Supported EAP Authentication Frameworks

The following EAP authentication frameworks are supported in the Instant network:

EAP-TLS— The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server. EAP-TLS requires both server and certification authority (CA) certificates to be installed on the IAP. The client certificate is verified on the Virtual Controller (the client certificate must be signed by a known CA) before the username is verified on the authentication server.
EAP-TTLS (MSCHAPv2)— The Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords.
EAP-PEAP (MSCHAPv2)— EAP-PEAP is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with the server. PEAP authentication creates an encrypted SSL/TLS tunnel between the client and the authentication server. The exchange of information is encrypted and carried inside the tunnel, ensuring that the user credentials are kept secure.
LEAP— Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys for authentication between the client and the authentication server.

To use the IAP’s internal database for user authentication, add the names and passwords of the users to be authenticated.


Aruba does not recommend the use of LEAP authentication, because it does not provide any resistance to network attacks.
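
A monitoring check that follows from the list and the LEAP note above, as an added example (not Aruba code): it decodes the EAP header of packets taken from a capture or from RADIUS EAP-Message attributes and reports any that use LEAP. The function names and sample packets are constructed for illustration; the method type numbers are those of the IANA EAP registry.

```python
import struct

# EAP method type numbers from the IANA EAP registry.
EAP_METHODS = {6: "EAP-GTC", 13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS",
               25: "EAP-PEAP", 26: "EAP-MSCHAPv2"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
NOT_RECOMMENDED = {"LEAP"}  # per the vendor note in this section


def parse_eap(packet: bytes) -> dict:
    """Decode the EAP header: Code(1) Identifier(1) Length(2) [Type(1)]."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field does not match packet size")
    method = None
    # Only Request (1) and Response (2) packets carry a Type octet.
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without Type octet")
        eap_type = packet[4]
        method = EAP_METHODS.get(eap_type, f"type-{eap_type}")
    return {"code": EAP_CODES.get(code, f"code-{code}"), "id": ident,
            "method": method}


def audit(packets):
    """Return (index, method) for each packet using a method not recommended."""
    findings = []
    for i, raw in enumerate(packets):
        try:
            info = parse_eap(raw)
        except ValueError:
            continue  # malformed packets are skipped, not reported
        if info["method"] in NOT_RECOMMENDED:
            findings.append((i, info["method"]))
    return findings


# Constructed sample packets (not captured traffic).
SAMPLES = [
    bytes.fromhex("0101000501"),      # Request, Identity (type 1)
    bytes.fromhex("010200061920"),    # Request, PEAP (type 25), start flag
    bytes.fromhex("010300061101"),    # Request, LEAP (type 17)
    bytes.fromhex("03040004"),        # Success, carries no Type octet
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```
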

Authentication Termination on IAP

IAPs support EAP termination for enterprise WLAN SSIDs. EAP termination can reduce the number of packets exchanged between the IAP and the authentication servers. Instant allows Extensible Authentication Protocol (EAP) termination for Protected Extensible Authentication Protocol (PEAP)-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Authentication Protocol version 2 (PEAP-MSCHAPv2). PEAP-GTC termination allows authorization against a Lightweight Directory Access Protocol (LDAP) server and an external RADIUS server, while PEAP-MSCHAPv2 allows authorization against an external RADIUS server.

This allows users to run PEAP-GTC termination with their username and password against a local Microsoft Active Directory server with LDAP authentication.

EAP-Generic Token Card (GTC)— This EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecurID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the IAP to an external authentication server for user data backup.
EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2)— This EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.