Important Points to Remember
l
Any client connected through ClearPass Policy Manager and authenticated through IAP remains
authenticated with the IAP even if the client is removed from the ClearPass Policy Manager server during
the ClearPass Policy Manager downtime.
l
Do not make any changes to the authentication survivability cache timeout duration when the
authentication server is down.
l
For EAP-PEAP authentication, ensure that the ClearPass Policy Manager 6.0.2 or later version is used for
authentication. For EAP-TLS authentication, any external or third-party server can be used.
l
For EAP-TLS authentication, ensure that the server and CA certificates from the authentication servers are
uploaded on the IAP. For more information, see
Uploading Certificates on page 179
In the CLI
To configure authentication survivability for a wireless network:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}
(Instant AP)(SSID Profile <name>)# auth-server <server-name1>
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out <hours>
(Instant AP)(config)# end
(Instant AP)# commit apply
To view the cache expiry duration:
(Instant AP)# show auth-survivability time-out
To view the information cached by the IAP:
(Instant AP)# show auth-survivability cached-info
To view logs for debugging:
(Instant AP)# show auth-survivability debug-log
Configuring 802.1X Authentication for a Network Profile
This section consists of the following procedures:
l
Configuring 802.1X Authentication for Wireless Network Profiles on page 168
l
Configuring 802.1X Authentication for Wired Profiles on page 168
The Instant network supports internal RADIUS server and external RADIUS server for 802.1X authentication.
The steps involved in 802.1X authentication are as follows:
1. The NAS requests authentication credentials from a wireless client.
2. The wireless client sends authentication credentials to the NAS.
3. The NAS sends these credentials to a RADIUS server.
4. The RADIUS server checks the user identity and authenticates the client if the user details are available in its
database. The RADIUS server sends an
Access-Accept
message to the NAS. If the RADIUS server cannot
identify the user, it stops the authentication process and sends an
Access-Reject
message to the NAS. The
NAS forwards this message to the client and the client must re-authenticate with appropriate credentials.
5. After the client is authenticated, the RADIUS server forwards the encryption key to the NAS. The encryption
key is used for encrypting or decrypting traffic sent to and from the client.
The NAS acts as a gateway to guard access to a protected resource. A client connecting to the wireless network
first connects to the NAS.
Aruba Instant 6.5.0.0-4.3.0.0 | User Guide
Authentication and User Management |
167