
Supported Authentication Servers

Based on your security requirements, you can configure internal or external authentication servers. This section describes the types of servers that can be configured for client authentication:

Internal RADIUS Server
External RADIUS Server
Dynamic Load Balancing between Two Authentication Servers

In the 6.4.0.2-4.1 release, you can configure a TACACS+ server for authenticating management users. For more information on management users and TACACS+ server based authentication, see Configuring Authentication Parameters for Management Users.

Internal RADIUS Server

Each IAP runs a local instance of a free RADIUS server. When you enable the internal RADIUS server option for the network, the RADIUS client on the IAP sends the RADIUS packet to the local IP address, where the internal RADIUS server listens and replies. Instant itself therefore serves as the RADIUS server for 802.1X authentication. The internal RADIUS server can also be configured as a backup RADIUS server for an external RADIUS server.

External RADIUS Server

On the external RADIUS server, the IP address of the Virtual Controller is configured as the NAS IP address. Instant RADIUS is implemented on the Virtual Controller, which eliminates the need to configure a separate NAS client on the RADIUS server for every IAP. Instant RADIUS dynamically forwards all authentication requests from a NAS to the remote RADIUS server. The RADIUS server responds to each authentication request with an Access-Accept or Access-Reject message, and the client is allowed or denied access to the network depending on that response. When you enable an external RADIUS server for the network, the RADIUS client on the IAP sends the RADIUS packet to the local IP address, and the external RADIUS server then responds to it.

Instant supports the following external authentication servers:

RADIUS (Remote Authentication Dial-In User Service)
LDAP (Lightweight Directory Access Protocol)
CPPM Server for AirGroup CoA

To use an LDAP server for user authentication, configure the LDAP server on the Virtual Controller, and configure user IDs and passwords. To use a RADIUS server for user authentication, configure the RADIUS server on the Virtual Controller.

RADIUS Server Authentication with VSA

An external RADIUS server authenticates network users and returns to the IAP a vendor-specific attribute (VSA) that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA.

Instant supports the following VSAs for user role and VLAN derivation rules:

AP-Group
AP-Name
ARAP-Features
ARAP-Security
ARAP-Security-Data
ARAP-Zone-Access
Acct-Authentic
Acct-Delay-Time
Acct-Input-Gigawords
Acct-Input-Octets
Acct-Input-Packets
Acct-Interim-Interval
Acct-Link-Count
Acct-Multi-Session-Id
Acct-Output-Gigawords
Acct-Output-Octets
Acct-Output-Packets
Acct-Session-Id
Acct-Session-Time
Acct-Status-Type
Acct-Terminate-Cause
Acct-Tunnel-Packets-Lost
Add-Port-To-IP-Address
Aruba-AP-Group
Aruba-AP-IP-Address
Aruba-AS-Credential-Hash
Aruba-AS-User-Name
Aruba-Admin-Role
Aruba-AirGroup-Device-Type
Aruba-AirGroup-Shared-Group
Aruba-AirGroup-Shared-Role
Aruba-AirGroup-Shared-User
Aruba-AirGroup-User-Name
Aruba-AirGroup-Version
Aruba-Auth-Survivability
Aruba-CPPM-Role
Aruba-Device-Type
Aruba-Essid-Name
Aruba-Framed-IPv6-Address
Aruba-Location-Id
Aruba-Mdps-Device-Iccid
Aruba-Mdps-Device-Imei
Aruba-Mdps-Device-Name
Aruba-Mdps-Device-Product
Aruba-Mdps-Device-Profile
Aruba-Mdps-Device-Serial
Aruba-Mdps-Device-Udid
Aruba-Mdps-Device-Version
Aruba-Mdps-Max-Devices
Aruba-Mdps-Provisioning-Settings
Aruba-Named-User-Vlan
Aruba-Network-SSO-Token
Aruba-No-DHCP-Fingerprint
Aruba-Port-Id
Aruba-Priv-Admin-User
Aruba-Template-User
Aruba-User-Group
Aruba-User-Role
Aruba-User-Vlan
Aruba-WorkSpace-App-Name
Authentication-Sub-Type
Authentication-Type
CHAP-Challenge
Callback-Id
Callback-Number
Chargeable-User-Identity
Class
Connect-Info
Connect-Rate
Crypt-Password
DB-Entry-State
Digest-Response
Domain-Name
EAP-Message
Error-Cause
Event-Timestamp
Exec-Program
Exec-Program-Wait
Expiration
Fall-Through
Filter-Id
Framed-AppleTalk-Link
Framed-AppleTalk-Network
Framed-AppleTalk-Zone
Framed-Compression
Framed-IP-Address
Framed-IP-Netmask
Framed-IPX-Network
Framed-IPv6-Pool
Framed-IPv6-Prefix
Framed-IPv6-Route
Framed-Interface-Id
Framed-MTU
Framed-Protocol
Framed-Route
Framed-Routing
Full-Name
Group
Group-Name
Hint
Huntgroup-Name
Idle-Timeout
Location-Capable
Location-Data
Location-Information
Login-IP-Host
Login-IPv6-Host
Login-LAT-Node
Login-LAT-Port
Login-LAT-Service
Login-Service
Login-TCP-Port
Menu
Message-Auth
NAS-IPv6-Address
NAS-Port-Type
Operator-Name
Password
Password-Retry
Port-Limit
Prefix
Prompt
Rad-Authenticator
Rad-Code
Rad-Id
Rad-Length
Reply-Message
Requested-Location-Info
Revoke-Text
Server-Group
Server-Name
Service-Type
Session-Timeout
Simultaneous-Use
State
Strip-User-Name
Suffix
Termination-Action
Termination-Menu
Tunnel-Assignment-Id
Tunnel-Client-Auth-Id
Tunnel-Client-Endpoint
Tunnel-Connection-Id
Tunnel-Medium-Type
Tunnel-Preference
Tunnel-Private-Group-Id
Tunnel-Server-Auth-Id
Tunnel-Server-Endpoint
Tunnel-Type
User-Category
User-Name
User-Vlan
Vendor-Specific
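Added example (not Aruba's code): a parser for the RADIUS Vendor-Specific attribute (type 26) of an Access-Accept that extracts the Aruba VSAs and applies Aruba-User-Role only when it names a role actually configured on the IAP, so a malformed or unexpected reply cannot place a user in an arbitrary role. Assumptions: Aruba's IANA enterprise number 14823, vendor-type codes 1 (Aruba-User-Role) and 2 (Aruba-User-Vlan) as in the Aruba RADIUS dictionary, and a constructed sample attribute section.

```python
import struct

ARUBA_VENDOR_ID = 14823       # Aruba's IANA enterprise number
ATTR_VENDOR_SPECIFIC = 26     # RADIUS Vendor-Specific attribute type (RFC 2865)
# Vendor-type codes as in the Aruba RADIUS dictionary (assumed; verify against your server's copy)
ARUBA_VSA_NAMES = {1: "Aruba-User-Role", 2: "Aruba-User-Vlan"}

def parse_attributes(payload: bytes):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet.
    A malformed TLV raises ValueError instead of being silently skipped."""
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        yield atype, payload[pos + 2:pos + alen]
        pos += alen

def parse_aruba_vsas(payload: bytes) -> dict:
    """Return {name: text} for every Aruba VSA in the attribute section; other vendors are ignored."""
    found = {}
    for atype, value in parse_attributes(payload):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        vtype, vlen = value[4], value[5]
        if vlen < 2 or 4 + vlen > len(value):
            raise ValueError("bad vendor-length in Aruba VSA")
        name = ARUBA_VSA_NAMES.get(vtype, f"Aruba-Vendor-Type-{vtype}")
        found[name] = value[6:4 + vlen].decode("ascii", errors="replace")
    return found

def derive_role(payload: bytes, configured_roles: set, default_role: str) -> str:
    """Place the user in the VSA role only if that role exists on the IAP; otherwise use the default."""
    role = parse_aruba_vsas(payload).get("Aruba-User-Role")
    return role if role in configured_roles else default_role

def build_vsa(vtype: int, text: str) -> bytes:
    """Encode one Aruba VSA; used here only to construct the sample packet below."""
    data = text.encode("ascii")
    body = struct.pack("!I", ARUBA_VENDOR_ID) + bytes([vtype, 2 + len(data)]) + data
    return bytes([ATTR_VENDOR_SPECIFIC, 2 + len(body)]) + body

# Constructed attribute section of an Access-Accept: User-Name (type 1) plus two Aruba VSAs
SAMPLE_ACCEPT = bytes([1, 7]) + b"alice" + build_vsa(1, "employee") + build_vsa(2, "20")
```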

Dynamic Load Balancing between Two Authentication Servers

You can configure two authentication servers to serve as the primary and backup RADIUS server and enable load balancing between them. Load balancing splits the authentication load across both servers and lets the IAPs distribute authentication requests destined for authentication servers such as RADIUS or LDAP.

Load balancing in IAP is performed based on outstanding authentication sessions. If there are no outstanding sessions and the rate of authentication is low, only the primary server is used. The secondary server is used only if there are outstanding authentication sessions on the primary server. As a result, load can be balanced across RADIUS servers of asymmetric capacity without the administrator having to supply information about server capabilities.
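The selection policy described above, modelled as an added example (not Instant's implementation): the primary takes every request unless it already has outstanding sessions, and only then does a request go to the secondary. Service times and the arrival interval are constructed inputs; the selector never reads the service times, which is the point of the policy.

```python
from dataclasses import dataclass, field

@dataclass
class AuthServer:
    name: str
    service_ms: int                 # time to answer one request; the selector never reads this
    done_at: list = field(default_factory=list)   # completion times of requests sent so far
    served: int = 0

    def outstanding(self, now_ms: int) -> int:
        """Requests still awaiting a reply at now_ms."""
        return sum(1 for t in self.done_at if t > now_ms)

    def submit(self, now_ms: int) -> None:
        self.done_at.append(now_ms + self.service_ms)
        self.served += 1

def select_server(primary: AuthServer, secondary: AuthServer, now_ms: int) -> AuthServer:
    """Policy from the text: the primary takes the request unless it already has
    outstanding sessions; only then does the request go to the secondary."""
    return primary if primary.outstanding(now_ms) == 0 else secondary

def simulate(primary_ms: int, secondary_ms: int, interval_ms: int, requests: int) -> dict:
    """Send `requests` authentications, one every `interval_ms`; return the count each server handled."""
    primary = AuthServer("primary", primary_ms)
    secondary = AuthServer("secondary", secondary_ms)
    for i in range(requests):
        now = i * interval_ms
        select_server(primary, secondary, now).submit(now)
    return {primary.name: primary.served, secondary.name: secondary.served}

if __name__ == "__main__":
    # Low rate: one request per second against a 500 ms primary, so the secondary is never used.
    print(simulate(500, 1000, 1000, 20))
    # High rate: eight per second; only requests that find the primary busy spill to the secondary.
    print(simulate(500, 1000, 125, 20))
```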