Authentication Methods

When configuring a WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. SSIDs Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. on APs, you can configure a number of supported authentication types for WLAN clients. These authentication methods can be configured for all traffic modes and are described in the following section:

802.1X Authentication802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication method authenticates the identity of a user before providing network access to the user. APs support external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  servers for 802.1X authentication. For authentication purpose, the wireless client can associate to a NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. or RADIUS client. NAS acts as a gateway to guard access to a protected resource. A client connecting to a SSID connects to the NAS first; therefore, based on the SSID specification, the APs or the Gateways can be configured as NAS clients to a RADIUS server to provide secure access to WLAN clients.

MAC AuthenticationMAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. authentication is used for authenticating devices based on their physical MAC addresses. MAC authentication requires that the MAC address of a machine matches a manually defined list of addresses. This authentication method is not recommended for scalable networks and the networks that require stringent security settings. However, MAC authentication can be combined with other forms of authentication such as WEP Wired Equivalent Privacy. WEP is a security protocol that is specified in 802.11b and is designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. authentication or 802.1X authentication for additional security.

MAC Authentication with 802.1X Authentication—The administrators can enable MAC authentication for 802.1X authentication. If a wireless or wired client connects to the network, MAC authentication is performed first. After a successful MAC authentication is successful, 802.1X authentication is attempted. If 802.1X authentication is successful, the client is assigned an 802.1X authentication role. If 802.1X authentication fails, the client is assigned a deny-all role or mac-auth-only role.

Captive Portal Authentication—Captive portal authentication is used for authenticating guest users. If the captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication profile is configured on an SSID and the guest users connect to this SSID for the Internet access, a web page with the usage policy and terms is presented to the guest users before providing access to the network. The SSID administrators can also enable authentication of guest users using an external server on cloud or outside the WLAN domain.

Walled Garden—When captive portal authentication is configured on an SSID, the administrators can configure Walled garden access to allow clients to view websites in a specific domain without connecting to the Internet. For example, in a hotel environment, clients can view to a designated login page (for example, a hotel website) and all its contents before connecting to the Internet. When clients try to access other websites that are not allowlisted for walled garden Walled garden is a feature that allows blocking of unauthorized users from accessing network resources. access, they are redirected to the login page for authentication.

Aruba APs support Walled Garden only for the HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. requests. For example, if you add yahoo.com in Walled Garden allowlist and the client sends an HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. request (https://yahoo.com), the requested page is not displayed and the users are redirected to the captive portal login page.