Authentication Methods and Sources
As a first step in the service-based processing, Policy Manager uses an authentication method to authenticate the user or device against an authentication source. Policy Manager includes several predefined Policy Manager authentication sources.
After the user or device is authenticated, Policy Manager fetches attributes for role-mapping policies from the authorization sources associated with this authentication source. For a general overview of Policy Manager authentication and authorization, see Authentication and Authorization Architecture and Flow.
Default Authentication Methods
Policy Manager provides the following default authentication methods:
Import/Export a default authentication source to ClearPass 6.10.8
Importing a default authentication source to ClearPass 6.10.8 from an earlier version fails, and error messages such as "Default filter query cannot be modified" and "Custom SQL must not contain and data modifying SQL statements" are displayed at Configuration > Authorization > Sources.
Imports, exports, and the display of default data in authentication sources and services are now validated.
After authentication sources containing default data or queries are exported from a lower version, and before they are imported to ClearPass 6.10.8, complete the following steps:
1. Make a copy of the XML file and remove all the default AuthSource XML elements: <AuthSource> ... </AuthSource>.
The ClearPass default AuthSource name is enclosed in brackets, "[<AuthSource-name>]". For example: <AuthSource description="Authenticate users against Policy Manager local user database" name="[Local User Repository]" isAuthorizationSource="true" type="Local">
2. Import the configuration into ClearPass 6.10.8.
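As an added example (not ClearPass's own tooling), the following Python script performs step 1 on an exported file: it removes every <AuthSource> element whose name is bracketed and reports what is left to import. The <TipsContents> and <AuthSources> wrapper elements and the "Corp AD" source are constructed assumptions; only the bracketed default names follow the page's convention.

```python
import xml.etree.ElementTree as ET

# Constructed sample export (not a real ClearPass file). The <TipsContents> and
# <AuthSources> wrapper elements and the "Corp AD" source are assumptions; the
# bracketed default names follow the page's "[<AuthSource-name>]" convention.
SAMPLE_EXPORT = """<TipsContents>
  <AuthSources>
    <AuthSource description="Authenticate users against Policy Manager local user database"
                name="[Local User Repository]" isAuthorizationSource="true" type="Local"/>
    <AuthSource description="Corporate directory" name="Corp AD"
                isAuthorizationSource="true" type="AD"/>
    <AuthSource description="Authenticate Guest users" name="[Guest User Repository]"
                isAuthorizationSource="true" type="Local"/>
  </AuthSources>
</TipsContents>
"""


def is_default_name(name):
    """Default ClearPass sources are named "[...]"; custom sources are not."""
    return name is not None and name.startswith("[") and name.endswith("]")


def strip_default_auth_sources(xml_text):
    """Return (cleaned_xml, removed_names) with every default <AuthSource> removed."""
    root = ET.fromstring(xml_text)
    removed = []
    # ElementTree has no parent pointers, so visit each element and prune its
    # children; the list() snapshots avoid mutating what is being iterated.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "AuthSource" and is_default_name(child.get("name")):
                parent.remove(child)
                removed.append(child.get("name"))
    return ET.tostring(root, encoding="unicode"), removed


def auth_source_names(xml_text):
    """Names of the <AuthSource> elements still present, for a pre-import check."""
    return [e.get("name") for e in ET.fromstring(xml_text).iter("AuthSource")]


if __name__ == "__main__":
    cleaned, removed = strip_default_auth_sources(SAMPLE_EXPORT)
    print("removed default sources:", removed)
    print("sources left to import:", auth_source_names(cleaned))
```

To run it against a real export, read the file contents into strip_default_auth_sources and write the returned string back out before importing it into ClearPass 6.10.8.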
Tunneled and Non-Tunneled Authentication Methods
Refer to the following list of tunneled and non-tunneled authentication methods Policy Manager supports:
The tunneled EAP authentication methods are:
EAP Protected EAP (EAP-PEAP)
EAP Flexible Authentication Secure Tunnel (EAP-FAST)
EAP Transport Layer Security (EAP-TLS)
EAP Tunneled TLS (EAP-TTLS)
The non-tunneled authentication methods are:
EAP Message Digest 5 (EAP-MD5)
EAP Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)
EAP Generic Token Card (EAP-GTC)
Challenge Handshake Authentication Protocol (CHAP)
Password Authentication Protocol (PAP)
Microsoft CHAP version 1 and 2
MAC authentication method (MAC-AUTH)
Authorize authentication
Default Authentication Sources
The following table describes the predefined Policy Manager authentication sources that are part of the Policy Manager local SQL database. These default authentication sources appear in brackets; they cannot be copied or deleted.
Authentication Source Name | Description
---|---
[Admin User Repository] | Users are authenticated against this Policy Manager admin user database.
[Denylist User Repository] | This database includes blocked users who have exceeded bandwidth or session-related limits.
[Endpoints Repository] | Authenticates endpoints against the local Policy Manager database. This database supports the following filter categories: Authentication, Status, Profile, Fingerprint.
[Guest Device Repository] | Authenticates Guest devices against the local Policy Manager database. This database supports the following filter queries: Authentication, Device Role ID, Device MPSK Authorization.
[Guest User Repository] | Authenticates Guest users against the local Policy Manager database. This database supports the following filter queries: Authentication, Authorization.
[Insight Repository] | Insight database with session information for users and devices. This database supports the following filter queries: WebAuth check, Successful login count since midnight, Active sessions, Online status, Daily duration, Weekly duration, Monthly duration.
[Local User Repository] | Authenticates users against the Policy Manager local user database.
[Onboard Devices Repository] | Authenticates Onboard devices against the local Policy Manager database.
[Social Login Repository] | Authenticates users against the Policy Manager Social Login database. This database supports the following filter queries: Authentication, Social.
[Time Source] | Authorization source for implementing various time functions.