Authentication Servers for IAPs
Based on the security requirements, you can configure internal or external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. servers. This section describes the types of authentication servers and authentication termination, that can be configured for a network profile.
External RADIUS Server
In the external RADIUS server, the IP address of the Virtual Controller (VC) is configured as the NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. IP address. Aruba Central RADIUS is implemented on the VC, and this eliminates the need to configure multiple NAS clients for every Instant Access Points (IAPs) on the RADIUS server for client authentication. Aruba Central RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server. The RADIUS server responds to the authentication request with an or message, and users are allowed or denied access to the network depending on the response from the RADIUS server.
When you enable an external RADIUS server for the network, the client on the IAP sends a RADIUS packet to the local IP address. The external RADIUS server then responds to the RADIUS packet.
Aruba Central supports the following external authentication servers:
- LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network.
To use an LDAP server for user authentication, configure the LDAP server on the VC, and configure user IDs and passwords.
To use a RADIUS server for user authentication, configure the RADIUS server on the VC.
RADIUS Server Authentication with VSA
An external RADIUS server authenticates network users and returns to the IAP the VSA Vendor-Specific Attribute. VSA is a method for communicating vendor-specific information between NASs and RADIUS servers. that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA.
Internal RADIUS Server
Each IAP has an instance of free RADIUS server operating locally. When you enable the internal RADIUS server option for the network, the client on the IAP sends a RADIUS packet to the local IP address. The internal RADIUS server listens and replies to the RADIUS packet.
The following authentication methods are supported in the Aruba Central network:
- EAP-TLS EAP–Transport Layer Security. EAP-TLS is a certificate-based authentication method supporting mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints. See RFC 5216. method supports the termination of EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication. -TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. security using the internal RADIUS server. The EAP-TLS requires both server and CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate. certificates installed on the IAP. The client certificate is verified on the virtual controller (the client certificate must be signed by a known CA), before the username is verified on the authentication server. —The
- EAP-TTLS EAP–Tunneled Transport Layer Security. EAP-TTLS is an EAP method that encapsulates a TLS session, consisting of a handshake phase and a data phase. See RFC 5281. method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords. —The
- EAP-PEAP EAP–Protected EAP. A widely used protocol for securely transporting authentication data across a network (tunneled). is an 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication method that uses server-side public key The part of a public-private key pair that is made public. The public key encrypts a message and the message is decrypted with the private key of the recipient. certificates to authenticate clients with server. The PEAP Protected Extensible Authentication Protocol. PEAP is a type of EAP communication that addresses security issues associated with clear text EAP transmissions by creating a secure channel encrypted and protected by TLS. authentication creates an encrypted SSL Secure Sockets Layer. SSL is a computer networking protocol for securing connections between network application clients and servers over the Internet./TLS tunnel between the client and the authentication server. Exchange of information is encrypted and stored in the tunnel ensuring the user credentials are kept secure. —
- LEAP Lightweight Extensible Authentication Protocol. LEAP is a Cisco proprietary version of EAP used in wireless networks and Point-to-Point connections. uses dynamic WEP Wired Equivalent Privacy. WEP is a security protocol that is specified in 802.11b and is designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. keys for authentication between the client and authentication server. —
To use the internal database of an AP for user authentication, add the names and passwords of the users to be authenticated.
Aruba does not recommend the use of LEAP authentication because it does not provide any resistance to network attacks.
RADIUS Communication over TLS (RadSec)
RADIUS over TLS, also known as RadSec, is a RADIUS protocol that uses TLS protocol for end-to-end secure communication between the RADIUS server and IAP. RadSec wraps the entire RADIUS packet payload into a TLS stream. Enabling RadSec increases the level of security for authentication that is carried out across the cloud network. When configured, this feature ensures that the RadSec protocol is used for safely transmitting the authentication and accounting data between the IAP and the RadSec server.
The following conditions applies to RadSec configuration:
- The RADIUS packets go through the tunnel when TLS tunnel is established.
- By default, the TCP Transmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data. port 2083 is assigned for RadSec. Separate ports are not used for authentication, accounting, and dynamic authorization Dynamic authorization refers to the ability to make changes to a visitor account’s session while it is in progress. This might include disconnecting a session or updating some aspect of the authorization for the session. changes.
- Aruba Central supports dynamic CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. (RFC Request For Comments. RFC is a commonly used format for the Internet standards documentss. 3576) over RadSec and the RADIUS server uses an existing TLS connection opened by the IAP to send the request.
- By default, the IAP uses its device certificate to establish a TLS connection with RadSec server. You can also upload your custom certificates on to IAP. For more information on uploading certificates, see Certificates.
Authentication Termination on IAP
Aruba Central allows EAP termination for PEAP-Generic Token Card (PEAP-GTC Generic Token Card. GTC is a protocol that can be used as an alternative to MSCHAPv2 protocol. GTC allows authentication to various authentication databases even in cases where MSCHAPv2 is not supported by the database.) and Protected Extensible Authentication Protocol-Microsoft Challenge Authentication Protocol version 2 (PEAP-MSCHAPv2). PEAP-GTC termination allows authorization against an LDAP server and external RADIUS server while PEAP-MSCHAPv2 allows authorization against an external RADIUS server.
This allows the users to run PEAP-GTC termination with their username and password to a local Microsoft Active Directory Microsoft Active Directory. The directory server that stores information about a variety of things, such as organizations, sites, systems, users, shares, and other network objects or components. It also provides authentication and authorization mechanisms, and a framework within which related services can be deployed. server with LDAP authentication.
- EAP-GTC EAP – Generic Token Card. (non-tunneled). is mainly used for one-time token cards such as SecureID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the IAP to an external authentication server for user data backup. —This EAP method permits the transfer of unencrypted usernames and passwords from client to server. The
- —This EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.
Dynamic Load Balancing between Authentication Servers
You can configure two authentication servers to serve as a primary and backup RADIUS server and enable load balancing between these servers. Load balancing of authentication servers ensures that the authentication load is split across multiple authentication servers and enables the IAPs to perform load balancing of authentication requests destined to authentication servers such as RADIUS or LDAP.
The load balancing in IAP is performed based on the outstanding authentication sessions. If there are no outstanding sessions and if the rate of authentication is low, only primary server will be used. The secondary is used only if there are outstanding authentication sessions on the primary server. With this, the load balance can be performed across asymmetric capacity RADIUS servers without the need to obtain inputs about the server capabilities from the administrators.