
Support for Authentication Survivability


The authentication survivability feature keeps client authentication working when the remote link to an external authentication server fails. When enabled, an IAP caches the credentials of clients that have already authenticated successfully and, if the connection to the authentication server is temporarily lost, authenticates those previously connected clients against the cached credentials instead of rejecting them.

Instant supports the following EAP standards for authentication survivability:

EAP-PEAP: The Protected Extensible Authentication Protocol (Protected EAP or PEAP) encapsulates EAP within an encrypted, server-authenticated Transport Layer Security (TLS) tunnel. For authentication survivability, EAP-PEAP supports the MSCHAPv2 and GTC inner methods.
EAP-TLS: EAP-Transport Layer Security is an IETF open standard that authenticates both the client and the server with certificates over TLS.

When the authentication survivability feature is enabled, the following authentication process is used:

1. The client associates to an IAP and authenticates to the external authentication server. For EAP-PEAP, the external server must be ClearPass Policy Manager (CPPM); for EAP-TLS, it can be any RADIUS server.
2. Upon successful authentication, the IAP caches the authentication credentials of the connected user for the configured duration. The cache timeout can be set within the range of 1-99 hours; the default is 24 hours.
3. If the client roams or tries to reconnect to the IAP and the remote link fails because the authentication server is unavailable, the IAP authenticates the client against the cached credentials in its internal authentication server. If the client tries to reconnect after its cache entry has expired, the authentication fails.
4. When the authentication server is reachable again and the client tries to reconnect, the IAP detects that the server is available and lets the client authenticate to the server. Upon successful authentication, the cached details are refreshed.
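The following is an added example, not Aruba code, that models the four steps above and the behaviour noted under Important Points (a client removed from CPPM during the outage is still served from the cache until its entry expires). The external server, the clock passed in as `now`, and the choice to store a salted hash of the credential rather than the credential itself are all assumptions of the model, not details from this page.

```python
"""Model of an authentication-survivability cache (added example, not Aruba code).

Assumptions not taken from the page: the external server is a stand-in object
with an up/down flag, time is passed in explicitly so expiry can be exercised
without waiting, and cached credentials are kept as salted SHA-256 verifiers.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

HOUR = 3600


def make_verifier(secret: str, salt: bytes) -> bytes:
    """Salted hash of the credential; the cache never holds the plaintext."""
    return hashlib.sha256(salt + secret.encode()).digest()


@dataclass
class ExternalServer:
    """Stand-in for CPPM / RADIUS: a user table plus reachability flag."""
    users: dict
    up: bool = True

    def authenticate(self, identity: str, secret: str) -> bool:
        if not self.up:
            raise ConnectionError("authentication server unreachable")
        return self.users.get(identity) == secret


@dataclass
class CacheEntry:
    salt: bytes
    verifier: bytes
    expires_at: float


@dataclass
class SurvivabilityCache:
    cache_timeout_hours: int = 24          # page: range 1-99 hours, default 24
    entries: dict = field(default_factory=dict)

    def __post_init__(self):
        if not 1 <= self.cache_timeout_hours <= 99:
            raise ValueError("cache-time-out must be within 1-99 hours")

    def authenticate(self, server, identity, secret, now):
        """Return (accepted, source) where source says who decided."""
        try:
            ok = server.authenticate(identity, secret)
        except ConnectionError:
            # Step 3: server unreachable, fall back to the cache.
            entry = self.entries.get(identity)
            if entry is None:
                return False, "cache-miss"
            if now >= entry.expires_at:
                del self.entries[identity]          # expired entries are useless
                return False, "cache-expired"
            if hmac.compare_digest(entry.verifier, make_verifier(secret, entry.salt)):
                return True, "cache"
            return False, "cache-reject"
        if ok:
            # Steps 2 and 4: cache (or refresh) on success, restarting the TTL.
            salt = os.urandom(16)
            self.entries[identity] = CacheEntry(
                salt, make_verifier(secret, salt),
                now + self.cache_timeout_hours * HOUR)
            return True, "server"
        # Modelling choice (not stated on the page): an explicit rejection by
        # a reachable server evicts any stale entry for that identity.
        self.entries.pop(identity, None)
        return False, "server"


def demo():
    """Walk through the page's four steps and the removed-account caveat."""
    server = ExternalServer(users={"alice": "pw-alice"})   # constructed data
    iap = SurvivabilityCache(cache_timeout_hours=24)
    t0 = 0.0
    r = {}
    r["step1_server_auth"] = iap.authenticate(server, "alice", "pw-alice", t0)
    server.up = False                                      # link failure
    r["step3_roam_from_cache"] = iap.authenticate(server, "alice", "pw-alice", t0 + 2 * HOUR)
    r["wrong_secret_from_cache"] = iap.authenticate(server, "alice", "nope", t0 + 2 * HOUR)
    r["never_seen_client"] = iap.authenticate(server, "bob", "pw-bob", t0 + 2 * HOUR)
    del server.users["alice"]                              # removed from CPPM while it is down
    r["removed_during_downtime"] = iap.authenticate(server, "alice", "pw-alice", t0 + 3 * HOUR)
    r["after_expiry"] = iap.authenticate(server, "alice", "pw-alice", t0 + 25 * HOUR)
    server.up = True                                       # server reachable again
    r["server_back_removed_user"] = iap.authenticate(server, "alice", "pw-alice", t0 + 26 * HOUR)
    server.users["alice"] = "pw-alice"                     # account restored
    r["step4_refresh"] = iap.authenticate(server, "alice", "pw-alice", t0 + 26 * HOUR)
    server.up = False
    r["cache_after_refresh"] = iap.authenticate(server, "alice", "pw-alice", t0 + 30 * HOUR)
    return r
```

The `removed_during_downtime` case is the point to notice: nothing on the IAP learns about the deletion until the server is reachable again, so the cache timeout is the only bound on how long a removed account keeps working during an outage.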

Configuring Authentication Survivability

You can enable authentication survivability for a wireless network profile through the UI or CLI.

In the Instant UI

To configure authentication survivability for a wireless network:

1. In the Network tab, click New to create a new network profile, or select an existing profile for which you want to enable authentication survivability and click Edit.
2. In the Edit <profile-name> or New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
3. In the Security tab, under Enterprise security settings, select an existing authentication server or create a new server by clicking New.
4. To enable authentication survivability, select Enabled from the Authentication survivability drop-down. On enabling this, the IAP authenticates the previously connected clients using EAP-PEAP and EAP-TLS authentication when connection to the external authentication server is temporarily lost.
5. Specify the cache timeout duration, after which the cached details of the previously authenticated clients expire. You can specify a value within the range of 1-99 hours and the default cache timeout duration is 24 hours.
6. Click Next and then click Finish to apply the changes.

Important Points to Remember

Any client that authenticated through CPPM remains able to authenticate to the IAP from the cache, even if the client's account is removed from CPPM while CPPM is down. The cache timeout is therefore the upper bound on how long a removed or disabled account can keep authenticating during an outage; choose it with that in mind.
Do not make any changes to the authentication survivability cache timeout duration when the authentication server is down.
For EAP-PEAP authentication, ClearPass Policy Manager (CPPM) 6.0.2 or later is required. For EAP-TLS authentication, any external or third-party RADIUS server can be used.
For EAP-TLS authentication, ensure that the server and CA certificates from the authentication servers are uploaded on IAP. For more information, see Uploading Certificates.

In the CLI

To configure authentication survivability for a wireless network:

(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {employee | voice | guest}
(Instant AP)(SSID Profile <name>)# auth-server <server-name1>
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out <hours>
(Instant AP)(config)# end
(Instant AP)# commit apply

To view the cache expiry duration:

(Instant AP)# show auth-survivability time-out

To view the information cached by the IAP:

(Instant AP)# show auth-survivability cached-info

To view logs for debugging:

(Instant AP)# show auth-survivability debug-log