Authentication and User Management. Aruba Instant 6.5.2.0, RAP-155, IAP-207, RAP-108, IAP-305, Instant
Chapter 13
Authentication and User Management
This chapter provides the following information:
- Managing IAP Users on page 146
- Supported Authentication Methods on page 151
- Supported EAP Authentication Frameworks on page 152
- Configuring Authentication Servers on page 153
- Understanding Encryption Types on page 167
- Configuring Authentication Survivability on page 168
- Configuring 802.1X Authentication for a Network Profile on page 170
- Enabling 802.1X Supplicant Support on page 172
- Configuring MAC Authentication for a Network Profile on page 173
- Configuring MAC Authentication with 802.1X Authentication on page 175
- Configuring MAC Authentication with Captive Portal Authentication on page 177
- Configuring WISPr Authentication on page 178
- Blacklisting Clients on page 179
- Uploading Certificates on page 182
Managing IAP Users
The IAP users can be classified as follows:
- Administrator—An admin user who creates SSIDs, wired profiles, and DHCP server configuration parameters, and manages the local user database. The admin users can access the VC Management UI.
- Guest administrator—A guest interface management user who manages guest users added in the local user database.
- Administrator with read-only access—The read-only admin user does not have access to the Instant CLI. The Instant UI is displayed in read-only mode for these users.
- Employee users—Employees who use the enterprise network for official tasks.
- Guest users—Visiting users who temporarily use the enterprise network to access the Internet.
The user access privileges are determined by the IAP management settings in the AirWave Management client and Aruba Central, and by the type of the user. The following table outlines the access privileges defined for the admin user, guest management interface admin, and read-only users.

Table 32: User Privileges

User Category | Aruba Central or AMP in Management Mode | IAP in Monitor Mode or without AMP or Aruba Central
administrator | Access to local user database only | Complete access to the IAP
read-only administrator | No write privileges | No write privileges
guest administrator | Access to local user database only | Access to local user database only
Aruba Instant 6.5.2.0 | User Guide Authentication and User Management | 146
Configuring IAP Users
The Instant user database consists of a list of guest and employee users. The addition of a user involves specifying the login credentials for a user. The login credentials for these users are provided outside the Instant system.
A guest user can be a visitor who is temporarily using the enterprise network to access the Internet. However, if you do not want to allow access to the internal network and the Intranet, you can segregate the guest traffic from the enterprise traffic by creating a guest WLAN and specifying the required authentication, encryption, and access rules.
An employee user is an employee who uses the enterprise network for official tasks. You can create Employee WLANs, specify the required authentication, encryption, and access rules, and allow the employees to use the enterprise network.
The user database is also used when an IAP is configured as an internal RADIUS server.
The local user database of IAPs can support up to 512 user entries.
In the Instant UI
To configure users:
1. Click the Security link located directly above the Search bar in the Instant main window.
2. Click Users for Internal Server. The following figure shows the contents of the Users for Internal Server tab.
Figure 35 Adding a User
3. Enter the user name in the Username text box.
4. Enter the password in the Password text box and reconfirm.
5. Select the type of network from the Type drop-down list.
6. Click Add and click OK.
The users are listed in the Users list.
Edit or Delete User Settings
1. To edit user settings:
   a. Select the user you want to modify from the Users list in the table.
   b. Click Edit to modify user settings.
   c. Click OK.
2. To delete a user:
   a. Select the user you want to delete from the Users list in the table.
   b. Click Delete.
   c. Click OK.
3. To delete all or multiple users at a time:
   a. Select the users you want to delete from the Users list in the table.
   b. Click Delete All.
   c. Click OK.
Deleting a user only removes the user record from the user database, and will not disconnect the online user associated with the user name.
In the CLI
To configure an employee user:
(Instant AP)(config)# user <username> <password> radius
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure a guest user:
(Instant AP)(config)# user <username> <password> portal
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring Authentication Parameters for Management Users
You can configure RADIUS or Terminal Access Controller Access Control System (TACACS) authentication servers to authenticate and authorize the management users of an IAP. The authentication servers determine whether the user has access to the administrative interface. The privilege level for different types of management users is defined on the RADIUS or TACACS server instead of the IAP. The IAPs map the management users to the corresponding privilege level and grant access based on the attributes returned by the RADIUS or TACACS server.
You can configure authentication parameters for local admin, read-only, and guest management administrator account settings through the Instant UI or the CLI.
In the Instant UI
1. Navigate to System > Admin . The Admin tab details are displayed.
2. Configure the authentication options for each type of management user as described in the following table.

Table 33: Authentication Parameters for Management Users

Local administrator
  Internal: Select Internal if you want to specify a single set of user credentials. If using an internal authentication server:
    1. Specify the Username and Password.
    2. Retype the password to confirm.
  Authentication server: Select the RADIUS or TACACS authentication servers. You can also create a new server by selecting New from the Authentication server drop-down list.
    - Authentication server w/ fallback to internal: Select this option if you want to use both internal and external servers. When enabled, the authentication switches to Internal if there is no response from the RADIUS server (RADIUS server timeout). To use this option, select the authentication servers and configure the user credentials for internal-server-based authentication.
    - Load balancing: If two servers are configured, users can use them in the primary or backup mode, or in load balancing mode. To enable load balancing, select Enabled from the Load balancing drop-down list. For more information on load balancing, see Dynamic Load Balancing between Two Authentication Servers on page 158.
    - TACACS accounting: If a TACACS server is selected, enable TACACS accounting to report management commands if required.
Administrator with Read-Only Access
  Internal: Select Internal to specify a single set of user credentials. If using an internal authentication server:
    1. Specify the Username and Password.
    2. Retype the password to confirm.
  Authentication server: If a RADIUS or TACACS server is configured, select Authentication server for authentication.
Guest
  Internal: Select Internal to specify a single set of user credentials. If using an internal authentication server:
    1. Specify the Username and Password.
    2. Retype the password to confirm.
  Authentication server: If a RADIUS or TACACS server is configured, select Authentication server for authentication.

3. Click OK.
In the CLI
To configure a local admin user:
(Instant AP)(config)# mgmt-user <username> [password]
To configure guest management administrator credentials:
(Instant AP)(config)# mgmt-user <username> [password] guest-mgmt
To configure a user with read-only privilege:
(Instant AP)(config)# mgmt-user <username> [password] read-only
To configure management authentication settings:
(Instant AP)(config)# mgmt-auth-server <server1>
(Instant AP)(config)# mgmt-auth-server <server2>
(Instant AP)(config)# mgmt-auth-server-load-balancing
(Instant AP)(config)# mgmt-auth-server-local-backup
To enable TACACS accounting:
(Instant AP)(config)# mgmt-accounting command all
Adding Guest Users through the Guest Management Interface
To add guest users through the Guest Management interface:
1. Log in to the Instant UI with the guest management interface administrator credentials. The guest management interface is displayed.
Figure 36 Guest Management Interface
2. To add a user, click New . The New Guest User popup window is displayed.
3. Specify a Username and Password .
4. Retype the password to confirm.
5. Click OK .
Supported Authentication Methods
Authentication is the process of identifying a user through a valid username and password or based on the user's MAC address. The following authentication methods are supported in Instant:
- 802.1X Authentication
- MAC Authentication
- MAC Authentication with 802.1X Authentication
- Captive Portal Authentication
- MAC Authentication with Captive Portal Authentication
- 802.1X Authentication with Captive Portal Role
- WISPr Authentication
802.1X Authentication
802.1X is an IEEE standard that provides an authentication framework for WLANs. The 802.1X standard uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1X framework include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS). These protocols allow the network to authenticate the client while also allowing the client to authenticate the network. For more information on the EAP authentication frameworks supported by the IAPs, see Supported EAP Authentication Frameworks on page 152.
The 802.1X authentication method allows an IAP to authenticate the identity of a user before providing network access to the user. The Remote Authentication Dial In User Service (RADIUS) protocol provides centralized authentication, authorization, and accounting management. For authentication purpose, the wireless client can associate to a network access server (NAS) or RADIUS client such as a wireless IAP. The wireless client can pass data traffic only after a successful 802.1X authentication.
For more information on configuring an IAP to use 802.1X authentication, see Configuring 802.1X Authentication for a Network Profile on page 170.
MAC Authentication
MAC authentication is used for authenticating devices based on their physical MAC addresses. MAC authentication requires that the MAC address of a machine matches a manually defined list of addresses. This authentication method is not recommended for scalable networks or for networks that require stringent security settings. For more information on configuring an IAP to use MAC authentication, see Configuring MAC Authentication for a Network Profile on page 173.
MAC Authentication with 802.1X Authentication
This authentication method has the following features:
- MAC authentication precedes 802.1X authentication—The administrators can enable MAC authentication for 802.1X authentication. MAC authentication shares all the authentication server configurations with 802.1X authentication. If a wireless or wired client connects to the network, MAC authentication is performed first. If MAC authentication fails, 802.1X authentication does not trigger. If MAC authentication is successful, 802.1X authentication is attempted. If 802.1X authentication is successful, the client is assigned an 802.1X authentication role. If 802.1X authentication fails, the client is assigned a deny-all role or mac-auth-only role.
- MAC authentication only role—Allows you to create a mac-auth-only role to allow role-based access rules when MAC authentication is enabled for 802.1X authentication. The mac-auth-only role is assigned to a client when the MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication is successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients.
- L2 authentication fall-through—Allows you to enable the l2-authentication-fallthrough mode. When this option is enabled, the 802.1X authentication is allowed even if the MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed. The l2-authentication-fallthrough mode is disabled by default.
For more information on configuring an IAP to use MAC as well as 802.1X authentication, see Configuring MAC Authentication with 802.1X Authentication on page 175.
Captive Portal Authentication
Captive portal authentication is used for authenticating guest users. For more information on captive portal authentication, see Captive Portal for Guest Access on page 122.
MAC Authentication with Captive Portal Authentication
You can enforce MAC authentication for captive portal clients. For more information on configuring an IAP to use MAC authentication with captive portal authentication, see Configuring MAC Authentication with Captive Portal Authentication on page 177.
802.1X Authentication with Captive Portal Role
This authentication mechanism allows you to configure different captive portal settings for clients on the same SSID. For example, you can configure an 802.1X SSID and create a role for captive portal access, so that some of the clients using the SSID derive the captive portal role. You can configure rules to indicate access to an external or internal captive portal, or none. For more information on configuring captive portal roles for an SSID with 802.1X authentication, see Configuring Captive Portal Roles for an SSID on page 141.
WISPr Authentication
Wireless Internet Service Provider roaming (WISPr) authentication allows smart clients to authenticate on the network when they roam between wireless Internet service providers, even if the wireless hotspot uses an Internet Service Provider (ISP) with whom the client may not have an account.
If a hotspot is configured to use WISPr authentication in a specific ISP and a client attempts to access the Internet at that hotspot, the WISPr AAA server configured for the ISP authenticates the client directly and allows the client to access the network. If the client only has an account with a partner ISP, the WISPr AAA server forwards the client's credentials to the partner ISP's WISPr AAA server for authentication. When the client is authenticated on the partner ISP, it is also authenticated on the hotspot's own ISP as per their service agreements. The IAP assigns the default WISPr user role to the client when the client's ISP sends an authentication message to the IAP. For more information on WISPr authentication, see Configuring WISPr Authentication on page 178.
Supported EAP Authentication Frameworks
The following EAP authentication frameworks are supported in the Instant network:
- EAP-TLS—The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server. EAP-TLS requires both server and certification authority (CA) certificates installed on the IAP. The client certificate is verified on the VC (the client certificate must be signed by a known CA) before the username is verified on the authentication server.
- EAP-TTLS (MS-CHAPv2)—The Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords.
- EAP-PEAP (MS-CHAPv2)—EAP-PEAP is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with the server. The PEAP authentication creates an encrypted SSL/TLS tunnel between the client and the authentication server. The exchange of information is encrypted inside the tunnel, ensuring the user credentials are kept secure.
- LEAP—Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys for authentication between the client and authentication server.
To use the IAP’s internal database for user authentication, add the usernames and passwords of the users to be authenticated.
Aruba does not recommend the use of LEAP authentication, because it does not provide any resistance to network attacks.
Authentication Termination on IAP
IAPs support EAP termination for enterprise WLAN SSIDs. EAP termination can reduce the number of packets exchanged between the IAP and the authentication servers. Instant allows Extensible Authentication Protocol (EAP) termination for Protected Extensible Authentication Protocol-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAPv2). PEAP-GTC termination allows authorization against a Lightweight Directory Access Protocol (LDAP) server and an external RADIUS server, while PEAP-MS-CHAPv2 allows authorization against an external RADIUS server.
This allows the users to run PEAP-GTC termination with their username and password to a local Microsoft Active Directory (MAD) server with LDAP authentication.
- EAP-Generic Token Card (GTC)—This EAP method permits the transfer of unencrypted usernames and passwords from the client to the server. The main uses for EAP-GTC are procuring one-time token cards such as SecureID and using LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the IAP to an external authentication server for user data backup.
- EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2)—This EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.
Configuring Authentication Servers
This section describes the following procedures:
- Configuring an External Server for Authentication on page 159
- Enabling RADIUS Communication over TLS on page 163
- Configuring Dynamic RADIUS Proxy Parameters on page 165
Supported Authentication Servers
Based on the security requirements, you can configure internal or external authentication servers. This section describes the types of servers that can be configured for client authentication:
- Internal RADIUS Server on page 154
- External RADIUS Server on page 154
- Dynamic Load Balancing between Two Authentication Servers on page 158
Starting from the Instant 6.4.0.2-4.1 release, you can configure a TACACS+ server for authenticating management users. For more information on management users and TACACS+ server-based authentication, see Configuring Authentication Parameters for Management Users.
Internal RADIUS Server
Each IAP has an instance of a free RADIUS server operating locally. When you enable the internal RADIUS server option for the network, the client on the IAP sends a RADIUS packet to the local IP address. The internal RADIUS server listens and replies to the RADIUS packet. Instant serves as a RADIUS server for 802.1X authentication. However, the internal RADIUS server can also be configured as a backup RADIUS server for an external RADIUS server.
External RADIUS Server
In the external RADIUS server, the IP address of the VC is configured as the NAS IP address. Instant RADIUS is implemented on the VC, which eliminates the need to configure multiple NAS clients for every IAP on the RADIUS server for client authentication. Instant RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server. The RADIUS server responds to the authentication request with an Access-Accept or Access-Reject message, and the clients are allowed or denied access to the network depending on the response from the RADIUS server. When you enable an external RADIUS server for the network, the client on the IAP sends a RADIUS packet to the local IP address. The external RADIUS server then responds to the RADIUS packet.
Instant supports the following external authentication servers:
- RADIUS
- LDAP
- ClearPass Policy Manager Server for AirGroup CoA
To use an LDAP server for user authentication, configure the LDAP server on the VC, and configure user IDs and passwords. To use a RADIUS server for user authentication, configure the RADIUS server on the VC.
RADIUS Server Authentication with VSA
An external RADIUS server authenticates network users and returns to the IAP the vendor-specific attribute (VSA) that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA.
Instant supports the following VSAs for user role and VLAN derivation rules:
- AP-Group
- AP-Name
- ARAP-Features
- ARAP-Security
- ARAP-Security-Data
- ARAP-Zone-Access
- Acct-Authentic
- Acct-Delay-Time
- Acct-Input-Gigawords
- Acct-Input-Octets
- Acct-Input-Packets
- Acct-Interim-Interval
- Acct-Link-Count
- Acct-Multi-Session-Id
- Acct-Output-Gigawords
- Acct-Output-Octets
- Acct-Output-Packets
- Acct-Session-Id
- Acct-Session-Time
- Acct-Status-Type
- Acct-Terminate-Cause
- Acct-Tunnel-Packets-Lost
- Add-Port-To-IP-Address
- Aruba-AP-Group
- Aruba-AP-IP-Address
- Aruba-AS-Credential-Hash
- Aruba-AS-User-Name
- Aruba-Admin-Path
- Aruba-Admin-Role
- Aruba-AirGroup-Device-Type
- Aruba-AirGroup-Shared-Group
- Aruba-AirGroup-Shared-Role
- Aruba-AirGroup-Shared-User
- Aruba-AirGroup-User-Name
- Aruba-AirGroup-Version
- Aruba-Auth-SurvMethod
- Aruba-Auth-Survivability
- Aruba-CPPM-Role
- Aruba-Calea-Server-Ip
- Aruba-Device-Type
- Aruba-Essid-Name
- Aruba-Framed-IPv6-Address
- Aruba-Location-Id
- Aruba-Mdps-Device-Iccid
- Aruba-Mdps-Device-Imei
- Aruba-Mdps-Device-Name
- Aruba-Mdps-Device-Product
- Aruba-Mdps-Device-Profile
- Aruba-Mdps-Device-Serial
- Aruba-Mdps-Device-Udid
- Aruba-Mdps-Device-Version
- Aruba-Mdps-Max-Devices
- Aruba-Mdps-Provisioning-Settings
- Aruba-Named-User-Vlan
- Aruba-Network-SSO-Token
- Aruba-No-DHCP-Fingerprint
- Aruba-Port-Bounce-Host
- Aruba-Port-Id
- Aruba-Priv-Admin-User
- Aruba-Template-User
- Aruba-User-Group
- Aruba-User-Role
- Aruba-User-Vlan
- Aruba-WorkSpace-App-Name
- Authentication-Sub-Type
- Authentication-Type
- CHAP-Challenge
- Callback-Id
- Callback-Number
- Chargeable-User-Identity
- Class
- Connect-Info
- Connect-Rate
- Crypt-Password
- DB-Entry-State
- Digest-Response
- Domain-Name
- EAP-Message
- Error-Cause
- Event-Timestamp
- Exec-Program
- Exec-Program-Wait
- Expiration
- Fall-Through
- Filter-Id
- Framed-AppleTalk-Link
- Framed-AppleTalk-Network
- Framed-AppleTalk-Zone
- Framed-Compression
- Framed-IP-Address
- Framed-IP-Netmask
- Framed-IPX-Network
- Framed-IPv6-Pool
- Framed-IPv6-Prefix
- Framed-IPv6-Route
- Framed-Interface-Id
- Framed-MTU
- Framed-Protocol
- Framed-Route
- Framed-Routing
- Full-Name
- Group
- Group-Name
- Hint
- Huntgroup-Name
- Idle-Timeout
- Location-Capable
- Location-Data
- Location-Information
- Login-IP-Host
- Login-IPv6-Host
- Login-LAT-Node
- Login-LAT-Port
- Login-LAT-Service
- Login-Service
- Login-TCP-Port
- Menu
- Message-Auth
- NAS-IPv6-Address
- NAS-Port-Type
- Operator-Name
- Password
- Password-Retry
- Port-Limit
- Prefix
- Prompt
- Rad-Authenticator
- Rad-Code
- Rad-Id
- Rad-Length
- Reply-Message
- Requested-Location-Info
- Revoke-Text
- Server-Group
- Server-Name
- Service-Type
- Session-Timeout
- Simultaneous-Use
- State
- Strip-User-Name
- Suffix
- Termination-Action
- Termination-Menu
- Tunnel-Assignment-Id
- Tunnel-Client-Auth-Id
- Tunnel-Client-Endpoint
- Tunnel-Connection-Id
- Tunnel-Medium-Type
- Tunnel-Preference
- Tunnel-Private-Group-Id
- Tunnel-Server-Auth-Id
- Tunnel-Server-Endpoint
- Tunnel-Type
- User-Category
- User-Name
- User-Vlan
- Vendor-Specific
- fw_mode
- dhcp-option
- dot1x-authentication-type
- mac-address
- mac-address-and-dhcp-options
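What the IAP, as the RADIUS client, has to do with such an Access-Accept before honouring the role it carries, shown as an added Python example that is not code from this guide or from Aruba: check the Response Authenticator against the configured shared key (RFC 2865), and only then pull the Aruba VSAs out of the Vendor-Specific attribute. It assumes Aruba's IANA enterprise number 14823 and the vendor type codes 1 (Aruba-User-Role) and 4 (Aruba-Admin-Role) as published in the FreeRADIUS dictionary.aruba; the shared key, request authenticator, user name and role values are constructed.

```python
"""Verify a RADIUS Access-Accept and extract the Aruba role VSAs (added example)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ARUBA_VENDOR_ID = 14823  # Aruba Networks IANA enterprise number (FreeRADIUS dictionary.aruba)
# Vendor type codes of the two role VSAs named on this page (assumed from dictionary.aruba).
ARUBA_VSA_NAMES = {1: "Aruba-User-Role", 4: "Aruba-Admin-Role"}


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type | Length | Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def aruba_vsa(vendor_type: int, value: bytes) -> bytes:
    """Encode an Aruba VSA: attribute 26 wrapping Vendor-Id plus an inner type/length/value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + inner)


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Build a response as the server would; the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the Response Authenticator was computed with our shared key
    over exactly these bytes; any change to the attributes or a wrong key fails."""
    if len(packet) < 20:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(data: bytes):
    """Yield (type, value) pairs, refusing lengths that would run past the buffer."""
    pos = 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def extract_aruba_vsas(packet: bytes) -> dict:
    """Map known Aruba VSA names to their string values; other vendors are ignored."""
    found = {}
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        for vendor_type, vendor_value in parse_attributes(value[4:]):
            name = ARUBA_VSA_NAMES.get(vendor_type)
            if name:
                found[name] = vendor_value.decode("utf-8", "replace")
    return found


def derive_role(packet: bytes, request_auth: bytes, secret: bytes):
    """The role the NAS may apply, or None unless this is an authentic Access-Accept."""
    if not verify_response(packet, request_auth, secret):
        return None
    if packet[0] != ACCESS_ACCEPT:
        return None
    return extract_aruba_vsas(packet).get("Aruba-User-Role")


def demo():
    """Constructed sample: an accept for 'alice' carrying Aruba-User-Role 'employee'."""
    secret = b"constructed-shared-key"  # stands in for the Shared key of Table 34
    request_auth = bytes(range(16))      # the Request Authenticator the NAS sent
    attrs = (attribute(ATTR_USER_NAME, b"alice")
             + aruba_vsa(1, b"employee")
             + aruba_vsa(4, b"read-only"))
    packet = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    genuine = derive_role(packet, request_auth, secret)
    # Same length, different role text: the authenticator no longer matches, so no role.
    altered = packet.replace(b"employee", b"sysadmin")
    return genuine, derive_role(altered, request_auth, secret), extract_aruba_vsas(packet)


if __name__ == "__main__":
    print(demo())
```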
TACACS Servers
You can now configure a TACACS server as the authentication server to authenticate and authorize all types of management users, and to account user sessions. When configured, the TACACS server allows a remote access server to communicate with an authentication server to determine if the user has access to the network. The IAP users can create several TACACS server profiles and associate these profiles to the user accounts to enable authentication of the management users.
TACACS supports the following types of authentication:
- ASCII
- PAP
- CHAP
- ARAP
- MS-CHAP
The TACACS server cannot be assigned to any SSID or wired profile as the authentication server; it is configured only for the IAP management users.
Dynamic Load Balancing between Two Authentication Servers
You can configure two authentication servers to serve as a primary and backup RADIUS server and enable load balancing between these servers. Load balancing of authentication servers ensures that the authentication load is split across multiple authentication servers and enables the IAPs to perform load balancing of authentication requests destined to authentication servers such as RADIUS or LDAP.
The load balancing in IAP is performed based on outstanding authentication sessions. If there are no outstanding sessions and the rate of authentication is low, only the primary server is used. The secondary server is used only if there are outstanding authentication sessions on the primary server. With this, load balancing can be performed across RADIUS servers of asymmetric capacity without the need to obtain inputs about the server capabilities from the administrators.
Configuring an External Server for Authentication
You can configure RADIUS, TACACS, LDAP, and ClearPass Policy Manager servers through the Instant UI or the CLI.
In the Instant UI
To configure an external authentication server:
1. Navigate to Security > Authentication Servers . The Security window is displayed.
2. To create a new server, click New . A window for specifying details for the new server is displayed.
3. Configure parameters based on the type of server.
- RADIUS: To configure a RADIUS server, specify the attributes described in the following table:

Table 34: RADIUS Server Configuration Parameters

Name: Enter a name for the server.
Server address: Enter the host name or the IP address of the external RADIUS server.
RadSec: Set RadSec to Enabled to enable secure communication between the RADIUS server and IAP clients by creating a TLS tunnel between the IAP and the server. If RadSec is enabled, the following configuration options are displayed:
  - RadSec port: Communication port number for the RadSec TLS connection. By default, the port number is set to 2083.
  For more information on RadSec configuration, see Enabling RADIUS Communication over TLS on page 163.
Auth port: Enter the authorization port number of the external RADIUS server within the range of 1–65,535. The default port number is 1812.
Accounting port: Enter the accounting port number within the range of 1–65,535. This port is used for sending accounting records to the RADIUS server. The default port number is 1813.
Shared key: Enter a shared key for communicating with the external RADIUS server.
Retype key: Re-enter the shared key.
Timeout: Specify a timeout value in seconds. The value determines the timeout for one RADIUS request. The IAP retries sending the request several times (as configured in the Retry count) before the user gets disconnected. For example, if the Timeout is 5 seconds and the Retry count is 3, the user is disconnected after 20 seconds. The default value is 5 seconds.
Retry count: Specify a number between 1 and 5. Indicates the maximum number of authentication requests that are sent to the server group; the default value is 3 requests.
RFC 3576: Select Enabled to allow the IAPs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.
RFC 5997: This helps to detect the status of the RADIUS server. Every time there is an authentication or accounting request timeout, the IAP sends a status request enquiry to get the actual status of the RADIUS server before confirming the status of the server to be DOWN.
  - Authentication: Select this checkbox to ensure the IAP sends a status-server request to determine the actual state of the authentication server before marking the server as unavailable.
  - Accounting: Select this checkbox to ensure the IAP sends a status-server request to determine the actual state of the accounting server before marking the server as unavailable.
  NOTE: You can select either the Authentication or the Accounting checkbox, or both, to support RFC 5997.
NAS IP address: Allows you to configure an arbitrary IP address to be used as RADIUS attribute 4, NAS IP Address, without changing the source IP address in the IP header of the RADIUS packet. NOTE: If you do not enter the IP address, the VC IP address is used by default when Dynamic RADIUS Proxy is enabled.
NAS Identifier: Allows you to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.
Dead Time: Specify a dead time for the authentication server in minutes. When two or more authentication servers are configured on the IAP and a server is unavailable, the dead time configuration determines the duration for which the authentication server would be available if the server is marked as unavailable.
Dynamic RADIUS proxy parameters: Specify the following dynamic RADIUS proxy (DRP) parameters:
  - DRP IP: IP address to be used as the source IP for RADIUS packets.
  - DRP Mask: Subnet mask of the DRP IP address.
  - DRP VLAN: VLAN in which the RADIUS packets are sent.
  - DRP Gateway: Gateway IP address of the DRP VLAN.
  For more information on dynamic RADIUS proxy parameters and the configuration procedure, see Configuring Dynamic RADIUS Proxy Parameters on page 165.
Service type: Sets the service type value to frame for the following authentication methods:
  - 802.1X: Changes the service type to frame for 802.1X authentication.
  - Captive Portal: Changes the service type to frame for Captive Portal authentication.
  - MAC: Changes the service type to frame for MAC authentication.
To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.
You can also add an external RADIUS server by selecting the New option when configuring a WLAN or wired profile. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 96 and Configuring Security Settings for a Wired Profile on page 115.
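The table above describes the NAS IP address and NAS Identifier fields as RADIUS attributes 4 and 32, and the Service type option as a Service-Type value. The following encoder, added here as an illustration and not Aruba code, builds an RFC 2865 Access-Request so the attributes can be seen on the wire: attribute 4 is just a value inside the packet, which is why it can differ from the source IP the datagram actually leaves from (the DRP IP), and the User-Password is hidden only with MD5 keyed by the shared secret, which is the weakness RadSec addresses. The secret, usernames, addresses and identifier in the code are constructed sample values.

```python
"""RADIUS Access-Request encoder/decoder (RFC 2865) showing attributes 4 and 32.

Added illustration, not Aruba code: sample secret/user/NAS values are constructed.
"""
import hashlib
import secrets
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4      # the "NAS IP address" field in the server profile
ATTR_SERVICE_TYPE = 6
ATTR_NAS_IDENTIFIER = 32     # the "NAS Identifier" field in the server profile
SERVICE_TYPE_FRAMED = 2      # what the "Service type" option sets


def attr(code, value):
    """Encode one RFC 2865 attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", code, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret || previous block), seeded with the 16-byte Request Authenticator."""
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def recover_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password: anyone holding the shared secret can do this."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(secret, username, password, nas_ip, nas_id,
                         ident=None, authenticator=None):
    """Build a PAP Access-Request. nas_ip is written into attribute 4 regardless of
    which interface (or DRP source address) the UDP datagram is sent from."""
    authenticator = authenticator or secrets.token_bytes(16)
    ident = secrets.randbelow(256) if ident is None else ident
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(ATTR_NAS_IDENTIFIER, nas_id.encode())
             + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Decode the attribute list a server would see; rejects inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    pos, attrs = 20, {}
    while pos < length:
        acode, alen = packet[pos], packet[pos + 1]
        if alen < 3 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[acode] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


if __name__ == "__main__":
    pkt = build_access_request(b"s3cret", "alice", "pw", "192.0.2.10", "iap-cluster-1")
    print({code: value.hex() for code, value in parse_attributes(pkt).items()})
```

A server that keys its client definitions on the packet source address will see the DRP IP (or VC IP), while policies that match on NAS-IP-Address see whatever was configured in the profile; the two are independent, so check both when a request is rejected as "unknown client". Because the only secret in the exchange is the shared key, use a long random key per server and, where the path crosses an untrusted network, carry the same packets inside RadSec (RFC 6614), where TLS provides the confidentiality and mutual authentication.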
Aruba Instant 6.5.2.0 | User Guide Authentication and User Management | 160
- LDAP: To configure an LDAP server, select the LDAP option and configure the attributes described in the following table:
Table 35: LDAP Server Configuration Parameters
Name: Enter a name for the server.
IP address: Enter the IP address of the LDAP server.
Auth port: Enter the port on which the LDAP server accepts bind (authentication) requests. The default port number is 389, the unencrypted LDAP port.
Admin-DN: Enter the distinguished name of the admin user with read/search privileges across all entries in the LDAP database (the user need not have write privileges, but must be able to search the database and read the attributes of other users in it).
Admin password: Enter the password for the admin user.
Base-DN: Enter the distinguished name of the node that contains the entire user database.
Filter: Specify the filter to apply when searching for a user in the LDAP database. The default filter string is (objectclass=*).
Key Attribute: Specify the attribute to use as the key when searching the LDAP server for the user. For Active Directory, the value is sAMAccountName.
Timeout: Enter a value between 1 and 30 seconds. The default value is 5.
Retry count: Enter a value between 1 and 5. The default value is 3.
Dead Time: Specify a dead time for the authentication server in minutes, within the range of 1–1440 minutes. The default dead time interval is 5 minutes. When two or more authentication servers are configured on the IAP and a server becomes unreachable, the dead time is how long the IAP keeps that server marked as unavailable, sending requests to the remaining servers, before trying it again.
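The Filter and Key Attribute fields above are combined into an LDAP search for the user who is authenticating. How Instant itself composes the two is not stated on this page; the following added example (not Aruba code) assumes the common form, an AND of the base filter with a key-attribute match, and shows why the user-supplied name must be escaped per RFC 4515 before it is placed in the filter: without escaping, a login name such as `*)(objectclass=*` rewrites the query. The function names and the sample usernames are constructed for the illustration.

```python
"""Composing the LDAP user-search filter from the profile's Filter and Key Attribute.

Added illustration, not Aruba code. Assumption: the search is
(&<base filter>(<key attribute>=<username>)).
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only match a literal attribute value, never filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter_unsafe(key_attribute, username, base_filter="(objectclass=*)"):
    """Naive concatenation (the vulnerable form): the username can rewrite the filter."""
    return f"(&{base_filter}({key_attribute}={username}))"


def user_search_filter(key_attribute, username, base_filter="(objectclass=*)"):
    """Hardened form: non-empty username, escaped value, parenthesised base filter."""
    if not username:
        raise ValueError("empty username")
    if not (base_filter.startswith("(") and base_filter.endswith(")")):
        raise ValueError("base filter must be a parenthesised LDAP filter")
    return f"(&{base_filter}({key_attribute}={escape_filter_value(username)}))"


def wildcard_assertions(filter_str):
    """Count assertions whose value is a bare '*' (match-anything); an unescaped
    injected name typically produces at least one. Used to check a composed filter."""
    return filter_str.count("=*)")


if __name__ == "__main__":
    injected = "*)(objectclass=*"
    print(user_search_filter_unsafe("sAMAccountName", injected))
    print(user_search_filter("sAMAccountName", injected))
```

The base filter `(objectclass=*)` already matches every entry, so the key-attribute assertion is the only thing that narrows the search to one user; if it can be turned into `(sAMAccountName=*)`, the first entry returned decides whose password is checked. Restricting the base filter to the user object class (for example `(objectclass=user)` on Active Directory) and using a read-only Admin-DN, as the table recommends, limit what a malformed name can reach.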
- TACACS: To configure a TACACS+ server, select the TACACS option and configure the following parameters:
Table 36: TACACS Configuration Parameters
Name: Enter a name for the server.
IP address: Enter the IP address of the TACACS+ server.
Auth Port: Enter the TCP port used by the server. The default port number is 49.
Shared Key: Enter a secret key of your choice to authenticate communication between the TACACS+ client and the server.
Retype Key: Re-enter the shared key.
Timeout: Enter a number between 1 and 30 seconds to indicate the timeout period for TACACS+ requests. The default value is 20 seconds.
Retry Count: Enter a number between 1 and 5 to indicate the maximum number of attempts per request. The default value is 3.
Dead time: Specify a dead time in minutes within the range of 1–1440 minutes. The default dead time interval is 5 minutes.
Session authorization: Enables or disables session authorization. When enabled, TACACS+ authorization is also performed for management (admin) users after they authenticate. By default, session authorization is disabled.
You can also add a TACACS+ server by selecting the New option when configuring authentication parameters for management users. For more information, see Configuring Authentication Parameters for Management Users on page 148.
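Timeout, Retry count and Dead time appear with the same meaning in the RADIUS, LDAP and TACACS+ tables above, and they interact: a server that is down but not yet marked dead costs every client retry count times timeout before the IAP moves to the next server, and once marked dead it is skipped, even if it has recovered, until the dead time elapses. The simulation below is an added illustration (not Aruba code; the order in which the IAP really walks its server list is not stated on the page and is assumed here to be the configured order, Authentication Server 1 then 2). The server names and the fake transport are constructed.

```python
"""Failover semantics of timeout, retry count and dead time across a server list.

Added illustration, not Aruba code. Assumption: servers are tried in configured
order, a server is marked dead after retry_count consecutive timeouts and is skipped
for dead_time_min minutes.
"""
from dataclasses import dataclass


@dataclass
class AuthServer:
    name: str
    timeout_s: float = 5.0     # per-attempt timeout; 1..30 seconds on the page
    retry_count: int = 3       # attempts per request; 1..5 on the page
    dead_time_min: int = 5     # minutes a failed server is skipped; 1..1440 on the page
    dead_until: float = 0.0    # epoch seconds until which the server is skipped (0 = live)

    def __post_init__(self):
        if not (1 <= self.timeout_s <= 30 and 1 <= self.retry_count <= 5
                and 1 <= self.dead_time_min <= 1440):
            raise ValueError("timeout 1..30 s, retry count 1..5, dead time 1..1440 min")

    def is_dead(self, now):
        return now < self.dead_until

    def worst_case_stall_s(self):
        """Time one client waits on this server before failover while it is down
        but not yet marked dead: every attempt has to time out first."""
        return self.timeout_s * self.retry_count


class ServerGroup:
    """Servers are tried in configured order (Authentication Server 1, then 2)."""

    def __init__(self, servers, transport):
        # transport(server, request, timeout_s) returns a response, or None on timeout.
        self.servers = list(servers)
        self.transport = transport

    def authenticate(self, request, now):
        """Returns (server_name, response) on success, (None, reason) otherwise."""
        tried_any = False
        for srv in self.servers:
            if srv.is_dead(now):
                continue                      # inside its dead time: not even tried
            tried_any = True
            for _ in range(srv.retry_count):
                resp = self.transport(srv, request, srv.timeout_s)
                if resp is not None:
                    srv.dead_until = 0.0      # a reply clears any earlier dead mark
                    return srv.name, resp
            # retry_count timeouts in a row: mark dead for dead_time minutes
            srv.dead_until = now + srv.dead_time_min * 60
        reason = "no server responded" if tried_any else "all servers marked dead"
        return None, reason


if __name__ == "__main__":
    down = {"radius-primary"}

    def fake_send(srv, request, timeout_s):        # constructed stand-in for UDP I/O
        return None if srv.name in down else "Access-Accept via " + srv.name

    group = ServerGroup([AuthServer("radius-primary"), AuthServer("radius-backup")], fake_send)
    print(group.authenticate("alice", now=1000))   # backup answers, primary marked dead
    down.clear()
    print(group.authenticate("bob", now=1060))     # primary still skipped (dead time)
    print(group.authenticate("carol", now=1301))   # dead time over, primary used again
```

With the defaults (5 s timeout, 3 retries) the first client to hit a dead primary waits 15 s before the backup is tried; a short dead time keeps that stall from repeating for every client, while a very long one hides a recovered primary. With a single server configured, dead time has no one to fail over to and only determines how long all authentications are refused without being attempted.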
- CPPM Server for AirGroup CoA: To configure a ClearPass Policy Manager server used for AirGroup CoA (Change of Authorization), select the CoA only check box. The RADIUS server type is selected automatically.
Table 37: ClearPass Policy Manager Server Configuration Parameters for AirGroup CoA
Name: Enter a name for the server.
Server address: Enter the host name or IP address of the server.
AirGroup CoA port: Enter a port number for sending AirGroup CoA on a port different from the standard CoA port. The default value is 5999.
Shared key: Enter a shared key for communicating with the external RADIUS server.
Retype key: Re-enter the shared key.
4. Click OK.
The ClearPass Policy Manager server acts as a RADIUS server and asynchronously provides the AirGroup parameters for the client device, including shared user, role, and location.
In the CLI
To configure a RADIUS server with DRP parameters:
(Instant AP)(config)# wlan auth-server <profile-name>
(Instant AP)(Auth Server <profile-name>)# ip <host>
(Instant AP)(Auth Server <profile-name>)# key <key>
(Instant AP)(Auth Server <profile-name>)# port <port>
(Instant AP)(Auth Server <profile-name>)# acctport <port>
(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>
(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>
(Instant AP)(Auth Server <profile-name>)# timeout <seconds>
(Instant AP)(Auth Server <profile-name>)# retry-count <number>
(Instant AP)(Auth Server <profile-name>)# rfc3576
(Instant AP)(Auth Server <profile-name>)# rfc5997 {auth-only|acct-only}
(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>
(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>
(Instant AP)(Auth Server <profile-name>)# end
(Instant AP)# commit apply
To enable RadSec:
(Instant AP)(config)# wlan auth-server <profile-name>
(Instant AP)(Auth Server "name")# ip <host>
(Instant AP)(Auth Server "name")# radsec [port <port>]
(Instant AP)(Auth Server "name")# rfc3576
(Instant AP)(Auth Server "name")# rfc5997 {auth-only|acct-only}
(Instant AP)(Auth Server "name")# nas-id <id>
(Instant AP)(Auth Server "name")# nas-ip <ip>
(Instant AP)(Auth Server "name")# end
(Instant AP)# commit apply
To configure an LDAP server:
(Instant AP)(config)# wlan ldap-server <profile-name>
(Instant AP)(LDAP Server <profile-name>)# ip <IP-address>
(Instant AP)(LDAP Server <profile-name>)# port <port>
(Instant AP)(LDAP Server <profile-name>)# admin-dn <name>
(Instant AP)(LDAP Server <profile-name>)# admin-password <password>
(Instant AP)(LDAP Server <profile-name>)# base-dn <name>
(Instant AP)(LDAP Server <profile-name>)# filter <filter>
(Instant AP)(LDAP Server <profile-name>)# key-attribute <key>
(Instant AP)(LDAP Server <profile-name>)# timeout <seconds>
(Instant AP)(LDAP Server <profile-name>)# retry-count <number>
(Instant AP)(LDAP Server <profile-name>)# deadtime <minutes>
(Instant AP)(LDAP Server <profile-name>)# end
(Instant AP)# commit apply
To configure a TACACS+ server:
(Instant AP)(config)# wlan tacacs-server <profile-name>
(Instant AP)(TACACS Server <profile-name>)# ip <IP-address>
(Instant AP)(TACACS Server <profile-name>)# port <port>
(Instant AP)(TACACS Server <profile-name>)# key <key>
(Instant AP)(TACACS Server <profile-name>)# timeout <seconds>
(Instant AP)(TACACS Server <profile-name>)# retry-count <number>
(Instant AP)(TACACS Server <profile-name>)# deadtime <minutes>
(Instant AP)(TACACS Server <profile-name>)# end
(Instant AP)# commit apply
To configure a ClearPass Policy Manager server used for AirGroup CoA:
(Instant AP)(config)# wlan auth-server <profile-name>
(Instant AP)(Auth Server <profile-name>)# ip <host>
(Instant AP)(Auth Server <profile-name>)# key <key>
(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-port <port>
(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-only
(Instant AP)(Auth Server <profile-name>)# end
(Instant AP)# commit apply
Enabling RADIUS Communication over TLS
You can configure an IAP to carry RADIUS over a Transport Layer Security (TLS) tunnel (RadSec, RFC 6614) so that authentication and accounting traffic between the IAP and the RADIUS server, for example a server hosted in the cloud, is encrypted and mutually authenticated rather than protected only by the RADIUS shared secret and MD5. The following conditions apply to a RadSec configuration:
- When the TLS tunnel is established, all RADIUS packets go through the tunnel, and the server sends CoA messages over the same tunnel.
- By default, TCP port 2083 is assigned for RadSec. Separate ports are not used for authentication, accounting, and dynamic authorization changes.
- Instant supports dynamic CoA (RFC 3576) over RadSec; the RADIUS server uses the existing TLS connection opened by the IAP to send the request, so it does not need to reach a separate CoA port on the IAP.
- For authentication between the IAP and the TLS server, the RadSec certificate must be uploaded to the IAP. For more information, see Uploading Certificates on page 182.
Configuring RadSec Protocol
You can configure the RadSec protocol using the Instant UI or the CLI.
In the Instant UI
To configure the RadSec protocol in the UI:
1. Navigate to Security > Authentication Servers. The Security window is displayed.
2. To create a new server, click New. A popup window for specifying details for the new server is displayed.
3. Under RADIUS Server, configure the following parameters:
a. Enter the name of the server.
b. Enter the host name or the IP address of the server.
c. Select Enabled to enable RadSec.
d. Ensure that the port defined for RadSec is correct. By default, the port number is set to 2083.
e. To allow the IAPs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server, set RFC 3576 to Enabled . Disconnect messages cause a user session to be terminated immediately, whereas the CoA messages modify session authorization attributes such as data filters.
f. If RFC 3576 is enabled, specify an AirGroup CoA port if required.
g. Enter the NAS IP address.
h. Specify the NAS identifier to configure strings for RADIUS attribute 32 and to send it with RADIUS requests to the RADIUS server.
4. Click OK .
In the CLI
To configure the RadSec protocol:
(Instant AP)(config)# wlan auth-server <profile-name>
(Instant AP)(Auth Server "name")# ip <host>
(Instant AP)(Auth Server "name")# radsec [port <port>]
(Instant AP)(Auth Server "name")# rfc3576
(Instant AP)(Auth Server "name")# nas-id <id>
(Instant AP)(Auth Server "name")# nas-ip <ip>
(Instant AP)(Auth Server "name")# end
(Instant AP)# commit apply
Associate the Server Profile with a Network Profile
You can associate the server profile with a network profile using the Instant UI or the CLI.
In the Instant UI
To associate an authentication server in the Instant UI:
1. Access the WLAN wizard or the Wired Settings window.
- To open the WLAN wizard, select an existing SSID on the Network tab, and click edit.
- To open the wired settings window, click More > Wired. In the Wired window, select a profile and click Edit.
You can also associate the authentication servers when creating a new WLAN or wired profile.
2. Click the Security tab and select a splash page profile.
3. Select an authentication type.
4. From the Authentication Server 1 drop-down list, select the server name on which RadSec is enabled.
5. Click Next and then click Finish .
In the CLI
To associate an authentication server to a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To associate an authentication server to a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# auth-server <name>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Configuring Dynamic RADIUS Proxy Parameters
The RADIUS server can be deployed at different locations and VLANs. In most cases, a centralized RADIUS or local server is used to authenticate users. However, some user networks can use a local RADIUS server for employee authentication and a centralized RADIUS-based captive portal server for guest authentication. To ensure that the RADIUS traffic is routed to the required RADIUS server, the dynamic RADIUS proxy feature must be enabled.
The dynamic RADIUS proxy parameters configuration is not required if RadSec is enabled in the RADIUS server profile.
If the IAP clients need to authenticate to the RADIUS servers through a different IP address and VLAN, ensure that the following steps are completed:
1. Enable the dynamic RADIUS proxy feature on the IAP.
2. Configure the dynamic RADIUS proxy IP, VLAN, netmask, and gateway for each authentication server.
3. Associate the authentication servers with the SSID or wired profile to which the clients connect.
After completing the configuration steps mentioned above, you can authenticate the SSID users against the configured dynamic RADIUS proxy parameters.
Enabling Dynamic RADIUS Proxy
You can enable RADIUS server support using the Instant UI or the CLI.
In the Instant UI
To enable RADIUS server support:
1. In the Instant main window, click the System link. The System window is displayed.
2. On the General tab of the System window, select the RADIUS check box for Dynamic Proxy .
3. Click OK .
When dynamic RADIUS proxy is enabled, the VC network uses the IP Address of the VC for communication with external RADIUS servers. Ensure that the VC IP Address is set as a NAS IP when configuring RADIUS server attributes with dynamic RADIUS proxy enabled. For more information on configuring RADIUS server attributes, see
Configuring an External Server for Authentication on page 159 .
In case of VPN deployments, the tunnel IP received when establishing a VPN connection is used as the NAS IP. In such cases, the VC IP need not be configured for the external RADIUS servers.
In the CLI
To enable the dynamic RADIUS proxy feature:
(Instant AP)(config)# dynamic-radius-proxy
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring Dynamic RADIUS Proxy Parameters
You can configure DRP parameters for the authentication server by using the Instant UI or the CLI.
In the Instant UI
To configure dynamic RADIUS proxy in the Instant UI:
1. Go to Security > Authentication Servers .
2. To create a new server, click New and configure the required RADIUS server parameters as described in Configuring an External Server for Authentication on page 159.
3. Ensure that the following dynamic RADIUS proxy parameters are configured:
- DRP IP: IP address to be used as the source IP for RADIUS packets.
- DRP Mask: Subnet mask of the DRP IP address.
- DRP VLAN: VLAN in which the RADIUS packets are sent.
- DRP Gateway: Gateway IP address of the DRP VLAN.
4. Click OK .
In the CLI
To configure dynamic RADIUS proxy parameters:
(Instant AP)(config)# wlan auth-server <profile-name>
(Instant AP)(Auth Server <profile-name>)# ip <IP-address>
(Instant AP)(Auth Server <profile-name>)# key <key>
(Instant AP)(Auth Server <profile-name>)# port <port>
(Instant AP)(Auth Server <profile-name>)# acctport <port>
(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>
(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>
(Instant AP)(Auth Server <profile-name>)# timeout <seconds>
(Instant AP)(Auth Server <profile-name>)# retry-count <number>
(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>
(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway
<gateway-IP-address>
(Instant AP)(Auth Server <profile-name>)# end
(Instant AP)# commit apply
Associate Server Profiles to a Network Profile
To associate the authentication server profiles with a network profile:
1. Access the WLAN wizard or the Wired Settings window.
- To open the WLAN wizard, select an existing SSID on the Network tab, and click edit.
- To open the wired settings window, click More > Wired. In the Wired window, select a profile and click Edit.
You can also associate the authentication servers when creating a new WLAN or wired profile.
2. Click the Security tab.
3. If you are configuring the authentication server for a WLAN SSID, on the Security tab, move the slider to the Enterprise security level.
4. Ensure that an authentication type is enabled.
5. From the Authentication Server 1 drop-down list, select the server name on which dynamic RADIUS proxy parameters are enabled. You can also create a new server with RADIUS and RADIUS proxy parameters by selecting New .
6. Click Next and then click Finish .
7. To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.
You can also add an external RADIUS server by selecting New for Authentication Server when configuring a WLAN or wired profile. For more information, see
Configuring Security Settings for a WLAN SSID Profile on page 96
and
Configuring Security Settings for a Wired Profile on page 115
.
In the CLI
To associate an authentication server to a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To associate an authentication server to a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# auth-server <name>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Understanding Encryption Types
Encryption is the process of converting data into a form that cannot be read without the key while it is transmitted on a network. Encryption prevents unauthorized use of the data.
Instant supports the following types of encryption:
- WEP: Wired Equivalent Privacy (WEP) is a legacy method in which all users share the same static key. WEP is based on the RC4 cipher and is cryptographically broken; its key can be recovered from captured traffic, so it should be treated as providing no confidentiality and used only where a legacy device leaves no alternative.
- TKIP: Temporal Key Integrity Protocol (TKIP) uses the same underlying RC4 cipher as WEP but adds per-packet key mixing and a message integrity check (MIC). It is more secure than WEP but is deprecated and has known attacks of its own.
- AES: The Advanced Encryption Standard (AES), used in Wi-Fi as AES-CCMP, is the encryption type that should be used on any wireless network carrying confidential data. It uses 802.1X or a PSK to derive per-station keys for every device, and provides a level of protection comparable to IP Security (IPsec).
WEP and TKIP are limited to WLAN connection speeds of 54 Mbps; 802.11n high-throughput rates are available only with AES. Aruba recommends AES encryption. Ensure that any device that does not support AES is upgraded or replaced with one that does.
WPA and WPA-2
WPA was created from a draft of 802.11i to let users build more secure WLANs. WPA-2 is the full implementation of the 802.11i standard and is a superset that encompasses the full WPA feature set.
The following table summarizes the differences between the two certifications:
Table 38: WPA and WPA-2 Features
WPA
Authentication: PSK; IEEE 802.1X with Extensible Authentication Protocol (EAP)
Encryption: TKIP with message integrity check (MIC)
WPA-2
Authentication: PSK; IEEE 802.1X with EAP
Encryption: AES-CCMP (AES in Counter Mode with Cipher Block Chaining Message Authentication Code)
WPA and WPA-2 can be further classified as follows:
- Personal: Also called Pre-Shared Key (PSK). One passphrase is configured for the network and given to every client; each client derives its own pairwise keys from it during the 4-way handshake, but anyone who holds the PSK and captures a client's handshake can derive that client's keys. The key remains the same until it is changed by authorized personnel. You can also configure key change intervals.
- Enterprise: More secure than Personal. Every client receives a unique per-session key after authenticating to the network through 802.1X, and the key is updated automatically at regular intervals. WPA uses TKIP and WPA-2 uses the AES algorithm.
Recommended Authentication and Encryption Combinations
The following table summarizes the recommended authentication and encryption combinations for Wi-Fi networks.
Table 39: Recommended Authentication and Encryption Combinations
Employee: Authentication 802.1X; Encryption AES.
Guest Network: Authentication Captive portal; Encryption None.
Voice Network or Handheld devices: Authentication 802.1X or PSK as supported by the device; Encryption AES if possible, TKIP or WEP if necessary (combine with the security settings assigned for a user role).
Configuring Authentication Survivability
The authentication survivability feature supports a survivable authentication framework against any remote link failures when working with external authentication servers. When enabled, this feature allows the IAPs to authenticate the previously connected clients against the cached credentials if the connection to the authentication server is temporarily lost.
Instant supports the following EAP standards for authentication survivability:
- EAP-PEAP: The Protected Extensible Authentication Protocol, also known as Protected EAP or PEAP, encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. EAP-PEAP supports the MS-CHAPv2 and GTC inner methods.
- EAP-TLS: EAP-Transport Layer Security (EAP-TLS) is an IETF open standard that uses the Transport Layer Security (TLS) protocol with client certificates.
When the authentication survivability feature is enabled, the following authentication process is used:
1. The client associates to an IAP and authenticates to the external authentication server. The external authentication server can be either ClearPass Policy Manager (for EAP-PEAP) or RADIUS server (EAP-TLS).
2. Upon successful authentication, the associated IAP caches the authentication credentials of the connected clients for the configured duration. The cache expiry duration for authentication survivability can be set within the range of 1–99 hours, with 24 hours being the default cache timeout duration.
3. If the client roams or tries to reconnect to the IAP and the remote link fails due to the unavailability of the authentication server, the IAP uses the cached credentials in the internal authentication server to authenticate the user. However, if the client tries to reconnect after the cache expiry, the authentication fails.
4. When the authentication server is available and if the client tries to reconnect, the IAP detects the availability of server and allows the client to authenticate to the server. Upon successful authentication, the
IAP cache details are refreshed.
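The four steps above define a cache with a hard expiry and a refresh on every live success. The following class is an added illustration of exactly that behaviour (not Aruba code): the page says the IAP caches the credentials of successfully authenticated clients for 1–99 hours, default 24, but not how it stores them, so the keyed SHA-256 digest under a per-device secret used here is an assumption, as are the class, method and verdict names. The fake server and the sample identities are constructed.

```python
"""Authentication-survivability cache: the four-step behaviour described above.

Added illustration, not Aruba code. Assumption: cached credentials are held as a
keyed digest under a per-device secret (pepper); the page does not say how the IAP
stores them.
"""
import hashlib
import hmac
import os


class ServerUnavailable(Exception):
    """Raised by the transport when the remote link or the server is down."""


class SurvivabilityCache:
    def __init__(self, cache_timeout_h=24, pepper=None):
        if not 1 <= cache_timeout_h <= 99:              # range given on the page
            raise ValueError("cache timeout must be 1..99 hours")
        self.ttl_s = cache_timeout_h * 3600
        self.pepper = pepper or os.urandom(32)
        self.entries = {}          # identity -> (credential digest, expires_at)

    def _digest(self, credential):
        return hmac.new(self.pepper, credential, hashlib.sha256).digest()

    def authenticate(self, identity, credential, server, now):
        """server(identity, credential) -> bool, or raises ServerUnavailable.
        Returns a short verdict naming which path decided."""
        try:
            accepted = server(identity, credential)
        except ServerUnavailable:
            # Step 3: remote link failed, fall back to the cached entry, if any.
            entry = self.entries.get(identity)
            if entry is None:
                return "reject: no cached entry"
            digest, expires_at = entry
            if now >= expires_at:
                del self.entries[identity]
                return "reject: cache expired"
            if hmac.compare_digest(digest, self._digest(credential)):
                return "accept: cached"
            return "reject: cached credential mismatch"
        # Steps 2 and 4: the server decided; a success (re)populates the cache.
        if accepted:
            self.entries[identity] = (self._digest(credential), now + self.ttl_s)
            return "accept: server"
        self.entries.pop(identity, None)   # design choice: a live reject evicts the entry
        return "reject: server"


if __name__ == "__main__":
    state = {"up": True}

    def fake_server(identity, credential):          # constructed stand-in for RADIUS/CPPM
        if not state["up"]:
            raise ServerUnavailable()
        return (identity, credential) == ("alice", b"correct-horse")

    cache = SurvivabilityCache(cache_timeout_h=24, pepper=b"per-device-secret")
    print(cache.authenticate("alice", b"correct-horse", fake_server, now=0))
    state["up"] = False
    print(cache.authenticate("alice", b"correct-horse", fake_server, now=3600))
    print(cache.authenticate("alice", b"correct-horse", fake_server, now=24 * 3600))
```

Two consequences follow directly from the model and match the "Important Points" later in this section: a user deleted on the server while it is unreachable keeps working from the cache until expiry, because eviction only happens on a live reject; and shortening the timeout while the server is down expires entries the IAP can no longer refresh, so change it only while the server is reachable.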
Enabling Authentication Survivability
You can enable authentication survivability for a wireless network profile through the UI or the CLI.
In the Instant UI
To configure authentication survivability for a wireless network:
1. On the Network tab, click New to create a new network profile or select an existing profile for which you want to enable authentication survivability and click edit .
2. In the Edit <profile-name> or the New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next .
3. On the Security tab, under Enterprise security settings, select an existing authentication server or create a new server by clicking New .
4. To enable authentication survivability, select Enabled from the Authentication survivability drop-down list. On enabling this, the IAP authenticates the previously connected clients using EAP-PEAP and EAP-TLS authentication when connection to the external authentication server is temporarily lost.
5. Specify the cache timeout duration, after which the cached details of the previously authenticated clients expire. You can specify a value within the range of 1–99 hours and the default cache timeout duration is 24 hours.
6. Click Next and then click Finish to apply the changes.
Important Points to Remember
- Any client connected through ClearPass Policy Manager and authenticated through the IAP remains authenticated with the IAP even if the client is removed from the ClearPass Policy Manager server during the ClearPass Policy Manager downtime.
- Do not make any changes to the authentication survivability cache timeout duration when the authentication server is down.
- For EAP-PEAP authentication, ensure that ClearPass Policy Manager 6.0.2 or a later version is used for authentication. For EAP-TLS authentication, any external or third-party server can be used.
- For EAP-TLS authentication, ensure that the server and CA certificates from the authentication servers are uploaded to the IAP. For more information, see Uploading Certificates on page 182.
In the CLI
To configure authentication survivability for a wireless network:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}
(Instant AP)(SSID Profile <name>)# auth-server <server-name1>
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out <hours>
(Instant AP)(config)# end
(Instant AP)# commit apply
To view the cache expiry duration:
(Instant AP)# show auth-survivability time-out
To view the information cached by the IAP:
(Instant AP)# show auth-survivability cached-info
To view logs for debugging:
(Instant AP)# show auth-survivability debug-log
Configuring 802.1X Authentication for a Network Profile
This section consists of the following procedures:
- Configuring 802.1X Authentication for Wireless Network Profiles on page 170
- Configuring 802.1X Authentication for Wired Profiles on page 171
The Instant network supports internal RADIUS server and external RADIUS server for 802.1X authentication.
The steps involved in 802.1X authentication are as follows:
1. The NAS requests authentication credentials from a wireless client.
2. The wireless client sends authentication credentials to the NAS.
3. The NAS sends these credentials to a RADIUS server.
4. The RADIUS server checks the user identity and authenticates the client if the user details are available in its database, then sends an Access-Accept message to the NAS. If the RADIUS server cannot identify the user, it stops the authentication process and sends an Access-Reject message to the NAS. The NAS forwards this message to the client, and the client must re-authenticate with appropriate credentials.
5. After the client is authenticated, the RADIUS server sends the key material derived during the EAP exchange (the pairwise master key) to the NAS in the Access-Accept. The NAS and the client then derive the session keys used for encrypting and decrypting traffic sent to and from the client.
The NAS acts as a gateway to guard access to a protected resource. A client connecting to the wireless network first connects to the NAS.
Configuring 802.1X Authentication for Wireless Network Profiles
You can configure 802.1X authentication for a wireless network profile in the Instant UI or the CLI.
In the Instant UI
To enable 802.1X authentication for a wireless network:
1. On the Network tab, click New to create a new network profile or select an existing profile for which you want to enable 802.1X authentication and click edit .
2. In the Edit <profile-name> or the New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next .
3. On the Security tab, specify the following parameters for the Enterprise security level:
a. Select any of the following options from the Key management drop-down list:
- WPA-2 Enterprise
- WPA Enterprise
- Both (WPA-2 & WPA)
- Dynamic WEP with 802.1X
4. If you do not want to use a session key from the RADIUS server to derive pairwise unicast keys, set Session Key for LEAP to Enabled.
5. To terminate the EAP portion of 802.1X authentication on the IAP instead of the RADIUS server, set
Termination to Enabled .
By default, for 802.1X authentication, the client conducts an EAP exchange with the RADIUS server, and the
IAP acts as a relay for this exchange. When Termination is enabled, the IAP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server.
6. Specify the type of authentication server to use and configure other required parameters. You can also configure two different authentication servers to function as primary and backup servers when
Termination is enabled. For more information on RADIUS authentication configuration parameters, see
Configuring an External Server for Authentication on page 159
.
7. Click Next to define access rules, and then click Finish to apply the changes.
In the CLI
To configure 802.1X authentication for a wireless network:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>}
(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip|wpa-tkip,wpa2-aes|dynamic-wep}
(Instant AP)(SSID Profile <name>)# leap-use-session-key
(Instant AP)(SSID Profile <name>)# termination
(Instant AP)(SSID Profile <name>)# auth-server <server1>
(Instant AP)(SSID Profile <name>)# auth-server <server2>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out <hours>
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring 802.1X Authentication for Wired Profiles
You can configure 802.1X authentication for a wired profile in the Instant UI or the CLI.
In the Instant UI
To enable 802.1X authentication for a wired profile:
1. Click the Wired link under More in the main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network or select an existing profile for which you want to enable 802.1X authentication and then click Edit .
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and
VLAN attributes are defined, and then click Next .
4. On the Security tab, select Enabled from the 802.1X authentication drop-down list.
5. Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see
Configuring Security Settings for a Wired Profile on page 115
.
6. Click Next to define access rules, and then click Finish to apply the changes.
7. Assign the profile to an Ethernet port. For more information, see
Assigning a Profile to Ethernet Ports on page 118 .
In the CLI
To enable 802.1X authentication for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# type {<employee>|<guest>}
(Instant AP)(wired ap profile <name>)# dot1x
(Instant AP)(wired ap profile <name>)# auth-server <server1>
(Instant AP)(wired ap profile <name>)# auth-server <server2>
(Instant AP)(wired ap profile <name>)# server-load-balancing
(Instant AP)(wired ap profile <name>)# radius-reauth-interval <Minutes>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Enabling 802.1X Supplicant Support
The 802.1X authentication protocol prevents unauthorized clients from gaining access to the network through publicly accessible ports. If the switch ports to which the IAPs are connected are configured for 802.1X authentication, configure the IAPs to function as an 802.1X client (supplicant). If your network requires all wired devices to authenticate using PEAP or TLS, configure the IAP uplink ports for 802.1X authentication so that the switch grants the IAP access only after it has authenticated as a valid client.
To enable 802.1X supplicant support on an IAP, ensure that the 802.1X authentication parameters are configured on all IAPs in the cluster and are stored securely in the IAP flash. Where the hardware supports it, prefer EAP-TLS with the private key held in the TPM (ap1x tls tpm) over a PEAP username and password: a password stored in flash can be read by anyone with access to the AP's file system, whereas a TPM-held key cannot be exported.
The 802.1X supplicant support feature is not supported with mesh and Wi-Fi uplink.
Configuring an IAP for 802.1X Supplicant Support
To enable 802.1X supplicant support, configure 802.1X authentication parameters on every IAP using the
Instant UI or the CLI.
In the UI
1. To use PEAP protocol-based 802.1X authentication method, complete the following steps: a. In the Access Points tab, click the IAP on which you want to set the variables for 802.1X authentication, and then click the edit link.
b. In the Edit Access Point window, click the Uplink tab.
c. Under PEAP user, enter the username, password, and retype the password for confirmation. The IAP username and password are stored in IAP flash. When the IAP boots, the /tmp/ap1xuser and /tmp/ap1xpassword files are created based on these two variables.
The default inner authentication protocol for PEAP is MS-CHAPV2.
Aruba Instant 6.5.2.0 | User Guide Authentication and User Management | 172
2. To upload server certificates for validating the authentication server credentials, complete the following steps:
a. Click Upload New Certificate.
b. Specify the URL from where you want to upload the certificates and select the type of certificate.
3. Click OK .
4. To configure 802.1X authentication on uplink ports of an IAP, complete the following steps:
a. Go to System > Show advanced options > Uplink.
b. Click AP1X.
c. Select PEAP or TLS as the authentication type.
d. If you want to validate the server credentials using a server certificate, select the Validate Server check box. Ensure that the server certificates for validating server credentials are uploaded to the IAP database. Without server validation the IAP accepts whichever authentication server answers on the uplink, so selecting this option is recommended.
e. Click OK .
5. Reboot the IAP.
In the CLI
To set the username and password variables used by the PEAP protocol-based 802.1X authentication:
(Instant AP)# ap1x-peap-user <ap1xuser> <password>
To set the PEAP 802.1X authentication type:
(Instant AP)(config)# ap1x peap [validate-server]
(Instant AP)(config)# end
(Instant AP)# commit apply
To set TLS 802.1X authentication type:
(Instant AP)(config)# ap1x tls <tpm|user> [validate-server]
(Instant AP)(config)# end
(Instant AP)# commit apply
To upload user or CA certificates for PEAP or TLS authentication:
(Instant AP)# copy tftp <addr> <file> ap1x {ca|cert <password>} format pem
To download user or server certificates from a TFTP, FTP, or web server:
(Instant AP)# download ap1x <url> format pem [psk <psk>]
(Instant AP)# download ap1xca <url> format pem
To view the certificate details:
(Instant AP)# show ap1xcert
To verify the configuration, use any of the following commands:
(Instant AP)# show ap1x config
(Instant AP)# show ap1x debug-logs
(Instant AP)# show ap1x status
Configuring MAC Authentication for a Network Profile
MAC authentication can be used alone or combined with other forms of authentication such as WEP authentication. However, it is recommended that you do not use MAC-based authentication, because a MAC address is not a secret and can be copied by another device.
This section describes the following procedures:
- Configuring MAC Authentication for Wireless Network Profiles on page 173
- Configuring MAC Authentication for Wired Profiles on page 174
Configuring MAC Authentication for Wireless Network Profiles
You can configure MAC authentication for a wireless network profile in the Instant UI or the CLI.
In the Instant UI
To enable MAC Authentication for a wireless network:
1. On the Network tab, click New to create a new network profile or select an existing profile for which you want to enable MAC authentication and click edit .
2. In the Edit <profile-name> or the New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next .
3. On the Security tab, select Enabled from the MAC authentication drop-down list for the Personal or the Open security level.
4. Specify the type of authentication server to use.
5. If an internal authentication server is used, perform the following steps to allow MAC-address-based authentication:
a. Click the Users link beside the Internal server parameter. The Users window is displayed.
b. Specify the client MAC address as the username and password.
c. Specify the type of the user (employee or guest).
d. Click Add .
e. Repeat the steps to add more users.
f. Click OK .
6. To allow the IAP to use a delimiter in the MAC authentication request, specify a character (for example, colon or dash) as the delimiter for the MAC address string. For example, if you specify colon as the delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used.
7. To allow the IAP to use uppercase letters in the MAC address string, set Uppercase support to Enabled .
8. Configure other parameters as required.
9. Click Next to define access rules, and then click Finish to apply the changes.
In the CLI
To configure MAC-address based authentication with external server:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# mac-authentication-delimiter <delim>
(Instant AP)(SSID Profile <name>)# mac-authentication-upper-case
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# auth-server <server-name1>
(Instant AP)(SSID Profile <name>)# auth-server <server-name2>
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To add users for MAC authentication based on internal authentication server:
(Instant AP)(config)# user <username> [<password>] [portal|radius]
(Instant AP)(config)# end
(Instant AP)# commit apply
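The delimiter and uppercase settings decide the exact string the IAP sends as the MAC authentication username and password, so an entry in the internal user database (or on the RADIUS server) must be spelled the same way or the lookup fails. The following is an added example, not Aruba code: it models that formatting, accepts the common MAC notations as input, checks a stored username against a profile's settings, and builds the matching `user <username> <password>` lines for the internal server.

```python
import re

# Added example, not Aruba code: models how the IAP formats a client MAC
# address for the MAC authentication request according to the delimiter and
# uppercase-support settings of the SSID profile, and builds matching
# entries for the internal server.

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Reduce any common notation (aa:bb:cc:dd:ee:ff, aa-bb-..., aabb.ccdd.eeff)
    to 12 lowercase hex digits; raise ValueError for anything else."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def mac_auth_username(mac: str, delimiter: str = "", uppercase: bool = False) -> str:
    """Return the MAC string as the IAP sends it: octet pairs joined by
    `delimiter` (empty string gives the xxxxxxxxxxxx form), upper-cased when
    uppercase support is enabled."""
    if delimiter and (len(delimiter) != 1 or delimiter.isalnum()):
        raise ValueError("delimiter must be one non-alphanumeric character")
    digits = normalize_mac(mac)
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    username = delimiter.join(pairs)
    return username.upper() if uppercase else username


def matches_profile(username: str, delimiter: str = "", uppercase: bool = False) -> bool:
    """True when a stored username is spelled exactly as the profile will
    send it; a mismatch in case or delimiter makes the lookup fail."""
    try:
        return username == mac_auth_username(username, delimiter, uppercase)
    except ValueError:
        return False


def internal_user_commands(macs, delimiter: str = "", uppercase: bool = False):
    """Build `user <username> <password>` lines for the internal server.
    MAC authentication uses the MAC string as both username and password,
    so each entry must follow the profile's delimiter/case settings exactly."""
    lines = []
    for mac in macs:
        cred = mac_auth_username(mac, delimiter, uppercase)
        lines.append(f"user {cred} {cred}")
    return lines
```

Run `matches_profile` over an exported user list before changing the delimiter or uppercase setting on a profile: every entry that returns False will stop authenticating after the change.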
Configuring MAC Authentication for Wired Profiles
You can configure MAC authentication for a wired profile in the Instant UI or the CLI.
In the Instant UI
To enable MAC authentication for a wired profile:
1. Click the Wired link under More in the main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network or select an existing profile for which you want to enable MAC authentication and then click Edit .
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4. On the Security tab, select Enabled from the MAC authentication drop-down list.
5. Specify the type of authentication server to use.
6. If an internal authentication server is used, perform the following steps to allow MAC-address-based authentication:
a. Click the Users link beside Internal server. The Users window is displayed.
b. Specify the client MAC address as the username and password.
c. Specify the type of the user (employee or guest).
d. Click Add .
e. Repeat the steps to add more users.
f. Click OK .
7. Configure other parameters as required.
8. Click Next to define access rules, and then click Finish to apply the changes.
In the CLI
To configure MAC-address-based authentication with external server:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# type {<employee>|<guest>}
(Instant AP)(wired ap profile <name>)# mac-authentication
(Instant AP)(wired ap profile <name>)# auth-server <server-1>
(Instant AP)(wired ap profile <name>)# auth-server <server-2>
(Instant AP)(wired ap profile <name>)# server-load-balancing
(Instant AP)(wired ap profile <name>)# radius-reauth-interval <Minutes>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
To add users for MAC authentication based on internal authentication server:
(Instant AP)(config)# user <username> [<password>] [portal|radius]
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring MAC Authentication with 802.1X Authentication
This section describes the following procedures:
- Configuring MAC and 802.1X Authentications for Wireless Network Profiles on page 175
- Configuring MAC and 802.1X Authentications for Wired Profiles on page 176
Configuring MAC and 802.1X Authentications for Wireless Network Profiles
You can configure MAC authentication with 802.1X authentication for a wireless network profile using the Instant UI or the CLI.
In the Instant UI
To configure both MAC and 802.1X authentications for a wireless network:
1. On the Network tab, click New to create a new network profile or select an existing profile for which you want to enable MAC and 802.1X authentications and click edit .
2. In the Edit <profile-name> or the New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next .
3. On the Security tab, ensure that the required parameters for MAC authentication and 802.1X authentication are configured.
4. Select the Perform MAC authentication before 802.1X check box to use 802.1X authentication only when the MAC authentication is successful.
5. Select the MAC authentication fail-thru check box to use 802.1X authentication even when the MAC authentication fails.
6. Click Next and then click Finish to apply the changes.
In the CLI
To configure both MAC and 802.1X authentications for a wireless network:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# l2-auth-failthrough
(Instant AP)(SSID Profile <name>)# auth-server <server-name1>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out <hours>
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring MAC and 802.1X Authentications for Wired Profiles
You can configure MAC and 802.1X authentications for a wired profile in the Instant UI or the CLI.
In the Instant UI
To enable MAC and 802.1X authentications for a wired profile:
1. Click the Wired link under More in the main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network or select an existing profile for which you want to enable MAC and 802.1X authentications and then click Edit.
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4. On the Security tab, perform the following steps:
- Select Enabled from the MAC authentication drop-down list.
- Select Enabled from the 802.1X authentication drop-down list.
- Select Enabled from the MAC authentication fail-thru drop-down list.
5. Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see Configuring Security Settings for a Wired Profile on page 115.
6. Click Next to define access rules, and then click Finish to apply the changes.
In the CLI
To enable MAC and 802.1X authentications for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile "<name>")# type {<employee>|<guest>}
(Instant AP)(wired ap profile "<name>")# mac-authentication
(Instant AP)(wired ap profile "<name>")# dot1x
(Instant AP)(wired ap profile "<name>")# l2-auth-failthrough
(Instant AP)(wired ap profile "<name>")# auth-server <name>
(Instant AP)(wired ap profile "<name>")# server-load-balancing
(Instant AP)(wired ap profile "<name>")# radius-reauth-interval <Minutes>
(Instant AP)(wired ap profile "<name>")# end
(Instant AP)# commit apply
Configuring MAC Authentication with Captive Portal Authentication
The following configuration conditions apply to the MAC + captive portal authentication method:
- If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC authentication reuses the server configurations.
- If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and MAC authentication is enabled, a server configuration page is displayed.
You can configure MAC authentication with captive portal authentication for a network profile using the Instant UI or the CLI.
In the Instant UI
1. Select an existing wireless or wired profile for which you want to enable MAC with captive portal authentication. Depending on the network profile selected, the Edit <WLAN-Profile> or the Edit Wired Network window is displayed.
To enable MAC authentication with captive portal authentication on a new WLAN SSID or wired profile, click the Security tab in the New WLAN window or the New Wired Network window.
2. On the Security tab, specify the following parameters:
a. Select Enabled from the MAC authentication drop-down list to enable MAC authentication for captive portal users. If the MAC authentication fails, the captive portal authentication role is assigned to the client.
b. To enforce MAC authentication, click the Access tab and select Enforce MAC auth only role check box.
3. Click Next and then click Finish to apply the changes.
In the CLI
To configure MAC authentication with captive portal authentication for a wireless profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type <guest>
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# captive-portal {<type> [exclude-uplink <types>]|external
[Profile <name>] [exclude-uplink <types>]}
(Instant AP)(SSID Profile <name>)# set-role-mac-auth <mac-only>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure MAC authentication with captive portal authentication for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# type <guest>
(Instant AP)(wired ap profile <name>)# mac-authentication
(Instant AP)(wired ap profile <name>)# captive-portal {<type> [exclude-uplink <types>]|external [Profile <name>] [exclude-uplink <types>]}
(Instant AP)(wired ap profile <name>)# set-role-mac-auth <mac-only>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Configuring WISPr Authentication
Instant supports the following smart clients:
- iPass
- Boingo
These smart clients enable client authentication and roaming between hotspots by embedding iPass Generic Interface Specification (GIS) redirect, authentication, and logoff messages within HTML messages that are sent to the IAP.
Wireless Internet Service Provider roaming (WISPr) authentication is supported only for the Internal-Authenticated and External-RADIUS Server captive portal authentication. Select the Internal-Authenticated or the External-RADIUS Server option from the Splash page type drop-down list to configure WISPr authentication for a WLAN profile.
You can configure WISPr authentication using the Instant UI or the CLI.
In the Instant UI
1. Click the System link located directly above the Search bar in the Instant main window. The System window is displayed.
2. Click Show advanced options .
3. Click WISPr tab. The WISPr tab contents are displayed. The following figure shows the WISPr tab contents:
Figure 37 Configuring WISPr Authentication
4. Enter the ISO Country Code for the WISPr Location ID in the ISO country code text box.
5. Enter the E.164 Area Code for the WISPr Location ID in the E.164 area code text box.
6. Enter the operator name of the hotspot in the Operator name text box.
7. Enter the E.164 Country Code for the WISPr Location ID in the E.164 country code text box.
8. Enter the SSID/Zone section for the WISPr Location ID in the SSID/Zone text box.
9. Enter the name of the Hotspot location in the Location name text box. If no name is defined, the name of the IAP to which the user is associated is used.
10. Click OK to apply the changes.
The WISPr RADIUS attributes and configuration parameters are specific to the RADIUS server used by your ISP for the WISPr authentication. Contact your ISP to determine these values. You can find a list of ISO and ITU country and area codes at the ISO and ITU websites (www.iso.org and http://www.itu.int).
A Boingo smart client uses a NAS identifier in the <CarrierID>_<VenueID> format for location identification. To support Boingo clients, ensure that you configure the NAS identifier parameter in the RADIUS server profile for the WISPr server.
In the CLI
(Instant AP)(config)# wlan wispr-profile
(Instant AP)(WISPr)# wispr-location-id-ac
(Instant AP)(WISPr)# wispr-location-id-cc
(Instant AP)(WISPr)# wispr-location-id-isocc
(Instant AP)(WISPr)# wispr-location-id-network
(Instant AP)(WISPr)# wispr-location-name-location
(Instant AP)(WISPr)# wispr-location-name-operator-name
(Instant AP)(WISPr)# end
(Instant AP)# commit apply
Blacklisting Clients
The client blacklisting denies connection to the blacklisted clients. When a client is blacklisted, it is not allowed to associate with an IAP in the network. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force client disconnection.
This section describes the following procedures:
- Blacklisting Clients Manually on page 179
- Blacklisting Users Dynamically on page 180
Blacklisting Clients Manually
Manual blacklisting adds the MAC address of a client to the blacklist. These clients are added into a permanent blacklist. These blacklisted clients are not allowed to connect to the network unless they are removed from the blacklist.
Adding a Client to the Blacklist
You can add a client to the blacklist manually using the Instant UI or the CLI.
In the Instant UI
1. Click the Security link located directly above the Search bar in the Instant main window.
2. Click the Blacklisting tab.
3. Under the Manual Blacklisting , click New .
4. Enter the MAC address of the client to be blacklisted in the MAC address to add text box.
For the blacklisting to take effect on the MAC address, you must enable blacklisting in the SSID profile (see the SSID profile commands under In the CLI below).
5. Click OK . The Blacklisted Since tab displays the time at which the current blacklisting has started for the client.
6. To delete a client from the manual blacklist, select the MAC Address of the client under Manual Blacklisting, and then click Delete.
In the CLI
To blacklist a client:
(Instant AP)(config)# blacklist-client <MAC-Address>
(Instant AP)(config)# end
(Instant AP)# commit apply
To enable blacklisting in the SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# blacklisting
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To view the blacklisted clients:
(Instant AP)# show blacklist-client
Blacklisted Clients
-------------------
MAC                Reason        Timestamp  Remaining time(sec)  AP name
---                ------        ---------  -------------------  -------
00:1c:b3:09:85:15  user-defined  17:21:29   Permanent            -
Blacklisting Users Dynamically
The clients can be blacklisted dynamically when they exceed the authentication failure threshold or when a blacklisting rule is triggered as part of the authentication process.
Authentication Failure Blacklisting
When a client repeatedly fails to authenticate and exceeds the configured failure threshold, the IAP blacklists it automatically.
Session Firewall-Based Blacklisting
In session firewall-based blacklisting, an ACL rule is used to enable the option for dynamic blacklisting. When the ACL rule is triggered, it sends out blacklist information and the client is blacklisted.
Configuring Blacklist Duration
You can set the blacklist duration using the Instant UI or the CLI.
In the Instant UI
To set a blacklist duration:
1. Click the Security link located directly above the Search bar in the Instant main window.
2. Click the Blacklisting tab.
3. Under Dynamic Blacklisting, set the following durations:
4. For Auth failure blacklist time, enter the duration in seconds for which clients that exceed the authentication failure threshold remain blacklisted.
5. For PEF rule blacklisted time, enter the duration in seconds for which clients remain blacklisted after an ACL rule trigger.
You can configure a maximum number of authentication failures by the clients, after which a client must be blacklisted. For more information on configuring maximum authentication failure attempts, see Settings for a WLAN SSID Profile on page 96.
To enable session-firewall-based blacklisting, click New and navigate to WLAN Settings > VLAN > Security > Access window, and enable the Blacklist option of the corresponding ACL rule.
In the CLI
To dynamically blacklist clients:
(Instant AP)(config)# auth-failure-blacklist-time <seconds>
(Instant AP)(config)# blacklist-time <seconds>
(Instant AP)(config)# end
(Instant AP)# commit apply
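The two timers above, the failure threshold from the SSID profile, and the permanent manual entries combine into the state that `show blacklist-client` reports. The following is an added example, not Aruba code: a small model of that behaviour, useful for reasoning about how long a misbehaving or mistyped client stays locked out under a given configuration. The threshold, durations and MAC addresses are constructed sample values, and whether the IAP blacklists when the failure count reaches or exceeds the maximum is a modelling assumption (the page says "exceeds"; the model triggers when the count reaches the maximum).

```python
from dataclasses import dataclass, field
from typing import Optional, Union

# Added example, not Aruba code: a model of the blacklist behaviour described
# in this section. Manual entries are permanent; dynamic entries expire after
# auth-failure-blacklist-time or blacklist-time seconds. Threshold and
# durations are constructed sample values.


@dataclass
class BlacklistEntry:
    reason: str               # "user-defined", "auth-failure" or "pef-rule"
    since: float              # time the entry was created (epoch seconds)
    duration: Optional[int]   # seconds, or None for a permanent entry


@dataclass
class Blacklist:
    max_auth_failures: int = 3              # threshold from the SSID profile
    auth_failure_blacklist_time: int = 60   # auth-failure-blacklist-time <seconds>
    blacklist_time: int = 60                # blacklist-time <seconds> (ACL rule)
    entries: dict = field(default_factory=dict)
    failures: dict = field(default_factory=dict)

    def add_manual(self, mac: str, now: float) -> None:
        """Manual blacklisting: permanent until removed."""
        self.entries[mac.lower()] = BlacklistEntry("user-defined", now, None)

    def remove_manual(self, mac: str) -> bool:
        """Delete a manual entry; False if the client was not manually listed."""
        e = self.entries.get(mac.lower())
        if e is None or e.reason != "user-defined":
            return False
        del self.entries[mac.lower()]
        return True

    def record_auth_failure(self, mac: str, now: float) -> bool:
        """Count one failed authentication. Modelling assumption: the client is
        blacklisted when its failure count reaches max_auth_failures.
        Returns True only on the attempt that triggers the blacklist."""
        mac = mac.lower()
        if self.is_blacklisted(mac, now):
            return False
        self.failures[mac] = self.failures.get(mac, 0) + 1
        if self.failures[mac] >= self.max_auth_failures:
            self.failures.pop(mac)
            self.entries[mac] = BlacklistEntry("auth-failure", now, self.auth_failure_blacklist_time)
            return True
        return False

    def acl_rule_triggered(self, mac: str, now: float) -> None:
        """Session-firewall-based blacklisting: an ACL rule with the Blacklist
        option fired for this client."""
        self.entries[mac.lower()] = BlacklistEntry("pef-rule", now, self.blacklist_time)

    def remaining(self, mac: str, now: float) -> Union[int, str, None]:
        """Seconds left, "Permanent", or None when the client is not (or no
        longer) blacklisted; expired dynamic entries are dropped here."""
        mac = mac.lower()
        e = self.entries.get(mac)
        if e is None:
            return None
        if e.duration is None:
            return "Permanent"
        left = e.duration - (now - e.since)
        if left <= 0:
            del self.entries[mac]
            return None
        return int(left)

    def is_blacklisted(self, mac: str, now: float) -> bool:
        return self.remaining(mac, now) is not None

    def report(self, now: float):
        """Rows in the order of `show blacklist-client`: MAC, reason, remaining."""
        rows = []
        for mac in list(self.entries):
            left = self.remaining(mac, now)
            if left is not None:
                rows.append((mac, self.entries[mac].reason, left))
        return rows
```

Note that a dynamic entry expires silently, after which the failure counter starts again from zero; a client that keeps failing is therefore locked out in repeated windows of `auth-failure-blacklist-time` seconds, not permanently, unless you add it to the manual list.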
To enable blacklisting in the SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# blacklisting
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To view the blacklist configuration and the blacklisted clients:
(Instant AP)# show blacklist-client config
Blacklist Time :60
Auth Failure Blacklist Time :60
Manually Blacklisted Clients
----------------------------
MAC  Time
---  ----
Dynamically Blacklisted Clients
-------------------------------
MAC  Reason  Timestamp  Remaining time(sec)  AP IP
---  ------  ---------  -------------------  -----
Dyn Blacklist Count :0
Uploading Certificates
A certificate is a digital file that certifies the identity of the organization or products of the organization. It is also used to establish your credentials for any web transactions. It contains the organization name, a serial number, expiration date, a copy of the certificate-holder's public key, and the digital signature of the certificate-issuing authority so that a recipient can ensure that the certificate is real.
Instant supports the following certificate files:
- Authentication server (PEM format)
- Captive portal server (PEM format)—Customized certificate for internal captive portal server
- CA certificate (PEM or DER format)
- RadSec certificate (PEM or DER format)
- WebUI certificate (PEM format)
This section describes the following procedures:
- Loading Certificates Through Instant UI on page 182
- Loading Certificates Through Instant CLI on page 183
- Removing Certificates on page 183
- Loading Certificates Through AirWave on page 183
Loading Certificates Through Instant UI
To load a certificate in the Instant UI:
1. Click the Maintenance link located directly above the Search bar in the Instant main window.
2. Click the Certificates tab. The Certificates tab contents are displayed.
3. To upload a certificate, click Upload New Certificate . The New Certificate window is displayed.
4. Browse and select the file to upload.
5. Select any of the following types of certificates from the Certificate type drop-down list:
- CA—CA certificate to validate the identity of the client.
- Auth Server—The authentication server certificate to verify the identity of the server to the client.
- Captive portal server—Captive portal server certificate to verify the identity of the internal captive portal server to the client.
- RadSec—The RadSec server certificate to verify the identity of the server to the client.
- RadSec CA—The RadSec CA certificate for mutual authentication between the IAP clients and the TLS server.
- WebUI—Customized certificate for WebUI management.
6. Select the certificate format from the Certificate format drop-down list.
7. If you have selected Auth Server , Captive portal server , Web UI , or RadSec as the type of certificate, enter a passphrase in Passphrase and retype the passphrase. If the certificate does not include a passphrase, there is no passphrase required.
8. Click Browse and select the appropriate certificate file, and click Upload Certificate. The Certificate Successfully Installed message is displayed.
The IAP database can have only one authentication server certificate and one captive portal server certificate at any point in time.
When a Captive Portal server certificate is uploaded using the Instant UI, the default management certificate on the UI is also replaced by the Captive portal server certificate.
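Because the IAP keeps only one authentication server certificate and one captive portal server certificate, and a captive portal upload also replaces the management certificate, an upload that fails the type/format choice or installs an expired file is disruptive. The following is an added example, not Aruba code: a pre-upload check that enforces the type-to-format table from the list of supported certificate files above, confirms the file really is in the selected format, and reads the serial number and validity period straight from the DER structure (the fields the introduction to this section names) so an expired certificate is caught first. `RadSec CA` is assumed to accept the same formats as RadSec, which the page's list does not state; the sample certificate is a constructed, unsigned skeleton so the example runs offline.

```python
import base64
import re
from datetime import datetime, timezone

# Added example, not Aruba code: pre-upload check for the certificate types and
# formats listed in this section, plus a minimal DER walk (RFC 5280 field
# order) to read serial number and validity. RadSec CA formats are assumed.

SUPPORTED_FORMATS = {
    "ca": {"pem", "der"},
    "auth-server": {"pem"},
    "captive-portal": {"pem"},
    "radsec": {"pem", "der"},
    "radsec-ca": {"pem", "der"},   # assumption, not stated on the page
    "webui": {"pem"},
}
_PEM = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def detect_format(data: bytes) -> str:
    """'pem' for a CERTIFICATE PEM block, 'der' if the file starts with an
    ASN.1 SEQUENCE tag, otherwise 'unknown'."""
    if _PEM.search(data):
        return "pem"
    return "der" if data[:1] == b"\x30" else "unknown"


def to_der(data: bytes) -> bytes:
    m = _PEM.search(data)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def _tlv(buf: bytes, pos: int):
    """Parse one DER tag/length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _time(buf: bytes, pos: int) -> datetime:
    tag, start, end = _tlv(buf, pos)        # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def certificate_summary(der: bytes) -> dict:
    """Walk Certificate -> tbsCertificate and return serial, notBefore, notAfter."""
    _, pos, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)               # tbsCertificate SEQUENCE
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = int.from_bytes(der[start:end], "big", signed=True)
    _, _, end = _tlv(der, end)               # signature AlgorithmIdentifier
    _, _, end = _tlv(der, end)               # issuer Name
    _, vstart, _ = _tlv(der, end)            # validity SEQUENCE
    not_before = _time(der, vstart)
    not_after = _time(der, _tlv(der, vstart)[2])
    return {"serial": serial, "not_before": not_before, "not_after": not_after}


def check_upload(cert_type: str, declared_format: str, data: bytes, now: datetime):
    """Return (ok, message) for the type/format choice made in the UI steps."""
    allowed = SUPPORTED_FORMATS.get(cert_type)
    if allowed is None:
        return False, f"unknown certificate type {cert_type!r}"
    if declared_format not in allowed:
        return False, f"{cert_type} accepts {sorted(allowed)}, not {declared_format!r}"
    actual = detect_format(data)
    if actual != declared_format:
        return False, f"file looks like {actual}, but {declared_format} was selected"
    info = certificate_summary(to_der(data))
    if now >= info["not_after"]:
        return False, f"certificate expired on {info['not_after'].date()}"
    if now < info["not_before"]:
        return False, "certificate is not yet valid"
    return True, f"serial {info['serial']:x}, valid until {info['not_after'].date()}"


def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_certificate_pem(not_after: bytes = b"261231235959Z") -> bytes:
    """Constructed test input: an unsigned tbsCertificate skeleton in RFC 5280
    field order (no key, subject or signature). Not a usable certificate."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                    # version v3
           + _der(0x02, b"\x1c\xb3\x09")                                       # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSA
           + _der(0x30, b"")                                                   # issuer (empty)
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, not_after)))  # validity
    der = _der(0x30, _der(0x30, tbs))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

The walker stops at the validity field because that is all the check needs; it does not verify the signature chain, which is the job of the CA certificate the IAP uses at connection time. Python's two-digit year pivot (69) differs from the RFC 5280 UTCTime rule (50), which only matters for dates before 1970 or after 2049.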
Loading Certificates Through Instant CLI
To upload a CA, server, web UI, or captive portal certificate:
(Instant AP)# copy tftp <ip-address> <filename> {cpserver cert <password> format {p12|pem}| radsec {ca|cert <password>} format pem|system {1xca format {der|pem}| 1xcert <password> format pem} uiserver cert <password> format pem}
To download RadSec certificates:
(Instant AP)# download-cert radsec ftp://192.0.2.7 format pem [psk <psk>]
(Instant AP)# download-cert radsecca ftp://192.0.2.7 format pem
Removing Certificates
To clear a certificate:
(Instant AP)# clear-cert {ca|cp|radsec|radsecca|server}
Loading Certificates Through AirWave
You can manage certificates using AirWave. The AMP directly provisions the certificates and performs basic certificate verification (such as certificate type, format, version, serial number, and so on) before accepting the certificate and uploading to an IAP network. The AMP packages the text of the certificate into an HTTPS message and sends it to the VC. After the VC receives this message, it draws the certificate content from the message, converts it to the right format, and saves it on the RADIUS server.
To load a certificate in AirWave:
1. Navigate to Device Setup > Certificate and then click Add to add a new certificate. The Certificate window is displayed.
2. Enter the certificate Name , and click Choose File to browse and upload the certificate.
Figure 38 Loading Certificate through AirWave
3. Select the appropriate Format that matches the certificate filename.
- Select Server Cert for certificate Type, and provide the passphrase if you want to upload a server certificate.
- Select either Intermediate CA or Trusted CA as the certificate Type if you want to upload a CA certificate.
Figure 39 Server Certificate
4. After you upload the certificate, navigate to Groups, click the Instant Group and then select Basic. The Group name is displayed only if you have entered the Organization name in the Instant UI. For more information, see Configuring Organization String on page 313.
Figure 40 Selecting the Group
The Virtual Controller Certificate section displays the certificates (CA cert and Server).
5. Click Save to apply the changes only to AirWave. Click Save and Apply to apply the changes to the IAP.
6. To clear the certificate options, click Revert .
- 408 Scenario 2—IPsec: Single Datacenter with Multiple Controllers for Redundancy
- 414 Scenario 3—IPsec: Multiple Datacenter Deployment with Primary and Backup Cont...
- 421 Scenario 4—GRE: Single Datacenter Deployment with No Redundancy
- 427 Glossary of Terms