Aruba Instant 8.6.0.0 Online Help Center Help Center
You are here: Home > Aruba Instant User Guide > Table of Contents > Configuring an External Server for Authentication

External RADIUS Server

In the external RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server, the IP address of the virtual controller is configured as the NASNetwork Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. IP address. Instant RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  is implemented on the virtual controller and this eliminates the need to configure multiple NASNetwork Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. clients for every Instant AP on the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server for client authentication. Instant RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  dynamically forwards all the authentication requests from a NASNetwork Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. to a remote RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server. The RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server responds to the authentication request with an Access-Accept or Access-Reject message, and the clients are allowed or denied access to the network depending on the response from the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server. When you enable an external RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server for the network, the client on the Instant AP sends a RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  packet to the local IP address. The external RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server then responds to the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  packet.

Instant supports the following external authentication servers:

RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. 

LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network.

ClearPass Policy Manager Server for AirGroup CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions.

To use an LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server for user authentication, configure the LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server on the virtual controller, and configure user IDs and passwords. To use a RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server for user authentication, configure the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server on the virtual controller.

Configuring an External Server for Authentication

The following procedure describes how to configure RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. , TACACSTerminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. , LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network., and ClearPass Policy Manager servers using the WebUI.

Table 1: Configuring an External Server for Authentication

New WebUI

Old WebUI

1. Navigate to the Configuration > Security page.

2. Expand Authentication Servers.

3. To create a new server, click +. The New Authentication Server window for specifying details for the new server is displayed.

4. Configure parameters based on the type of sever.

RADIUS—To configure a RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server, specify the attributes described in the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  Server Configuration Parameters table below. To assign the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.

NOTE: You can also add an external RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server by selecting the New option when configuring a WLANWireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. or wired profile. For more information, see Configuring Multiple PSK For WLAN SSID Profiles and Configuring Security Settings for a Wired Employee Network .

LDAP—To configure an LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server, select the LDAP option and configure the attributes described in the LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. Server Configuration Parameters table below.

TACACS—To configure TACACSTerminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. server, select the TACACS option and configure the attributes described in the TACACSTerminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. Server Configuration parameters table below.

NOTE: You can also add TACACSTerminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server.  server by selecting the New option when configuring authentication parameters for management users. For more information, see Configuring Authentication Parameters for Management Users .

CoA only for AirGroup CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. —To configure a ClearPass Policy Manager server used for AirGroup CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. , select the CoA only check box and configure the attributes defined in the ClearPass Policy Manager Server Configuration Parameters for AirGroup CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. table below. The RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server is automatically selected.

NOTE: The ClearPass Policy ManagerClearPass Policy Manager is a baseline platform for policy management, AAA, profiling, network access control, and reporting. With ClearPass Policy Manager, the network administrators can configure and manage secure network access that accommodates requirements across multiple locations and multivendor networks, regardless of device ownership and connection method. server acts as a RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server and asynchronously provides the AirGroup parameters for the client device including shared user, role, and location.

5. Click OK.

1. Navigate to Security > Authentication Servers. The Security window is displayed.

2. To create a new server, click New. A window for specifying details for the new server is displayed.

3. Configure parameters based on the type of sever.

RADIUS—To configure a RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server, specify the attributes described in the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  Server Configuration Parameters table below. To assign the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.

NOTE: You can also add an external RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server by selecting the New option when configuring a WLANWireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. or wired profile. For more information, see Configuring Multiple PSK For WLAN SSID Profiles and Configuring Security Settings for a Wired Employee Network .

LDAP—To configure an LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server, select the LDAP option and configure the attributes described in the LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. Server Configuration Parameters table below.

TACACS—To configure TACACSTerminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. server, select the TACACS option and configure the attributes described in the TACACSTerminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. Server Configuration parameters table below.

NOTE: You can also add TACACSTerminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server.  server by selecting the New option when configuring authentication parameters for management users. For more information, see Configuring Authentication Parameters for Management Users .

CoA only for AirGroup CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. —To configure a ClearPass Policy Manager server used for AirGroup CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. , select the CoA only check box and configure the attributes defined in the ClearPass Policy Manager Server Configuration Parameters for AirGroup CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. table below. The RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server is automatically selected.

NOTE: The ClearPass Policy ManagerClearPass Policy Manager is a baseline platform for policy management, AAA, profiling, network access control, and reporting. With ClearPass Policy Manager, the network administrators can configure and manage secure network access that accommodates requirements across multiple locations and multivendor networks, regardless of device ownership and connection method. server acts as a RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server and asynchronously provides the AirGroup parameters for the client device including shared user, role, and location.

4. Click OK.

 

Table 2: RADIUS Server Configuration Parameters

Parameter

Description

Name

Enter a name for the server.

IP address

Enter the host name or the IP address of the external RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server.

NOTE: The hose name value will be accepted only if the RadSec parameter is enabled.

RadSec

Set RadSec to Enabled to enable secure communication between the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server and Instant AP by creating a TLSTransport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. tunnel between the Instant AP and the server.

If RadSec is enabled, the following configuration options are displayed:

RadSec port—Communication port number for RadSec TLSTransport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. connection. By default, the port number is set to 2083.

RFC 3576

RFC 5997

NAS IP address

NAS identifier

Service type framed user

For more information on RadSec configuration, see Configuring a RadSec Server.

Auth port

Enter the authorization port number of the external RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server within the range of 1–65,535. The default port number is 1812.

Accounting port

Enter the accounting port number within the range of 1–65,535. This port is used for sending accounting records to the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server. The default port number is 1813.

Shared key

Enter a shared key for communicating with the external RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server.

Retype key

Re-enter the shared key.

Timeout

Specify a timeout value in seconds. The value determines the timeout for one RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  request. The Instant AP retries to send the request several times (as configured in the Retry count) before the user gets disconnected. For example, if the Timeout is 5 seconds, Retry counter is 3, user is disconnected after 20 seconds. The default value is 5 seconds.

Retry count

Specify a number between 1 and 5. Indicates the maximum number of authentication requests that are sent to the server group, and the default value is 3 requests.

RFC 3576

Select Enabled to allow the Instant APs to process RFCRequest For Comments. RFC is a commonly used format for the Internet standards documentss. 3576-compliant CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. and disconnect messages from the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server. Disconnect messages cause a user session to be terminated immediately, whereas the CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. messages modify session authorization attributes such as data filters.

RFC 5997

This helps to detect the server status of the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server. Every time there is an authentication or accounting request timeout, the Instant AP will send a status request enquiry to get the actual status of the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server before confirming the status of the server to be DOWN.

Authentication—Select this check-box to ensure the Instant AP sends a status-server request to determine the actual state of the authentication server before marking the server as unavailable.

Accounting—Select this check-box to ensure the Instant AP sends a status-server request to determine the actual state of the accounting server before marking the server as unavailable.

NOTE: You can choose to select either the Authentication or Accounting check-boxes or select both check-boxes to support RFC5997.

NAS IP address

Allows you to configure an arbitrary IP address to be used as RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  attribute 4, NASNetwork Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. IP Address, without changing source IP Address in the IP header of the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  packet.

NOTE: If you do not enter the IP address, the virtual controller IP address is used by default when Dynamic RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  Proxy is enabled.

NAS Identifier

Allows you to configure strings for RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  attribute 32, NASNetwork Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. Identifier, to be sent with RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  requests to the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server.

Dead Time

Specify a dead time for authentication server in minutes.

When two or more authentication servers are configured on the Instant AP and a server is unavailable, the dead time configuration determines the duration for which the authentication server would be available if the server is marked as unavailable.

Dynamic RADIUS proxy parameters

Specify the following dynamic RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  proxy parameters:

DRP IP—IP address to be used as source IP for RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  packets.

DRP MaskSubnetSubnet is the logical division of an IP network. mask of the DRP IP address.

DRP VLANVLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. in which the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  packets are sent.

DRP GatewayGatewayGateway is a network node that allows traffic to flow in and out of the network. IP address of the DRP VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN..

For more information on dynamic RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  proxy parameters and configuration procedure, see Enabling Dynamic RADIUS Proxy.

Service type framed user

Sets the service type value to frame for the following authentication methods:

802.1X—Changes the service type to frame for 802.1X802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication.

Captive Portal—Changes the service type to frame for Captive PortalA captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication.

MAC—Changes the service type to frame for MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network.  authentication.

 

Table 3: LDAP Server Configuration Parameters

Parameter

Description

Name

Enter a name for the server.

IP address

Enter the IP address of the LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network.  server.

Auth port

Enter the authorization port number of the LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server. The default port number is 389.

NOTE: Secure LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. over SSLSecure Sockets Layer. SSL is a computer networking protocol for securing connections between network application clients and servers over the Internet. is currently not supported on Instant APs. Changing the authentication port to 636 will not enable secure LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. over SSLSecure Sockets Layer. SSL is a computer networking protocol for securing connections between network application clients and servers over the Internet..

Admin-DN

Enter a DNDistinguished Name. A series of fields in a digital certificate that, taken together, constitute the unique identity of the person or device that owns the digital certificate. Common fields in a DN include country, state, locality, organization, organizational unit, and the “common name”, which is the primary name used to identify the certificate. for the admin user with read/search privileges across all the entries in the LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. database (the user need not have write privileges, but the user must be able to search the database, and read attributes of other users in the database).

Admin password

Enter a password for administrator.

Base-DN

Enter a DNDistinguished Name. A series of fields in a digital certificate that, taken together, constitute the unique identity of the person or device that owns the digital certificate. Common fields in a DN include country, state, locality, organization, organizational unit, and the “common name”, which is the primary name used to identify the certificate. for the node that contains the entire user database.

Filter

Specify the filter to apply when searching for a user in the LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. database. The default filter string is (objectclass=*).

Key Attribute

Specify the attribute to use as a key while searching for the LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server. For Active DirectoryMicrosoft Active Directory. The directory server that stores information about a variety of things, such as organizations, sites, systems, users, shares, and other network objects or components. It also provides authentication and authorization mechanisms, and a framework within which related services can be deployed., the value is sAMAccountName

Timeout

Enter a value between 1 and 30 seconds. The default value is 5.

Retry count

Enter a value between 1 and 5. The default value is 3.

Dead Time

Specify a dead time for the authentication server in minutes within the range of 1–1440 minutes. The default dead time interval is 5 minutes.

When two or more authentication servers are configured on the Instant AP and a server is unavailable, the dead time configuration determines the duration for which the authentication server would be available if the server is marked as unavailable.

 

Table 4: TACACS Configuration Parameters

Parameter

Description

Name

Enter a name for the server.

IP address

Enter the IP address of the TACACSTerminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. server.

Auth Port

Enter a TCPIP port used by the server. The default port number is 49.

Shared Key

Enter a secret key of your choice to authenticate communication between the TACACS+Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  client and the server.

Retype Key

Re-enter the shared key.

Timeout

Enter a number between 1 and 30 seconds to indicate the timeout period for TACACS+Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  requests. The default value is 20 seconds.

Retry Count

Enter a number between 1 and 5 to indicate the maximum number of authentication attempts. The default value is 3.

Dead time

Specify a dead time in minutes within the range of 1–1440 minutes. The default dead time interval is 5 minutes.

Session authorization

Enables or disables session authorization. When enabled, the optional authorization session is turned on for the admin users. By default, session authorization is disabled.

 

Table 5: ClearPass Policy Manager Server Configuration Parameters for AirGroup CoA

Parameter

Description

Name

Enter a name of the server.

IP address

Enter the host name or IP address of the server.

Air Group CoA port

Enter a port number for sending AirGroupThe application that allows the end users to register their personal mobile devices on a local network and define a group of friends or associates who are allowed to share them. AirGroup is primarily designed for colleges and other institutions. AirGroup uses zero configuration networking to allow Apple mobile devices, such as the AirPrint wireless printer service and the AirPlay mirroring service, to communicate over a complex access network topology. CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. on a port different from the standard CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. port. The default value is 5999.

Shared key

Enter a shared key for communicating with the external RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server.

Retype key

Re-enter the shared key.

The following CLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure a RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server with DRP parameters:

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server <profile-name>)# ip <host>

(Instant AP)(Auth Server <profile-name>)# key <key>

(Instant AP)(Auth Server <profile-name>)# port <port>

(Instant AP)(Auth Server <profile-name>)# acctport <port>

(Instant AP)(Auth Server <profile-name>)# nas-id <NAS-ID>

(Instant AP)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>

(Instant AP)(Auth Server <profile-name>)# timeout <seconds>

(Instant AP)(Auth Server <profile-name>)# retry-count <number>

(Instant AP)(Auth Server <profile-name>)# rfc3576

(Instant AP)(Auth Server <profile-name>)# rfc5997 {auth-only|acct-only}

(Instant AP)(Auth Server <profile-name>)# deadtime <minutes>

(Instant AP)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address)

The following CLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands enable RadSec:

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server "name")# ip <host>

(Instant AP)(Auth Server "name")# radsec [port <port>]

(Instant AP)(Auth Server "name")# rfc3576

(Instant AP)(Auth Server "name")# rfc5997 {auth-only|acct-only}

(Instant AP)(Auth Server "name")# nas-id <id>

(Instant AP)(Auth Server "name")# nas-ip <ip>

The following CLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure an LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server:

(Instant AP)(config)# wlan ldap-server <profile-name>

(Instant AP)(LDAP Server <profile-name>)# ip <IP-address>

(Instant AP)(LDAP Server <profile-name>)# port <port>

(Instant AP)(LDAP Server <profile-name>)# admin-dn <name>

(Instant AP)(LDAP Server <profile-name>)# admin-password <password>

(Instant AP)(LDAP Server <profile-name>)# base-dn <name>

(Instant AP)(LDAP Server <profile-name>)# filter <filter>

(Instant AP)(LDAP Server <profile-name>)# key-attribute <key>

(Instant AP)(LDAP Server <profile-name>)# timeout <seconds>

(Instant AP)(LDAP Server <profile-name>)# retry-count <number>

(Instant AP)(LDAP Server <profile-name>)# deadtime <minutes>

The following CLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure a TACACS+Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  server:

(Instant AP)(config)# wlan tacacs-server <profile-name>

(Instant AP)(TACACS Server <profile-name>)# ip <IP-address>

(Instant AP)(TACACS Server <profile-name>)# port <port>

(Instant AP)(TACACS Server <profile-name>)# key <key>

(Instant AP)(TACACS Server <profile-name>)# timeout <seconds>

(Instant AP)(TACACS Server <profile-name>)# retry-count <number>

(Instant AP)(TACACS Server <profile-name>)# deadtime <minutes>

The following CLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure a ClearPass Policy Manager server used for AirGroup CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. :

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server <profile-name>)# ip <host>

(Instant AP)(Auth Server <profile-name>)# key <key>

(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-port <port>

(Instant AP)(Auth Server <profile-name>)# cppm-rfc3576-only

Customizing the RADIUS Attributes

Starting from Aruba Instant 8.3.0.0, the users can now configure RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  modifier profile to customize the attributes that are included, excluded and modified in the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  request before it is sent to the authentication server. The RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  modifier profile can be configured and applied to either Access-RequestRADIUS packet sent to a RADIUS server requesting authorization. or Accounting-RequestRADIUS packet type sent to a RADIUS server containing accounting summary information. or both on a RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication server.

This profile can contain up to 64 RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  attributes with static values that are used either to add or update in the request and another 64 RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  attributes to be excluded from the Requests.

Two new parameters have been added in the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication-server profile :

l auth-modifier: When assigned, it references to a RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  modifier profile which is applied to all Access-Requests sending to this RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication-server.

l acct-modifier: When assigned, it references to a RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  modifier profile which is applied to all Accounting-Requests sending to this RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication-server.

/*]]>*/