Authentication and User Management. Aruba Instant 6.5.2.0, RAP-155, IAP-207, RAP-108, IAP-305, Instant


Chapter 13

Authentication and User Management

This chapter provides the following information:

- Managing IAP Users on page 146
- Supported Authentication Methods on page 151
- Supported EAP Authentication Frameworks on page 152
- Configuring Authentication Servers on page 153
- Understanding Encryption Types on page 167
- Configuring Authentication Survivability on page 168
- Configuring 802.1X Authentication for a Network Profile on page 170
- Enabling 802.1X Supplicant Support on page 172
- Configuring MAC Authentication for a Network Profile on page 173
- Configuring MAC Authentication with 802.1X Authentication on page 175
- Configuring MAC Authentication with Captive Portal Authentication on page 177
- Configuring WISPr Authentication on page 178
- Blacklisting Clients on page 179
- Uploading Certificates on page 182

Managing IAP Users

The IAP users can be classified as follows:

- Administrator—An admin user who creates SSIDs, wired profiles, and DHCP server configuration parameters, and manages the local user database. The admin users can access the VC Management UI.
- Guest administrator—A guest interface management user who manages guest users added in the local user database.
- Administrator with read-only access—The read-only admin user does not have access to the Instant CLI. The Instant UI is displayed in read-only mode for these users.
- Employee users—Employees who use the enterprise network for official tasks.
- Guest users—Visiting users who temporarily use the enterprise network to access the Internet.

The user access privileges are determined by the IAP management settings in the AirWave Management client and Aruba Central, and by the type of user. The following table outlines the access privileges defined for the admin user, guest management interface admin, and read-only users.

Table 32: User Privileges

User Category | Aruba Central or AMP in Management Mode | IAP in Monitor Mode or without AMP or Aruba Central
administrator | Access to local user database only | Complete access to the IAP
read-only administrator | No write privileges | No write privileges
guest administrator | Access to local user database only | Access to local user database only

Aruba Instant 6.5.2.0 | User Guide Authentication and User Management | 146

Configuring IAP Users

The Instant user database consists of a list of guest and employee users. The addition of a user involves specifying the login credentials for a user. The login credentials for these users are provided outside the Instant system.

A guest user can be a visitor who is temporarily using the enterprise network to access the Internet. However, if you do not want to allow access to the internal network and the Intranet, you can segregate the guest traffic from the enterprise traffic by creating a guest WLAN and specifying the required authentication, encryption, and access rules.

An employee user is an employee who uses the enterprise network for official tasks. You can create Employee WLANs, specify the required authentication, encryption, and access rules, and allow the employees to use the enterprise network.

The user database is also used when an IAP is configured as an internal RADIUS server.

The local user database of IAPs can support up to 512 user entries.

In the Instant UI

To configure users:

1. Click the Security link located directly above the Search bar in the Instant main window.

2. Click Users for Internal Server. The following figure shows the contents of the Users for Internal Server tab.

Figure 35 Adding a User

3. Enter the user name in the Username text box.

4. Enter the password in the Password text box and reconfirm.

5. Select the type of network from the Type drop-down list.

6. Click Add and click OK.

The users are listed in the Users list.


Edit or Delete User Settings

1. To edit user settings:
   a. Select the user you want to modify from the Users list in the table.
   b. Click Edit to modify user settings.
   c. Click OK.

2. To delete a user:
   a. Select the user you want to delete from the Users list in the table.
   b. Click Delete.
   c. Click OK.

3. To delete all or multiple users at a time:
   a. Select the users you want to delete from the Users list in the table.
   b. Click Delete All.
   c. Click OK.

Deleting a user only removes the user record from the user database, and will not disconnect the online user associated with the user name.

In the CLI

To configure an employee user:

(Instant AP)(config)# user <username> <password> radius

(Instant AP)(config)# end

(Instant AP)# commit apply

To configure a guest user:

(Instant AP)(config)# user <username> <password> portal

(Instant AP)(config)# end

(Instant AP)# commit apply

Configuring Authentication Parameters for Management Users

You can configure RADIUS or Terminal Access Controller Access Control System (TACACS) authentication servers to authenticate and authorize the management users of an IAP. The authentication servers determine whether the user has access to the administrative interface. The privilege level for the different types of management users is defined on the RADIUS or TACACS server instead of on the IAP. The IAP maps each management user to the corresponding privilege level and grants access based on the attributes returned by the RADIUS or TACACS server.

You can configure authentication parameters for local admin, read-only, and guest management administrator account settings through the Instant UI or the CLI.

In the Instant UI

1. Navigate to System > Admin . The Admin tab details are displayed.


Table 33: Authentication Parameters for Management Users

Local administrator

- Internal: Select Internal if you want to specify a single set of user credentials. If using an internal authentication server:
  1. Specify the Username and Password.
  2. Retype the password to confirm.
- Authentication server: Select the RADIUS or TACACS authentication servers. You can also create a new server by selecting New from the Authentication server drop-down list. The following options are available:
  - Authentication server w/ fallback to internal—Select this option if you want to use both internal and external servers. When enabled, the authentication switches to Internal if there is no response from the RADIUS server (RADIUS server timeout). To use this option, select the authentication servers and configure the user credentials for internal-server-based authentication.
  - Load balancing—If two servers are configured, users can use them in primary/backup mode or in load balancing mode. To enable load balancing, select Enabled from the Load balancing drop-down list. For more information on load balancing, see Dynamic Load Balancing between Two Authentication Servers on page 158.
  - TACACS accounting—If a TACACS server is selected, enable TACACS accounting to report management commands if required.

Administrator with Read-Only Access

- Internal: Select Internal to specify a single set of user credentials. If using an internal authentication server:
  1. Specify the Username and Password.
  2. Retype the password to confirm.
- Authentication server: If a RADIUS or TACACS server is configured, select Authentication server for authentication.

Guest

- Internal: Select Internal to specify a single set of user credentials. If using an internal authentication server:
  1. Specify the Username and Password.
  2. Retype the password to confirm.
- Authentication server: If a RADIUS or TACACS server is configured, select Authentication server for authentication.

3. Click OK.

In the CLI

To configure a local admin user:

(Instant AP)(config)# mgmt-user <username> [password]

To configure guest management administrator credentials:

(Instant AP)(config)# mgmt-user <username> [password] guest-mgmt

To configure a user with read-only privilege:

(Instant AP)(config)# mgmt-user <username> [password] read-only


To configure management authentication settings:

(Instant AP)(config)# mgmt-auth-server <server1>

(Instant AP)(config)# mgmt-auth-server <server2>

(Instant AP)(config)# mgmt-auth-server-load-balancing

(Instant AP)(config)# mgmt-auth-server-local-backup

To enable TACACS accounting:

(Instant AP)(config)# mgmt-accounting command all

Adding Guest Users through the Guest Management Interface

To add guest users through the Guest Management interface:

1. Log in to the Instant UI with the guest management interface administrator credentials. The guest management interface is displayed.

Figure 36 Guest Management Interface

2. To add a user, click New . The New Guest User popup window is displayed.

3. Specify a Username and Password .

4. Retype the password to confirm.

5. Click OK .


Supported Authentication Methods

Authentication is a process of identifying a user through a valid username and password or based on the user's MAC address. The following authentication methods are supported in Instant:

- 802.1X Authentication
- MAC Authentication
- MAC Authentication with 802.1X Authentication
- Captive Portal Authentication
- MAC Authentication with Captive Portal Authentication
- 802.1X Authentication with Captive Portal Role
- WISPr Authentication

802.1X Authentication

802.1X is an IEEE standard that provides an authentication framework for WLANs. The 802.1X standard uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1X framework include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS). These protocols allow the network to authenticate the client while also allowing the client to authenticate the network. For more information on the EAP authentication frameworks supported by the IAPs, see Supported EAP Authentication Frameworks on page 152.

The 802.1X authentication method allows an IAP to authenticate the identity of a user before providing network access to the user. The Remote Authentication Dial In User Service (RADIUS) protocol provides centralized authentication, authorization, and accounting management. For authentication purposes, the wireless client associates to a network access server (NAS) or RADIUS client such as a wireless IAP. The wireless client can pass data traffic only after a successful 802.1X authentication.

For more information on configuring an IAP to use 802.1X authentication, see Configuring 802.1X Authentication for a Network Profile on page 170.

MAC Authentication

MAC authentication is used for authenticating devices based on their physical MAC addresses. MAC authentication requires that the MAC address of a machine matches a manually defined list of addresses. This authentication method is not recommended for scalable networks or for networks that require stringent security settings. For more information on configuring an IAP to use MAC authentication, see Configuring MAC Authentication for a Network Profile on page 173.

MAC Authentication with 802.1X Authentication

This authentication method has the following features:

- MAC authentication precedes 802.1X authentication—Administrators can enable MAC authentication for 802.1X authentication. MAC authentication shares all the authentication server configurations with 802.1X authentication. If a wireless or wired client connects to the network, MAC authentication is performed first. If MAC authentication fails, 802.1X authentication does not trigger. If MAC authentication is successful, 802.1X authentication is attempted. If 802.1X authentication is successful, the client is assigned an 802.1X authentication role. If 802.1X authentication fails, the client is assigned a deny-all role or mac-auth-only role.
- MAC authentication only role—Allows you to create a mac-auth-only role to allow role-based access rules when MAC authentication is enabled for 802.1X authentication. The mac-auth-only role is assigned to a client when the MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication is successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients.
- L2 authentication fall-through—Allows you to enable the l2-authentication-fallthrough mode. When this option is enabled, 802.1X authentication is allowed even if the MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed. The l2-authentication-fallthrough mode is disabled by default.

For more information on configuring an IAP to use MAC as well as 802.1X authentication, see Configuring MAC Authentication with 802.1X Authentication on page 175.
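The role-assignment rules above, as an added worked example that is not part of the Aruba guide: a small Python model that applies them and enumerates every combination of MAC and 802.1X outcome against the two profile options the section names (a mac-auth-only role and l2-authentication-fallthrough). The function and field names, and any role string other than deny-all and mac-auth-only, are assumptions made here.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Optional


@dataclass
class L2AuthProfile:
    """Profile options this section describes (field names assumed, not Aruba CLI keywords)."""
    mac_auth_only_role: Optional[str] = None  # role for MAC success + 802.1X failure, if one was created
    l2_auth_fallthrough: bool = False         # l2-authentication-fallthrough, disabled by default


@dataclass
class L2AuthOutcome:
    dot1x_attempted: bool
    role: str  # "deny-all", the mac-auth-only role, or the role 802.1X returned


def derive_l2_role(profile: L2AuthProfile, mac_auth_ok: bool,
                   dot1x_ok: bool, dot1x_role: str = "authenticated") -> L2AuthOutcome:
    """MAC authentication always runs first; dot1x_ok is what 802.1X would return if it runs."""
    if not mac_auth_ok and not profile.l2_auth_fallthrough:
        # MAC failed and fall-through is disabled: 802.1X is never triggered.
        return L2AuthOutcome(dot1x_attempted=False, role="deny-all")
    # MAC passed, or fall-through lets 802.1X proceed despite the MAC failure.
    if dot1x_ok:
        # A successful 802.1X overwrites any mac-auth-only role with the final role.
        return L2AuthOutcome(dot1x_attempted=True, role=dot1x_role)
    if mac_auth_ok and profile.mac_auth_only_role:
        # MAC passed but 802.1X failed: the client gets the mac-auth-only role.
        return L2AuthOutcome(dot1x_attempted=True, role=profile.mac_auth_only_role)
    return L2AuthOutcome(dot1x_attempted=True, role="deny-all")


def scenario_matrix(profile: L2AuthProfile) -> List[tuple]:
    """All four (MAC result, 802.1X result) combinations for one profile; handy when
    auditing what a given fall-through / mac-auth-only setting actually admits."""
    rows = []
    for mac_ok, dot1x_ok in product((True, False), repeat=2):
        out = derive_l2_role(profile, mac_ok, dot1x_ok)
        rows.append((mac_ok, dot1x_ok, out.dot1x_attempted, out.role))
    return rows


def clients_admitted_after_mac_failure(profile: L2AuthProfile) -> bool:
    """True if this profile can ever grant a role other than deny-all to a client whose MAC check failed."""
    return any(role != "deny-all"
               for mac_ok, _, _, role in scenario_matrix(profile) if not mac_ok)


if __name__ == "__main__":
    for prof in (L2AuthProfile(),
                 L2AuthProfile(mac_auth_only_role="mac-auth-only", l2_auth_fallthrough=True)):
        print(prof, scenario_matrix(prof), clients_admitted_after_mac_failure(prof))
```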

Captive Portal Authentication

Captive portal authentication is used for authenticating guest users. For more information on captive portal authentication, see Captive Portal for Guest Access on page 122.

MAC Authentication with Captive Portal Authentication

You can enforce MAC authentication for captive portal clients. For more information on configuring an IAP to use MAC authentication with captive portal authentication, see Configuring MAC Authentication with Captive Portal Authentication on page 177.

802.1X Authentication with Captive Portal Role

This authentication mechanism allows you to configure different captive portal settings for clients on the same SSID. For example, you can configure an 802.1X SSID and create a role for captive portal access, so that some of the clients using the SSID derive the captive portal role. You can configure rules to indicate access to an external or internal captive portal, or none. For more information on configuring captive portal roles for an SSID with 802.1X authentication, see Configuring Captive Portal Roles for an SSID on page 141.

WISPr Authentication

Wireless Internet Service Provider roaming (WISPr) authentication allows smart clients to authenticate on the network when they roam between wireless Internet service providers, even if the wireless hotspot uses an Internet Service Provider (ISP) with whom the client may not have an account.

If a hotspot is configured to use WISPr authentication for a specific ISP and a client attempts to access the Internet at that hotspot, the WISPr AAA server configured for the ISP authenticates the client directly and allows the client to access the network. If the client only has an account with a partner ISP, the WISPr AAA server forwards the client's credentials to the partner ISP's WISPr AAA server for authentication. When the client is authenticated on the partner ISP, it is also authenticated on the hotspot's own ISP as per their service agreements. The IAP assigns the default WISPr user role to the client when the client's ISP sends an authentication message to the IAP. For more information on WISPr authentication, see Configuring WISPr Authentication on page 178.

Supported EAP Authentication Frameworks

The following EAP authentication frameworks are supported in the Instant network:

- EAP-TLS—The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server. EAP-TLS requires both server and certification authority (CA) certificates installed on the IAP. The client certificate is verified on the VC (the client certificate must be signed by a known CA) before the username is verified on the authentication server.
- EAP-TTLS (MS-CHAPv2)—The Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords.
- EAP-PEAP (MS-CHAPv2)—EAP-PEAP is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with the server. PEAP authentication creates an encrypted SSL/TLS tunnel between the client and the authentication server. The exchange of information is encrypted inside the tunnel, ensuring the user credentials are kept secure.
- LEAP—Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys for authentication between the client and authentication server.

To use the IAP’s internal database for user authentication, add the usernames and passwords of the users to be authenticated.

Aruba does not recommend the use of LEAP authentication, because it does not provide any resistance to network attacks.

Authentication Termination on IAP

IAPs support EAP termination for enterprise WLAN SSIDs. EAP termination can reduce the number of packets exchanged between the IAP and the authentication servers. Instant allows Extensible Authentication Protocol (EAP) termination for Protected Extensible Authentication Protocol-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAPv2). PEAP-GTC termination allows authorization against a Lightweight Directory Access Protocol (LDAP) server and an external RADIUS server, while PEAP-MS-CHAPv2 allows authorization against an external RADIUS server.

This allows users to run PEAP-GTC termination with their username and password against a local Microsoft Active Directory (MAD) server with LDAP authentication.

- EAP-Generic Token Card (GTC)—This EAP method permits the transfer of unencrypted usernames and passwords from the client to the server. The main uses for EAP-GTC are procuring one-time token cards such as SecurID and using LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the IAP to an external authentication server for user data backup.
- EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2)—This EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.

Configuring Authentication Servers

This section describes the following procedures:

- Configuring an External Server for Authentication on page 159
- Enabling RADIUS Communication over TLS on page 163
- Configuring Dynamic RADIUS Proxy Parameters on page 165

Supported Authentication Servers

Based on the security requirements, you can configure internal or external authentication servers. This section describes the types of servers that can be configured for client authentication:

- Internal RADIUS Server on page 154
- External RADIUS Server on page 154
- Dynamic Load Balancing between Two Authentication Servers on page 158


Starting from the Instant 6.4.0.2-4.1 release, you can configure a TACACS+ server for authenticating management users. For more information on management users and TACACS+ server-based authentication, see Configuring Authentication Parameters for Management Users.

Internal RADIUS Server

Each IAP has an instance of a free RADIUS server operating locally. When you enable the internal RADIUS server option for the network, the client on the IAP sends a RADIUS packet to the local IP address. The internal RADIUS server listens and replies to the RADIUS packet. Instant serves as a RADIUS server for 802.1X authentication. However, the internal RADIUS server can also be configured as a backup RADIUS server for an external RADIUS server.

External RADIUS Server

In the external RADIUS server, the IP address of the VC is configured as the NAS IP address. Instant RADIUS is implemented on the VC, and this eliminates the need to configure multiple NAS clients for every IAP on the RADIUS server for client authentication. Instant RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server. The RADIUS server responds to the authentication request with an Access-Accept or Access-Reject message, and the clients are allowed or denied access to the network depending on the response from the RADIUS server. When you enable an external RADIUS server for the network, the client on the IAP sends a RADIUS packet to the local IP address. The external RADIUS server then responds to the RADIUS packet.

Instant supports the following external authentication servers:

- RADIUS
- LDAP
- ClearPass Policy Manager Server for AirGroup CoA

To use an LDAP server for user authentication, configure the LDAP server on the VC, and configure user IDs and passwords. To use a RADIUS server for user authentication, configure the RADIUS server on the VC.

RADIUS Server Authentication with VSA

An external RADIUS server authenticates network users and returns to the IAP the vendor-specific attribute (VSA) that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA.

Instant supports the following VSAs for user role and VLAN derivation rules:

AP-Group

AP-Name

ARAP-Features

ARAP-Security

ARAP-Security-Data

ARAP-Zone-Access

Acct-Authentic

Acct-Delay-Time

Acct-Input-Gigawords

Acct-Input-Octets

Acct-Input-Packets

Acct-Interim-Interval

Acct-Link-Count


Acct-Multi-Session-Id

Acct-Output-Gigawords

Acct-Output-Octets

Acct-Output-Packets

Acct-Session-Id

Acct-Session-Time

Acct-Status-Type

Acct-Terminate-Cause

Acct-Tunnel-Packets-Lost

Add-Port-To-IP-Address

Aruba-AP-Group

Aruba-AP-IP-Address

Aruba-AS-Credential-Hash

Aruba-AS-User-Name

Aruba-Admin-Path

Aruba-Admin-Role

Aruba-AirGroup-Device-Type

Aruba-AirGroup-Shared-Group

Aruba-AirGroup-Shared-Role

Aruba-AirGroup-Shared-User

Aruba-AirGroup-User-Name

Aruba-AirGroup-Version

Aruba-Auth-SurvMethod

Aruba-Auth-Survivability

Aruba-CPPM-Role

Aruba-Calea-Server-Ip

Aruba-Device-Type

Aruba-Essid-Name

Aruba-Framed-IPv6-Address

Aruba-Location-Id

Aruba-Mdps-Device-Iccid

Aruba-Mdps-Device-Imei

Aruba-Mdps-Device-Name

Aruba-Mdps-Device-Product

Aruba-Mdps-Device-Profile

Aruba-Mdps-Device-Serial

Aruba-Mdps-Device-Udid

Aruba-Mdps-Device-Version

Aruba-Mdps-Max-Devices

Aruba-Mdps-Provisioning-Settings

Aruba-Named-User-Vlan

Aruba-Network-SSO-Token


Aruba-No-DHCP-Fingerprint

Aruba-Port-Bounce-Host

Aruba-Port-Id

Aruba-Priv-Admin-User

Aruba-Template-User

Aruba-User-Group

Aruba-User-Role

Aruba-User-Vlan

Aruba-WorkSpace-App-Name

Authentication-Sub-Type

Authentication-Type

CHAP-Challenge

Callback-Id

Callback-Number

Chargeable-User-Identity

Class

Connect-Info

Connect-Rate

Crypt-Password

DB-Entry-State

Digest-Response

Domain-Name

EAP-Message

Error-Cause

Event-Timestamp

Exec-Program

Exec-Program-Wait

Expiration

Fall-Through

Filter-Id

Framed-AppleTalk-Link

Framed-AppleTalk-Network

Framed-AppleTalk-Zone

Framed-Compression

Framed-IP-Address

Framed-IP-Netmask

Framed-IPX-Network

Framed-IPv6-Pool

Framed-IPv6-Prefix

Framed-IPv6-Route

Framed-Interface-Id

Framed-MTU


Framed-Protocol

Framed-Route

Framed-Routing

Full-Name

Group

Group-Name

Hint

Huntgroup-Name

Idle-Timeout

Location-Capable

Location-Data

Location-Information

Login-IP-Host

Login-IPv6-Host

Login-LAT-Node

Login-LAT-Port

Login-LAT-Service

Login-Service

Login-TCP-Port

Menu

Message-Auth

NAS-IPv6-Address

NAS-Port-Type

Operator-Name

Password

Password-Retry

Port-Limit

Prefix

Prompt

Rad-Authenticator

Rad-Code

Rad-Id

Rad-Length

Reply-Message

Requested-Location-Info

Revoke-Text

Server-Group

Server-Name

Service-Type

Session-Timeout

Simultaneous-Use

State


Strip-User-Name

Suffix

Termination-Action

Termination-Menu

Tunnel-Assignment-Id

Tunnel-Client-Auth-Id

Tunnel-Client-Endpoint

Tunnel-Connection-Id

Tunnel-Medium-Type

Tunnel-Preference

Tunnel-Private-Group-Id

Tunnel-Server-Auth-Id

Tunnel-Server-Endpoint

Tunnel-Type

User-Category

User-Name

User-Vlan

Vendor-Specific

fw_mode

dhcp-option

dot1x-authentication-type

mac-address

mac-address-and-dhcp-options
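The VSA-based role derivation described above, as an added example that is not from the Aruba guide: a minimal parser for a RADIUS Access-Accept that verifies the Response Authenticator against the shared key (RFC 2865, section 3) before it trusts any attribute, then extracts the Aruba Vendor-Specific attributes for user role and VLAN. The Aruba enterprise number 14823 and the vendor-type numbers for Aruba-User-Role (1), Aruba-User-Vlan (2) and Aruba-Admin-Role (4) come from the public Aruba RADIUS dictionary; the sample packet, shared key and request authenticator are constructed here and the function names are assumptions.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26      # RADIUS attribute 26, Vendor-Specific
ARUBA_VENDOR_ID = 14823        # Aruba enterprise number used in the Aruba RADIUS dictionary
# Vendor-type numbers from the public Aruba dictionary (only the ones used here).
ARUBA_VSA_NAMES = {1: "Aruba-User-Role", 2: "Aruba-User-Vlan", 4: "Aruba-Admin-Role"}


def aruba_vsa(vendor_type: int, value: bytes) -> bytes:
    """Value of a Vendor-Specific attribute: Vendor-Id(4) + vendor-type(1) + vendor-length(1) + data."""
    return struct.pack("!IBB", ARUBA_VENDOR_ID, vendor_type, len(value) + 2) + value


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs) -> bytes:
    """Build an Access-Accept the way a RADIUS server would (used here only to construct sample input)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # RFC 2865 s.3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response_authenticator(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS keeps the Request Authenticator it sent; a reply that does not chain to it is untrusted."""
    header, response_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(response_auth, expected)


def parse_attributes(body: bytes):
    """Yield (type, value) pairs, refusing malformed lengths rather than reading past them."""
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[i], body[i + 1]
        if attr_len < 2 or i + attr_len > len(body):
            raise ValueError("bad attribute length")
        yield attr_type, body[i + 2:i + attr_len]
        i += attr_len


def derive_roles(pkt: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Return the Aruba role/VLAN VSAs from an Access-Accept, but only after it authenticates."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    if not verify_response_authenticator(pkt, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: attributes must not be trusted")
    if code != ACCESS_ACCEPT:
        return {"user_role": "deny-all"}  # Access-Reject (or anything else): no access
    derived = {}
    for attr_type, value in parse_attributes(pkt[20:]):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", value[:6])
        if vendor_id != ARUBA_VENDOR_ID or vendor_len != len(value) - 4:
            continue  # another vendor, or a VSA whose inner length disagrees with the outer one
        name = ARUBA_VSA_NAMES.get(vendor_type)
        data = value[6:]
        if name == "Aruba-User-Role":
            derived["user_role"] = data.decode("ascii")
        elif name == "Aruba-User-Vlan" and len(data) == 4:
            derived["user_vlan"] = struct.unpack("!I", data)[0]
        elif name == "Aruba-Admin-Role":
            derived["admin_role"] = data.decode("ascii")
    return derived


# Constructed sample exchange (not a capture): the IAP remembers the Request
# Authenticator and shared key it used for the Access-Request it sent.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"example-shared-key"
SAMPLE_ACCEPT = build_access_accept(
    ident=7,
    request_auth=SAMPLE_REQUEST_AUTH,
    secret=SAMPLE_SECRET,
    attrs=[
        (ATTR_VENDOR_SPECIFIC, aruba_vsa(1, b"employee")),             # Aruba-User-Role
        (ATTR_VENDOR_SPECIFIC, aruba_vsa(2, struct.pack("!I", 120))),  # Aruba-User-Vlan
    ],
)
# A reply whose role was altered in transit no longer matches the authenticator.
TAMPERED_ACCEPT = SAMPLE_ACCEPT.replace(b"employee", b"admin123")

if __name__ == "__main__":
    print(derive_roles(SAMPLE_ACCEPT, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```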

TACACS Servers

You can now configure a TACACS server as the authentication server to authenticate and authorize all types of management users, and to account user sessions. When configured, the TACACS server allows a remote access server to communicate with an authentication server to determine if the user has access to the network. IAP users can create several TACACS server profiles and associate these profiles with the user accounts to enable authentication of the management users.

TACACS supports the following types of authentication:

- ASCII
- PAP
- CHAP
- ARAP
- MS-CHAP

The TACACS server cannot be attributed to any SSID or wired profile in general as the authentication server and is configured only for the IAP management users.

Dynamic Load Balancing between Two Authentication Servers

You can configure two authentication servers to serve as a primary and backup RADIUS server and enable load balancing between these servers. Load balancing of authentication servers ensures that the authentication load is split across multiple authentication servers and enables the IAPs to perform load balancing of authentication requests destined to authentication servers such as RADIUS or LDAP.

Load balancing in the IAP is performed based on outstanding authentication sessions. If there are no outstanding sessions and the rate of authentication is low, only the primary server is used. The secondary server is used only if there are outstanding authentication sessions on the primary server. With this, load balancing can be performed across RADIUS servers of asymmetric capacity without requiring administrators to supply information about the server capabilities.

Configuring an External Server for Authentication

You can configure RADIUS, TACACS, LDAP, and ClearPass Policy Manager servers through the Instant UI or the CLI.

In the Instant UI

To configure an external authentication server:

1. Navigate to Security > Authentication Servers . The Security window is displayed.

2. To create a new server, click New . A window for specifying details for the new server is displayed.

3. Configure parameters based on the type of server.

- RADIUS—To configure a RADIUS server, specify the attributes described in the following table:

Table 34: RADIUS Server Configuration Parameters

Parameter Description

Name Enter a name for the server.

Enter the host name or the IP address of the external RADIUS server.

Server address

RadSec Set RadSec to Enabled to enable secure communication between the RADIUS server and IAP clients by creating a TLS tunnel between the IAP and the server.

If RadSec is enabled, the following configuration options are displayed: n RadSec port —Communication port number for RadSec TLS connection. By default, the port number is set to 2083.

n n n n

RFC 3576

RFC 5997

NAS IP address

NAS identifier

For more information on RadSec configuration, see

Enabling RADIUS Communication over TLS on page 163

.

Auth port

Accounting port

Shared key

Retype key

Enter the authorization port number of the external RADIUS server within the range of 1–65,535.

The default port number is 1812.

Enter the accounting port number within the range of 1–65,535. This port is used for sending accounting records to the RADIUS server. The default port number is 1813.

Enter a shared key for communicating with the external RADIUS server.

Re-enter the shared key.

159 | Authentication and User Management Aruba Instant 6.5.2.0 | User Guide

Table 34: RADIUS Server Configuration Parameters

Parameter Description

Timeout Specify a timeout value in seconds. The value determines the timeout for one RADIUS request. The

IAP retries to send the request several times (as configured in the Retry count ) before the user gets disconnected. For example, if the Timeout is 5 seconds, Retry counter is 3, user is disconnected after 20 seconds. The default value is 5 seconds.

Retry count

RFC 3576

Specify a number between 1 and 5. Indicates the maximum number of authentication requests that are sent to the server group, and the default value is 3 requests.

Select Enabled to allow the IAPs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server. Disconnect messages cause a user session to be terminated immediately, whereas the CoA messages modify session authorization attributes such as data filters.

RFC 5997

NAS IP address

This helps to detect the server status of the RADIUS server. Every time there is an authentication or accounting request timeout, the IAP will send a status request enquiry to get the actual status of the

RADIUS server before confirming the status of the server to be DOWN.

n

Authentication —Select this checkbox to ensure the IAP sends a status-server request to determine the actual state of the authentication server before marking the server as unavailable.

n Accounting —Select this checkbox to ensure the IAP sends a status-server request to determine the actual state of the accounting server before marking the server as unavailable.

NOTE: You can choose to select either the Authentication or Accounting checkboxes or select both checkboxes to support RFC5997.

Allows you to configure an arbitrary IP address to be used as RADIUS attribute 4, NAS IP Address, without changing source IP Address in the IP header of the RADIUS packet.

NOTE: If you do not enter the IP address, the VC IP address is used by default when Dynamic

RADIUS Proxy is enabled.

NAS

Identifier

Dead Time

Allows you to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.

Specify a dead time for authentication server in minutes.

When two or more authentication servers are configured on the IAP and a server is unavailable, the dead time configuration determines the duration for which the authentication server would be available if the server is marked as unavailable.

Dynamic

RADIUS proxy parameters

Specify the following dynamic RADIUS proxy (DRP) parameters: n

DRP IP—IP address to be used as source IP for RADIUS packets.

n n

DRP Mask—Subnet mask of the DRP IP address.

DRP VLAN—VLAN in which the RADIUS packets are sent.

n DRP Gateway—Gateway IP address of the DRP VLAN.

For more information on dynamic RADIUS proxy parameters and configuration procedure, see

Configuring Dynamic RADIUS Proxy Parameters on page 165 .

Service type: Sets the RADIUS Service-Type attribute (attribute 6) to Framed in requests for the selected authentication methods:
- 802.1X: sends Service-Type = Framed for 802.1X authentication.
- Captive Portal: sends Service-Type = Framed for captive portal authentication.
- MAC: sends Service-Type = Framed for MAC authentication.
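The Status-Server probe behind the RFC 5997 option, the NAS-IP-Address and NAS-Identifier attributes, and the Framed Service-Type, written out as an added Python example. This is illustrative code written for this section, not Aruba Instant code; the shared secret, identifiers and addresses are constructed sample values. The reply checker also shows the part a practitioner tends to forget: a RADIUS client must verify the identifier and the Response Authenticator of every reply before it trusts the answer, including the answer to a liveness probe.

```python
"""RADIUS packet building and reply checking (RFC 2865, RFC 3579, RFC 5997).
Illustrative code added for this section, not Aruba Instant code; all values below
are constructed samples."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_RESPONSE, STATUS_SERVER = 5, 12
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_SERVICE_TYPE = 1, 4, 6
ATTR_NAS_IDENTIFIER, ATTR_MESSAGE_AUTHENTICATOR = 32, 80
SERVICE_TYPE_FRAMED = 2                      # the value the "Service type" option sends


def attr(kind: int, value: bytes) -> bytes:
    """TLV encoding: type byte, total-length byte, then 1..253 value bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", kind, len(value) + 2) + value


def nas_attrs(nas_ip: str, nas_id: str) -> bytes:
    """Attribute 4 carries a raw IPv4 address, attribute 32 an opaque string."""
    return attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)) + attr(ATTR_NAS_IDENTIFIER, nas_id.encode())


def _signed_packet(code: int, ident: int, authenticator: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Append a Message-Authenticator (attribute 80) and fill it with HMAC-MD5 over the
    packet computed while the attribute value is all zeros (RFC 3579 section 3.2)."""
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def build_status_server(secret: bytes, ident: int, nas_ip: str, nas_id: str,
                        authenticator: Optional[bytes] = None) -> bytes:
    """RFC 5997 liveness probe, what the IAP sends after a request times out."""
    return _signed_packet(STATUS_SERVER, ident, authenticator or os.urandom(16),
                          nas_attrs(nas_ip, nas_id), secret)


def build_access_request(secret: bytes, ident: int, user: str, nas_ip: str, nas_id: str,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request tagged with NAS-IP-Address, NAS-Identifier and Service-Type=Framed."""
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
             + nas_attrs(nas_ip, nas_id))
    return _signed_packet(ACCESS_REQUEST, ident, authenticator or os.urandom(16), attrs, secret)


def attributes(pkt: bytes) -> Dict[int, bytes]:
    """Parse the attribute area; a bad length is an error, never silently skipped."""
    out, i = {}, 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        kind, length = pkt[i], pkt[i + 1]
        out[kind] = pkt[i + 2:i + length]
        i += length
    return out


def message_authenticator_ok(pkt: bytes, secret: bytes) -> bool:
    """Server-side check of attribute 80: recompute the HMAC with its value zeroed."""
    i = 20
    while i + 2 <= len(pkt):
        kind, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            return False
        if kind == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[i + 2:i + 18])
        i += length
    return False


def response_is_authentic(request: bytes, response: bytes, secret: bytes) -> bool:
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    The identifier must match the outstanding request and the digest must verify."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def server_is_up(request: bytes, response: bytes, secret: bytes) -> bool:
    """RFC 5997: an authentic Access-Accept/Reject (auth port) or Accounting-Response
    (acct port) answering a Status-Server means the server is alive; nothing else does."""
    return (response_is_authentic(request, response, secret)
            and response[0] in (ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_RESPONSE))


def fake_reply(request: bytes, secret: bytes, code: int = ACCESS_ACCEPT, attrs: bytes = b"") -> bytes:
    """Constructed stand-in for a server reply so the checks above can run offline."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs
```

A reply whose identifier does not match, whose Response Authenticator does not verify under the shared secret, or whose code is not one of the three liveness answers is treated as no answer at all: a forged or stray packet must not keep a dead server marked alive, and a genuine Access-Reject to the probe still proves the server is reachable.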

To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile. You can also add an external RADIUS server by selecting the New option when configuring a WLAN or wired profile. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 96 and Configuring Security Settings for a Wired Profile on page 115.

Aruba Instant 6.5.2.0 | User Guide Authentication and User Management | 160

- LDAP: To configure an LDAP server, select the LDAP option and configure the attributes described in the following table:

Table 35: LDAP Server Configuration Parameters

Name: Enter a name for the server.
IP address: Enter the IP address of the LDAP server.
Auth port: Enter the port number of the LDAP server. The default port number is 389 (plain LDAP; on this port the Admin-DN bind password and the user lookups are not encrypted, so the path between the IAP and the LDAP server must be trusted).
Admin-DN: Enter the distinguished name of an account with read/search privileges across all entries in the LDAP database. The account does not need write privileges, but it must be able to search the database and read the attributes of other users.
Admin password: Enter the password for the Admin-DN account.
Base-DN: Enter the distinguished name of the node that contains the entire user database.
Filter: Specify the filter to apply when searching for a user in the LDAP database. The default filter string is (objectclass=*).
Key Attribute: Specify the attribute to use as the key when searching the LDAP server for a user. For Active Directory, the value is sAMAccountName.
Timeout: Enter a value between 1 and 30 seconds. The default value is 5.
Retry count: Enter a value between 1 and 5. The default value is 3.
Dead Time: Specify a dead time for the authentication server in minutes, within the range 1–1440 minutes. The default dead time interval is 5 minutes. When two or more authentication servers are configured on the IAP and one of them stops responding, the dead time determines how long that server is treated as unavailable before the IAP tries it again.
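The lookup that the Base-DN, Filter and Key Attribute rows describe, as an added Python example (not Instant code). It assumes the IAP searches under Base-DN with the configured Filter AND'ed with an exact match on the key attribute, which is the usual reading of those three fields; the exact filter Instant generates is not documented here. The point it demonstrates is that the identity comes from the client, so it must be escaped per RFC 4515 before it is placed into the filter, otherwise a crafted user name rewrites the query. The unsafe variant is kept beside the safe one for contrast, and the realm-stripping helper is common practice assumed here, not a documented Instant behavior.

```python
"""LDAP user lookup built from Base-DN, Filter and Key Attribute.
Illustrative code added for this section, not Aruba Instant code.  The AND of the
configured filter with <key attribute>=<identity> is an assumption about how the
three fields combine; the escaping rules are RFC 4515 section 3."""
from typing import Dict, List, Union

# RFC 4515: these characters inside an assertion value become backslash + two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it can only ever match literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def filter_is_balanced(ldap_filter: str) -> bool:
    """Structural check: starts and ends with parentheses, every '(' closes, depth never negative."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and ldap_filter.startswith("(") and ldap_filter.endswith(")")


def bare_identity(identity: str) -> str:
    """Assumption (common practice, not documented Instant behavior): strip DOMAIN\\user and
    user@realm decorations before the lookup rather than relaxing the escaping."""
    identity = identity.rsplit("\\", 1)[-1]
    return identity.split("@", 1)[0]


def user_search_filter_unsafe(base_filter: str, key_attribute: str, identity: str) -> str:
    """What NOT to do: the client-supplied identity is spliced in verbatim (kept for contrast)."""
    return f"(&{base_filter}({key_attribute}={identity}))"


def user_search_filter(base_filter: str, key_attribute: str, identity: str) -> str:
    """AND the configured filter with an exact, escaped match on the key attribute."""
    base_filter = base_filter.strip()
    if not filter_is_balanced(base_filter):
        raise ValueError(f"configured filter is not a well-formed RFC 4515 expression: {base_filter!r}")
    if not key_attribute.replace("-", "").isalnum():
        raise ValueError("key attribute must be an attribute description such as sAMAccountName")
    if not identity:
        raise ValueError("empty identity")
    return f"(&{base_filter}({key_attribute}={escape_filter_value(identity)}))"


def user_search(base_dn: str, base_filter: str, key_attribute: str,
                identity: str) -> Dict[str, Union[str, List[str]]]:
    """The search the IAP would hand to the LDAP server, as plain parameters that any
    client library accepts (for example ldap3's Connection.search)."""
    return {
        "base": base_dn,
        "scope": "subtree",          # Base-DN is the node that contains the whole user database
        "filter": user_search_filter(base_filter, key_attribute, bare_identity(identity)),
        "attributes": [key_attribute],
    }
```

With the unsafe builder, an identity of `*)(userAccountControl=*` turns the exact-match clause into two wildcard clauses and the search matches every account; with escaping, the same string can only match a user literally named that way. Validating the configured filter up front also catches an unbalanced Filter string at configuration time instead of as a failed bind at the first login.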

- TACACS: To configure a TACACS+ server, select the TACACS option and configure the following parameters:

Table 36: TACACS Configuration Parameters

Name: Enter a name for the server.
IP address: Enter the IP address of the TACACS+ server.
Auth Port: Enter the TCP port used by the server. The default port number is 49.
Shared Key: Enter a secret key of your choice to authenticate communication between the TACACS+ client and the server.
Retype Key: Re-enter the shared key.
Timeout: Enter a number between 1 and 30 seconds to indicate the timeout period for TACACS+ requests. The default value is 20 seconds.
Retry Count: Enter a number between 1 and 5 to indicate the maximum number of authentication attempts. The default value is 3.
Dead time: Specify a dead time in minutes within the range 1–1440 minutes. The default dead time interval is 5 minutes.
Session authorization: Enables or disables session authorization. When enabled, the optional authorization session is turned on for admin users. By default, session authorization is disabled.

You can also add a TACACS+ server by selecting the New option when configuring authentication parameters for management users. For more information, see Configuring Authentication Parameters for Management Users on page 148.

- CPPM Server for AirGroup CoA: To configure a ClearPass Policy Manager server used for AirGroup CoA (Change of Authorization), select the CoA only check box. The RADIUS server type is selected automatically.

Table 37: ClearPass Policy Manager Server Configuration Parameters for AirGroup CoA

Name: Enter a name for the server.
Server address: Enter the host name or IP address of the server.
AirGroup CoA port: Enter a port number for sending AirGroup CoA on a port different from the standard CoA port. The default value is 5999.
Shared key: Enter the shared key for communicating with the external RADIUS server.
Retype key: Re-enter the shared key.

4. Click OK.

The ClearPass Policy Manager server acts as a RADIUS server and asynchronously provides the AirGroup parameters for the client device, including shared user, role, and location.

In the CLI

To configure a RADIUS server with DRP parameters:

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server <profile-name>)# ip <host>

(Instant AP)(Auth Server <profile-name>)# key <key>

(Instant AP)(Auth Server <profile-name>)# port <port>

(Instant AP)(Auth Server <profile-name>)# acctport <port>

(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>

(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>

(Instant AP)(Auth Server <profile-name>)# timeout <seconds>

(Instant AP)(Auth Server <profile-name>)# retry-count <number>

(Instant AP)(Auth Server <profile-name>)# rfc3576

(Instant AP)(Auth Server <profile-name>)# rfc5997 {auth-only|acct-only}

(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>

(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>

(Instant AP)(Auth Server <profile-name>)# end

(Instant AP)# commit apply

To enable RadSec:

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server "name")# ip <host>

(Instant AP)(Auth Server "name")# radsec [port <port>]

(Instant AP)(Auth Server "name")# rfc3576

(Instant AP)(Auth Server "name")# rfc5997 {auth-only|acct-only}

(Instant AP)(Auth Server "name")# nas-id <id>

(Instant AP)(Auth Server "name")# nas-ip <ip>

(Instant AP)(Auth Server "name")# end

(Instant AP)# commit apply

To configure an LDAP server:

(Instant AP)(config)# wlan ldap-server <profile-name>

(Instant AP)(LDAP Server <profile-name>)# ip <IP-address>

(Instant AP)(LDAP Server <profile-name>)# port <port>

(Instant AP)(LDAP Server <profile-name>)# admin-dn <name>

(Instant AP)(LDAP Server <profile-name>)# admin-password <password>

(Instant AP)(LDAP Server <profile-name>)# base-dn <name>

(Instant AP)(LDAP Server <profile-name>)# filter <filter>

(Instant AP)(LDAP Server <profile-name>)# key-attribute <key>

(Instant AP)(LDAP Server <profile-name>)# timeout <seconds>

(Instant AP)(LDAP Server <profile-name>)# retry-count <number>

(Instant AP)(LDAP Server <profile-name>)# deadtime <minutes>

(Instant AP)(LDAP Server <profile-name>)# end

(Instant AP)# commit apply

To configure a TACACS+ server:

(Instant AP)(config)# wlan tacacs-server <profile-name>

(Instant AP)(TACACS Server <profile-name>)# ip <IP-address>

(Instant AP)(TACACS Server <profile-name>)# port <port>

(Instant AP)(TACACS Server <profile-name>)# key <key>

(Instant AP)(TACACS Server <profile-name>)# timeout <seconds>

(Instant AP)(TACACS Server <profile-name>)# retry-count <number>

(Instant AP)(TACACS Server <profile-name>)# deadtime <minutes>

(Instant AP)(TACACS Server <profile-name>)# end

(Instant AP)# commit apply

To configure a ClearPass Policy Manager server used for AirGroup CoA:

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server <profile-name>)# ip <host>

(Instant AP)(Auth Server <profile-name>)# key <key>

(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-port <port>

(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-only

(Instant AP)(Auth Server <profile-name>)# end

(Instant AP)# commit apply

Enabling RADIUS Communication over TLS

You can configure an IAP to use a Transport Layer Security (TLS) tunnel to secure communication between the IAP and the RADIUS server. Enabling RADIUS communication over TLS raises the level of security for authentication carried across the cloud network: with RadSec, the authentication and accounting data exchanged between the IAP and the RADIUS server in the cloud travels inside the TLS tunnel instead of being protected only by the RADIUS shared secret.

The following configuration conditions apply to RadSec:
- When the TLS tunnel is established, RADIUS packets go through the tunnel, and the server sends CoA requests over this same tunnel.
- By default, TCP port 2083 is assigned for RadSec. Separate ports are not used for authentication, accounting, and dynamic authorization changes.
- Instant supports dynamic CoA (RFC 3576) over RadSec; the RADIUS server uses the existing TLS connection opened by the IAP to send the request.
- TLS authentication between the IAP and the RadSec server is certificate based, so the RadSec certificate must be uploaded to the IAP. For more information on uploading certificates, see Uploading Certificates on page 182.

Configuring RadSec Protocol

You can configure the RadSec protocol using the Instant UI or the CLI.

In the Instant UI

To configure the RadSec protocol in the UI:

1. Navigate to Security > Authentication Servers . The Security window is displayed.

2. To create a new server, click New . A popup window for specifying details for the new server is displayed.

3. Under RADIUS Server, configure the following parameters:

a. Enter the name of the server.

b. Enter the host name or the IP address of the server.

c. Select Enabled to enable RadSec.

d. Ensure that the port defined for RadSec is correct. By default, the port number is set to 2083.

e. To allow the IAPs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server, set RFC 3576 to Enabled . Disconnect messages cause a user session to be terminated immediately, whereas the CoA messages modify session authorization attributes such as data filters.

f. If RFC 3576 is enabled, specify an AirGroup CoA port if required.

g. Enter the NAS IP address.

h. Specify the NAS identifier to configure strings for RADIUS attribute 32 and to send it with RADIUS requests to the RADIUS server.

4. Click OK .

In the CLI

To configure the RadSec protocol:

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server "name")# ip <host>

(Instant AP)(Auth Server "name")# radsec [port <port>]

(Instant AP)(Auth Server "name")# rfc3576

(Instant AP)(Auth Server "name")# nas-id <id>

(Instant AP)(Auth Server "name")# nas-ip <ip>

(Instant AP)(Auth Server "name")# end

(Instant AP)# commit apply

Associate the Server Profile with a Network Profile

You can associate the server profile with a network profile using the Instant UI or the CLI.

In the Instant UI

To associate an authentication server in the Instant UI:

1. Access the WLAN wizard or the Wired Settings window.

- To open the WLAN wizard, select an existing SSID on the Network tab and click edit.
- To open the wired settings window, click More > Wired. In the Wired window, select a profile and click Edit.

You can also associate the authentication servers when creating a new WLAN or wired profile.

2. Click the Security tab and select a splash page profile.

3. Select an authentication type.

4. From the Authentication Server 1 drop-down list, select the server name on which RadSec is enabled.

5. Click Next and then click Finish .

In the CLI

To associate an authentication server to a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# auth-server <server-name>

(Instant AP)(SSID Profile <name>)# end

(Instant AP)# commit apply

To associate an authentication server to a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# auth-server <name>

(Instant AP)(wired ap profile <name>)# end

(Instant AP)# commit apply

Configuring Dynamic RADIUS Proxy Parameters

The RADIUS server can be deployed at different locations and VLANs. In most cases, a centralized RADIUS or local server is used to authenticate users. However, some user networks can use a local RADIUS server for employee authentication and a centralized RADIUS-based captive portal server for guest authentication. To ensure that the RADIUS traffic is routed to the required RADIUS server, the dynamic RADIUS proxy feature must be enabled.

The dynamic RADIUS proxy parameters configuration is not required if RadSec is enabled in the RADIUS server profile.

If the IAP clients need to authenticate to the RADIUS servers through a different IP address and VLAN, ensure that the following steps are completed:

1. Enable dynamic RADIUS proxy.
2. Configure the dynamic RADIUS proxy IP, VLAN, netmask, and gateway for each authentication server.
3. Associate the authentication servers with the SSID or wired profile to which the clients connect.

After completing the configuration steps mentioned above, you can authenticate the SSID users against the configured dynamic RADIUS proxy parameters.

Enabling Dynamic RADIUS Proxy

You can enable RADIUS server support using the Instant UI or the CLI.

In the Instant UI

To enable RADIUS server support:

1. In the Instant main window, click the System link. The System window is displayed.

2. On the General tab of the System window, select the RADIUS check box under Dynamic Proxy.

3. Click OK .


When dynamic RADIUS proxy is enabled, the VC network uses the IP address of the VC for communication with external RADIUS servers. Ensure that the VC IP address is set as the NAS IP when configuring RADIUS server attributes with dynamic RADIUS proxy enabled, and that the RADIUS server has the VC IP address registered as a RADIUS client, since requests now arrive from that address. For more information on configuring RADIUS server attributes, see Configuring an External Server for Authentication on page 159.

In VPN deployments, the tunnel IP received when establishing the VPN connection is used as the NAS IP. In such cases, the VC IP need not be configured on the external RADIUS servers.

In the CLI

To enable the dynamic RADIUS proxy feature:

(Instant AP)(config)# dynamic-radius-proxy

(Instant AP)(config)# end

(Instant AP)# commit apply

Configuring Dynamic RADIUS Proxy Parameters

You can configure DRP parameters for the authentication server by using the Instant UI or the CLI.

In the Instant UI

To configure dynamic RADIUS proxy in the Instant UI:

1. Go to Security > Authentication Servers .

2. To create a new server, click New and configure the required RADIUS server parameters as described in Table 34.

3. Ensure that the following dynamic RADIUS proxy parameters are configured:
- DRP IP: IP address to be used as the source IP for RADIUS packets.
- DRP Mask: Subnet mask of the DRP IP address.
- DRP VLAN: VLAN in which the RADIUS packets are sent.
- DRP Gateway: Gateway IP address of the DRP VLAN.

4. Click OK .

In the CLI

To configure dynamic RADIUS proxy parameters:

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server <profile-name>)# ip <IP-address>

(Instant AP)(Auth Server <profile-name>)# key <key>

(Instant AP)(Auth Server <profile-name>)# port <port>

(Instant AP)(Auth Server <profile-name>)# acctport <port>

(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>

(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>

(Instant AP)(Auth Server <profile-name>)# timeout <seconds>

(Instant AP)(Auth Server <profile-name>)# retry-count <number>

(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>

(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>

(Instant AP)(Auth Server <profile-name>)# end

(Instant AP)# commit apply

Associate Server Profiles to a Network Profile

To associate the authentication server profiles with a network profile:

1. Access the WLAN wizard or the Wired Settings window.

- To open the WLAN wizard, select an existing SSID on the Network tab and click edit.
- To open the wired settings window, click More > Wired. In the Wired window, select a profile and click Edit.

You can also associate the authentication servers when creating a new WLAN or wired profile.

2. Click the Security tab.

3. If you are configuring the authentication server for a WLAN SSID, on the Security tab, move the slider to the Enterprise security level.

4. Ensure that an authentication type is enabled.

5. From the Authentication Server 1 drop-down list, select the server name on which dynamic RADIUS proxy parameters are enabled. You can also create a new server with RADIUS and RADIUS proxy parameters by selecting New .

6. Click Next and then click Finish .

7. To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.

You can also add an external RADIUS server by selecting New for Authentication Server when configuring a WLAN or wired profile. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 96 and Configuring Security Settings for a Wired Profile on page 115.

In the CLI

To associate an authentication server to a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# auth-server <server-name>

(Instant AP)(SSID Profile <name>)# end

(Instant AP)# commit apply

To associate an authentication server to a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# auth-server <name>

(Instant AP)(wired ap profile <name>)# end

(Instant AP)# commit apply

Understanding Encryption Types

Encryption is the process of converting data into a cryptic format or code when it is transmitted on a network. Encryption prevents unauthorized use of the data.

Instant supports the following types of encryption:
- WEP: Wired Equivalent Privacy (WEP) is a legacy encryption method in which all users share the same static key. WEP is cryptographically broken and is not as secure as the other encryption types, such as TKIP.
- TKIP: Temporal Key Integrity Protocol (TKIP) uses the same underlying cipher as WEP (RC4). However, TKIP derives per-packet keys and adds a message integrity check (MIC), which makes it more secure than WEP.
- AES: The Advanced Encryption Standard (AES) encryption algorithm, used in Wi-Fi as AES-CCMP, is the widely supported encryption type for any wireless network that carries confidential data. AES in Wi-Fi leverages 802.1X or PSKs to generate per-station keys for all devices. AES provides a high level of security, comparable to that of IP Security (IPsec) clients.

WEP and TKIP are limited to a WLAN connection speed of 54 Mbps; 802.11n high-throughput rates are available only with AES encryption. Aruba recommends AES encryption. Ensure that all devices that do not support AES are upgraded or replaced with devices that support AES encryption.


WPA and WPA-2

WPA was created based on the draft of 802.11i, which allowed users to create more secure WLANs. WPA-2 encompasses the full implementation of the 802.11i standard and is a superset of the full WPA feature set.

The following table summarizes the differences between the two certifications:

Table 38: WPA and WPA-2 Features

Certification: WPA
  Authentication: PSK; IEEE 802.1X with Extensible Authentication Protocol (EAP)
  Encryption: TKIP with message integrity check (MIC)

Certification: WPA-2
  Authentication: PSK; IEEE 802.1X with EAP
  Encryption: AES-CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code)

WPA and WPA-2 can be further classified as follows:
- Personal: Personal is also called Pre-Shared Key (PSK). In this type, one key is configured on the network and shared with every client, and users must present this key to log in to the network. The key remains the same until authorized personnel change it. You can also configure key change intervals. Because every client holds the same key, the PSK should be long and random, and it should be changed whenever a device is lost or a user leaves.
- Enterprise: Enterprise is more secure than WPA Personal. In this type, every client automatically receives a unique encryption key after securely logging in to the network. This key is automatically updated at regular intervals. WPA uses TKIP and WPA-2 uses the AES algorithm.

Recommended Authentication and Encryption Combinations

The following table summarizes the recommendations for authentication and encryption combinations for Wi-Fi networks.

Table 39: Recommended Authentication and Encryption Combinations

Network Type: Employee
  Authentication: 802.1X
  Encryption: AES

Network Type: Guest Network
  Authentication: Captive portal
  Encryption: None

Network Type: Voice Network or Handheld devices
  Authentication: 802.1X or PSK as supported by the device
  Encryption: AES if possible, TKIP or WEP if necessary (combine with security settings assigned for a user role).

Configuring Authentication Survivability

The authentication survivability feature supports a survivable authentication framework against any remote link failures when working with external authentication servers. When enabled, this feature allows the IAPs to authenticate the previously connected clients against the cached credentials if the connection to the authentication server is temporarily lost.

Instant supports the following EAP standards for authentication survivability:
- EAP-PEAP: The Protected Extensible Authentication Protocol, also known as Protected EAP or PEAP, encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. EAP-PEAP supports the MS-CHAPv2 and GTC inner methods.
- EAP-TLS: EAP-Transport Layer Security (EAP-TLS) is an IETF open standard that uses the Transport Layer Security (TLS) protocol.

When the authentication survivability feature is enabled, the following authentication process is used:

1. The client associates to an IAP and authenticates to the external authentication server. The external authentication server can be either ClearPass Policy Manager (for EAP-PEAP) or RADIUS server (EAP-TLS).

2. Upon successful authentication, the associated IAP caches the authentication credentials of the connected clients for the configured duration. The cache expiry duration for authentication survivability can be set within the range of 1–99 hours, with 24 hours being the default cache timeout duration.

3. If the client roams or tries to reconnect to the IAP and the remote link fails due to the unavailability of the authentication server, the IAP uses the cached credentials in the internal authentication server to authenticate the user. However, if the client tries to reconnect after the cache expiry, the authentication fails.

4. When the authentication server is available again and the client tries to reconnect, the IAP detects the availability of the server and lets the client authenticate to the server. Upon successful authentication, the IAP cache details are refreshed.
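How the timeout, retry count and dead time parameters (Tables 34 to 36) and the survivability cache in the steps above fit together, as an added Python model (not Instant code). The scheduling rules are an assumed reading of the text: a server is marked dead after retry-count unanswered attempts and skipped for its dead time, the next configured server is tried, and the cache is consulted only when no server answers. That the cache stores salted hashes rather than credentials, and that an explicit reject clears a user's cache entry, are also assumptions. The transport and clock are constructed stand-ins for the RADIUS/EAP exchange and real time, so the model runs offline.

```python
"""Server dead time and authentication survivability as one scheduler.
Illustrative model added for this section, not Aruba Instant code; the interaction
of the parameters is an assumed reading of the text, and the transport and clock
are constructed stand-ins for the RADIUS/EAP exchange and real time."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# (server name, user, credential) -> True accept, False reject, None no reply (timeout)
Transport = Callable[[str, str, str], Optional[bool]]


@dataclass
class AuthServer:
    name: str
    retry_count: int = 3        # attempts before the server is treated as unreachable
    deadtime_min: int = 5       # minutes the server is then skipped (Tables 34-36: 1..1440)
    dead_until: float = 0.0     # epoch seconds; 0 means never marked dead

    def is_dead(self, now: float) -> bool:
        return now < self.dead_until


class Authenticator:
    def __init__(self, servers: List[AuthServer], transport: Transport,
                 clock: Callable[[], float], cache_timeout_h: int = 24) -> None:
        if not 1 <= cache_timeout_h <= 99:       # the range the survivability setting allows
            raise ValueError("cache timeout must be 1..99 hours")
        self.servers, self.transport, self.clock = servers, transport, clock
        self.cache_timeout_s = cache_timeout_h * 3600
        self._salt = os.urandom(16)              # cache keeps salted hashes, never credentials
        self._cache: Dict[str, Tuple[bytes, float]] = {}   # user -> (hash, expiry)

    def _digest(self, user: str, credential: str) -> bytes:
        return hashlib.sha256(self._salt + user.encode() + b"\0" + credential.encode()).digest()

    def _ask(self, server: AuthServer, user: str, credential: str) -> Optional[bool]:
        """Up to retry_count attempts; None from all of them means unreachable."""
        for _ in range(server.retry_count):
            answer = self.transport(server.name, user, credential)
            if answer is not None:
                return answer
        return None

    def authenticate(self, user: str, credential: str) -> str:
        now = self.clock()
        for server in self.servers:
            if server.is_dead(now):
                continue                         # skipped until its dead time elapses
            answer = self._ask(server, user, credential)
            if answer is None:
                server.dead_until = now + server.deadtime_min * 60
                continue                         # try the next configured server
            if answer:
                self._cache[user] = (self._digest(user, credential), now + self.cache_timeout_s)
                return f"accept:{server.name}"
            self._cache.pop(user, None)          # assumption: an explicit reject clears the cache
            return f"reject:{server.name}"
        # No server answered: survivability admits a client seen before the outage,
        # with the same credential, while its cache entry has not expired.
        entry = self._cache.get(user)
        if entry and now < entry[1] and hmac.compare_digest(entry[0], self._digest(user, credential)):
            return "accept:cache"
        return "reject:unreachable"


class FakeClock:
    """Constructed clock so time can be moved forward deterministically."""
    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class FakeTransport:
    """Constructed stand-in for the server exchange: any server can be switched off."""
    def __init__(self, *names: str) -> None:
        self.up = {name: True for name in names}
        self.calls: List[str] = []

    def __call__(self, server: str, user: str, credential: str) -> Optional[bool]:
        self.calls.append(server)
        if not self.up[server]:
            return None                          # no reply: this attempt times out
        return credential == "correct-credential"
```

Two consequences of the model are worth checking against a real deployment: a server in its dead time costs nothing per login (it is not probed at all), so a short dead time with a high retry count makes every login during an outage slow, and a user never seen before the outage cannot be admitted from the cache no matter how the timeout is set.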

Enabling Authentication Survivability

You can enable authentication survivability for a wireless network profile through the UI or the CLI.

In the Instant UI

To configure authentication survivability for a wireless network:

1. On the Network tab, click New to create a new network profile or select an existing profile for which you want to enable authentication survivability and click edit .

2. In the Edit <profile-name> or the New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next .

3. On the Security tab, under Enterprise security settings, select an existing authentication server or create a new server by clicking New .

4. To enable authentication survivability, select Enabled from the Authentication survivability drop-down list. On enabling this, the IAP authenticates the previously connected clients using EAP-PEAP and EAP-TLS authentication when connection to the external authentication server is temporarily lost.

5. Specify the cache timeout duration, after which the cached details of the previously authenticated clients expire. You can specify a value within the range of 1–99 hours and the default cache timeout duration is 24 hours.

6. Click Next and then click Finish to apply the changes.

Important Points to Remember
- Any client connected through ClearPass Policy Manager and authenticated by the IAP remains authenticated with the IAP even if the client is removed from the ClearPass Policy Manager server during the ClearPass Policy Manager downtime.
- Do not change the authentication survivability cache timeout duration while the authentication server is down.
- For EAP-PEAP authentication, ensure that ClearPass Policy Manager 6.0.2 or a later version is used for authentication. For EAP-TLS authentication, any external or third-party server can be used.
- For EAP-TLS authentication, ensure that the server and CA certificates from the authentication servers are uploaded on the IAP. For more information, see Uploading Certificates on page 182.

In the CLI

To configure authentication survivability for a wireless network:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}

(Instant AP)(SSID Profile <name>)# auth-server <server-name1>

(Instant AP)(SSID Profile <name>)# auth-survivability

(Instant AP)(SSID Profile <name>)# exit

(Instant AP)(config)# auth-survivability cache-time-out <hours>

(Instant AP)(config)# end

(Instant AP)# commit apply

To view the cache expiry duration:

(Instant AP)# show auth-survivability time-out

To view the information cached by the IAP:

(Instant AP)# show auth-survivability cached-info

To view logs for debugging:

(Instant AP)# show auth-survivability debug-log

Configuring 802.1X Authentication for a Network Profile

This section consists of the following procedures:
- Configuring 802.1X Authentication for Wireless Network Profiles on page 170
- Configuring 802.1X Authentication for Wired Profiles on page 171

The Instant network supports an internal RADIUS server and external RADIUS servers for 802.1X authentication.

The steps involved in 802.1X authentication are as follows:

1. The NAS requests authentication credentials from a wireless client.

2. The wireless client sends authentication credentials to the NAS.

3. The NAS sends these credentials to a RADIUS server.

4. The RADIUS server checks the user identity and authenticates the client if the user details are available in its database. The RADIUS server sends an Access-Accept message to the NAS. If the RADIUS server cannot identify the user, it stops the authentication process and sends an Access-Reject message to the NAS. The NAS forwards this message to the client, and the client must re-authenticate with appropriate credentials.

5. After the client is authenticated, the RADIUS server forwards the keying material (the PMK) to the NAS in the Access-Accept. It is used to derive the keys that encrypt and decrypt traffic sent to and from the client.

The NAS acts as a gateway that guards access to a protected resource. A client connecting to the wireless network first connects to the NAS.

Configuring 802.1X Authentication for Wireless Network Profiles

You can configure 802.1X authentication for a wireless network profile in the Instant UI or the CLI.

In the Instant UI

To enable 802.1X authentication for a wireless network:


1. On the Network tab, click New to create a new network profile or select an existing profile for which you want to enable 802.1X authentication and click edit .

2. In the Edit <profile-name> or the New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next .

3. On the Security tab, specify the following parameters for the Enterprise security level:

a. Select any of the following options from the Key management drop-down list:
- WPA-2 Enterprise
- WPA Enterprise
- Both (WPA-2 & WPA)
- Dynamic WEP with 802.1X

4. If you do not want to use a session key from the RADIUS server to derive pairwise unicast keys, set Session Key for LEAP to Enabled.

5. To terminate the EAP portion of 802.1X authentication on the IAP instead of the RADIUS server, set Termination to Enabled.

By default, for 802.1X authentication, the client conducts an EAP exchange with the RADIUS server, and the IAP acts as a relay for this exchange. When Termination is enabled, the IAP itself acts as the authentication server and terminates the outer layers of the EAP protocol, relaying only the innermost layer to the external RADIUS server. Because the TLS tunnel then ends on the IAP, the clients must trust the IAP's server certificate rather than the RADIUS server's.

6. Specify the type of authentication server to use and configure other required parameters. You can also configure two different authentication servers to function as primary and backup servers when Termination is enabled. For more information on RADIUS authentication configuration parameters, see Configuring an External Server for Authentication on page 159.

7. Click Next to define access rules, and then click Finish to apply the changes.

In the CLI

To configure 802.1X authentication for a wireless network:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>}

(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip|wpa-tkip,wpa2-aes|dynamic-wep}

(Instant AP)(SSID Profile <name>)# leap-use-session-key

(Instant AP)(SSID Profile <name>)# termination

(Instant AP)(SSID Profile <name>)# auth-server <server1>

(Instant AP)(SSID Profile <name>)# auth-server <server2>

(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>

(Instant AP)(SSID Profile <name>)# auth-survivability

(Instant AP)(SSID Profile <name>)# exit

(Instant AP)(config)# auth-survivability cache-time-out <hours>

(Instant AP)(config)# end

(Instant AP)# commit apply

Configuring 802.1X Authentication for Wired Profiles

You can configure 802.1X authentication for a wired profile in the Instant UI or the CLI.

In the Instant UI

To enable 802.1X authentication for a wired profile:

1. Click the Wired link under More in the main window. The Wired window is displayed.

2. Click New under Wired Networks to create a new network or select an existing profile for which you want to enable 802.1X authentication and then click Edit .


3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.

4. On the Security tab, select Enabled from the 802.1X authentication drop-down list.

5. Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see

Configuring Security Settings for a Wired Profile on page 115

.

6. Click Next to define access rules, and then click Finish to apply the changes.

7. Assign the profile to an Ethernet port. For more information, see

Assigning a Profile to Ethernet Ports on page 118 .

In the CLI

To enable 802.1X authentication for a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# type {<employee>|<guest>}

(Instant AP)(wired ap profile <name>)# dot1x

(Instant AP)(wired ap profile <name>)# auth-server <server1>

(Instant AP)(wired ap profile <name>)# auth-server <server2>

(Instant AP)(wired ap profile <name>)# server-load-balancing

(Instant AP)(wired ap profile <name>)# radius-reauth-interval <Minutes>

(Instant AP)(wired ap profile <name>)# end

(Instant AP)# commit apply

Enabling 802.1X Supplicant Support

The 802.1X authentication protocol prevents unauthorized clients from gaining access to the network through publicly accessible ports. If the ports to which the IAPs are connected are configured to use 802.1X authentication, configure the IAPs to function as an 802.1X client, or supplicant. If your network requires all wired devices to authenticate using the PEAP or TLS protocol, configure the IAP uplink ports for 802.1X authentication so that the switch grants access to the IAP only after it completes authentication as a valid client.

To enable the 802.1X supplicant support on an IAP, ensure that the 802.1X authentication parameters are configured on all IAPs in the cluster and are stored securely in the IAP flash.

The 802.1X supplicant support feature is not supported with mesh and Wi-Fi uplink.

Configuring an IAP for 802.1X Supplicant Support

To enable 802.1X supplicant support, configure 802.1X authentication parameters on every IAP using the Instant UI or the CLI.

In the UI

1. To use the PEAP protocol-based 802.1X authentication method, complete the following steps:

a. In the Access Points tab, click the IAP on which you want to set the variables for 802.1X authentication, and then click the edit link.

b. In the Edit Access Point window, click the Uplink tab.

c. Under PEAP user, enter the username, password, and retype the password for confirmation. The IAP username and password are stored in IAP flash. When the IAP boots, the /tmp/ap1xuser and /tmp/ap1xpassword files are created based on these two variables.

The default inner authentication protocol for PEAP is MS-CHAPV2.


2. To upload server certificates for validating the authentication server credentials, complete the following steps:

a. Click Upload New Certificate.

b. Specify the URL from where you want to upload the certificates and select the type of certificate.

3. Click OK.

4. To configure 802.1X authentication on the uplink ports of an IAP, complete the following steps:

a. Go to System > Show advanced options > Uplink.

b. Click AP1X.

c. Select PEAP or TLS as the authentication type.

d. If you want to validate the server credentials using a server certificate, select the Validate Server check box. Ensure that the server certificates for validating server credentials are uploaded to the IAP database.

e. Click OK.

5. Reboot the IAP.

In the CLI

To set username and password variable used by the PEAP protocol-based 802.1X authentication:

(Instant AP)# ap1x-peap-user <ap1xuser> <password>

To set the PEAP 802.1X authentication type:

(Instant AP)(config)# ap1x peap [validate-server]

(Instant AP)(config)# end

(Instant AP)# commit apply

To set the TLS 802.1X authentication type:

(Instant AP)(config)# ap1x tls <tpm|user> [validate-server]

(Instant AP)(config)# end

(Instant AP)# commit apply

To upload user or CA certificates for PEAP or TLS authentication:

(Instant AP)# copy tftp <addr> <file> ap1x {ca|cert <password>} format pem

To download user or server certificates from a TFTP, FTP, or web server:

(Instant AP)# download ap1x <url> format pem [psk <psk>]

(Instant AP)# download ap1xca <url> format pem

To view the certificate details:

(Instant AP)# show ap1xcert

To verify the configuration, use any of the following commands:

(Instant AP)# show ap1x config

(Instant AP)# show ap1x debug-logs

(Instant AP)# show ap1x status

Configuring MAC Authentication for a Network Profile

MAC authentication can be used alone or combined with other forms of authentication, such as WEP authentication. However, it is recommended that you do not use MAC-based authentication.

This section describes the following procedures:

- Configuring MAC Authentication for Wireless Network Profiles on page 173

- Configuring MAC Authentication for Wired Profiles on page 174

Configuring MAC Authentication for Wireless Network Profiles

You can configure MAC authentication for a wireless network profile in the Instant UI or the CLI.


In the Instant UI

To enable MAC Authentication for a wireless network:

1. On the Network tab, click New to create a new network profile or select an existing profile for which you want to enable MAC authentication, and click edit.

2. In the Edit <profile-name> or the New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.

3. On the Security tab, select Enabled from the MAC authentication drop-down list for the Personal or the Open security level.

4. Specify the type of authentication server to use.

5. If an internal authentication server is used, perform the following steps to allow MAC-address-based authentication:

a. Click the Users link beside the Internal server parameter. The Users window is displayed.

b. Specify the client MAC address as the username and password.

c. Specify the type of the user (employee or guest).

d. Click Add.

e. Repeat the steps to add more users.

f. Click OK.

6. To allow the IAP to use a delimiter in the MAC authentication request, specify a character (for example, colon or dash) as the delimiter for the MAC address string. For example, if you specify colon as the delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If no delimiter is specified, MAC addresses in the xxxxxxxxxxxx format are used.

7. To allow the IAP to use uppercase letters in the MAC address string, set Uppercase support to Enabled.

8. Configure other parameters as required.

9. Click Next to define access rules, and then click Finish to apply the changes.

In the CLI

To configure MAC-address-based authentication with an external server:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}

(Instant AP)(SSID Profile <name>)# mac-authentication

(Instant AP)(SSID Profile <name>)# mac-authentication-delimiter <delim>

(Instant AP)(SSID Profile <name>)# mac-authentication-upper-case

(Instant AP)(SSID Profile <name>)# external-server

(Instant AP)(SSID Profile <name>)# auth-server <server-name1>

(Instant AP)(SSID Profile <name>)# auth-server <server-name2>

(Instant AP)(SSID Profile <name>)# server-load-balancing

(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>

(Instant AP)(SSID Profile <name>)# end

(Instant AP)# commit apply

To add users for MAC authentication with the internal authentication server:

(Instant AP)(config)# user <username> [<password>] [portal|radius]

(Instant AP)(config)# end

(Instant AP)# commit apply
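The delimiter and uppercase settings above determine the exact string the IAP presents as the MAC-authentication username and password, so the entry held by the authentication server (or the internal user list) must be stored in the same form, or every request for that client fails. The following Python is an added example, not part of the Aruba Instant software: it reproduces those formatting rules and audits a constructed list of stored usernames for entries that can never match.

```python
"""Reproduce the IAP's MAC-authentication username format and audit stored entries.

Added example (not Aruba code). Formatting rules taken from the procedure above:
  - the delimiter is a single character placed between octet pairs;
  - no delimiter gives the 12 bare hex digits (xxxxxxxxxxxx);
  - digits are lowercase unless "Uppercase support" is enabled.
"""
import re

# Canonical form of a 48-bit MAC address: exactly 12 lowercase hex digits.
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac: str) -> str:
    """Strip any separators (':', '-', '.', spaces) and return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def format_mac_for_auth(mac: str, delimiter: str = "", upper_case: bool = False) -> str:
    """Render a MAC the way the IAP sends it as username (and password).

    delimiter  -> value of "mac-authentication-delimiter" ("" when unset)
    upper_case -> True when "mac-authentication-upper-case" is configured
    """
    if len(delimiter) > 1 or (delimiter and delimiter in "0123456789abcdefABCDEF"):
        raise ValueError("delimiter must be empty or a single non-hex character")
    digits = normalize_mac(mac)
    rendered = delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))
    return rendered.upper() if upper_case else rendered


def audit_user_entries(stored_usernames, delimiter: str = "", upper_case: bool = False):
    """Find stored MAC usernames that will never match what the IAP sends.

    Usernames that are not MAC addresses (ordinary user accounts) are skipped.
    Returns a list of (stored, expected) pairs; an empty list means every
    MAC entry already uses the IAP's delimiter and case settings.
    """
    mismatches = []
    for stored in stored_usernames:
        try:
            expected = format_mac_for_auth(stored, delimiter, upper_case)
        except ValueError:
            continue  # a regular username, not a MAC entry
        if stored != expected:
            mismatches.append((stored, expected))
    return mismatches


if __name__ == "__main__":
    # Constructed user list: one entry stored with colons and uppercase, one
    # already in the bare lowercase form, one ordinary user account.
    stored = ["00:1C:B3:09:85:15", "001cb3098515", "jdoe"]
    # IAP configured with no delimiter and no uppercase support.
    for bad, good in audit_user_entries(stored):
        print(f"entry {bad!r} will not match; the IAP sends {good!r}")
```

Run the audit with the same delimiter and uppercase values as the SSID profile; any pair it returns is a client whose MAC authentication will fail regardless of server availability.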

Configuring MAC Authentication for Wired Profiles

You can configure MAC authentication for a wired profile in the Instant UI or the CLI.


In the Instant UI

To enable MAC authentication for a wired profile:

1. Click the Wired link under More in the main window. The Wired window is displayed.

2. Click New under Wired Networks to create a new network or select an existing profile for which you want to enable MAC authentication, and then click Edit.

3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.

4. On the Security tab, select Enabled from the MAC authentication drop-down list.

5. Specify the type of authentication server to use.

6. If an internal authentication server is used, perform the following steps to allow MAC-address-based authentication:

a. Click the Users link beside Internal server. The Users window is displayed.

b. Specify the client MAC address as the username and password.

c. Specify the type of the user (employee or guest).

d. Click Add.

e. Repeat the steps to add more users.

f. Click OK.

7. Configure other parameters as required.

8. Click Next to define access rules, and then click Finish to apply the changes.

In the CLI

To configure MAC-address-based authentication with an external server:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# type {<employee>|<guest>}

(Instant AP)(wired ap profile <name>)# mac-authentication

(Instant AP)(wired ap profile <name>)# auth-server <server-1>

(Instant AP)(wired ap profile <name>)# auth-server <server-2>

(Instant AP)(wired ap profile <name>)# server-load-balancing

(Instant AP)(wired ap profile <name>)# radius-reauth-interval <Minutes>

(Instant AP)(wired ap profile <name>)# end

(Instant AP)# commit apply

To add users for MAC authentication with the internal authentication server:

(Instant AP)(config)# user <username> [<password>] [portal|radius]

(Instant AP)(config)# end

(Instant AP)# commit apply

Configuring MAC Authentication with 802.1X Authentication

This section describes the following procedures:

- Configuring MAC and 802.1X Authentications for Wireless Network Profiles on page 175

- Configuring MAC and 802.1X Authentications for Wired Profiles on page 176

Configuring MAC and 802.1X Authentications for Wireless Network Profiles

You can configure MAC authentication with 802.1X authentication for a wireless network profile using the Instant UI or the CLI.


In the Instant UI

To configure both MAC and 802.1X authentications for a wireless network:

1. On the Network tab, click New to create a new network profile or select an existing profile for which you want to enable MAC and 802.1X authentications, and click edit.

2. In the Edit <profile-name> or the New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.

3. On the Security tab, ensure that the required parameters for MAC authentication and 802.1X authentication are configured.

4. Select the Perform MAC authentication before 802.1X check box to use 802.1X authentication only when the MAC authentication is successful.

5. Select the MAC authentication fail-thru check box to use 802.1X authentication even when the MAC authentication fails.

6. Click Next and then click Finish to apply the changes.

In the CLI

To configure both MAC and 802.1X authentications for a wireless network:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}

(Instant AP)(SSID Profile <name>)# mac-authentication

(Instant AP)(SSID Profile <name>)# l2-auth-failthrough

(Instant AP)(SSID Profile <name>)# auth-server <server-name1>

(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>

(Instant AP)(SSID Profile <name>)# auth-survivability

(Instant AP)(SSID Profile <name>)# exit

(Instant AP)(config)# auth-survivability cache-time-out <hours>

(Instant AP)(config)# end

(Instant AP)# commit apply

Configuring MAC and 802.1X Authentications for Wired Profiles

You can configure MAC and 802.1X authentications for a wired profile in the Instant UI or the CLI.

In the Instant UI

To enable MAC and 802.1X authentications for a wired profile:

1. Click the Wired link under More in the main window. The Wired window is displayed.

2. Click New under Wired Networks to create a new network or select an existing profile for which you want to enable MAC and 802.1X authentications, and then click Edit.

3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.

4. On the Security tab, perform the following steps:

- Select Enabled from the MAC authentication drop-down list.

- Select Enabled from the 802.1X authentication drop-down list.

- Select Enabled from the MAC authentication fail-thru drop-down list.

5. Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see Configuring Security Settings for a Wired Profile on page 115.

6. Click Next to define access rules, and then click Finish to apply the changes.


In the CLI

To enable MAC and 802.1X authentications for a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile "<name>")# type {<employee>|<guest>}

(Instant AP)(wired ap profile "<name>")# mac-authentication

(Instant AP)(wired ap profile "<name>")# dot1x

(Instant AP)(wired ap profile "<name>")# l2-auth-failthrough

(Instant AP)(wired ap profile "<name>")# auth-server <name>

(Instant AP)(wired ap profile "<name>")# server-load-balancing

(Instant AP)(wired ap profile "<name>")# radius-reauth-interval <Minutes>

(Instant AP)(wired ap profile "<name>")# end

(Instant AP)# commit apply

Configuring MAC Authentication with Captive Portal Authentication

The following configuration conditions apply to the MAC + captive portal authentication method:

- If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC authentication reuses the server configurations.

- If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and MAC authentication is enabled, a server configuration page is displayed.

You can configure MAC authentication with captive portal authentication for a network profile using the Instant UI or the CLI.

In the Instant UI

1. Select an existing wireless or wired profile for which you want to enable MAC with captive portal authentication. Depending on the network profile selected, the Edit <WLAN-Profile> or the Edit Wired Network window is displayed.

To enable MAC authentication with captive portal authentication on a new WLAN SSID or wired profile, click the Security tab on the New WLAN window or the New Wired Network window.

2. On the Security tab, specify the following parameters:

a. Select Enabled from the MAC authentication drop-down list to enable MAC authentication for captive portal users. If the MAC authentication fails, the captive portal authentication role is assigned to the client.

b. To enforce MAC authentication, click the Access tab and select the Enforce MAC auth only role check box.

3. Click Next and then click Finish to apply the changes.

In the CLI

To configure MAC authentication with captive portal authentication for a wireless profile:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# type <guest>

(Instant AP)(SSID Profile <name>)# mac-authentication

(Instant AP)(SSID Profile <name>)# captive-portal {<type> [exclude-uplink <types>]|external [Profile <name>] [exclude-uplink <types>]}

(Instant AP)(SSID Profile <name>)# set-role-mac-auth <mac-only>

(Instant AP)(SSID Profile <name>)# end

(Instant AP)# commit apply


To configure MAC authentication with captive portal authentication for a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# type <guest>

(Instant AP)(wired ap profile <name>)# mac-authentication

(Instant AP)(wired ap profile <name>)# captive-portal <type>

(Instant AP)(wired ap profile <name>)# captive-portal {<type> [exclude-uplink <types>]|external [Profile <name>] [exclude-uplink <types>]}

(Instant AP)(wired ap profile <name>)# set-role-mac-auth <mac-only>

(Instant AP)(wired ap profile <name>)# end

(Instant AP)# commit apply

Configuring WISPr Authentication

Instant supports the following smart clients:

- iPass

- Boingo

These smart clients enable client authentication and roaming between hotspots by embedding iPass Generic Interface Specification (GIS) redirect, authentication, and logoff messages within HTML messages that are sent to the IAP.

Wireless Internet Service Provider roaming (WISPr) authentication is supported only for the Internal-Authenticated and External-RADIUS Server captive portal authentication types. Select the Internal-Authenticated or the External-RADIUS Server option from the Splash page type drop-down list to configure WISPr authentication for a WLAN profile.

You can configure WISPr authentication using the Instant UI or the CLI.

In the Instant UI

1. Click the System link located directly above the Search bar in the Instant main window. The System window is displayed.

2. Click Show advanced options.

3. Click the WISPr tab. The WISPr tab contents are displayed. The following figure shows the WISPr tab contents:

Figure 37 Configuring WISPr Authentication

4. Enter the ISO Country Code for the WISPr Location ID in the ISO country code text box.

5. Enter the E.164 Area Code for the WISPr Location ID in the E.164 area code text box.

6. Enter the operator name of the hotspot in the Operator name text box.

7. Enter the E.164 Country Code for the WISPr Location ID in the E.164 country code text box.

8. Enter the SSID/Zone section for the WISPr Location ID in the SSID/Zone text box.

9. Enter the name of the Hotspot location in the Location name text box. If no name is defined, the name of the IAP to which the user is associated is used.

10. Click OK to apply the changes.


The WISPr RADIUS attributes and configuration parameters are specific to the RADIUS server used by your ISP for the WISPr authentication. Contact your ISP to determine these values. You can find a list of ISO and ITU country and area codes at the ISO and ITU websites (www.iso.org and http://www.itu.int).

A Boingo smart client uses a NAS identifier in the <CarrierID>_<VenueID> format for location identification. To support Boingo clients, ensure that you configure the NAS identifier parameter in the RADIUS server profile for the WISPr server.

In the CLI

(Instant AP)(config)# wlan wispr-profile

(Instant AP)(WISPr)# wispr-location-id-ac

(Instant AP)(WISPr)# wispr-location-id-cc

(Instant AP)(WISPr)# wispr-location-id-isocc

(Instant AP)(WISPr)# wispr-location-id-network

(Instant AP)(WISPr)# wispr-location-name-location

(Instant AP)(WISPr)# wispr-location-name-operator-name

(Instant AP)(WISPr)# end

(Instant AP)# commit apply

Blacklisting Clients

Client blacklisting denies network access to blacklisted clients. When a client is blacklisted, it is not allowed to associate with any IAP in the network. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force the client to disconnect.

This section describes the following procedures:

- Blacklisting Clients Manually on page 179

- Blacklisting Users Dynamically on page 180

Blacklisting Clients Manually

Manual blacklisting adds the MAC address of a client to a permanent blacklist. These blacklisted clients are not allowed to connect to the network until they are removed from the blacklist.

Adding a Client to the Blacklist

You can add a client to the blacklist manually using the Instant UI or the CLI.

In the Instant UI

1. Click the Security link located directly above the Search bar in the Instant main window.

2. Click the Blacklisting tab.

3. Under Manual Blacklisting, click New.

4. Enter the MAC address of the client to be blacklisted in the MAC address to add text box.

For the blacklisting to take effect on the MAC address, you must enable blacklisting in the SSID profile. For more information, see Blacklisting on page 100.

5. Click OK. The Blacklisted Since tab displays the time at which the current blacklisting started for the client.

6. To delete a client from the manual blacklist, select the MAC address of the client under Manual Blacklisting, and then click Delete.


In the CLI

To blacklist a client:

(Instant AP)(config)# blacklist-client <MAC-Address>

(Instant AP)(config)# end

(Instant AP)# commit apply

To enable blacklisting in the SSID profile:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# blacklisting

(Instant AP)(SSID Profile <name>)# end

(Instant AP)# commit apply

To view the blacklisted clients:

(Instant AP)# show blacklist-client

Blacklisted Clients
-------------------
MAC                Reason        Timestamp  Remaining time(sec)  AP name
---                ------        ---------  -------------------  -------
00:1c:b3:09:85:15  user-defined  17:21:29   Permanent            -
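When the blacklist is monitored from a script rather than read by eye, the table above can be parsed by taking the column boundaries from its dashed underline, which is more robust than splitting on whitespace because the "Remaining time(sec)" heading contains a space. The following Python is an added example, not Aruba code: it parses the show blacklist-client table (the page's entry plus one constructed dynamic entry) and separates permanent entries from those that will expire.

```python
"""Parse "show blacklist-client" output into records (added example, not Aruba code).

Column positions are derived from the dashed underline beneath the header, so
headings containing spaces ("Remaining time(sec)", "AP name") stay intact.
"""
import re

# Constructed sample: first row is the entry shown on this page, the second is
# a made-up dynamically blacklisted client whose remaining time counts down.
SAMPLE_OUTPUT = """\
Blacklisted Clients
-------------------
MAC                Reason        Timestamp  Remaining time(sec)  AP name
---                ------        ---------  -------------------  -------
00:1c:b3:09:85:15  user-defined  17:21:29   Permanent            -
02:00:00:00:00:01  constructed   17:25:03   42                   IAP-305
"""

# A column underline is two or more dash runs separated by whitespace; the
# single run under the table title ("-------------------") does not qualify.
_RULE = re.compile(r"^-+(?:\s+-+)+\s*$")


def _column_spans(rule_line: str):
    """Each column runs from the start of its dash run to the start of the next."""
    starts = [m.start() for m in re.finditer(r"-+", rule_line)]
    return list(zip(starts, starts[1:] + [None]))


def parse_blacklist_table(output: str):
    """Return one dict per blacklisted client, keyed by the column headings."""
    lines = output.splitlines()
    rows = []
    for i, line in enumerate(lines):
        if i == 0 or not _RULE.match(line):
            continue
        spans = _column_spans(line)
        names = [lines[i - 1][a:b].strip() for a, b in spans]  # heading row
        for data in lines[i + 1:]:
            if not data.strip() or _RULE.match(data):
                break  # end of this table
            rows.append({n: data[a:b].strip() for n, (a, b) in zip(names, spans)})
    return rows


def classify(rows):
    """Split entries into permanent (manual) MACs and timed (dynamic) ones.

    Manual entries stay until an administrator deletes them; dynamic entries
    are released when "Remaining time(sec)" reaches zero.
    """
    permanent, timed = [], []
    for row in rows:
        remaining = row["Remaining time(sec)"]
        if remaining == "Permanent":
            permanent.append(row["MAC"])
        elif remaining.isdigit():
            timed.append((row["MAC"], int(remaining)))
    return permanent, timed


if __name__ == "__main__":
    permanent, timed = classify(parse_blacklist_table(SAMPLE_OUTPUT))
    print("permanent:", permanent)
    print("expiring :", timed)
```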

Blacklisting Users Dynamically

The clients can be blacklisted dynamically when they exceed the authentication failure threshold or when a blacklisting rule is triggered as part of the authentication process.

Authentication Failure Blacklisting

When a client repeatedly fails to authenticate and exceeds the configured failure threshold, it is automatically blacklisted by the IAP.

Session Firewall-Based Blacklisting

In session firewall-based blacklisting, an ACL rule is used to enable the option for dynamic blacklisting. When the ACL rule is triggered, it sends out blacklist information and the client is blacklisted.

Configuring Blacklist Duration

You can set the blacklist duration using the Instant UI or the CLI.

In the Instant UI

To set a blacklist duration:

1. Click the Security link located directly above the Search bar in the Instant main window.

2. Click the Blacklisting tab.

3. Under Dynamic Blacklisting:

4. For Auth failure blacklist time, enter the duration in seconds for which clients that exceed the authentication failure threshold are blacklisted.

5. For PEF rule blacklisted time, enter the duration in seconds for which clients are blacklisted after an ACL rule trigger.

You can configure the maximum number of authentication failures after which a client is blacklisted. For more information on configuring maximum authentication failure attempts, see Configuring Security Settings for a WLAN SSID Profile on page 96.

To enable session-firewall-based blacklisting, click New, navigate to the WLAN Settings > VLAN > Security > Access window, and enable the Blacklist option of the corresponding ACL rule.


In the CLI

To dynamically blacklist clients:

(Instant AP)(config)# auth-failure-blacklist-time <seconds>

(Instant AP)(config)# blacklist-time <seconds>

(Instant AP)(config)# end

(Instant AP)# commit apply

To enable blacklisting in the SSID profile:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# blacklisting

(Instant AP)(SSID Profile <name>)# end

(Instant AP)# commit apply

To view the blacklisting configuration and the blacklisted clients:

(Instant AP)# show blacklist-client config
Blacklist Time :60
Auth Failure Blacklist Time :60
Manually Blacklisted Clients
----------------------------
MAC  Time
------
Dynamically Blacklisted Clients
-------------------------------
MAC  Reason  Timestamp  Remaining time(sec)  AP IP
--------------------------------------
Dyn Blacklist Count :0


Uploading Certificates

A certificate is a digital file that certifies the identity of an organization or its products. It is also used to establish your credentials for web transactions. It contains the organization name, a serial number, an expiration date, a copy of the certificate holder's public key, and the digital signature of the certificate-issuing authority, so that a recipient can verify that the certificate is genuine.

Instant supports the following certificate files:

- Authentication server (PEM format)

- Captive portal server (PEM format)—Customized certificate for internal captive portal server

- CA certificate (PEM or DER format)

- RadSec certificate (PEM or DER format)

- WebUI certificate (PEM format)

This section describes the following procedures:

- Loading Certificates Through Instant UI on page 182

- Loading Certificates Through Instant CLI on page 183

- Removing Certificates on page 183

- Loading Certificates Through AirWave on page 183

Loading Certificates Through Instant UI

To load a certificate in the Instant UI:

1. Click the Maintenance link located directly above the Search bar in the Instant main window.

2. Click the Certificates tab. The Certificates tab contents are displayed.

3. To upload a certificate, click Upload New Certificate. The New Certificate window is displayed.

4. Browse and select the file to upload.

5. Select any of the following types of certificates from the Certificate type drop-down list:

- CA—CA certificate to validate the identity of the client.

- Auth Server—The authentication server certificate to verify the identity of the server to the client.

- Captive portal server—Captive portal server certificate to verify the identity of the internal captive portal server to the client.

- RadSec—The RadSec server certificate to verify the identity of the server to the client.

- RadSec CA—The RadSec CA certificate for mutual authentication between the IAP clients and the TLS server.

- WebUI—Customized certificate for WebUI management.

6. Select the certificate format from the Certificate format drop-down list.

7. If you have selected Auth Server, Captive portal server, Web UI, or RadSec as the type of certificate, enter a passphrase in Passphrase and retype the passphrase. If the certificate does not include a passphrase, no passphrase is required.

8. Click Browse and select the appropriate certificate file, and click Upload Certificate. The Certificate Successfully Installed message is displayed.


The IAP database can have only one authentication server certificate and one captive portal server certificate at any point in time.

When a Captive Portal server certificate is uploaded using the Instant UI, the default management certificate on the UI is also replaced by the Captive portal server certificate.

Loading Certificates Through Instant CLI

To upload a CA, server, web UI, or captive portal certificate:

(Instant AP)# copy tftp <ip-address> <filename> {cpserver cert <password> format {p12|pem}|radsec {ca|cert <password>} format pem|system {1xca format {der|pem}|1xcert <password> format pem}|uiserver cert <password> format pem}

To download RadSec certificates:

(Instant AP)# download-cert radsec ftp://192.0.2.7 format pem [psk <psk>]

(Instant AP)# download-cert radsecca ftp://192.0.2.7 format pem

Removing Certificates

To clear a certificate:

(Instant AP)# clear-cert {ca|cp|radsec|radsecca|server}

Loading Certificates Through AirWave

You can manage certificates using AirWave. The AMP directly provisions the certificates and performs basic certificate verification (such as certificate type, format, version, serial number, and so on) before accepting the certificate and uploading to an IAP network. The AMP packages the text of the certificate into an HTTPS message and sends it to the VC. After the VC receives this message, it draws the certificate content from the message, converts it to the right format, and saves it on the RADIUS server.

To load a certificate in AirWave:

1. Navigate to Device Setup > Certificate and then click Add to add a new certificate. The Certificate window is displayed.

2. Enter the certificate Name, and click Choose File to browse and upload the certificate.

Figure 38 Loading Certificate through AirWave

3. Select the appropriate Format that matches the certificate filename.


- Select Server Cert for certificate Type, and provide the passphrase if you want to upload a server certificate.

- Select either Intermediate CA or Trusted CA for certificate Type if you want to upload a CA certificate.

Figure 39 Server Certificate

4. After you upload the certificate, navigate to Groups, click the Instant Group, and then select Basic. The Group name is displayed only if you have entered the Organization name in the Instant UI. For more information, see Configuring Organization String on page 313.

Figure 40 Selecting the Group

The Virtual Controller Certificate section displays the certificates (CA cert and Server).

5. Click Save to apply the changes only to AirWave. Click Save and Apply to apply the changes to the IAP.

6. To clear the certificate options, click Revert.
