Version 2 (SMIv2)
RFC 2579 Textual Conventions for SMIv2
RFC 2863 The Interfaces Group MIB
RFC 3418 Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
RFC 959 File Transfer Protocol (FTP)
RFC 2660 The Secure HyperText Transfer Protocol (HTTPS)
RFC 1901-1908 SNMP v2c SMIv2 and Revised MIB-II
RFC 2570, 2575 SNMPv3 user based security, encryption and authentication
RFC 2576 Coexistence between SNMP Version 1, Version 2 and Version 3
RFC 2233 Interface MIB
RFC 2251 Lightweight Directory Access Protocol (v3)
RFC 1492 An Access Control Protocol, TACACS+
RFC 2865 Remote Access Dial In User Service (RADIUS)
RFC 2866 RADIUS Accounting
RFC 2869 RADIUS Extensions
RFC 3576 Dynamic Authorization Extensions to Remote RADIUS
RFC 3579 RADIUS Support For Extensible Authentication Protocol (EAP)
RFC 3580 IEEE 802.1X Remote Authentication Dial In User Service (RADIUS)
RFC 2548 Microsoft RADIUS Attributes
RFC 1350 The TFTP Protocol (Revision 2)
RFC 3164 BSD System Logging Protocol (Syslog)
RFC 2819 Remote Network Monitoring (RMON) MIB

Security/Encryption
IEEE 802.1X Port-Based Network Access Control
RFC 1661 The Point-to-Point Protocol (PPP)
RFC 2406 IP Encapsulating Security Payload (ESP)
RFC 2661 Layer Two Tunneling Protocol L2TP
RFC 3193 Securing L2TP using IPsec
RFC 2451 The ESP CBC-Mode Cipher Algorithms
RFC 2403 The Use of HMAC-MD5-96 within ESP and AH
RFC 2401 Security Architecture for the Internet Protocol
RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH
RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2409 The Internet Key Exchange (IKE)
RFC 2405 ESP DES-CBC cipher algorithm with explicit IV
RFC 2403 Use of HMAC-SHA1-96 with ESP and AH
RFC 3602 The AES-CBC Cipher Algorithm and Its Use with IPsec
RFC 4017 Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs
RFC 3706 A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
RFC 3748, 5247 Extensible Authentication Protocol (EAP)
RFC 3079 Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE)
RFC 4137 State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator
RFC 2716 PPP EAP TLS Authentication Protocol
RFC 2246 The TLS Protocol (SSL)
RFC 2407 Internet IP Security Domain of Interpretation for ISAKMP
RFC 3948 UDP encapsulation of IPSec packets
RFC 4793 EAP-POTP
Internet Draft draft-ietf-ipsec-nat-t-ike-00
Internet Draft draft-ietf-ipsec-nat-t-ike-01
Internet Draft draft-ietf-ipsec-nat-t-ike-02
Internet Draft EAP-TTLS
Internet Draft EAP-PEAPv0
Internet Draft XAuth for ISAKMP

www.arubanetworks.com
1344 Crossman Avenue. Sunnyvale, CA 94089
1-866-55-ARUBA | Tel. +1 408.227.4500 | Fax. +1 408.227.4550

© 2013 Aruba Networks, Inc. Aruba Networks, Aruba The Mobile Edge Company (stylized), Aruba Mobility Management System, People Move. Networks Must Follow., Mobile Edge Architecture, RFProtect, Green Island, ETIPS, ClientMatch, Bluescanner and The All Wireless Workspace Is Open For Business are all Marks of Aruba Networks, Inc. in the United States and certain other countries. The preceding list may not necessarily be complete and the absence of any mark from this list does not mean that it is not an Aruba Networks, Inc. mark. All rights reserved. Aruba Networks, Inc. reserves the right to change, modify, transfer, or otherwise revise this publication and the product specifications without notice. While Aruba Networks, Inc. uses commercially reasonable efforts to ensure the accuracy of the specifications contained in this document, Aruba Networks, Inc. will assume no responsibility for any errors or omissions. DS_AOS_US_102913
