The authentication survivability feature provides survivable authentication when the remote link to the external authentication servers fails. When enabled, this feature allows the IAPs to authenticate previously connected clients against cached credentials if the connection to the authentication server is temporarily lost.
Instant supports the following EAP standards for authentication survivability:
EAP-PEAP: The Protected Extensible Authentication Protocol, also known as Protected EAP or PEAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. EAP-PEAP supports the MSCHAPv2 and GTC methods.
EAP-TLS: EAP-Transport Layer Security (EAP-TLS) is an IETF open standard that uses the Transport Layer Security (TLS) protocol.
When the authentication survivability feature is enabled, the following authentication process is used:
1. The client associates to a
2. Upon successful authentication, the associated IAP caches the authentication credentials of the connected users for the configured duration. The cache expiry duration for authentication survivability can be set within the range of 1-99 hours, with 24 hours being the default cache timeout duration.
3. If the client roams or tries to reconnect to the IAP and the remote link fails due to the unavailability of the authentication server, the IAP uses the cached credentials in the internal authentication server to authenticate the user. However, if the user tries to reconnect after the cache expiry, the authentication fails.
4. When the authentication server is available and the client tries to reconnect, the IAP detects the availability of the server and allows the client to authenticate to the server. Upon successful authentication, the IAP cache details are refreshed.
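The cache-then-fall-back decision described in the steps above, as an added Python model; this is not Aruba's firmware or code. The external server stand-in, the hashed-credential storage and all names are constructed assumptions.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

DEFAULT_CACHE_HOURS = 24                  # default cache timeout stated on the page
MIN_CACHE_HOURS, MAX_CACHE_HOURS = 1, 99  # configurable range stated on the page

@dataclass
class CacheEntry:
    digest: bytes        # hashed credential; hashing is this example's assumption
    expires_at: float    # absolute time after which the entry no longer counts

class ExternalAuthServer:
    """Constructed stand-in for the external RADIUS/CPPM server (not real code)."""
    def __init__(self, users):
        self.users = dict(users)
        self.reachable = True   # set False to simulate the remote link failing

    def authenticate(self, user, secret):
        if not self.reachable:
            raise ConnectionError("remote link down")
        return self.users.get(user) == secret

class SurvivableAuthenticator:
    """Models the IAP: server first, cached credentials only when the link is down."""
    def __init__(self, server, cache_hours=DEFAULT_CACHE_HOURS, clock=time.time):
        if not MIN_CACHE_HOURS <= cache_hours <= MAX_CACHE_HOURS:
            raise ValueError("cache timeout must be within 1-99 hours")
        self.server, self.clock = server, clock
        self.ttl = cache_hours * 3600
        self.cache = {}

    @staticmethod
    def _digest(user, secret):
        return hashlib.sha256(f"{user}\0{secret}".encode()).digest()

    def authenticate(self, user, secret):
        """Return (granted, source); source is 'server' or 'cache'."""
        try:
            ok = self.server.authenticate(user, secret)
        except ConnectionError:
            entry = self.cache.get(user)
            if entry is None or self.clock() >= entry.expires_at:
                self.cache.pop(user, None)   # never cached or cache expired: fail
                return False, "cache"
            return hmac.compare_digest(entry.digest, self._digest(user, secret)), "cache"
        if ok:   # successful server auth (re)caches and refreshes the expiry
            self.cache[user] = CacheEntry(self._digest(user, secret), self.clock() + self.ttl)
        return ok, "server"
```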
You can enable authentication survivability for a wireless network profile through the UI or CLI.
To configure authentication survivability for a wireless network:
1. In the Network tab, click to create a new network profile or select an existing profile for which you want to enable authentication survivability and click edit.
2. In the or window, ensure that all required WLAN and VLAN attributes are defined, and then click .
3. In the Security tab, under security settings, select an existing authentication server or create a new server by clicking .
4. To enable authentication survivability, select from the drop-down. On enabling this, the IAP authenticates the previously connected clients using EAP-PEAP and EAP-TLS authentication when connection to the external authentication server is temporarily lost.
5. Specify the cache timeout duration, after which the cached details of the previously authenticated clients expire. You can specify a value within the range of 1-99 hours; the default cache timeout duration is 24 hours.
6. Click Next and then click Finish to apply the changes.
Any client connected through CPPM and authenticated through IAP remains authenticated with the IAP even if the client is removed from the CPPM server during the CPPM downtime.
Do not make any changes to the authentication survivability cache timeout duration when the authentication server is down.
For EAP-PEAP authentication, ensure that CPPM 6.0.2 or a later version is used for authentication. For EAP-TLS authentication, any external or third-party server can be used.
For EAP-TLS authentication, ensure that the server and CA certificates from the authentication servers are uploaded on the IAP. For more information, see Uploading Certificates.
To configure authentication survivability for a wireless network using the CLI:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {<Employee> | <Voice> | <Guest>}
(Instant AP)(SSID Profile <name>)# auth-server <server-name1>
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out <hours>
(Instant AP)(config)# end
(Instant AP)# commit apply
To view the cache expiry duration:
(Instant AP)# show auth-survivability time-out
To view the information cached by the IAP:
(Instant AP)# show auth-survivability cached-info
To view logs for debugging:
(Instant AP)# show auth-survivability debug-log