166
| Authentication and User Management
Aruba Instant 6.5.0.0-4.3.0.0 | User Guide
Configuring Authentication Survivability
The authentication survivability feature supports a survivable authentication framework against any remote
link failures when working with external authentication servers. When enabled, this feature allows the IAPs to
authenticate the previously connected clients against the cached credentials if the connection to the
authentication server is temporarily lost.
Instant supports the following EAP standards for authentication survivability:
l
EAP-PEAP
: The Protected Extensible Authentication Protocol, also known as Protected EAP or PEAP, is a
protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security
(TLS) tunnel. The EAP-PEAP supports MS-CHAPv2 and GTC methods.
l
EAP-TLS
: EAP-Transport Layer Security (EAP-TLS) is an IETF open standard that uses the Transport Layer
Security (TLS) protocol.
When the authentication survivability feature is enabled, the following authentication process is used:
1. The client associates to an IAP and authenticates to the external authentication server. The external
authentication server can be either ClearPass Policy Manager (for EAP-PEAP) or RADIUS server (EAP-TLS).
2. Upon successful authentication, the associated IAP caches the authentication credentials of the connected
clients for the configured duration. The cache expiry duration for authentication survivability can be set
within the range of 1–99 hours, with 24 hours being the default cache timeout duration.
3. If the client roams or tries to reconnect to the IAP and the remote link fails due to the unavailability of the
authentication server, the IAP uses the cached credentials in the internal authentication server to
authenticate the user. However, if the client tries to reconnect after the cache expiry, the authentication
fails.
4. When the authentication server is available and if the client tries to reconnect, the IAP detects the
availability of server and allows the client to authenticate to the server. Upon successful authentication, the
IAP cache details are refreshed.
Enabling Authentication Survivability
You can enable authentication survivability for a wireless network profile through the UI or the CLI.
In the Instant UI
To configure authentication survivability for a wireless network:
1. On the
Network
tab, click
New
to create a new network profile or select an existing profile for which you
want to enable authentication survivability and click
edit
.
2. In the
Edit <profile-name>
or the
New WLAN
window, ensure that all required WLAN and VLAN
attributes are defined, and then click
Next
.
3. On the
Security
tab, under
Enterprise
security settings, select an existing authentication server or create a
new server by clicking
New
.
4. To enable authentication survivability, select
Enabled
from the
Authentication survivability
drop-down
list. On enabling this, the IAP authenticates the previously connected clients using EAP-PEAP and EAP-TLS
authentication when connection to the external authentication server is temporarily lost.
5. Specify the cache timeout duration, after which the cached details of the previously authenticated clients
expire. You can specify a value within the range of 1–99 hours and the default cache timeout duration is 24
hours.
6. Click
Next
and then click
Finish
to apply the changes.