
WAN Authentication Survivability Overview

Authentication survivability is critical to managed device WLANs, since most managed devices use geographically remote authentication servers to provide authentication and authorization services. When those authentication servers are not accessible, clients cannot access the WLAN because the managed device cannot authenticate them. ArubaOS authentication survivability allows managed devices to provide client authentication and authorization survivability when remote authentication servers are not accessible. When this feature is enabled, ArubaOS stores user access credentials and key reply attributes whenever clients are authenticated with external RADIUS servers or LDAP authentication servers. When external authentication servers are not accessible, the managed device uses its internal survival server to continue providing authentication and authorization functions by using the user access credentials and key reply attributes that were stored earlier.

When authentication survivability is enabled, an internal survival server on the managed node performs authentication functions, as well as EAP-termination using the RADIUS protocol. The survival server performs authentication or query requests when authentication survivability is enabled, and one of the following is true:

1. All servers are out of service in the server group if fail-through is disabled.

2. All in-service servers failed the authentication and at least one server is out of service when fail-through is enabled.

All access credentials and key reply attributes saved in the local survival server remain in the system until they expire. The system-wide lifetime parameter auth-survivability cache-lifetime has a range from 1 to 168 hours, and a default value of 24 hours. Expired user credential attributes and key reply attributes stored in the survival server cache are purged every 10 minutes.
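The fallback rule and the credential cache described above, modelled as an added example (constructed here, not ArubaOS code); the per-server outcome names, the injectable clock and the sample reply attributes are assumptions made for the illustration:

```python
import hashlib
import hmac
import time
# Per-server outcomes for one request (constructed model, not ArubaOS code).
OUT_OF_SERVICE, ACCEPT, REJECT = "out_of_service", "accept", "reject"

def survival_server_used(results, fail_through):
    """True when the internal survival server handles the request; results = outcome per server in the (non-empty) server group."""
    out_of_service = [r for r in results if r == OUT_OF_SERVICE]
    in_service = [r for r in results if r != OUT_OF_SERVICE]
    if not fail_through:
        # Condition 1: every server in the server group is out of service.
        return len(out_of_service) == len(results)
    # Condition 2: every in-service server failed the authentication
    # and at least one server is out of service.
    return bool(out_of_service) and all(r == REJECT for r in in_service)

def pap_digest(password):
    # PAP passwords are kept only as a SHA-1 hash, never in clear.
    return hashlib.sha1(password.encode()).hexdigest()

class SurvivalCache:
    """Credential cache with a 1..168 hour lifetime and a 10-minute purge cycle."""
    PURGE_INTERVAL = 10 * 60  # seconds

    def __init__(self, cache_lifetime_hours=24, now=time.time):
        if not 1 <= cache_lifetime_hours <= 168:
            raise ValueError("auth-survivability cache-lifetime must be 1..168 hours")
        self.lifetime = cache_lifetime_hours * 3600
        self.now = now       # injectable clock so expiry can be exercised offline
        self.entries = {}    # username -> (sha1 hex, reply attributes, expiry)
        self.last_purge = now()

    def store(self, username, password, reply_attrs):
        expiry = self.now() + self.lifetime
        self.entries[username] = (pap_digest(password), dict(reply_attrs), expiry)

    def purge_expired(self):
        t = self.now()
        self.entries = {u: e for u, e in self.entries.items() if e[2] > t}
        self.last_purge = t

    def authenticate(self, username, password):
        # Purge runs every 10 minutes; an expired but unpurged entry still fails.
        if self.now() - self.last_purge >= self.PURGE_INTERVAL:
            self.purge_expired()
        entry = self.entries.get(username)
        if entry is None or entry[2] <= self.now():
            return None
        return entry[1] if hmac.compare_digest(entry[0], pap_digest(password)) else None
```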


Best practice is to import a customer server certificate into the managed device and assign it to the local survival server.

The survival server can store the following types of client data:

Client username

Encrypted passwords. For PAP authentication, the survival server receives the password provided by the client and then stores the encrypted SHA-1 hashed value of the password.

EAP indicator: When employing 802.1X with disabled termination using EAP-TLS, the EAP indicator is stored.

The CN lookup EXIST indicator
