WAN Authentication Survivability Overview

Authentication survivability is critical to managed-device WLANs (Wireless Local Area Networks: 802.11 standards-based LANs that users access over a wireless connection), since most managed devices rely on geographically remote authentication servers for authentication and authorization services. When those authentication servers are not accessible, clients cannot access the WLAN because the managed device cannot authenticate them. AOS-8 authentication survivability allows managed devices to keep providing client authentication and authorization when the remote authentication servers are not accessible. When this feature is enabled, AOS-8 stores user access credentials and key reply attributes whenever clients are authenticated by external RADIUS (Remote Authentication Dial-In User Service, the industry-standard protocol for authentication, authorization and accounting of remote users) or LDAP (Lightweight Directory Access Protocol, used to access and maintain distributed directory information) authentication servers. When the external authentication servers are not accessible, the managed device uses its internal survival server to continue providing authentication and authorization, using the access credentials and key reply attributes that were stored earlier.

When authentication survivability is enabled, an internal survival server on the managed node performs authentication functions, as well as EAP (Extensible Authentication Protocol) termination using the RADIUS protocol. The survival server handles authentication or query requests when authentication survivability is enabled and one of the following is true:

  • All servers in the server group are out of service and fail-through is disabled.
  • Fail-through is enabled, all in-service servers failed the authentication, and at least one server is out of service.

All access credentials and key reply attributes saved in the local survival server remain in the system until they expire. The system-wide lifetime parameter auth-survivability cache-lifetime has a range of 1 to 168 hours and a default value of 24 hours. Expired user credentials and key reply attributes stored in the survival server cache are purged every 10 minutes.
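The two fallback conditions and the cache-lifetime rules above can be modelled directly. The following Python is an added example, not AOS-8 code: the AuthServer and CacheEntry structures, the identity "alice", the reply attribute "user-role" and the clock values are all constructed for the illustration; only the 1 to 168 hour range, the 24 hour default and the 10 minute purge interval come from the text.

```python
"""Model of the survival-server fallback rules and cache lifetime described
above. Added illustration, not AOS-8 code: the AuthServer states, CacheEntry
layout, identities and clock values are constructed here."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Values stated on the page for auth-survivability cache-lifetime and purging.
CACHE_LIFETIME_MIN_HOURS = 1
CACHE_LIFETIME_MAX_HOURS = 168
CACHE_LIFETIME_DEFAULT_HOURS = 24
PURGE_INTERVAL = timedelta(minutes=10)


@dataclass
class AuthServer:
    """One server in a server group (constructed model)."""
    name: str
    in_service: bool          # False once the server is marked out of service
    rejected: bool = False    # True if an in-service server failed the request


def should_use_survival_server(servers, fail_through):
    """Return True when the survival server must answer the request.

    fail-through disabled: every server in the group is out of service.
    fail-through enabled:  every in-service server failed the authentication
                           and at least one server is out of service.
    """
    out_of_service = [s for s in servers if not s.in_service]
    in_service = [s for s in servers if s.in_service]
    if not fail_through:
        return len(out_of_service) == len(servers)
    return bool(out_of_service) and all(s.rejected for s in in_service)


def cache_lifetime(hours=CACHE_LIFETIME_DEFAULT_HOURS):
    """Validate the system-wide lifetime against the 1..168 hour range."""
    if not CACHE_LIFETIME_MIN_HOURS <= hours <= CACHE_LIFETIME_MAX_HOURS:
        raise ValueError("auth-survivability cache-lifetime must be 1..168 hours")
    return timedelta(hours=hours)


@dataclass
class CacheEntry:
    identity: str
    stored_at: datetime
    reply_attrs: dict


class SurvivalCache:
    """Credentials and key reply attributes kept until they expire."""

    def __init__(self, lifetime_hours=CACHE_LIFETIME_DEFAULT_HOURS):
        self.lifetime = cache_lifetime(lifetime_hours)
        self.entries = {}
        self.last_purge = None

    def store(self, identity, reply_attrs, now):
        self.entries[identity] = CacheEntry(identity, now, dict(reply_attrs))

    def is_expired(self, entry, now):
        return now - entry.stored_at >= self.lifetime

    def lookup(self, identity, now):
        """Only an unexpired entry is usable, even if the purge has not run yet."""
        entry = self.entries.get(identity)
        if entry is None or self.is_expired(entry, now):
            return None
        return entry.reply_attrs

    def maybe_purge(self, now):
        """Drop expired entries, but only once per 10-minute purge interval."""
        if self.last_purge is not None and now - self.last_purge < PURGE_INTERVAL:
            return 0
        expired = [k for k, e in self.entries.items() if self.is_expired(e, now)]
        for k in expired:
            del self.entries[k]
        self.last_purge = now
        return len(expired)


def walkthrough():
    """Constructed timeline: store at t0, check before and after expiry."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    cache = SurvivalCache()                                   # default 24 hours
    cache.store("alice", {"user-role": "employee"}, t0)       # constructed attrs
    return {
        "fresh": cache.lookup("alice", t0 + timedelta(hours=23)),
        "stale": cache.lookup("alice", t0 + timedelta(hours=24)),
        "purged_first": cache.maybe_purge(t0 + timedelta(hours=24)),
        "purged_again": cache.maybe_purge(t0 + timedelta(hours=24, minutes=5)),
        "remaining": len(cache.entries),
    }


if __name__ == "__main__":
    print(walkthrough())
```

The lookup checks expiry itself rather than trusting the purge: an entry that expired four minutes ago is still physically present until the next purge pass, and the model must not honour it in the meantime.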

The best practice is to import a customer server certificate into the managed device and assign it to the local survival server.

The survival server can store the following types of client data:

Supported Client and Authentication Types

The following combinations of clients and authentication types are supported with the authentication survivability feature (see Table 1):

Table 1: Clients and Supported Authentication Types

| Clients | Authentication Methods |
|---|---|
| 802.1X clients (802.1X is the IEEE standard for port-based network access control that lets a central authority authenticate users on an 802.11 WLAN) |  |
| Captive Portal clients (a captive portal is a web page on which users authenticate and sign in before connecting to a public-access network) | PAP (Password Authentication Protocol; validates users by password, which is not encrypted for transmission) |
| External Captive Portal clients using the XML-API (XML: Extensible Markup Language) | PAP |
| MAC-based authentication clients (MAC: Media Access Control, the unique address assigned to a network interface) | PAP |
| MPSK clients | MAC |
| VIA (Virtual Intranet Access, the secure remote-connectivity client for Android, Apple iOS, Mac OS X and Windows devices) and other VPN (Virtual Private Network) clients | PAP method and CN (Common Name, the primary name used to identify a certificate) lookup |
| VPN clients |  |
| Wireless Internet Service Provider roaming clients | PAP |

Supported Key Reply Attributes

The following key reply attributes are supported:

Feature Restrictions and Limitations

The authentication survivability feature has the following support restrictions:

To configure the Authentication Server Dead Time on the managed device, navigate to Configuration > SECURITY > Authentication > Advanced > Authentication Timers > Authentication Server Dead Time (min).

Captive Portal Authentication Workflow

This section describes the authentication procedures for Captive Portal clients, both when the branch authentication servers are available and when they are not. When the authentication servers are not available, the Survival Server takes over the handling of authentication requests.

Captive Portal Client Authentication Using PAP

Table 2 describes what occurs for Captive Portal clients using PAP as the authentication method.

Table 2: Captive Portal Authentication Using PAP

When Authentication Servers Are Available:

  • If authentication succeeds, the associated access credential, with an encrypted SHA-1 (Secure Hash Algorithm 1) hash of the password, and the Key Reply attributes are stored in the Survival Server database.
  • If authentication fails, the associated access credential and Key Reply attributes associated with the PAP method (if they exist) are deleted from the Survival Server database.

When Authentication Servers Are Not Available:

  • When no in-service server in the associated server group is available, the Survival Server is used to authenticate the Captive Portal client using PAP.
  • The Survival Server uses the previously stored unexpired access credential to perform authentication and, upon successful authentication, returns the previously stored Key Reply attributes.
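The Table 2 lifecycle (store on success, delete on failure, verify from the stored entry when no in-service server is available) as an added Python model; this is not AOS-8 code. The stored form follows the page's description, a SHA-1 hash of the password; the page also says that hash is stored encrypted, which the model leaves out. The usernames "alice" and "bob", the passwords and the "user-role" reply attribute are constructed sample data.

```python
"""Model of the Table 2 credential lifecycle for Captive Portal clients using
PAP. Added illustration, not AOS-8 code. Stored form follows the page (SHA-1
hash of the password); all names, passwords and attributes are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

METHOD_PAP = "PAP"


@dataclass
class StoredCredential:
    password_sha1: str      # hex SHA-1 of the password, as the page describes
    reply_attrs: dict       # Key Reply attributes returned by the external server
    stored_at: datetime


class PapSurvivalStore:
    """Survival Server database keyed by (username, method)."""

    def __init__(self, lifetime=timedelta(hours=24)):   # default cache-lifetime
        self.lifetime = lifetime
        self.db = {}

    @staticmethod
    def _sha1(password):
        return hashlib.sha1(password.encode("utf-8")).hexdigest()

    def record_external_result(self, username, password, accepted, reply_attrs, now):
        """Called after an in-service external server answered the PAP request."""
        key = (username, METHOD_PAP)
        if accepted:
            self.db[key] = StoredCredential(self._sha1(password), dict(reply_attrs), now)
        else:
            # A failed authentication removes any earlier PAP entry for this user.
            self.db.pop(key, None)

    def authenticate_offline(self, username, password, now):
        """Survival path: reply attributes on success, None on failure."""
        cred = self.db.get((username, METHOD_PAP))
        if cred is None or now - cred.stored_at >= self.lifetime:
            return None                         # no entry, or entry expired
        if not hmac.compare_digest(cred.password_sha1, self._sha1(password)):
            return None                         # password does not match
        return dict(cred.reply_attrs)


def walkthrough():
    """Constructed sequence: accept, fallback checks, later reject, expiry."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    store = PapSurvivalStore()
    attrs = {"user-role": "guest"}              # constructed reply attribute
    store.record_external_result("alice", "correct horse", True, attrs, t0)
    one_hour = t0 + timedelta(hours=1)
    results = {
        "good": store.authenticate_offline("alice", "correct horse", one_hour),
        "bad_password": store.authenticate_offline("alice", "wrong", one_hour),
        "unknown_user": store.authenticate_offline("bob", "anything", one_hour),
        "expired": store.authenticate_offline("alice", "correct horse", t0 + timedelta(hours=24)),
    }
    # A later failure at the external server deletes the cached PAP entry.
    store.record_external_result("alice", "correct horse", False, {}, t0 + timedelta(hours=2))
    results["after_reject"] = store.authenticate_offline("alice", "correct horse", t0 + timedelta(hours=3))
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The comparison uses a constant-time digest compare, and the entry is keyed by method as well as user so that a failure on the PAP method removes only the PAP entry, as Table 2 states. The hash scheme is a model of the stored format described on the page, not a recommendation for password storage.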

External Captive Portal Client Authentication Using the XML-API

Table 3 describes the authentication procedures for External Captive Portal clients using the XML-API, both when the branch authentication servers are available and when they are not. When the authentication servers are not available, the Survival Server takes over the handling of authentication requests.

Table 3: Captive Portal Authentication Using XML-API

When Authentication Servers Are Available:

For authentication requests from an External Captive Portal using the XML-API, PAP is used to authenticate these requests with an external authentication server.

  • If authentication succeeds, the associated access credential, with an encrypted SHA-1 hash of the password, and the Key Reply attributes are stored in the Survival Server database.
  • If authentication fails, the associated access credential and Key Reply attributes associated with the PAP method (if they exist) are deleted from the Survival Server database.

When Authentication Servers Are Not Available:

  • When no in-service server in the associated server group is available, the Survival Server is used to authenticate the Captive Portal client using PAP.
  • The Survival Server uses the previously stored unexpired access credential to perform authentication and, upon successful authentication, returns the previously stored Key Reply attributes.

802.1X Authentication Workflow

This section describes the authentication procedures for 802.1X clients with termination at an external RADIUS server, or at the controller.

Table 4: 802.1X Authentication Terminating at an External Server

When Authentication Servers Are Available:

For an 802.1X client that terminates at an external RADIUS server using EAP-TLS (EAP-Transport Layer Security, a certificate-based authentication method supporting mutual authentication, integrity-protected cipher suite negotiation and key exchange between two endpoints; see RFC 5216):

  • If authentication is accepted, the associated access credential with the EAP-TLS indicator, in addition to the Key Reply attributes, is stored in the Survival Server database.
  • If authentication is rejected, the associated access credential and Key Reply attributes associated with the EAP-TLS method (if they exist) are deleted from the Survival Server database.

When Authentication Servers Are Not Available:

  • When there is no available in-service server in the associated server group, the Survival Server terminates and authenticates 802.1X clients using EAP-TLS.
  • The Survival Server uses the previously stored unexpired access credential to perform authentication and, upon successful authentication, returns the previously stored Key Reply attributes.
  • In this case, the client station must be configured to accept the server certificate assigned to the Survival Server.

For an 802.1X client for which termination is enabled at the managed device using EAP-TLS with CN lookup, a query request about the Common Name is sent to the external authentication server. The external authentication server can be either a RADIUS server or an LDAP server.

Table 5: 802.1X Client Authentication Using EAP-TLS with CN Lookup

When Authentication Servers Are Available:

  • If the query succeeds, the associated access credential with a returned indicator of EXIST, plus the Key Reply attributes, are stored in the Survival Server database.
  • If the query fails, the associated access credential and Key Reply attributes associated with the Query method (if they exist) are deleted from the Survival Server database.

When Authentication Servers Are Not Available:

  • When there is no available in-service server in the associated server group, the Survival Server performs CN lookup for 802.1X clients for which termination is enabled at the managed device using EAP-TLS.
  • The Survival Server returns previously stored Key Reply attributes as long as the client with the EXIST indicator is in the Survival Server database.

MAC Authentication Workflow

This section describes the authentication procedures for MAC-based authentication clients.

Table 6: MAC-Based Client Authentication Using PAP

When Authentication Servers Are Available:

  • If authentication succeeds, the associated access credential, along with an encrypted SHA-1 hash of the password and the Key Reply attributes, are stored in the Survival Server database.
  • If authentication fails, the associated access credential and Key Reply attributes associated with the PAP method (if they exist) are deleted from the Survival Server database.

When Authentication Servers Are Not Available:

  • When there is no available in-service server in the associated server group, the Survival Server authenticates the MAC-based authentication client using PAP.
  • The Survival Server returns previously stored Key Reply attributes as long as the client with the EXIST indicator is in the Survival Server database.

WISPr Authentication

This section describes the authentication procedures for WISPr (Wireless Internet Service Provider Roaming, a framework that lets client devices roam between wireless hotspots operated by different ISPs) clients, both when the branch authentication servers are available and when they are not. When the authentication servers are not available, the Survival Server takes over the handling of authentication requests.

Table 7: WISPr Authentication Using PAP

When Authentication Servers Are Available:

For a WISPr client authenticated by an external server using PAP:

  • If authentication succeeds, the associated access credential, along with an encrypted SHA-1 hash of the password and the Key Reply attributes, are stored in the Survival Server database.
  • If authentication fails, the associated access credential and Key Reply attributes (if they exist) associated with the PAP method are deleted from the Survival Server database.

When Authentication Servers Are Not Available:

  • When there is no available in-service server in the associated server group, the Survival Server authenticates the WISPr client using PAP.
  • The Survival Server uses the previously stored unexpired credential to perform authentication and, upon successful authentication, returns the previously stored Key Reply attributes.