
aaa authentication dot1x

aaa authentication dot1x {<profile>|countermeasures}

ca-cert <certificate>

cert-cn-lookup

clear

clone <profile>

delete-keycache

eap-frag-mtu <ipmtu>

eapol-logoff

enforce-suite-b-128

enforce-suite-b-192

framed-mtu <mtu>

heldstate-bypass-counter <number>

ignore-eap-id-match

ignore-eapolstart-afterauthentication

key-cache clear

machine-authentication blacklist-on-failure|{cache-timeout <hours>}|enable|
  {machine-default-role <role>}|{user-default-role <role>}

max-authentication-failures <number>

max-requests <number>

multicast-keyrotation

no ...

opp-key-caching

reauth-max <number>

reauth-server-termination-action

reauthentication

reload-cert

server {server-retry <number>|server-retry-period <seconds>}

server-cert <certificate>

termination {eap-type <type>}|enable|enable-token-caching|{inner-eap-type (eap-gtc|eap-mschapv2)}|{token-caching-period <hours>}

timer {idrequest-period <seconds>}|{keycache-tmout <hours>}|{mkey-rotation-period <seconds>}|{quiet-period <seconds>}|{reauth-period <seconds>}|{ukey-rotation-period <seconds>}|{wpa-groupkey-delay <milliseconds>}|{wpa-key-period <milliseconds>}|{wpa2-key-delay <milliseconds>}

tls-guest-access

tls-guest-role <role>

unicast-keyrotation

use-session-key

use-static-key

validate-pmkid

wep-key-retries <number>

wep-key-size {40|128}

wpa-fast-handover

wpa-key-retries <number>

xSec-mtu <mtu>

Description

This command configures the 802.1X authentication profile.

Syntax

Parameter, with description, range, and default where they apply:

<profile>
    Name that identifies an instance of the profile. The name must be 1-63 characters.
    Default: default

clear
    Clears the cached PMK (Pairwise Master Key), role, and VLAN entries. This command is available in enable mode only.

countermeasures
    Scans for TKIP message integrity code (MIC) failures in traffic received from clients. If there are more than 2 MIC failures within 60 seconds, the AP is shut down for 60 seconds. This option is intended to slow down an attacker who is making a large number of forgery attempts in a short time. Because any station that can inject frames toward the AP can also trigger MIC failures, enabling it gives an attacker a cheap way to take the AP off the air for 60 seconds at a time; weigh that denial-of-service exposure against the forgery risk.
    Default: disabled

ca-cert <certificate>
    CA certificate used to validate client certificates. The CA certificate must first be loaded on the Mobility Master.

ca-cert-name
    Name of the CA certificate.

cert-cn-lookup
    If you use client certificates for user authentication, enable this option to verify that the Common Name (CN) of the client certificate exists as a user in the authentication server. Without it, a certificate is accepted on the strength of its chain to the trusted CA alone.
    Default: disabled

delete-keycache
    Deletes the key cache entry when the user entry is deleted.
    Default: disabled

eap-frag-mtu <ipmtu>
    Enables EAP-TLS fragmentation for the configured IP MTU.
    NOTE: If configured, EAP-TLS fragmentation is applied to all authentication servers. If the IP MTU differs between authentication servers, configure the minimum IP MTU.

eapol-logoff
    Enables handling of EAPOL-Logoff messages.
    Default: disabled

enforce-suite-b-128
    Enforces Suite B authentication at the 128-bit security level or higher.
    Default: disabled

enforce-suite-b-192
    Enforces Suite B authentication at the 192-bit security level or higher.
    Default: disabled

framed-mtu <mtu>
    Sets the RADIUS Framed-MTU attribute sent to the authentication server.
    Range: 500-1500 | Default: 1100

heldstate-bypass-counter <number>
    Applies when 802.1X authentication is terminated on the Mobility Master (AAA FastConnect). After an authentication failure the Mobility Master enters a held state. Until the client has accumulated this many consecutive authentication failures, the Mobility Master still answers its authentication requests during the held state; once the count is reached, further requests from that client are ignored for the rest of the held state.
    Range: 0-3 | Default: 0

ignore-eap-id-match
    Ignores the EAP ID during negotiation.
    Default: disabled

ignore-eapolstart-afterauthentication
    Ignores EAPOL-Start messages after authentication.
    Default: disabled

key-cache clear
    Clears the cached PMK, role, and VLAN entries.

machine-authentication
    Applicable in Windows environments only. These parameters configure machine authentication.
    NOTE: This parameter requires the PEFNG license.

    blacklist-on-failure
        Blacklists the client if machine authentication fails.
        Default: disabled

    cache-timeout <hours>
        The timeout, in hours, for a cached machine authentication.
        Range: 1-1000 | Default: 24 hours

    enable
        Enforces machine authentication before user authentication. When only one of the two succeeds, the user receives machine-default-role (machine authentication passed, user authentication failed) or user-default-role (user authentication passed, machine authentication failed). When both succeed, the user receives the role derived from the authentication server or the default role in the AAA profile.
        Default: disabled

    machine-default-role <role>
        Default role assigned to the user after completing only machine authentication.
        Default: guest

    user-default-role <role>
        Default role assigned to the user after completing only 802.1X user authentication.
        Default: guest

max-authentication-failures <number>
    Number of times a user can try to log in with wrong credentials before the user is blacklisted as a security threat. Set to 0 to disable blacklisting, otherwise enter a non-zero integer to blacklist the user after the specified number of failures.
    Range: 0-5 | Default: 0 (disabled)

max-requests <number>
    Maximum number of times ID requests are sent to the client.
    Range: 1-10 | Default: 5

multicast-keyrotation
    Enables multicast key rotation.
    Default: disabled

no
    Negates any configured parameter, returning it to its default.

opp-key-caching
    Enables a cached PMK derived with a client and an associated AP to be used when the client roams to a new AP. This allows clients faster roaming without a full 802.1X authentication.
    NOTE: Make sure that the wireless client (the 802.1X supplicant) supports this feature. If the client does not support it, the client will attempt to renegotiate the key whenever it roams to a new AP. As a result, the key cached on the managed device can be out of sync with the key used by the client.
    Default: enabled

reauth-max <number>
    Maximum number of reauthentication attempts.
    Range: 1-10 | Default: 3

reauth-server-termination-action
    Honors the Termination-Action attribute returned by the authentication server when deciding whether to reauthenticate the client.

reauthentication
    Forces the client to perform 802.1X reauthentication after the reauthentication timer expires (the default timer value is 24 hours). If the user fails to reauthenticate with valid credentials, the state of the user is cleared.
    If derivation rules are used to classify 802.1X-authenticated users, then the reauthentication timer per role overrides this setting.
    Default: disabled

reload-cert
    Reloads the certificate used for 802.1X termination. This command is available in enable mode only.

server
    Sets options for sending authentication requests to the authentication server group.

    server-retry <number>
        Maximum number of authentication requests that are sent to the server group.
        Range: 0-5 | Default: 3

    server-retry-period <seconds>
        Server group retry interval, in seconds.
        Range: 2-65535 | Default: 5 seconds

server-cert <certificate>
    Server certificate used by the managed device to authenticate itself to the client when it terminates 802.1X. Supplicants that validate the server certificate must trust this certificate's issuer.

termination
    Sets options for terminating 802.1X authentication on the managed device.

    eap-type <type>
        The EAP method, either EAP-PEAP or EAP-TLS.
        Range: eap-peap or eap-tls | Default: eap-peap

    enable
        Enables 802.1X termination on the managed device.
        Default: disabled

    enable-token-caching
        If you select EAP-GTC as the inner EAP method, you can enable the Mobility Master to cache the username and password of each authenticated user. The Mobility Master continues to reauthenticate users with the remote authentication server; however, if the authentication server is not available, the Mobility Master uses its cached credentials to reauthenticate users. The cache is a copy of user credentials held on the controller, so protect access to it accordingly.
        Default: disabled

    inner-eap-type eap-gtc|eap-mschapv2
        When EAP-PEAP is the EAP method, one of the following inner EAP types is used:
        EAP-GTC: Described in RFC 2284, this EAP method carries the username and password from client to server with no encryption of its own; inside PEAP they are protected only by the outer TLS tunnel and are visible in cleartext to the Mobility Master that terminates it. The main uses for EAP-GTC are one-time token cards such as RSA SecurID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the Mobility Master as a backup to an external authentication server.
        EAP-MSCHAPv2: Based on MS-CHAPv2 (RFC 2759), this EAP method is widely supported by Microsoft clients.
        Range: eap-gtc or eap-mschapv2 | Default: eap-mschapv2

    token-caching-period <hours>
        If you select EAP-GTC as the inner EAP method, you can specify the timeout period, in hours, for the cached information.
        Range: (any) | Default: 24 hours

timer
    Sets timer options for 802.1X authentication:

    idrequest-period <seconds>
        Interval, in seconds, between identity request retries.
        Range: 1-65535 | Default: 5 seconds

    keycache-tmout <hours>
        Sets the per-BSSID PMKSA cache interval, in hours. A cache entry is deleted within 2 hours after its interval expires.
        Range: 1-2000 hours | Default: 8 hours

    mkey-rotation-period <seconds>
        Interval, in seconds, between multicast key rotations.
        Range: 60-864000 | Default: 1800 seconds

    quiet-period <seconds>
        Interval, in seconds, that the authenticator waits in the held state after a failed authentication before accepting a new attempt.
        Range: 1-65535 | Default: 30 seconds

    reauth-period <seconds>
        Interval, in seconds, between reauthentication attempts. Specify server to use the server-provided reauthentication period.
        Range: 60-864000 | Default: 86400 seconds (1 day)

    ukey-rotation-period <seconds>
        Interval, in seconds, between unicast key rotations.
        Range: 60-864000 | Default: 900 seconds

    wpa-groupkey-delay <milliseconds>
        Interval, in milliseconds, between the unicast and multicast key exchanges.
        Range: 0-2000 | Default: 0 ms (no delay)

    wpa-key-period <milliseconds>
        Interval, in milliseconds, between each WPA key exchange.
        Range: 10-5000 | Default: 1000 ms

    wpa2-key-delay <milliseconds>
        Sets the delay between EAP-Success and the unicast key exchange.
        Range: 1-2000 | Default: 0 ms (no delay)

tls-guest-access
    Enables guest access for EAP-TLS users with valid certificates.
    Default: disabled

tls-guest-role <role>
    User role assigned to EAP-TLS guests.
    NOTE: This parameter requires the PEFNG license.
    Default: guest

unicast-keyrotation
    Enables unicast key rotation.
    Default: disabled

use-session-key
    Uses the RADIUS session key as the unicast WEP key.
    Default: disabled

use-static-key
    Uses a static key as the unicast or multicast WEP key.
    Default: disabled

validate-pmkid
    Instructs the Mobility Master to check the PMKID sent by the client. When this option is enabled, the client must send a PMKID in the associate or reassociate frame to indicate that it supports OKC (Opportunistic Key Caching) or PMK caching; otherwise, full 802.1X authentication takes place. (This feature is optional, since most clients that support OKC and PMK caching do not send the PMKID in their association request.)
    Default: disabled

wep-key-retries <number>
    Number of times dynamic WEP key messages are retried.
    Range: 1-3 | Default: 2

wep-key-size {40|128}
    Dynamic WEP key size, either 40 or 128 bits. WEP is cryptographically broken at either key size, whether keys are static or dynamic; the WEP options exist only for legacy clients and should not be relied on for confidentiality.
    Range: 40 or 128 | Default: 128 bits

wpa-fast-handover
    Enables WPA fast handover. This is only applicable for phones that support WPA and fast handover.
    Default: disabled

wpa-key-retries <number>
    Sets the number of times WPA or WPA2 key messages are retried.
    Range: 1-10 | Default: 3

xSec-mtu <mtu>
    Sets the size of the MTU for xSec.
    Range: 1024-1500 | Default: 1300 bytes
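The countermeasures parameter above is a sliding-window rate limiter with a held state: more than 2 MIC failures in 60 seconds shut the AP down for 60 seconds. The following added example (written for this page, not ArubaOS code) models that rule and shows why the option is a trade-off: a forger who can inject three bad frames can keep the AP offline almost continuously, while sporadic genuine failures never trip it. The event timestamps are constructed, and the boundary behaviour at exactly 60 seconds is an assumption of this model, not a statement about the product.

```python
"""Sliding-window model of the `countermeasures` behaviour described above:
more than 2 MIC failures within 60 s take the AP off the air for 60 s.

Added example for this page, not ArubaOS code. Event timestamps are constructed."""

WINDOW_S = 60      # MIC failures are counted within this window
THRESHOLD = 2      # "more than 2" failures inside the window trigger a shutdown
SHUTDOWN_S = 60    # length of the resulting AP shutdown


class Countermeasures:
    def __init__(self):
        self.failures = []        # timestamps of failures still inside the window
        self.down_until = None    # end of the current shutdown, or None if the AP is up
        self.shutdowns = []       # (start, end) of every shutdown so far

    def is_down(self, t):
        return self.down_until is not None and t < self.down_until

    def mic_failure(self, t):
        """Record a MIC failure at time t (seconds). Returns True if it caused a shutdown."""
        if self.is_down(t):
            return False          # AP is offline: the frame is never received, nothing to count
        # forget failures older than the window (assumption: the 60 s boundary falls outside)
        self.failures = [f for f in self.failures if t - f < WINDOW_S]
        self.failures.append(t)
        if len(self.failures) > THRESHOLD:
            self.down_until = t + SHUTDOWN_S
            self.shutdowns.append((t, self.down_until))
            self.failures = []    # counter restarts when the AP comes back
            return True
        return False


def shutdowns_for(events):
    """Feed a sorted list of MIC-failure timestamps through the state machine."""
    cm = Countermeasures()
    for t in events:
        cm.mic_failure(t)
    return cm.shutdowns


def downtime_fraction(shutdowns, horizon):
    """Share of [0, horizon) during which the AP was shut down."""
    down = sum(min(end, horizon) - max(start, 0)
               for start, end in shutdowns if start < horizon)
    return down / horizon


# Constructed traffic: occasional genuine MIC failures never reach 3 in a minute...
BENIGN = [0, 100, 200, 300]
# ...while a forger sends three bad frames, waits out the shutdown, and repeats.
# Frames at 10 s and 20 s arrive while the AP is down and are never seen.
FORGER = [0, 1, 2, 10, 20, 62, 63, 64, 124, 125, 126]

if __name__ == "__main__":
    print("benign :", shutdowns_for(BENIGN))
    print("forger :", shutdowns_for(FORGER))
    pct = 100 * downtime_fraction(shutdowns_for(FORGER), 186)
    print("forger keeps the AP down for %.0f%% of 186 s" % pct)
```

With nine injected frames the forger holds the AP down for 180 of 186 seconds; the benign trace produces no shutdown at all. That asymmetry is the caveat to weigh before enabling the option on APs that serve users who cannot tolerate outages.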

Usage Guidelines

The 802.1X authentication profile allows you to enable and configure machine authentication and 802.1X termination on the managed device (also called AAA FastConnect).

In the AAA profile, specify the 802.1X authentication profile, the default role for authenticated users, and the server group for the authentication.

Examples

The following example enables authentication of the user’s client device before user authentication. If machine authentication fails but user authentication succeeds, the user is assigned the restricted guest role:

(host) ^[md] (config) #aaa authentication dot1x dot1x
(host) ^[md] (802.1X Authentication Profile "dot1x") #machine-authentication enable
(host) ^[md] (802.1X Authentication Profile "dot1x") #machine-authentication machine-default-role computer
(host) ^[md] (802.1X Authentication Profile "dot1x") #machine-authentication user-default-role guest

The following example configures an 802.1X profile that terminates authentication on the managed device, with user authentication performed against the internal database of the managed device or a backend non-802.1X server:

(host) ^[md] (config) #aaa authentication dot1x dot1x
(host) ^[md] (802.1X Authentication Profile "dot1x") #termination enable
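The parameter table above fixes the defaults a profile inherits, and several of the weak choices it documents (PEAP with an inner EAP-GTC that exposes passwords to the terminating controller, credential token caching, WEP keying, blacklisting and reauthentication left off) only become visible once those defaults are applied to what is actually configured. The following added example (written for this page, not ArubaOS code) parses profile blocks in the running-configuration layout assumed here (a quoted profile name on the header line, indented sub-commands, a `!` terminator), overlays them on the table's defaults, honours `no` as "return to default", and reports weak combinations. The sample configuration, the two profile names, the certificate name and the severity labels are all constructed for illustration.

```python
"""Lint `aaa authentication dot1x` profiles for settings that weaken 802.1X.

Added example for this page, not ArubaOS code. It reads profile blocks in the
form they take in a running configuration (assumed layout: quoted name on the
header line, indented sub-commands, "!" terminator), fills in the defaults from
the parameter table, and reports weak combinations. The sample configuration
and the severity labels are constructed for illustration."""
import re

# Defaults from the parameter table, for the settings this linter reasons about.
DEFAULTS = {
    "termination enable": False,
    "termination eap-type": "eap-peap",
    "termination inner-eap-type": "eap-mschapv2",
    "termination enable-token-caching": False,
    "server-cert": None,
    "use-static-key": False,
    "use-session-key": False,
    "max-authentication-failures": 0,
    "reauthentication": False,
}
# Longest key first, so "termination enable" cannot swallow "termination enable-token-caching".
KEYS = sorted(DEFAULTS, key=len, reverse=True)
HEADER = re.compile(r'^aaa authentication dot1x\s+"?([^"\s]+)"?\s*$')


def parse_profiles(config_text):
    """Return {profile_name: settings}, each profile starting from DEFAULTS."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[:1].isspace():            # top-level line: header, "!" or another command
            m = HEADER.match(line)
            if m and m.group(1) != "countermeasures":
                current = profiles.setdefault(m.group(1), dict(DEFAULTS))
            else:
                current = None               # "!", another command, or the global countermeasures flag
            continue
        if current is None:
            continue
        negate = line.startswith("no ")
        if negate:
            line = line[3:].strip()
        for key in KEYS:
            if line == key or line.startswith(key + " "):
                rest, default = line[len(key):].strip(), DEFAULTS[key]
                if negate:                       # "no" returns the parameter to its default
                    current[key] = default
                elif isinstance(default, bool):  # flag parameters take no value
                    current[key] = True
                elif isinstance(default, int):
                    current[key] = int(rest)
                else:
                    current[key] = rest
                break                            # sub-commands not in DEFAULTS are ignored
    return profiles


def lint(s):
    """Findings for one profile's settings, as (severity, message) pairs."""
    out = []
    if s["termination enable"]:
        if s["termination eap-type"] == "eap-peap" and s["termination inner-eap-type"] == "eap-gtc":
            out.append(("HIGH", "PEAP with inner EAP-GTC: passwords cross the TLS tunnel in "
                                "cleartext and are readable by the terminating controller"))
        if s["termination enable-token-caching"]:
            out.append(("MEDIUM", "token caching keeps copies of user credentials on the controller"))
        if s["server-cert"] is None:
            out.append(("MEDIUM", "termination without server-cert: the certificate shown to "
                                  "supplicants is not explicitly configured"))
    if s["use-static-key"] or s["use-session-key"]:
        out.append(("HIGH", "WEP keying in use: WEP is broken at any key size"))
    if s["max-authentication-failures"] == 0:
        out.append(("LOW", "max-authentication-failures 0: repeated bad credentials never blacklist the client"))
    if not s["reauthentication"]:
        out.append(("LOW", "reauthentication disabled: clients are never forced to re-prove credentials"))
    return out


def lint_config(config_text):
    return {name: lint(s) for name, s in parse_profiles(config_text).items()}


# Constructed running-config excerpt: one legacy profile with weak choices, one hardened.
SAMPLE_CONFIG = """\
aaa authentication dot1x countermeasures
!
aaa authentication dot1x "dot1x-legacy"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-gtc
   termination enable-token-caching
   use-static-key
   wep-key-size 40
!
aaa authentication dot1x "dot1x-corp"
   no termination enable
   server-cert corp-controller-cert
   max-authentication-failures 3
   reauthentication
   timer reauth-period 28800
!
"""

if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_CONFIG).items():
        print(name, "->", "clean" if not findings else "")
        for sev, msg in findings:
            print("   ", sev, msg)
```

Run against the sample, dot1x-legacy yields two HIGH, two MEDIUM and two LOW findings while dot1x-corp is clean; the global `countermeasures` line is recognised as a flag rather than a profile, and sub-commands the linter does not model (wep-key-size, the timer settings) are passed over rather than misread.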

Command History

Release              Modification
ArubaOS 8.4.0.0      Added the eap-frag-mtu parameter.
ArubaOS 8.0.0.0      Command introduced.

Command Information

Platforms:     All platforms
License:       Base operating system. The machine-authentication and tls-guest-role parameters require the PEFNG license.
Command Mode:  Config mode on Mobility Master.
