Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
802.1X Wireless Service
Configure this service for wireless end-hosts connecting through any 802.11 wireless access device or controller, with authentication via IEEE 802.1X, the port-based network access control standard in which the supplicant is authenticated by a central authority rather than by the access device itself. To create a wireless service whose rules are customized for a typical Aruba controller deployment, see Aruba 802.1X Wireless Service.
Note: If you want to administer the same set of policies for wired and wireless access, you can combine the service rules into one service (typically by matching either NAS port type in the service rules). The other option is to keep separate services for wired and wireless access but reuse the policy components (authentication methods, authentication sources, authorization sources, role-mapping policies, posture policies, and enforcement policies) in both services.
The Service Rules section defines a set of criteria that supplicants must match to trigger the service. Some service templates have one or more rules predefined. You can click on a service rule to modify any of its options.
The first tab provides the basic configuration parameters for the service. To configure an 802.1X Wireless service:

1. Open the services configuration page and click the link to add a service. The add-service dialog opens.
2. From the Type drop-down, select 802.1X Wireless.
3. Specify the parameters on the first tab as described in the following table:
| Parameter | Action/Description |
|---|---|
| Type | Select 802.1X Wireless. |
| Name | Enter the name of this service. |
| Description | Policy Manager autofills the Description field with "802.1X Wireless Access Service". You can change the description if you wish. |
| Monitor Mode | Select this check box to monitor network access activity without enforcement. This is useful for validating a new service before enforcement is turned on. |
| More Options | Check these boxes to access the additional configuration tabs: Authorization (see Authorization Configuration), Posture Compliance (see Posture Configuration), Audit End-hosts (see Audit Configuration), Profile Endpoints (see Profiler Configuration), Accounting Proxy (see Accounting Proxy Configuration). |
| Service Rule | The following fields define each service rule. |
| Matches | Select the match condition for this service: Matches ANY of the following conditions, or Matches ALL of the following conditions. |
| Type | Select the service rule type (the attribute namespace) from the drop-down list. |
| Name | Select the name of the service rule attribute from the drop-down list. |
| Operator | Select an appropriate operator from the list of operators for the data type of the attribute. |
| Value | Enter the value or select it from the drop-down list. The value list depends on the Type and Name selected. |
4. Click a service rule to modify its options.
5. Proceed to the Authentication tab.
The Authentication tab contains options for configuring authentication methods and authentication sources. The following figure displays the dialog:

Figure 1: Add 802.1X Wireless Service > Authentication Dialog

6. Specify the Authentication tab parameters (the authentication methods and the authentication sources for this service).
Use the Authorization tab to select the authorization sources for this service. The tab is not displayed by default. To access this tab, select the More Options > Authorization check box on the first tab. Policy Manager fetches role-mapping attributes from the authorization sources associated with the service, regardless of which authentication source was used to authenticate the user. For a given service, role-mapping attributes are fetched from the following authorization sources:

- Authorization sources associated with the authentication source
- Authorization sources associated with the service

Specify the Authorization parameters as described in the following table:

Table 3: Add Aruba 802.1X Wireless Service > Authorization Parameters
| Parameter | Action/Description |
|---|---|
| Authentication Source | Displays the authorization sources from which role-mapping attributes are fetched for each authentication source. |
| Attributes Fetched From | Displays the source of the attributes. |
| Additional authorization sources from which to fetch role-mapping attributes | Specify the authorization sources using the selection field. One or more instances of the following authorization sources can be added: Admin User Repository, Endpoints Repository, Guest Device Repository, Guest User Repository, Insight Repository, Local User Repository, Onboard Devices Repository, Social Login Repository, Time Source. If you attempt to specify more than 23 authorization sources, an error message is displayed. |
Use the role-mapping tab to associate a role-mapping policy with this service. Specify the parameters as described in the following table:

| Parameter | Action/Description |
|---|---|
| Role Mapping Policy | Select a role-mapping policy from the drop-down list. Policy Manager ships with a number of preconfigured roles. A service can be configured without a role-mapping policy, but only one role-mapping policy can be configured for each service. |
| Description | Displays additional information about the selected role-mapping policy. |
| Default Role | Specify the role that Policy Manager assigns when no rule in the role-mapping policy matches. |
| Rules Evaluation Algorithm | Displays the evaluation algorithm of the selected policy, for example whether only the first matched rule is applied or all matching rules are applied. |
For information on configuring role-mapping policies, see Configuring a Role and Role-Mapping Policy.
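The service-rule table above (Matches ANY / Matches ALL over attribute conditions, services tried in configured order) and the role-mapping tab (rules evaluated first-match or all-match, falling back to a default role) describe the same kind of evaluation. The following Python model is an added example, not Policy Manager's own engine or any Aruba code: it implements both steps so you can see why a wired request never reaches a wireless-only service, how one combined service (as in the note near the top of this page) catches both media, and how the evaluation algorithm changes the roles a user ends up with. The attribute names, operator set, service definitions, the AD group value and the "[Other]" default role are all assumptions constructed for the example.

```python
import re
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Attribute values are kept as strings, as the rule editor shows them
# (illustrative model only; not Policy Manager's own evaluation engine).
Attrs = Dict[str, str]
Condition = Tuple[str, str, object]  # (attribute, operator, value or list of values)

OPERATORS: Dict[str, Callable[[Optional[str], object], bool]] = {
    "EQUALS":         lambda a, v: a is not None and a == str(v),
    "NOT_EQUALS":     lambda a, v: a is not None and a != str(v),
    "BELONGS_TO":     lambda a, v: a is not None and a in {str(x) for x in v},
    "NOT_BELONGS_TO": lambda a, v: a is not None and a not in {str(x) for x in v},
    "BEGINS_WITH":    lambda a, v: a is not None and a.startswith(str(v)),
    "ENDS_WITH":      lambda a, v: a is not None and a.endswith(str(v)),
    "CONTAINS":       lambda a, v: a is not None and str(v) in a,
    "MATCHES_REGEX":  lambda a, v: a is not None and re.search(str(v), a) is not None,
    "EXISTS":         lambda a, v: a is not None,
    "NOT_EXISTS":     lambda a, v: a is None,
}


def condition_holds(cond: Condition, attrs: Attrs) -> bool:
    attr, op, value = cond
    return OPERATORS[op](attrs.get(attr), value)


def service_matches(service: dict, attrs: Attrs) -> bool:
    """Apply the service's 'Matches ANY' / 'Matches ALL' setting to its rules."""
    results = [condition_holds(c, attrs) for c in service["rules"]]
    if not results:
        return False  # a service without rules can never be triggered
    return any(results) if service["match"] == "ANY" else all(results)


def select_service(services: Sequence[dict], attrs: Attrs) -> Optional[str]:
    """Services are evaluated in their configured order; the first match wins."""
    for svc in services:
        if service_matches(svc, attrs):
            return svc["name"]
    return None


def map_roles(policy: dict, attrs: Attrs) -> List[str]:
    """Each role-mapping rule is a list of conditions that must all hold.
    'first-applicable' stops at the first matching rule; 'evaluate-all' collects
    every matching rule's role. With no match the policy's default role applies."""
    roles: List[str] = []
    for conditions, role in policy["rules"]:
        if all(condition_holds(c, attrs) for c in conditions):
            roles.append(role)
            if policy["evaluation"] == "first-applicable":
                break
    return roles or [policy["default_role"]]


# --- constructed sample configuration and requests (assumed values, not product defaults) ---
DOT1X_SERVICE_TYPES = ["Login-User", "Framed-User", "Authenticate-Only"]
WIRELESS_SERVICE = {"name": "802.1X Wireless", "match": "ALL", "rules": [
    ("Radius:IETF:NAS-Port-Type", "EQUALS", "Wireless-802.11"),
    ("Radius:IETF:Service-Type", "BELONGS_TO", DOT1X_SERVICE_TYPES)]}
WIRED_SERVICE = {"name": "802.1X Wired", "match": "ALL", "rules": [
    ("Radius:IETF:NAS-Port-Type", "EQUALS", "Ethernet"),
    ("Radius:IETF:Service-Type", "BELONGS_TO", DOT1X_SERVICE_TYPES)]}
# One service for both media: the rule matches either NAS port type.
COMBINED_SERVICE = {"name": "802.1X Wired and Wireless", "match": "ALL", "rules": [
    ("Radius:IETF:NAS-Port-Type", "BELONGS_TO", ["Ethernet", "Wireless-802.11"]),
    ("Radius:IETF:Service-Type", "BELONGS_TO", DOT1X_SERVICE_TYPES)]}
SERVICES = [WIRELESS_SERVICE, WIRED_SERVICE]

WIRELESS_REQUEST = {"Radius:IETF:NAS-Port-Type": "Wireless-802.11",
                    "Radius:IETF:Service-Type": "Framed-User",
                    "Radius:IETF:User-Name": "alice@example.com"}
WIRED_REQUEST = dict(WIRELESS_REQUEST, **{"Radius:IETF:NAS-Port-Type": "Ethernet"})
# A MAC-authentication style request (Service-Type Call-Check) must not hit the 802.1X services.
MAB_REQUEST = {"Radius:IETF:NAS-Port-Type": "Wireless-802.11",
               "Radius:IETF:Service-Type": "Call-Check",
               "Radius:IETF:User-Name": "00a0c9123456"}
# Attributes fetched from an (assumed) AD authorization source, merged with the request.
AUTHZ_ATTRS = {"Authorization:AD:memberOf": "CN=Staff,OU=Groups,DC=example,DC=com"}


def role_policy(evaluation: str) -> dict:
    return {"evaluation": evaluation, "default_role": "[Other]", "rules": [
        ([("Authorization:AD:memberOf", "CONTAINS", "CN=Staff,")], "Employee"),
        ([("Radius:IETF:User-Name", "ENDS_WITH", "@example.com")], "Corp-User")]}


def demo() -> dict:
    attrs = {**WIRELESS_REQUEST, **AUTHZ_ATTRS}
    return {"wireless": select_service(SERVICES, WIRELESS_REQUEST),
            "wired": select_service(SERVICES, WIRED_REQUEST),
            "mab": select_service(SERVICES, MAB_REQUEST),
            "combined": select_service([COMBINED_SERVICE], WIRED_REQUEST),
            "first": map_roles(role_policy("first-applicable"), attrs),
            "all": map_roles(role_policy("evaluate-all"), attrs),
            "default": map_roles(role_policy("first-applicable"), {"Radius:IETF:User-Name": "visitor"})}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>9}: {value}")
```

Two points the model makes visible: a request that matches no service is dropped before any authentication happens, so an over-narrow rule set (for example, forgetting Authenticate-Only in the Service-Type list) shows up as silent rejects rather than as failed logins; and with first-applicable evaluation the rule order in the role-mapping policy decides the role, so put the most specific rules first.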
The Posture tab is not enabled by default. To enable the posture configuration options, return to the first tab and select More Options > Posture Compliance. You can enable posture checking for this kind of service if you deploy any of the following:

- ClearPass Policy Manager in a Microsoft Network Access Protection (NAP) environment. NAP lets administrators define levels of network access based on identity, groups, and policy compliance; the NAP Agent collects and manages health information on the client, and a non-compliant client can be brought back into compliance automatically and then granted a higher level of access.
- A Cisco Network Admission Control (NAC) Framework environment.
- An Aruba hosted captive portal that performs posture checks through a dissolvable agent.

Specify the Posture parameters as described in Table 5:
| Parameter | Action/Description |
|---|---|
| Posture Policies | Select the posture policy from the drop-down list. If you do not have any preconfigured posture policies, click the add link to create a new posture policy. Only NAP agent-type posture policies are applicable to this service. |
| Default Posture Token | Select the default posture token from the drop-down list. This token applies when no posture result is available for the request. |
| Remediate End-Hosts | To perform a remediation action when a client is quarantined, select the Enable auto-remediation of non-compliant end-hosts check box. |
| Remediation URL | To perform the remediation, enter the URL of the server resource to which quarantined clients are directed. |
For more information on configuring posture polices, see Configuring Posture Policy Agents and Hosts.
Use the Enforcement tab to select an enforcement policy for this service. Specify the parameters as described in the following table:

| Parameter | Action/Description |
|---|---|
| Use Cached Results | Select this check box to use cached roles and posture attributes from previous sessions. |
| Enforcement Policy | Select the preconfigured enforcement policy from the drop-down list. This is mandatory. If you do not have any preconfigured enforcement policies, click the add link to create a new enforcement policy. |
| Description | Displays additional information about the selected enforcement policy. |
| Default Profile | Displays the default enforcement profile that Policy Manager applies when no rule in the enforcement policy matches. |
| Rules Evaluation Algorithm | Displays the evaluation algorithm of the selected policy, for example whether only the first matched rule is applied or all matching rules are applied. |
For related information, see Configuring Enforcement Policies.
The Audit tab is not enabled by default. To enable this tab, return to the first tab and select More Options > Audit End-hosts. To enable audit checking for this service, specify the parameters as described in the following table:

| Parameter | Action/Description |
|---|---|
| Audit Server | Select the audit server from the available options: one server interfaces with Policy Manager primarily to perform vulnerability scanning, the other performs specific audit checks. To view a dialog with a summary of the audit server details, click the details button. To open the tab with the audit server configuration, click the modify button. |
| Audit Trigger Conditions | Select an audit trigger condition. Always: always perform an audit. When posture is not available: perform an audit only when posture credentials are not available in the request. For MAC Authentication Request: Policy Manager presents three additional settings. For known end-hosts only: reject unknown end-hosts and audit known clients; known end-hosts are clients found in the authentication source(s) associated with this service. For unknown end-hosts only: assume that known end-hosts are healthy, but audit unknown end-hosts to establish their identity and assign roles; unknown end-hosts are those not found in any authentication source associated with this service. For all end-hosts: audit both known and unknown end-hosts. |
| Action After Audit | Specify the action to take after the audit. An audit can be performed only after the MAC authentication request is completed and the client has acquired an IP address through DHCP. Once the audit results are available, Policy Manager reapplies policies on the network device in one of the following ways. No action: policies are not reapplied on the network device after the audit completes. SNMP port bounce or reauthentication: bounces the switch port or forces an 802.1X reauthentication (both done using SNMP); bouncing the port triggers a new 802.1X or MAC authentication request from the client, and if the audit server already has the posture token and attributes for this client in its cache, it returns them to Policy Manager. RADIUS CoA: sends a RADIUS Change of Authorization command from Policy Manager to the network device, which changes the active session without a port bounce. |
The Profile Endpoints tab is not displayed by default. To access this tab, return to the first tab and select More Options > Profile Endpoints. Specify the profiler parameters as described in Profiler Configuration.

The Accounting Proxy tab is not displayed by default. To access this tab, return to the first tab and select More Options > Accounting Proxy. Use this tab to broadcast the RADIUS accounting packets to all the configured proxy targets. You can configure the proxy targets to which the RADIUS server forwards accounting packets, and the attributes to be added to the forwarded accounting packets. This enables external security solutions to use the RADIUS accounting events to detect when a user connects to and disconnects from the network. Because these packets carry user names, MAC addresses and session identifiers, each proxy target should have its own shared secret. Specify the Accounting Proxy parameters as described in Accounting Proxy Configuration.
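The Audit tab's RADIUS CoA action and the Accounting Proxy tab both rest on the RADIUS packet integrity mechanism: an Accounting-Request (RFC 2866) and a CoA-Request (RFC 5176) carry a Request Authenticator computed as MD5 over the header, sixteen zero octets, the attributes and the shared secret, and the reply's Response Authenticator chains to it. The following Python is an added example, not Policy Manager's code or any Aruba software: it builds and verifies both packet kinds, and shows what an accounting proxy has to do per target (check the NAS's authenticator, append the configured attributes, re-sign with that target's own secret). The secrets, session values and the Class attribute added on forwarding are constructed for the example; the vendor-specific "reauthenticate" command attribute a real CoA to an access device would carry is deliberately left out because it differs per NAS.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

# RADIUS packet codes (RFC 2866 accounting, RFC 5176 CoA)
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# IETF attribute types used below (RFC 2865/2866)
USER_NAME, NAS_IP_ADDRESS, CLASS, CALLING_STATION_ID = 1, 4, 25, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44

Attr = Tuple[int, bytes]


def encode_attrs(attrs: List[Attr]) -> bytes:
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def decode_attrs(data: bytes) -> List[Attr]:
    """Parse TLVs strictly: a length under 2 or running past the end is malformed."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_request(code: int, ident: int, attrs: List[Attr], secret: bytes) -> bytes:
    """Accounting-Request and CoA-Request share the same Request Authenticator:
    MD5(Code | Identifier | Length | 16 zero octets | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(pkt: bytes, secret: bytes) -> bool:
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def build_response(code: int, request: bytes, attrs: List[Attr], secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code | Id | Length | RequestAuth | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(resp: bytes, request: bytes, secret: bytes) -> bool:
    """A reply is only valid for the request whose identifier and authenticator it chains to."""
    if len(resp) < 20 or resp[1] != request[1] or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def proxy_accounting(pkt: bytes, nas_secret: bytes, target_secret: bytes, added: List[Attr]) -> bytes:
    """Per proxy target: check the NAS authenticator, append the configured
    attributes, and re-sign the packet with that target's own secret."""
    if not verify_request(pkt, nas_secret):
        raise ValueError("Accounting-Request failed authenticator check; dropped, not forwarded")
    if pkt[0] != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    return build_request(ACCOUNTING_REQUEST, pkt[1], decode_attrs(pkt[20:]) + added, target_secret)


# Constructed sample data (assumed secrets and session values, not captured traffic).
NAS_SECRET, SIEM_SECRET = b"nas-shared-secret", b"siem-shared-secret"
ACCT_START_ATTRS: List[Attr] = [
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),  # 1 = Start
    (USER_NAME, b"alice@example.com"),
    (NAS_IP_ADDRESS, bytes([10, 20, 30, 40])),
    (CALLING_STATION_ID, b"00-A0-C9-12-34-56"),
    (ACCT_SESSION_ID, b"5f3a9c01"),
]
# Attributes that identify the session a CoA targets (vendor command attribute omitted).
COA_ATTRS: List[Attr] = [(CALLING_STATION_ID, b"00-A0-C9-12-34-56"), (ACCT_SESSION_ID, b"5f3a9c01")]


def demo() -> dict:
    acct = build_request(ACCOUNTING_REQUEST, 7, ACCT_START_ATTRS, NAS_SECRET)
    forwarded = proxy_accounting(acct, NAS_SECRET, SIEM_SECRET, [(CLASS, b"role=Employee")])
    tampered = forwarded[:22] + bytes([forwarded[22] ^ 0x01]) + forwarded[23:]  # flip one payload bit
    coa = build_request(COA_REQUEST, 9, COA_ATTRS, NAS_SECRET)
    ack = build_response(COA_ACK, coa, [], NAS_SECRET)
    return {"nas_ok": verify_request(acct, NAS_SECRET),
            "forwarded_ok": verify_request(forwarded, SIEM_SECRET),
            "forwarded_last_attr": decode_attrs(forwarded[20:])[-1],
            "tampered_ok": verify_request(tampered, SIEM_SECRET),
            "coa_ack_ok": verify_response(ack, coa, NAS_SECRET)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>20}: {value}")
```

Note what the authenticator does and does not give you: it lets the target reject packets from anyone who does not hold that target's secret and detect modification in transit, but the payload itself travels in clear text over UDP, so the user names and MAC addresses in forwarded accounting are visible on the path unless the transport is protected.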
The Summary page presents a summary of the parameters defined when you created the new service.