Configuring an External Server for Authentication

The following procedure describes how to configure RADIUS (Remote Authentication Dial-In User Service), TACACS (Terminal Access Controller Access Control System), LDAP (Lightweight Directory Access Protocol), and ClearPass Policy Manager servers:

  1. Navigate to the Configuration > Security page.
  2. Expand Authentication Servers.
  3. To create a new server, click +. The New Authentication Server window for specifying details for the new server is displayed.
  4. Configure parameters based on the type of server.
  5. Click OK.

Table 1: RADIUS Server Configuration Parameters

Parameter

Description

Name

Enter a name for the server.

IP address

Enter the host name or the IP address of the external RADIUS server.

NOTE: The host name value will be accepted only if the RadSec parameter is enabled.

RadSec

Set RadSec to Enabled to enable secure communication between the RADIUS server and the Instant AP by creating a TLS tunnel between the Instant AP and the server.

If RadSec is enabled, the following configuration options are displayed:

For more information on RadSec configuration, see Enabling RADIUS Communication over TLS (RadSec).

Auth port

Enter the authorization port number of the external RADIUS server within the range of 1–65,535. The default port number is 1812.

Accounting port

Enter the accounting port number within the range of 1–65,535. This port is used for sending accounting records to the RADIUS server. The default port number is 1813.

Shared key

Enter a shared key for communicating with the external RADIUS server.

Retype key

Re-enter the shared key.

Timeout

Specify a timeout value in seconds. The value determines the timeout for one RADIUS request. The Instant AP retries sending the request several times (as configured in the Retry count) before the user is disconnected. For example, if the Timeout is 5 seconds and the Retry count is 3, the user is disconnected after 20 seconds. The default value is 5 seconds.

Retry count

Specify a number between 1 and 5. This is the maximum number of authentication requests that are sent to the server group; the default value is 3 requests.

RFC 3576

Select Enabled to allow the Instant APs to process RFC 3576-compliant CoA (Change of Authorization) and disconnect messages from the RADIUS server. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.

RFC 5997

This helps to detect the status of the RADIUS server. Every time an authentication or accounting request times out, the Instant AP sends a Status-Server request to get the actual status of the RADIUS server before confirming the server to be DOWN.

  • Authentication—Select this check-box to ensure the Instant AP sends a status-server request to determine the actual state of the authentication server before marking the server as unavailable.
  • Accounting—Select this check-box to ensure the Instant AP sends a status-server request to determine the actual state of the accounting server before marking the server as unavailable.

NOTE: You can select either the Authentication or the Accounting check-box, or both, to support RFC 5997.

NAS IP address

Allows you to configure an arbitrary IP address to be used as RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packet.

NOTE: If you do not enter the IP address, the virtual controller IP address is used by default when Dynamic RADIUS Proxy is enabled.

NAS Identifier

Allows you to configure a string for RADIUS attribute 32, NAS-Identifier, to be sent with RADIUS requests to the RADIUS server.

Dead Time

Specify a dead time for the authentication server in minutes.

When two or more authentication servers are configured on the Instant AP and a server is unavailable, the dead time configuration determines how long a server that has been marked as unavailable remains marked as unavailable before the Instant AP tries it again.

Dynamic RADIUS proxy parameters

Specify the following dynamic RADIUS proxy parameters:

For more information on dynamic RADIUS proxy parameters and the configuration procedure, see Configuring Dynamic RADIUS Proxy Parameters.

Service type framed user

Sets the Service-Type value to Framed for the following authentication methods:

 

Table 2: LDAP Server Configuration Parameters

Parameter

Description

Name

Enter a name for the server.

IP address

Enter the IP address of the LDAP server.

Auth port

Enter the authorization port number of the LDAP server. The default port number is 389.

NOTE: Secure LDAP over SSL is currently not supported on Instant APs. Changing the authentication port to 636 will not enable secure LDAP over SSL.

Admin-DN

Enter a DN (Distinguished Name) for the admin user with read/search privileges across all the entries in the LDAP database (the user need not have write privileges, but must be able to search the database and read attributes of other users in the database).

Admin password

Enter a password for the administrator.

Base-DN

Enter a DN for the node that contains the entire user database.

Filter

Specify the filter to apply when searching for a user in the LDAP database. The default filter string is (objectclass=*).

Key Attribute

Specify the attribute to use as a key when searching the LDAP server. For Active Directory, the value is sAMAccountName.

Timeout

Enter a value between 1 and 30 seconds. The default value is 5.

Retry count

Enter a value between 1 and 5. The default value is 3.

Dead Time

Specify a dead time for the authentication server in minutes within the range of 1–1440 minutes. The default dead time interval is 5 minutes.

When two or more authentication servers are configured on the Instant AP and a server is unavailable, the dead time configuration determines how long a server that has been marked as unavailable remains marked as unavailable before the Instant AP tries it again.
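The Base-DN, Filter and Key Attribute parameters above are the pieces the authenticator assembles into one directory search per login attempt. The following Python is an added example, not Aruba code: it builds that search and shows why the username must be escaped per RFC 4515 before it is spliced into the filter, since an unescaped value such as `*)(objectclass=*` would rewrite the filter instead of matching one account. How Instant AP itself combines the three values is not stated on this page; ANDing the configured filter with a key-attribute match is the usual client behaviour and is an assumption here, as are the helper names and sample values.

```python
"""Build the LDAP user lookup from the Base-DN, Filter and Key Attribute parameters.
Added example, not Aruba code. Combining the values as (&<Filter>(<Key Attribute>=<user>))
is the usual client behaviour and an assumption; the page does not state how the AP does it."""
import re

# RFC 4512 attribute description: letters, digits and hyphens, starting with a letter.
ATTRIBUTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter. The characters that
    carry meaning in a filter, ( ) * and backslash, plus NUL, control characters and
    every non-ASCII byte of the UTF-8 encoding, become \\xx hex escapes."""
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x20 or byte >= 0x7F or byte in b"()*\\":
            out.append(f"\\{byte:02x}")
        else:
            out.append(chr(byte))
    return "".join(out)


def _balanced(filter_string: str) -> bool:
    """Cheap structural check on the operator-supplied Filter parameter: one
    parenthesised expression with matching brackets."""
    depth = 0
    for ch in filter_string:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and filter_string.startswith("(") and filter_string.endswith(")")


def build_user_search(base_dn: str, configured_filter: str, key_attribute: str, username: str) -> dict:
    """Return the search an authenticator would issue for one login attempt.
    The configured filter and key attribute come from the profile; only the username
    is attacker-controlled, so it is the value that gets escaped."""
    if not _balanced(configured_filter):
        raise ValueError("Filter must be a parenthesised LDAP filter such as (objectclass=*)")
    if not ATTRIBUTE_RE.match(key_attribute):
        raise ValueError("Key Attribute must be an attribute name such as sAMAccountName")
    if not username:
        raise ValueError("empty username")
    match = f"({key_attribute}={escape_filter_value(username)})"
    return {
        "base": base_dn,                      # the Base-DN parameter
        "scope": "subtree",                   # search the whole tree under Base-DN
        "filter": f"(&{configured_filter}{match})",
        "attributes": ["dn", key_attribute],
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    search = build_user_search("dc=example,dc=com", "(objectclass=*)", "sAMAccountName", "alice")
    print(search["filter"])
    hostile = build_user_search("dc=example,dc=com", "(objectclass=*)", "sAMAccountName", "*)(objectclass=*")
    print(hostile["filter"])
```

The structural checks on the Filter and Key Attribute values matter because those two fields are typed by an administrator and silently shape every search; rejecting an unbalanced filter at configuration time is cheaper than diagnosing failed logins later.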

 

Table 3: TACACS Configuration Parameters

Parameter

Description

Name

Enter a name for the server.

IP address

Enter the IP address of the TACACS server.

Auth Port

Enter the TCP/IP port used by the server. The default port number is 49.

Shared Key

Enter a secret key of your choice to authenticate communication between the TACACS+ client and the server.

Retype Key

Re-enter the shared key.

Timeout

Enter a number between 1 and 30 seconds to indicate the timeout period for TACACS+ requests. The default value is 20 seconds.

Retry Count

Enter a number between 1 and 5 to indicate the maximum number of authentication attempts. The default value is 3.

Dead time

Specify a dead time in minutes within the range of 1–1440 minutes. The default dead time interval is 5 minutes.

Session authorization

Enables or disables session authorization. When enabled, the optional authorization session is turned on for the admin users. By default, session authorization is disabled.

 

Table 4: ClearPass Policy Manager Server Configuration Parameters for AirGroup CoA

Parameter

Description

Name

Enter a name for the server.

IP address

Enter the host name or IP address of the server.

Air Group CoA port

Enter a port number for sending AirGroup CoA on a port different from the standard CoA port. The default value is 5999.

Shared key

Enter a shared key for communicating with the external RADIUS server.

Retype key

Re-enter the shared key.

The following CLI commands configure a RADIUS server with DRP (Dynamic RADIUS Proxy) parameters:

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server <profile-name>)# ip <host>

(Instant AP)(Auth Server <profile-name>)# key <key>

(Instant AP)(Auth Server <profile-name>)# port <port>

(Instant AP)(Auth Server <profile-name>)# acctport <port>

(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>

(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>

(Instant AP)(Auth Server <profile-name>)# timeout <seconds>

(Instant AP)(Auth Server <profile-name>)# retry-count <number>

(Instant AP)(Auth Server <profile-name>)# rfc3576

(Instant AP)(Auth Server <profile-name>)# rfc5997 {auth-only|acct-only}

(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>

(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>
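The rfc5997 command above, like the RFC 5997 row in the RADIUS table, turns on a Status-Server probe that runs whenever a request times out. The following Python is an added example, not Aruba code, showing the exchange on the wire from both sides: the client builds a Status-Server packet protected by a Message-Authenticator keyed with the shared key, the server answers only when that authenticator verifies, and the client accepts the answer only when its Response Authenticator verifies. The shared key, NAS-Identifier and helper names are constructed for the example.

```python
"""RFC 5997 Status-Server exchange between a RADIUS client (the role the Instant AP
plays when RFC 5997 is enabled and a request times out) and a RADIUS server.
Added example, not Aruba code; the shared key and NAS-Identifier below are constructed."""
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12              # RADIUS Code for Status-Server
ACCESS_ACCEPT = 2               # reply on the authentication port
ACCOUNTING_RESPONSE = 5         # reply on the accounting port
ATTR_NAS_IDENTIFIER = 32        # the NAS Identifier parameter of the profile
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length covers the 2-byte header)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes((attr_type, len(value) + 2)) + value


def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, HEADER.size + len(attrs), authenticator) + attrs


def parse(packet: bytes):
    """Split a packet into (code, identifier, authenticator, [(type, value), ...]),
    rejecting length fields that do not match the bytes actually received."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], HEADER.size
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, auth, attrs


def build_status_server(ident: int, secret: bytes, nas_id: bytes, request_authenticator: bytes = b"") -> bytes:
    """Client side. Status-Server carries a random Request Authenticator and must carry a
    Message-Authenticator: HMAC-MD5 keyed with the shared key over the whole packet with
    the Message-Authenticator value zeroed. It is placed last so it can be patched in."""
    if not request_authenticator:
        request_authenticator = os.urandom(16)
    attrs = _attr(ATTR_NAS_IDENTIFIER, nas_id) + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    draft = _packet(STATUS_SERVER, ident, request_authenticator, attrs)
    return draft[:-16] + hmac.new(secret, draft, hashlib.md5).digest()


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the Message-Authenticator zeroed; compare in constant time."""
    code, ident, auth, attrs = parse(packet)
    found = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0]) != 16:
        return False
    zeroed = b"".join(_attr(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, _packet(code, ident, auth, zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, found[0])


def answer_status_server(request: bytes, secret: bytes, accounting: bool = False):
    """Server side. A Status-Server whose Message-Authenticator verifies under the shared
    key gets Access-Accept (auth port) or Accounting-Response (acct port). Anything else
    is silently dropped, as a real server does; None models the dropped reply."""
    try:
        code, ident, request_auth, _ = parse(request)
    except ValueError:
        return None
    if code != STATUS_SERVER or not verify_message_authenticator(request, secret):
        return None
    resp_code = ACCOUNTING_RESPONSE if accounting else ACCESS_ACCEPT
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here.
    head = struct.pack("!BBH", resp_code, ident, HEADER.size)
    return head + hashlib.md5(head + request_auth + secret).digest()


def server_is_up(request: bytes, response, secret: bytes) -> bool:
    """Client side. The server counts as alive only if a reply arrives, its Identifier matches
    the probe and its Response Authenticator verifies; an unauthenticated reply must not
    revive a server that is really down (or keep a spoofed one marked up)."""
    if response is None:
        return False
    try:
        code, ident, response_auth, _ = parse(response)
        _, req_ident, request_auth, _ = parse(request)
    except ValueError:
        return False
    if ident != req_ident or code not in (ACCESS_ACCEPT, ACCOUNTING_RESPONSE):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[HEADER.size:] + secret).digest()
    return hmac.compare_digest(expected, response_auth)


if __name__ == "__main__":
    KEY = b"constructed-shared-key"          # constructed sample, not a real key
    probe = build_status_server(ident=7, secret=KEY, nas_id=b"instant-ap-01")
    print("server up:", server_is_up(probe, answer_status_server(probe, KEY), KEY))
```

The practical point for the Retry count and Timeout rows is visible in `answer_status_server`: a server that is reachable but configured with a different shared key answers nothing, exactly as a dead server does, so a key mismatch presents as repeated timeouts followed by the server being marked DOWN rather than as an explicit rejection.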

The following CLI commands enable RadSec:

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server "name")# ip <host>

(Instant AP)(Auth Server "name")# radsec [port <port>]

(Instant AP)(Auth Server "name")# rfc3576

(Instant AP)(Auth Server "name")# rfc5997 {auth-only|acct-only}

(Instant AP)(Auth Server "name")# nas-id <id>

(Instant AP)(Auth Server "name")# nas-ip <ip>

The following CLI commands configure an LDAP server:

(Instant AP)(config)# wlan ldap-server <profile-name>

(Instant AP)(LDAP Server <profile-name>)# ip <IP-address>

(Instant AP)(LDAP Server <profile-name>)# port <port>

(Instant AP)(LDAP Server <profile-name>)# admin-dn <name>

(Instant AP)(LDAP Server <profile-name>)# admin-password <password>

(Instant AP)(LDAP Server <profile-name>)# base-dn <name>

(Instant AP)(LDAP Server <profile-name>)# filter <filter>

(Instant AP)(LDAP Server <profile-name>)# key-attribute <key>

(Instant AP)(LDAP Server <profile-name>)# timeout <seconds>

(Instant AP)(LDAP Server <profile-name>)# retry-count <number>

(Instant AP)(LDAP Server <profile-name>)# deadtime <minutes>

The following CLI commands configure a TACACS+ server:

(Instant AP)(config)# wlan tacacs-server <profile-name>

(Instant AP)(TACACS Server <profile-name>)# ip <IP-address>

(Instant AP)(TACACS Server <profile-name>)# port <port>

(Instant AP)(TACACS Server <profile-name>)# key <key>

(Instant AP)(TACACS Server <profile-name>)# timeout <seconds>

(Instant AP)(TACACS Server <profile-name>)# retry-count <number>

(Instant AP)(TACACS Server <profile-name>)# deadtime <minutes>

The following CLI commands configure a ClearPass Policy Manager server used for AirGroup CoA:

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server <profile-name>)# ip <host>

(Instant AP)(Auth Server <profile-name>)# key <key>

(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-port <port>

(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-only
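The CLI blocks above accept whatever is typed; the ranges and the host-name rule live only in the tables. The following Python is an added example, not Aruba code: it checks a RADIUS profile against the constraints the tables state (ports 1–65,535 with defaults 1812 and 1813, retry count 1–5, dead time 1–1440 minutes, host name only when RadSec is enabled, rfc5997 either auth-only or acct-only) and renders the auth-server command block shown above, so a profile can be reviewed before it is pasted into the AP. The profile dictionary layout, the helper names and the sample values are this example's own; the 1–30 second timeout range is taken from the LDAP and TACACS rows, since the RADIUS row states only the default.

```python
"""Validate an auth-server profile against the ranges in the tables above and render it as
the CLI block shown. Added example, not Aruba code; the dict layout and sample values are
this example's own assumptions."""
import ipaddress
import re

# RFC 1123 host-name syntax; the page says a host name is accepted only when RadSec is enabled.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def _check_range(name: str, value, lo: int, hi: int) -> None:
    if not isinstance(value, int) or isinstance(value, bool) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer in {lo}..{hi}, got {value!r}")


def is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def render_radius_server(p: dict) -> list:
    """p keys: name, host, key (not used under radsec), radsec, radsec_port, port, acctport,
    timeout, retry_count, deadtime, rfc3576, rfc5997 ('auth-only' | 'acct-only' | None),
    nas_id, nas_ip. Port defaults are the ones the RADIUS table states; timeout, retry
    count and dead time are emitted only when the profile sets them explicitly."""
    name, host = p["name"], p["host"]
    radsec = bool(p.get("radsec", False))
    if not name or any(c.isspace() for c in name):
        raise ValueError("profile name must be a single non-empty word")
    if not is_ip_address(host):
        if len(host) > 253 or not HOSTNAME_RE.match(host):
            raise ValueError(f"host is neither an IP address nor a valid host name: {host!r}")
        if not radsec:
            raise ValueError("a host name is accepted only when RadSec is enabled; use an IP address")
    port, acctport = p.get("port", 1812), p.get("acctport", 1813)
    _check_range("port", port, 1, 65535)
    _check_range("acctport", acctport, 1, 65535)
    if "radsec_port" in p:
        _check_range("radsec_port", p["radsec_port"], 1, 65535)
    if "timeout" in p:
        _check_range("timeout", p["timeout"], 1, 30)      # range from the LDAP/TACACS rows
    if "retry_count" in p:
        _check_range("retry_count", p["retry_count"], 1, 5)
    if "deadtime" in p:
        _check_range("deadtime", p["deadtime"], 1, 1440)
    rfc5997 = p.get("rfc5997")
    if rfc5997 not in (None, "auth-only", "acct-only"):
        raise ValueError("rfc5997 must be 'auth-only' or 'acct-only'")
    if p.get("nas_ip") is not None and not is_ip_address(p["nas_ip"]):
        raise ValueError("nas_ip must be an IP address")

    lines = [f"wlan auth-server {name}", f"ip {host}"]
    if radsec:
        lines.append("radsec" + (f" port {p['radsec_port']}" if "radsec_port" in p else ""))
    else:
        if not p.get("key"):
            raise ValueError("shared key is required when RadSec is not used")
        lines += [f"key {p['key']}", f"port {port}", f"acctport {acctport}"]
    if p.get("nas_id"):
        lines.append(f"nas-id {p['nas_id']}")
    if p.get("nas_ip"):
        lines.append(f"nas-ip {p['nas_ip']}")
    if "timeout" in p:
        lines.append(f"timeout {p['timeout']}")
    if "retry_count" in p:
        lines.append(f"retry-count {p['retry_count']}")
    if p.get("rfc3576"):
        lines.append("rfc3576")
    if rfc5997:
        lines.append(f"rfc5997 {rfc5997}")
    if "deadtime" in p:
        lines.append(f"deadtime {p['deadtime']}")
    return lines


if __name__ == "__main__":
    # Constructed sample profile; the key is a placeholder, not a real secret.
    sample = {"name": "corp-radius", "host": "10.10.1.5", "key": "CONSTRUCTED-KEY",
              "rfc3576": True, "rfc5997": "auth-only", "nas_id": "instant-ap-01", "deadtime": 5}
    print("\n".join(render_radius_server(sample)))
```

Each rendered line is one command typed at the `(Instant AP)(Auth Server <profile-name>)#` prompt after the first line is entered in config mode; the function deliberately stops at the first violated constraint rather than emitting a partial block.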

Customizing the RADIUS Attributes

Aruba Instant allows users to configure a RADIUS modifier profile to customize the attributes that are included, excluded, and modified in the RADIUS request before it is sent to the authentication server. The RADIUS modifier profile can be configured and applied to Access-Request packets, Accounting-Request packets, or both on a RADIUS authentication server.

This profile can contain up to 64 RADIUS attributes with static values that are used either to add or update attributes in the request, and another 64 RADIUS attributes to be excluded from the requests.

Two new parameters have been added in the RADIUS authentication-server profile: