Architecture - Avaya WLAN 8100 Technical Configuration Manual

are capable of the latest security standards, i.e. WPA2 with 802.1X for authentication, so you don't have
to create special SSIDs just for BYOD devices.
Multiple VLANs
It is a common security practice to segment devices into different VLANs, such as voice and data. It is
also common to map different SSIDs to different VLANs. However, many products, including Avaya's
WLAN 8100, are capable of using AAA to assign different devices and/or users to separate VLANs, even
though they are part of the same SSID. Avaya recommends that you have separate VLANs for guest,
secure, and insecure devices and assign users and devices to them as appropriate based on AAA policy.
The guest SSID should map to a VLAN that is separated from the rest of the corporate LAN by a firewall.
Throughput
One of the issues with any Wi-Fi network is how to offer high performance for devices that can support it,
while also offering legacy support for slower devices. One common approach is to separate devices by
channel, for example, using 5 GHz for high performance, and 2.4 GHz for low performance. BYOD
devices have a wide array of radio capabilities, from 802.11g to 802.11n support. Even when devices
appear to support the latest capabilities, such as advertising 802.11n support, capabilities still vary widely.
For example, Apple iPads do offer 802.11n support, but what is not mentioned is that they are only
capable of single stream MIMO. Avaya recommends that you thoughtfully consider BYOD device
capabilities used within your organization and try to separate them into high performance and low
performance groups. High performance should use 5 GHz and low performance should use 2.4 GHz.
Further recommendations on how to segment devices into different bands are beyond the scope of this
document.

1.3 Architecture

Avaya's BYOD architecture, illustrated in Figure 1, has three discrete levels of access: guest and two
categories of authorized users using either secure (aka managed) devices or insecure (aka unmanaged)
devices. In this architecture, Avaya's Identity Engines product performs the authentication and
authorization services required to handle guest, employee, and device authentication, and Avaya's WLAN
8100 provides the Wi-Fi services and implements security.
This Technical Configuration Guide is based on Identity Engines release 7.0 and does not
leverage the new BYOD capabilities of Identity Engines release 8.0 (the Ignition Access Portal,
BYOD Device Profiling, and BYOD VSAs), which were introduced to provide even greater
flexibility for BYOD access control, on-boarding and management.
Guest
It is assumed that your organization offers "guest" Wi-Fi services to customers and/or business partners.
If your organization does not, then you can skip this option. The "guest" SSID will be unencrypted in most
cases, and should map to a VLAN that is outside the corporate firewall or in a DMZ. There are many
options for managing a "guest" Wi-Fi service, ranging from a simple open SSID with no portal, to a simple
portal with simple username/password access, to dynamically created guest accounts for each user that
expire at the end of a specified time period. Avaya's Identity Engines supports best-in-class capabilities
for guest account creation and access management, but configuration of Identity Engines Ignition Guest
Manager and these options is beyond the scope of this document. The configuration examples will show
only simple portal-based authentication for guests.
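The three-tier policy described in this section, combined with the AAA-driven VLAN assignment described under Multiple VLANs, can be modelled as a small decision function. The following Python is an added illustration and is not code from the Avaya guide or from Identity Engines: the VLAN numbers, tier names, authentication-method labels and the epoch-second timestamps are assumptions; the RADIUS attribute values (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) are the standard ones from RFC 2868 / RFC 3580 that switches and WLAN controllers use for dynamic VLAN assignment in an Access-Accept.

```python
"""Three-tier BYOD access policy with AAA-driven VLAN assignment.

Constructed example, not Avaya's code: the VLAN numbers, tier names and
authentication-method labels are assumptions. The RADIUS attribute values
are the standard ones from RFC 2868 / RFC 3580 used for dynamic VLAN
assignment in an Access-Accept.
"""
from typing import Dict, List, Optional, Set, Union

# RFC 2868 / RFC 3580 attribute values for VLAN assignment in Access-Accept
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type = IEEE-802

# Assumed VLAN plan (constructed): one VLAN per access tier
VLAN_FOR_TIER: Dict[str, int] = {
    "guest": 900,      # outside the corporate firewall / in a DMZ
    "secure": 100,     # authorized user on a managed device
    "insecure": 200,   # authorized user on an unmanaged (BYOD) device
}
# VLANs that sit inside the corporate firewall (constructed)
CORPORATE_VLANS: Set[int] = {100, 200, 300}

# Methods treated as 802.1X / WPA2-Enterprise logins (labels are assumptions)
DOT1X_METHODS = {"eap-tls", "peap-mschapv2"}


def classify(auth_method: str, device_managed: bool,
             now: int, account_expires: Optional[int] = None) -> Optional[str]:
    """Map an authentication result to an access tier.

    Returns "guest", "secure" or "insecure", or None when the request must
    be rejected. Times are epoch seconds; a dynamically created guest
    account carries an expiry so that it stops working on schedule.
    """
    if auth_method == "portal":
        # Guest portal login: honour the account's expiry time if it has one
        if account_expires is not None and now >= account_expires:
            return None
        return "guest"
    if auth_method in DOT1X_METHODS:
        # One SSID for all employees; the device's managed state picks the tier
        return "secure" if device_managed else "insecure"
    # Unknown or unsupported method: fail closed
    return None


def radius_vlan_attributes(vlan_id: int) -> Dict[str, Union[int, str]]:
    """Attributes a RADIUS server returns in Access-Accept to place the
    client in VLAN `vlan_id` (RFC 3580 tunnel attributes)."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def authorize_request(auth_method: str, device_managed: bool, now: int,
                      account_expires: Optional[int] = None
                      ) -> Optional[Dict[str, Union[int, str]]]:
    """Full decision: None means Access-Reject; otherwise the VLAN
    attributes to send back in Access-Accept."""
    tier = classify(auth_method, device_managed, now, account_expires)
    if tier is None:
        return None
    return radius_vlan_attributes(VLAN_FOR_TIER[tier])


def check_vlan_plan(plan: Dict[str, int], corporate_vlans: Set[int]) -> List[str]:
    """Sanity checks on a VLAN plan: the guest VLAN must not be a corporate
    VLAN (it belongs behind the firewall / in a DMZ), and no two access
    tiers may share a VLAN."""
    problems: List[str] = []
    if plan["guest"] in corporate_vlans:
        problems.append("guest VLAN %d is inside the corporate firewall" % plan["guest"])
    if len(set(plan.values())) != len(plan):
        problems.append("two access tiers share a VLAN")
    return problems


if __name__ == "__main__":
    print(check_vlan_plan(VLAN_FOR_TIER, CORPORATE_VLANS))
    print(authorize_request("eap-tls", True, now=0))
    print(authorize_request("peap-mschapv2", False, now=0))
    print(authorize_request("portal", False, now=2000, account_expires=1000))
```

The point of `check_vlan_plan` is the guest-isolation requirement stated above: a guest VLAN that overlaps with a corporate VLAN silently collapses the three tiers into one, so the plan is validated before any RADIUS reply is built.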
August 2011
Avaya Inc. – External Distribution
avaya.com
