Key Features

• – Support for new Wi-Fi 6 (802.11ax), WPA3 and Enhanced Open – and all existing standards
• – Advanced AI-powered closed-loop wireless/RF optimization
• – Enhanced AP utilization and client roaming
• – SLA-grade application assurance with Air Slice (AOS 8.7+)
• – Automated deployment with ZTP and hierarchical configuration
• – Dynamic Segmentation enforces wired and wireless access policies to simplify and secure the network
• – Application awareness for 3,000+ applications without additional hardware
• – Live Upgrade and Seamless Failover.

Performance

Adaptive Radio Management (ARM)

ARM maximizes an AP’s Wi-Fi stability and predictability by dynamically choosing the best 802.11 channel and transmit power. This capability helps ensure optimal performance for all clients and applications, especially in environments with a large number of mobile users and performance-stringent applications that can cause network contention and interference. (See Table 5)

Centralized tunneling

To improve AP utilization (e.g. memory, processing and bandwidth) for networks with complex Layer 2 and Layer 3 requirements, AP licenses enable individual APs to forward all traffic, policy, management and control decisions to a controller. AOS 8 and later releases also allow HPE Aruba Networking access switches to mimic the role of an AP (e.g. wired AP) – switch configuration and management is delivered through HPE Aruba Networking Management Software (AirWave). (See Table 6)

ClientMatch

A patented RF optimization technology, ClientMatch is a feature of ARM that boosts Wi-Fi client performance by alleviating sticky client issues. Client devices associate with the best-performing AP and can also be grouped based on its supported Wi-Fi standards (e.g. downlink or uplink MU-MIMO) to improve system capacity. This is ideal for environments with complex roaming requirements.

Context-aware controls

Support for 802.11e and Wi-Fi Multimedia (WMM) ensures wireless QoS for delay-sensitive applications with mapping between WMM tags and internal hardware queues. Mobility Controllers enable mapping of 802.1p and IP DiffServ tags to hardware queues for wired-side QoS and can be instructed to apply certain 802.1p and IP DiffServ tags to different applications on demand.

AOS also includes device fingerprinting, which allows network managers to assign policies based on device type and firmware (e.g. iPhone, Android, etc). This allows the network to regulate which devices are provided access to the network and how these devices can be used. (See Table 7)

Seamless Layer 2 and Layer 3 roaming

AOS includes proxy mobile IP/DHCP functions to provide seamless connectivity as users move between floors, buildings or across the entire network – even while using video and voice applications. Roaming handoff times of just 2-3 milliseconds, without reauthentication, changes to IP addresses or loss of firewall state. When AOS runs on Mobility Conductor, roaming is enabled through Controller Clustering. (See Table 8)

VLAN pooling

Instead of configuring VLANs on every network edge switch, something in AOS centralized in Mobility Controllers and tunneled to APs. Major advantages include reduced network configuration complexity and max spanning tree diameter. User membership of VLANs is load-balanced to maintain optimal network performance as large groups of users move about the network.

Security and Visibility

Dynamic Segmentation

For each wireless client, wired port or user on a wired port, traffic can be forwarded to a Mobility Controller or Gateway and then securely segmented based using the Policy Enforcement Firewall. Port-based Tunneling (PBT) can be used to forward all traffic from a wired port, while user-based tunneling (UBT) can forward role-specific traffic – completely eliminating the need for network administrators to locally configure ACLs, VLANs and subnets.

Policy Enforcement Firewall (PEF)

As a key component of Dynamic Segmentation, PEF is an AOS license that enables user and application visibility. It delivers full policy enforcement based on user role, application, device and location awareness over WLAN, LAN and remote VPN connections for Remote APs, Instant APs and VIA VPN client services. Policies can be manually created within AOS, or centrally managed by HPE Aruba Networking ClearPass Policy Manager and applied to multiple networks simultaneously.

Application visibility and control

Application visibility is a feature within PEF that provides extensive visibility and control into over 3,000 apps using Deep Packet Inspection (DPI) for classification. Optimizing and limiting traffic per application is simple, and intuitive via an easy-to-use dashboard. Unrecognized applications and categories can also be defined through application customization*. (See Figure 2 and Table 9)

Remote Access Point (RAP) capabilities

With the same AOS AP license, HPE Aruba Networking RAPs can be deployed in disparate locations such as small offices/home offices (SOHO) or temporary work sites. Each builds a hybrid IPSec/SSL VPN connection to a Mobility Controller, which takes on a dual-role as a VPN concentrator (VPNC) as well. (See Figure 3 and Table 10)

Virtual Intranet Access (VIA) VPN support

A VIA add-on license lets remote users securely connect to an HPE Aruba Networking network through a hybrid IPSec/SSL VPN client without the need for a dedicated VPNC in an enterprise DMZ. Users devices adhere to the same policies and service definitions used at headquarters or a branch. AOS supports Windows, Mac, iOS, Android, and Linux, using split- or full-tunnel connections. (See Table 11)

Advanced Cryptography (ACR)

Fully FIPS 140-2 validated and Common Criteria-certified, the ACR add-on license provides Suite B cryptography which enables secure access to remote users who handle controlled unclassified, confidential and classified information.

Enhanced Wi-Fi authentication security

The addition of WPA3 support brings stronger encryption and authentication methods, and Enhanced Open provides per user encryption on open networks. New MPSK feature enables simpler passkey management for WPA2 devices – should the Wi-Fi password on one device type needs to be changed; no key changes are needed for other types of devices on the network. (See Table 1)

Web classification (WebCC)

With an optional subscription, AOS provides a cloud- based web content classification, policy and reputation service for URL filtering, IP reputation and geolocation filtering – which can be used to block and rate-limit connections based on HPE Aruba Networking’s identity-based controls. (See Figure 4 and Table 12)

WIPS/WIDS and rogue AP protection

To protect against ad hoc networks, man-in-the-middle attacks, denial-of-service attacks and to distinguish between Wi-Fi and non-Wi-Fi sources, the AOS RFProtect module provides integrated WIPS/WIDS/rogue AP containment and classification without requiring a separate system of RF sensors and security appliances. HPE Aruba Networking’s rogue AP classifi ation algorithms accurately differentiate between rogue APs connected to the network versus nearby interfering APs.

Third-party integration

REST-based APIs allow for integration with security vendors such as Palo Alto Networks and Check Point Software to ensure end-to-end security. Policies can be pre-defined for specific types of traffic and forwarded to an on-premises security firewall for additional inspection.

Microsoft Features

HPE Aruba Networking’s integration with Microsoft enables unique application intelligence that detects Office 365, Teams and Skype for Business traffic and then prioritizes them over less critical applications. For Skype for Business/Lync traffic, IT can also prioritize specific media such as video, voice, and messaging.

Unified Communications and Collaboration

Integrated dashboards

With an integrated UCC dashboard, AOS provides call quality metrics (latency, jitter, packet loss) for Microsoft Skype for Business/Lync, Alcatel Lucent New Office Environment (NOE), Microsoft Teams*, Apple Facetime, Cisco Jabber, Cisco Spark, Cisco Skinny Call Control Protocol (SCCP), Spectralink Voice Priority (SVP), SIP, H.323, and Vocera. This provides network managers with enhanced application visibility, as well as key Wi-Fi troubleshooting capabilities. HPE Aruba Networking’s application fingerprinting technology also enables AOS to follow encrypted signaling protocols and postpone ARM scanning and ClientMatch roaming to optimize user experience during active call sessions. (See Figure 5)

Wi-Fi Calling support

Wi-Fi Calling is used by carriers to offload cellular voice traffic on Wi-Fi networks to improve their reach inside buildings and areas of poor cellular coverage. AOs treats Wi-Fi Calling as a UCC voice application and applies quality of service, blocks and throttles calls through an integrated UCC dashboard. HPE Aruba Networking also offers visibility on a per-user, per-device and a per-carrier basis.

WAN Performance

Routing and metrics

AOS uses features such as Policy-based Routing, Dynamic Path Steering and compression to improve WAN health with intelligence that spans WLAN and WAN. An integrated dashboard also helps visualize key WAN metrics such as latency, jitter and packet loss across public and private uplinks. (Figure 6)

Operation

Integrated captive portal

For headless client devices or those without WPA, VPN or other security software, AOS supports a web browser-based captive portal that provides secure web-based authentication. Captive portal authentication is encrypted using SSL, and can support both registered users with a login and password or guest users who supply only an email address. For advanced guest access needs, refer to HPE Aruba Networking ClearPass Guest.

MDNS and DLNA support (AirGroup)

HPE Aruba Networking improves Apple, Google, and third-party services like AirPlay, AirPrint, and Google Cast through AirGroup, a unique capability that optimizes IP multicast video traffic, prioritizes services, and adds policy controls.

Simple configuration options ensure that these client devices can see each other, while advanced options limi access to certain devices based on physical location, time of day, and user/role based details.

Point-to-point and mesh capabilities

AOS supports a flexible, wire-free design for AP uplinks in the absence of fiber or cable runs. Most commonly deployed for point-to-point wireless backhaul, security camera use cases and for network access in on-premises locations, wireless mesh provides the same enterprise network services as standard wire-based design. HPE Aruba Networking uses an intelligent link management algorithm between each AP to automatically adjust and optimize traffic paths and links. Network managers can repurpose any HPE Aruba Networking indoor or outdoor AP, or utilize new 802.11ad technology for high-performance and extended range requirements. (See Figure 7 and Table 13)

IPv6 support

AOS supports IPv6 environments as well as dual-stack interoperability of IPv6 within an IPv4 network. This is ideal for organizations that have nearly depleted available IPv4 addresses and need to transition from IPv4 to IPv6 (which adds a much larger address space). (See Table 14)

Multivendor network management

HPE Aruba Networking Management Software (AirWave) provides unified network management for HPE Aruba Networking controller managed APs and multivendor wireless, wired and WAN environments. AirWave can be used for planning and deployment to monitoring, analysis and troubleshooting. It also provides long-term trending and reporting, helpdesk integration tools and customizable alerts.

Network analytics and assurance

AOS integration with HPE Aruba Networking NetInsight offers automated network optimization and performance enhancements. AI-powered machine learning algorithms gather data from AOS, benchmarks the network against similar peer networks and recommends configuration changes as needed for RF, authentication and DHCP request performance.

Advanced policy management

AOS integrates with HPE Aruba Networking ClearPass for policy management, AAA functions, advanced guest access and onboarding of devices across multivendor wired, wireless, and distributed remote networks. ClearPass addresses the security requirements for enterprises with increasing IoT, BYOD, and segmentation challenges. (See Table 1)

IoT and location-ready wireless support

AOS includes integration with HPE Aruba Networking Meridian, ALE, and third-party Wi-Fi, BLE, Zigbee and USB-based vendor solutions. Each HPE Aruba Networking AP serves as an IoT and location-ready gateway with no additional AS software required.

Enhanced Mobility Conductor Capabilities

AI-powered RF management (AirMatch)

An RF management innovation, AirMatch automates network-wide RF channels, channel width and radio power assignment. By utilizing machine learning algorithms, AirMatch proactively learns and acclimates the network based on changing environmental conditions and system capacity. (See Table 15)

Hierarchical configuration and improved visibility

AOS running on the Mobility Conductor, uses a centralized, multi-tiered architecture that consolidates all deployment models (e.g. all-conductor, single-conductor/multiple-local, and multiple-conductor/local) through a dedicated management console. Network configurations can be implemented and distributed from the Mobility Conductor through zero-touch provisioning (ZTP) to all Mobility Controllers. The Mobility Conductor also allows for licensing pools that can allocate licenses to individual controllers based on site requirements.

Hitless Failover and automated load balancing

Using controller clusters, user sessions and AP traffic are load balanced to optimize network utilization during peak periods and maximize availability during unplanned outages (Figure 1). This means that users will not notice any impact to voice calls, video streaming or data transfers in an unlikely event that a controller loses connectivity.

Live Upgrade and multiple version support

With Mobility Conductor, AOS can be upgraded while supporting active user sessions – eliminating the need for planned maintenance windows or downtime. Each Controller Cluster or individual service modules (AppRF, AirGroup, ARM, etc.) can be selectively upgraded without impacting the rest of the network.

Multi-tenancy Wi-Fi support (MultiZone)

Different controllers can be used with the same AP infrastructure to terminate different SSIDs on different HPE Aruba Networking controllers while maintaining complete segmentation and security for all networks, policies, management and visibility. This is ideal for multi-tenancy requirements where multiple organizations are housed in a single office space, or for a single organization that requires separate secure networks. For more information, refer to the MultiZone technical brief.

Northbound APIs (NBAPI)

The Mobility Conductor includes a full set of NBAPIs that enable deep visibility into the network. NBAPIs provide RF health metrics, app utilization, device type and user data in an easy-to-integrate format. 3rd party applications can receive this information for improved visibility and monitoring.

Enterprise Security Framework