About 802.1X Authentication

This chapter describes how to configure 802.1X wireless authentication with Active Directory® in an Aruba network.

802.1X is an IEEE standard and a method for authenticating the identity of a user before providing network access to the user. 802.1X provides an authentication mechanism to devices that need to attach to a wireless LAN or a wired LAN.

RADIUS (Remote Authentication Dial In User Service) is a protocol that provides centralized authentication, authorization, and accounting management.

For authentication purpose, the wireless client can associate with a network access server (NAS) or a RADIUS client. Policy Manager is a RADIUS server. The wireless client can pass data traffic only after successful 802.1X authentication.

802.1X offers the capability to permit or deny network connectivity based on the identity of the end user or device.

802.1X enables port-based access control using authentication. An 802.1X-enabled port can be dynamically enabled or disabled based on the identity of the user or device that connects to it.

Before authentication, the identity of the endpoint is unknown and all traffic is blocked. After authentication, the identity of the endpoint is known and all traffic from that endpoint is allowed.

802.1X Authentication Components

802.1x authentication consists of three components—a supplicant, an authenticator, and an authentication server (see Figure 1).

The supplicant, or client, is the device attempting to gain access to the network. You can configure the user-centric network to support 802.1x authentication for wired users as well as wireless users.

The authenticator is the gatekeeper to the network and permits or denies access to the supplicants.

The mobility controller acts as the authenticator, relaying information between the authentication/Policy Manager server and the supplicant. The EAP type must be consistent between the authentication server and supplicant and is transparent to the mobility controller.

The authentication server is typically a host running software supporting the RADIUS and EAP protocols. It provides a database of information required for authentication and informs the authenticator to deny or permit access to the supplicant. In this guide, the authentication server is the Policy Manager server.

Figure 1  802.1X Authentication Network Components

Table 1 describes each of the Policy Manager firewall ports that are used by Active Directory.

Table 1: Active Directory Policy Manager Firewall Ports

Firewall Port


UDP Port 88

Used for Kerberos authentication.

TCP and UDP Port 135

Used for domain controller-to-domain controller and client-to-domain controller operations.

UDP Port 389

Used for LDAP to handle normal queries from client computers to the domain controllers.

TCP and UDP Port 445

Used for Kerberos password change.

TCP Ports 3268 and 3269

Used for Global Catalog distribution from the client to the domain controller.

The Global Catalog makes the directory structure within a forest transparent to users who perform a search. In a multidomain Active Directory Domain Services forest, the Global Catalog provides a central repository of domain information for the forest by storing partial replicas of all domain directory partitions. These partial replicas are distributed by multimaster replication to all Global Catalog servers in a forest.

TCP and UDP Port 53

Used for DNS from the client to the domain controller and from the domain controller to another domain controller.

ICMP types echo (8) and echo-reply (0)

The Internet Control Message Protocol (ICMP) has many messages that are identified by a Type field. ICMP types echo (8) and echo-reply (0) are used between the Policy Manager host and the domain controller during the domain join operation (see Joining a Policy Manager Server to an Active Directory Domain).