Configuring Authentication Survivability

The authentication survivability feature provides a survivable authentication framework for remote link failures when working with external authentication servers. When enabled, it allows Instant APs to authenticate previously connected clients against cached credentials if the connection to the authentication server is temporarily lost.

Instant supports the following EAP standards for authentication survivability:

EAP-MSCHAPv2: PEAP, also known as Protected EAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated TLS tunnel.

EAP-TLS: EAP-TLS is an IETF open standard that uses the TLS protocol.

When the authentication survivability feature is enabled, the following authentication process is used:

1. Upon successful authentication, the associated Instant AP caches the authentication credentials of the connected clients for the configured duration. The cache expiry duration for authentication survivability can be set within the range of 1–99 hours, with 24 hours being the default cache timeout duration.

2. If the client roams or tries to reconnect to the Instant AP and the remote link fails due to the unavailability of the authentication server, the Instant AP uses the cached credentials in the internal authentication server to authenticate the user. However, if the client tries to reconnect after the cache expiry, the authentication fails.

3. When the authentication server is available again and the client tries to reconnect, the Instant AP detects the availability of the server and allows the client to authenticate to the server. Upon successful authentication, the Instant AP cache details are refreshed.

Starting from Aruba Instant 8.4.0.0, access credentials, user roles, and other key attributes are cached when clients are authenticated by an external authentication server.

Below are the cached RADIUS attributes:

ARUBA_NAMED_VLAN

ARUBA_NO_DHCP_FINGERPRINT

ARUBA_ROLE

ARUBA_VLAN

MS_TUNNEL_MEDIUM_TYPE

MS_TUNNEL_PRIVATE_GROUP_ID

MS_TUNNEL_TYPE

PW_SESSION_TIMEOUT

PW_USER_NAME
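The following Python model is an added illustration, not Aruba code and not the Instant AP implementation. It exercises the three-step process above (cache on success, serve from the cache while the server is unreachable, refresh once the server returns) together with the cached attribute list, on a fake clock so the 1–99 hour expiry can be observed. It assumes a simplified password-style credential check and a salted PBKDF2 verifier in place of whatever the AP actually stores; the user names, credentials, attribute values and the hypothetical FakeAuthServer are constructed for the example.

```python
"""Constructed model of the Instant AP authentication-survivability cache (not Aruba code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

CACHE_TTL_MIN_HOURS, CACHE_TTL_MAX_HOURS, CACHE_TTL_DEFAULT_HOURS = 1, 99, 24

# RADIUS attributes the page lists as cached (Instant 8.4.0.0 and later).
CACHED_ATTRIBUTES = frozenset({
    "ARUBA_NAMED_VLAN", "ARUBA_NO_DHCP_FINGERPRINT", "ARUBA_ROLE", "ARUBA_VLAN",
    "MS_TUNNEL_MEDIUM_TYPE", "MS_TUNNEL_PRIVATE_GROUP_ID", "MS_TUNNEL_TYPE",
    "PW_SESSION_TIMEOUT", "PW_USER_NAME",
})


@dataclass
class CacheEntry:
    salt: bytes
    verifier: bytes       # salted PBKDF2 of the credential (an assumption of this model)
    attributes: dict      # only the attributes listed in CACHED_ATTRIBUTES
    expires_at: float     # seconds on the model clock


class SurvivabilityCache:
    """Per-AP cache keyed by user name; entries expire after the configured timeout."""

    def __init__(self, clock, cache_timeout_hours=CACHE_TTL_DEFAULT_HOURS):
        if not CACHE_TTL_MIN_HOURS <= cache_timeout_hours <= CACHE_TTL_MAX_HOURS:
            raise ValueError("cache-time-out must be between 1 and 99 hours")
        self.clock = clock            # callable returning seconds; injectable for the scenario
        self.ttl = cache_timeout_hours * 3600
        self.entries = {}

    @staticmethod
    def _verifier(salt, credential):
        return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 10_000)

    def store(self, username, credential, radius_attrs):
        salt = os.urandom(16)
        kept = {k: v for k, v in radius_attrs.items() if k in CACHED_ATTRIBUTES}
        self.entries[username] = CacheEntry(
            salt, self._verifier(salt, credential), kept, self.clock() + self.ttl)

    def lookup(self, username, credential):
        """Return cached attributes, or None if absent, expired, or the credential mismatches."""
        entry = self.entries.get(username)
        if entry is None:
            return None
        if self.clock() >= entry.expires_at:
            del self.entries[username]      # expired: the client must reach the real server
            return None
        if not hmac.compare_digest(entry.verifier, self._verifier(entry.salt, credential)):
            return None
        return dict(entry.attributes)


class FakeAuthServer:
    """Hypothetical stand-in for the external RADIUS server: a user table plus an availability flag."""

    def __init__(self, users):
        self.users = dict(users)      # username -> (credential, RADIUS attributes returned)
        self.available = True

    def authenticate(self, username, credential):
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec[0].encode(), credential.encode()):
            return None
        return dict(rec[1])


def authenticate(username, credential, server, cache):
    """Returns (source, attributes); source is 'server', 'cache' or 'denied'."""
    if server.available:
        attrs = server.authenticate(username, credential)
        if attrs is None:
            return "denied", None
        cache.store(username, credential, attrs)      # steps 1 and 3: fill or refresh the cache
        return "server", attrs
    attrs = cache.lookup(username, credential)        # step 2: server unreachable, use the cache
    return ("cache", attrs) if attrs is not None else ("denied", None)


def run_scenario(cache_timeout_hours=CACHE_TTL_DEFAULT_HOURS):
    """Drive the model through the page's three steps on a fake clock; returns the sources seen."""
    now = [0.0]
    cache = SurvivabilityCache(lambda: now[0], cache_timeout_hours)
    alice = ("s3cret", {"ARUBA_ROLE": "employee", "ARUBA_VLAN": "10", "REPLY_MESSAGE": "dropped"})
    server = FakeAuthServer({"alice": alice})                          # constructed user record
    seen = []
    seen.append(authenticate("alice", "s3cret", server, cache)[0])   # server up: 'server'
    server.available = False
    seen.append(authenticate("alice", "s3cret", server, cache)[0])   # link down: 'cache'
    seen.append(authenticate("alice", "wrong", server, cache)[0])    # wrong credential: 'denied'
    del server.users["alice"]                                        # removed during downtime...
    seen.append(authenticate("alice", "s3cret", server, cache)[0])   # ...still 'cache' until expiry
    now[0] += cache_timeout_hours * 3600                             # cache timeout elapses
    seen.append(authenticate("alice", "s3cret", server, cache)[0])   # expired: 'denied'
    server.available, server.users["alice"] = True, alice            # server back, user restored
    seen.append(authenticate("alice", "s3cret", server, cache)[0])   # step 3: 'server', cache refreshed
    return seen


if __name__ == "__main__":
    print(run_scenario())   # ['server', 'cache', 'denied', 'cache', 'denied', 'server']
```

The fourth step of the scenario is the point from "Important Points to Remember" worth noticing during an outage: a client removed from the server while the link is down keeps authenticating from the cache until its entry expires, so the cache timeout bounds how long a revocation can lag and should be chosen with that in mind rather than only for convenience.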

Enabling Authentication Survivability

You can enable authentication survivability for a wireless network profile through the WebUI or the CLI.

In the Old WebUI

To configure authentication survivability for a wireless network:

1. On the Networks tab, click New to create a new WLAN SSID profile, or select an existing profile for which you want to enable authentication survivability and click edit.

2. In the Edit <profile-name> or the New WLAN window, ensure that the required WLAN and VLAN attributes are defined, and then click Next.

3. On the Security tab, under Enterprise security settings, select an existing authentication server or create a new server by clicking New.

4. To enable authentication survivability, select Enabled from the Authentication survivability drop-down list. On enabling this, the Instant AP authenticates the previously connected clients using EAP-PEAP and EAP-TLS authentication when the connection to the external authentication server is temporarily lost.

5. In the Cache timeout (global) text box, specify the cache timeout duration, after which the cached details of the previously authenticated clients expire. You can specify a value within the range of 1–99 hours and the default cache timeout duration is 24 hours.

6. Click Next and then click Finish to apply the changes.

In the New WebUI

To configure authentication survivability for a wireless network:

1. In the Configuration > Networks page,

Click + to create a new WLAN SSID profile, or

Select an existing profile for which you want to enable authentication survivability and click edit.

2. Ensure that the required WLAN and VLAN attributes are defined under the Basic and VLAN tabs.

3. Under the Security tab, select Enterprise in the Security Level list box.

4. Select an existing authentication server or create a new server by clicking +.

5. To enable authentication survivability, toggle the Authentication survivability switch. On enabling this, the Instant AP authenticates the previously connected clients using EAP-PEAP and EAP-TLS authentication when the connection to the external authentication server is temporarily lost.

6. In the Cache timeout (global) text box, specify the cache timeout duration, after which the cached details of the previously authenticated clients expire. You can specify a value within the range of 1–99 hours and the default cache timeout duration is 24 hours.

7. Click Next until you reach the last page, and then click Finish to apply the changes.

Important Points to Remember

Any client connected through ClearPass Policy Manager and authenticated through Instant AP remains authenticated with the Instant AP even if the client is removed from the ClearPass Policy Manager server during the ClearPass Policy Manager downtime.

Do not make any changes to the authentication survivability cache timeout duration when the authentication server is down.

For EAP-PEAP authentication, ensure that ClearPass Policy Manager 6.0.2 or a later version is used for authentication. For EAP-TLS authentication, any external or third-party server can be used.

For EAP-TLS authentication, ensure that the server and CA certificates from the authentication servers are uploaded on the Instant AP. For more information, see Uploading Certificates.

The authentication cache is lost if the Instant AP on which the user credentials are cached is rebooted.

EAP-PEAP authentication survivability is supported on Aruba CPPM Server version 6.0.2 or later versions.

Limitations

Authentication survivability is not supported under the following conditions:

1. When MAC authentication is enabled on the SSID.

2. When EAP Termination is enabled.

3. When the RadSec server is used as an authentication server.

4. When the internal server is used as a secondary authentication server.

In the CLI

To configure authentication survivability for a wireless network:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}

(Instant AP)(SSID Profile <name>)# auth-server <server-name1>

(Instant AP)(SSID Profile <name>)# auth-survivability

(Instant AP)(SSID Profile <name>)# exit

(Instant AP)(config)# auth-survivability cache-time-out <hours>

To view the cache expiry duration:

(Instant AP)# show auth-survivability time-out

To view the information cached by the Instant AP:

(Instant AP)# show auth-survivability cached-info

To view logs for debugging:

(Instant AP)# show auth-survivability debug-log