Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
WAN Authentication Survivability Overview
Authentication survivability is critical to managed device WLANs, because most managed devices rely on geographically remote authentication servers for authentication and authorization. When those servers are unreachable, clients cannot access the WLAN because the managed device cannot authenticate them. AOS-8 authentication survivability lets a managed device keep authenticating and authorizing clients while the remote authentication servers are unreachable. When the feature is enabled, AOS-8 stores user access credentials and key reply attributes whenever clients are authenticated against external RADIUS or LDAP authentication servers. When those external servers become unreachable, the managed device's internal survival server continues to provide authentication and authorization using the credentials and key reply attributes stored earlier.
When authentication survivability is enabled, an internal survival server on the managed node performs authentication functions, including EAP termination, using the RADIUS protocol. The survival server handles authentication or query requests when authentication survivability is enabled and one of the following is true:
- All servers are out of service in the server group if fail-through is disabled.
- All in-service servers failed the authentication and at least one server is out of service when fail-through is enabled.
All access credentials and key reply attributes saved in the local survival server remain in the system until they expire. The system-wide lifetime parameter has a range of 1 to 168 hours and a default value of 24 hours. Expired user credentials and key reply attributes in the survival server cache are purged every 10 minutes. Best practice is to import a customer-provided server certificate into the managed device and assign it to the local survival server, so that clients that terminate EAP at the survival server can validate its certificate against a CA they already trust (see Feature Restrictions and Limitations below).
The survival server can store the following types of client data:
- Client username
- Encrypted passwords. For PAP authentication, the survival server receives the password provided by the client and stores a SHA-1 hash of it rather than the cleartext password. A SHA-1 hash offers only limited protection against offline guessing if the cache is extracted, so treat the managed device's survival cache as sensitive data.
- EAP indicator: when 802.1X is used with termination disabled and EAP-TLS, the EAP indicator is stored.
- The CN lookup EXIST indicator
Supported Client and Authentication Types
The following combinations of clients and authentication types are supported with the authentication survivability feature (see the table below):
Table 1: Clients and Supported Authentication Types
Supported Key Reply Attributes
The following key reply attributes are supported:
- ARUBA_NAMED_VLAN
- ARUBA_NO_DHCP_FINGERPRINT
- ARUBA_ROLE
- ARUBA_VLAN
- ARUBA_MPSK_PASSPHRASE
- MS_TUNNEL_MEDIUM_TYPE
- MS_TUNNEL_PRIVATE_GROUP_ID
- MS_TUNNEL_TYPE
- PW_SESSION_TIMEOUT
- PW_USER_NAME
Feature Restrictions and Limitations
The authentication survivability feature has the following support restrictions:
- The Survival Server cache database is station-based (the MAC address is the key), so authentication survivability is not supported for any station with a zero MAC address.
- For a client using EAP-TLS, you must install the issuer certificate of the Survival Server certificate as a TrustedCA certificate on the client station.
- For an 802.1X client using EAP-TLS that does not terminate at the managed device, the issuer certificate for the client certificate must be imported as a TrustedCA or intermediateCA certificate on the managed device, just as the same certificate must be installed on the terminating external RADIUS server.
- The Survival Server does not support OCSP or CRL checking for EAP-TLS. A client certificate that has been revoked since the client's last successful online authentication can therefore still be accepted in survival mode while its cache entry is unexpired, so keep the cache lifetime no longer than your outage tolerance requires.
- Authentication survivability will not activate if Authentication Server Dead Time is configured as 0.
To configure Authentication Server Dead Time, on the managed device, navigate to > > > > > .
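The activation rule above (fail-through disabled versus enabled), together with the dead-time and zero-MAC restrictions, as an added worked example in Python. This is an illustration written for this page, not AOS-8 code; the `ServerResult` shape, the function names and the way a server's dead time is represented are assumptions.

```python
"""Added model of when the AOS-8 Survival Server takes over a request.

Illustration only, not AOS-8 code. The ServerResult dataclass, the function
names and the representation of dead time are assumptions for this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ServerResult:
    name: str
    in_service: bool                 # False while the server's dead timer is running
    accepted: Optional[bool] = None  # True/False if the server answered, None if not tried


def is_zero_mac(mac: str) -> bool:
    """The cache is keyed by station MAC, so an all-zero MAC cannot be cached."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    return len(digits) == 12 and set(digits) == {"0"}


def survival_server_takes_over(results: List[ServerResult], fail_through: bool,
                               dead_time_seconds: int, client_mac: str) -> bool:
    """Return True when the request should go to the internal Survival Server.

    Rules from the page:
      * dead time 0: the feature never activates (a server is never marked out of service)
      * zero MAC: not supported, because the cache database is station (MAC) based
      * fail-through disabled: every server in the group is out of service
      * fail-through enabled: every in-service server rejected the client and at
        least one server in the group is out of service
    """
    if dead_time_seconds == 0 or is_zero_mac(client_mac) or not results:
        return False
    out_of_service = [r for r in results if not r.in_service]
    in_service = [r for r in results if r.in_service]
    if not fail_through:
        return len(out_of_service) == len(results)
    # With fail-through, a server that was not tried (accepted is None) does not
    # count as a rejection, so the group is not yet exhausted.
    every_live_server_rejected = all(r.accepted is False for r in in_service)
    return bool(out_of_service) and every_live_server_rejected


if __name__ == "__main__":
    group = [ServerResult("radius-dc1", in_service=False),
             ServerResult("radius-dc2", in_service=True, accepted=False)]
    print("fail-through off:", survival_server_takes_over(group, False, 10, "aa:bb:cc:00:11:22"))
    print("fail-through on: ", survival_server_takes_over(group, True, 10, "aa:bb:cc:00:11:22"))
```

With fail-through disabled, a single reachable server that rejects the client is a real rejection and the survival server stays out of the path; with fail-through enabled the same group state hands the request to the cache, which is why an unexpired cached credential can still admit a user that the live server has just rejected.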
Captive Portal Authentication Workflow
This section describes the authentication procedures for Captive Portal clients, both when the branch authentication servers are available and when they are not. When the authentication servers are not available, the Survival Server takes over the handling of authentication requests.
Captive Portal Client Authentication Using PAP
Table 2 describes what occurs for Captive Portal clients using PAP as the authentication method.
Table 2: Captive Portal Authentication Using PAP

| When Authentication Servers Are Available | When Authentication Servers Are Not Available |
|---|---|
| If authentication succeeds, the associated access credential, with a SHA-1 hash of the password, and the Key Reply attributes are stored in the Survival Server database. If authentication fails, the associated access credential and Key Reply attributes for the PAP method (if they exist) are deleted from the Survival Server database. | When no in-service server in the associated server group is available, the Survival Server authenticates the Captive Portal client using PAP. It uses the previously stored, unexpired access credential to perform authentication and, on success, returns the previously stored Key Reply attributes. |
External Captive Portal Client Authentication Using the XML-API
Table 3 describes the authentication procedures for External Captive Portal clients using the XML-API, both when the branch authentication servers are available and when they are not. When the authentication servers are not available, the Survival Server takes over the handling of authentication requests.
Table 3: Captive Portal Authentication Using XML-API
802.1X Authentication Workflow
This section describes the authentication procedures for 802.1X clients with termination at an external RADIUS server or at the managed device (controller).
Table 4: 802.1X Authentication Terminating at an External Server
For an 802.1X client with termination enabled at the managed device using EAP-TLS with CN lookup, a query request about the client certificate's Common Name is sent to the external authentication server, which can be either a RADIUS server or an LDAP server.
Table 5: 802.1X Client Authentication Using EAP-TLS with CN Lookup

| When Authentication Servers Are Available | When Authentication Servers Are Not Available |
|---|---|
| The managed device terminates EAP-TLS and sends a CN lookup query to the external RADIUS or LDAP server. On a successful lookup, the CN lookup EXIST indicator and the client's Key Reply attributes are stored in the Survival Server database. | When there is no available in-service server in the associated server group, the Survival Server performs the CN lookup for 802.1X clients with termination enabled at the managed device using EAP-TLS. It returns the previously stored Key Reply attributes as long as the client with the EXIST indicator is in the Survival Server database. |
MAC Authentication Workflow
This section describes the authentication procedures for MAC-based authentication clients.
Table 6: MAC-Based Client Authentication Using PAP

| When Authentication Servers Are Available | When Authentication Servers Are Not Available |
|---|---|
| If authentication succeeds, the associated access credential, along with a SHA-1 hash of the password and the Key Reply attributes, is stored in the Survival Server database. If authentication fails, the associated access credential and Key Reply attributes for the PAP method (if they exist) are deleted from the Survival Server database. | When there is no available in-service server in the associated server group, the Survival Server authenticates the MAC-based authentication client using PAP. It returns the previously stored Key Reply attributes as long as the client with the EXIST indicator is in the Survival Server database. |
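The PAP cache behaviour described for Captive Portal clients (Table 2) and MAC-based clients (Table 6), which both take the same path, as one added worked example in Python: store a SHA-1 hash of the password and the Key Reply attributes on success, delete the entry on failure, authenticate from the unexpired cached entry when no server is in service, enforce the 1 to 168 hour lifetime (default 24) and purge expired entries on a 10-minute sweep. This is an illustration written for this page, not AOS-8 code; the class and method names, the caller-supplied `now` timestamp and the layout of a cache entry are assumptions.

```python
"""Added model of the Survival Server cache for PAP-based clients (captive
portal and MAC authentication). Illustration only, not AOS-8 code: the class
and method names, the caller-supplied `now` timestamp and the entry layout are
assumptions. The page says a SHA-1 hash of the password is stored, so that is
what this model stores.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

MIN_LIFETIME_HOURS, MAX_LIFETIME_HOURS, DEFAULT_LIFETIME_HOURS = 1, 168, 24
PURGE_INTERVAL_SECONDS = 10 * 60


@dataclass
class CacheEntry:
    username: str
    password_sha1: bytes            # SHA-1 digest, never the cleartext password
    key_reply_attrs: Dict[str, str]  # e.g. ARUBA_ROLE, ARUBA_VLAN
    expires_at: float


def _station_key(mac: str) -> str:
    """The cache is keyed by station MAC; a zero MAC is not supported."""
    digits = mac.lower().replace(":", "").replace("-", "")
    if set(digits) == {"0"}:
        raise ValueError("zero MAC address is not supported by the survival cache")
    return digits


class SurvivalCache:
    def __init__(self, lifetime_hours: int = DEFAULT_LIFETIME_HOURS) -> None:
        if not MIN_LIFETIME_HOURS <= lifetime_hours <= MAX_LIFETIME_HOURS:
            raise ValueError("lifetime must be between 1 and 168 hours")
        self.lifetime_seconds = lifetime_hours * 3600
        self._entries: Dict[str, CacheEntry] = {}
        self._last_purge = float("-inf")

    def record_online_result(self, mac: str, username: str, password: str,
                             accepted: bool, attrs: Dict[str, str], now: float) -> None:
        """Outcome of a request answered by an external server (Tables 2 and 6):
        success overwrites the station's entry, failure deletes it."""
        key = _station_key(mac)
        if accepted:
            self._entries[key] = CacheEntry(
                username=username,
                password_sha1=hashlib.sha1(password.encode("utf-8")).digest(),
                key_reply_attrs=dict(attrs),
                expires_at=now + self.lifetime_seconds,
            )
        else:
            self._entries.pop(key, None)

    def authenticate_offline(self, mac: str, username: str, password: str,
                             now: float) -> Optional[Dict[str, str]]:
        """PAP check in survival mode. Returns the stored Key Reply attributes on
        success, None when there is no unexpired matching entry."""
        entry = self._entries.get(_station_key(mac))
        if entry is None or entry.expires_at <= now or entry.username != username:
            return None
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
        if not hmac.compare_digest(candidate, entry.password_sha1):
            return None
        return dict(entry.key_reply_attrs)

    def purge_expired(self, now: float) -> int:
        """The 10-minute sweep; returns how many expired entries were removed."""
        if now - self._last_purge < PURGE_INTERVAL_SECONDS:
            return 0
        self._last_purge = now
        expired = [k for k, e in self._entries.items() if e.expires_at <= now]
        for k in expired:
            del self._entries[k]
        return len(expired)

    def __len__(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    # Constructed sample data for the demo.
    cache = SurvivalCache()
    station = "aa:bb:cc:dd:ee:01"
    cache.record_online_result(station, "alice", "s3cret", True,
                               {"ARUBA_ROLE": "employee", "ARUBA_VLAN": "10"}, now=0.0)
    print("offline, 1h later:", cache.authenticate_offline(station, "alice", "s3cret", now=3600.0))
    print("offline, 24h later:", cache.authenticate_offline(station, "alice", "s3cret", now=86400.0))
    print("purged:", cache.purge_expired(now=86400.0))
```

The `expires_at <= now` test in `authenticate_offline` is deliberate: an expired entry must be refused even though the 10-minute sweep may not have removed it yet. The unsalted SHA-1 the page describes is cheap to brute-force offline, so the model is only as safe as access to the managed device itself.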
WISPr Authentication
This section describes the authentication procedures for WISPr clients, both when the branch authentication servers are available and when they are not. When the authentication servers are not available, the Survival Server takes over the handling of authentication requests.
The external authentication server can be either a RADIUS server or an LDAP server.
Table 7: WISPr Authentication Using PAP