Supported Authentication Servers
Based on the security requirements, you can configure internal or external authentication servers. This section describes the types of servers that can be configured for client authentication:
In 6.4.0.2-4.1 release, you can configure TACACS+ server for authenticating management users. For more information, on management users and TACACS+ server based authentication, see Configuring Authentication Parameters for Management Users .
Internal RADIUS Server
Each IAP has an instance of free RADIUS server operating locally. When you enable the internal RADIUS server option for the network, the client on the IAP sends a RADIUS packet to the local IP address. The internal RADIUS server listens and replies to the RADIUS packet. Instant itself serves as a RADIUS server for 802.1X authentication. However, the internal RADIUS server can also be configured as a backup RADIUS server for an external RADIUS server.
External RADIUS Server
In the external RADIUS server, the IP address of the Virtual Controller is configured as the NAS IP address. Instant RADIUS is implemented on the Virtual Controller, and this eliminates the need to configure multiple NAS clients for every IAP on the RADIUS server for client authentication. Instant RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server. The RADIUS server responds to the authentication request with an Access-Accept or Access-Reject message, and the clients are allowed or denied access to the network depending on the response from the RADIUS server. When you enable an external RADIUS server for the network, the client on the IAP sends a RADIUS packet to the local IP address. The external RADIUS server then responds to the RADIUS packet.
Instant supports the following external authentication servers:
|
|
RADIUS (Remote Authentication Dial-In User Service) |
|
|
LDAP (Lightweight Directory Access Protocol) |
|
|
CPPM Server for AirGroup CoA |
To use an LDAP server for user authentication, configure the LDAP server on the Virtual Controller, and configure user IDs and passwords. To use a RADIUS server for user authentication, configure the RADIUS server on the Virtual Controller.
RADIUS Server Authentication with VSA
An external RADIUS server authenticates network users and returns to the IAP the vendor-specific attribute (VSA) that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA.
Instant supports the following VSAs for user role and VLAN derivation rules:
|
|
Acct-Tunnel-Packets-Lost |
|
|
Aruba-AS-Credential-Hash |
|
|
Aruba-AirGroup-Device-Type |
|
|
Aruba-AirGroup-Shared-Group |
|
|
Aruba-AirGroup-Shared-Role |
|
|
Aruba-AirGroup-Shared-User |
|
|
Aruba-AirGroup-User-Name |
|
|
Aruba-Auth-Survivability |
|
|
Aruba-Framed-IPv6-Address |
|
|
Aruba-Mdps-Device-Iccid |
|
|
Aruba-Mdps-Device-Product |
|
|
Aruba-Mdps-Device-Profile |
|
|
Aruba-Mdps-Device-Serial |
|
|
Aruba-Mdps-Device-Version |
|
|
Aruba-Mdps-Provisioning-Settings |
|
|
Aruba-Network-SSO-Token |
|
|
Aruba-No-DHCP-Fingerprint |
|
|
Aruba-WorkSpace-App-Name |
|
|
Authentication-Sub-Type |
|
|
Chargeable-User-Identity |
|
|
Framed-AppleTalk-Network |
|
|
Requested-Location-Info |
|
|
Tunnel-Private-Group-Id |
Dynamic Load Balancing between Two Authentication Servers
You can configure two authentication servers to serve as a primary and backup RADIUS server and enable load balancing between these servers. Load balancing of authentication servers ensures that the authentication load is split across multiple authentication servers and enables the IAPs to perform load balancing of authentication requests destined to authentication servers such as RADIUS or LDAP.
The load balancing in IAP is performed based on outstanding authentication sessions. If there are no outstanding sessions and if the rate of authentication is low, only primary server will be used. The secondary is used only if there are outstanding authentication sessions on the primary server. With this, the load balance can be performed across asymmetric capacity RADIUS servers without the need to obtain inputs about the server capabilities from the administrators.