Configuring 802.1X Authentication For A Network Profile - Aruba IAP-335 User Manual


Important Points to Remember
- Any client connected through ClearPass Policy Manager and authenticated through IAP remains
  authenticated with the IAP even if the client is removed from the ClearPass Policy Manager server during
  the ClearPass Policy Manager downtime.
- Do not make any changes to the authentication survivability cache timeout duration when the
  authentication server is down.
- For EAP-PEAP authentication, ensure that the ClearPass Policy Manager 6.0.2 or later version is used for
  authentication. For EAP-TLS authentication, any external or third-party server can be used.
- For EAP-TLS authentication, ensure that the server and CA certificates from the authentication servers are
  uploaded on the IAP. For more information, see Uploading Certificates on page 179.

In the CLI
To configure authentication survivability for a wireless network:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}
(Instant AP)(SSID Profile <name>)# auth-server <server-name1>
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out <hours>
(Instant AP)(config)# end
(Instant AP)# commit apply
To view the cache expiry duration:
(Instant AP)# show auth-survivability time-out
To view the information cached by the IAP:
(Instant AP)# show auth-survivability cached-info
To view logs for debugging:
(Instant AP)# show auth-survivability debug-log

Configuring 802.1X Authentication for a Network Profile

This section consists of the following procedures:
- Configuring 802.1X Authentication for Wireless Network Profiles on page 168
- Configuring 802.1X Authentication for Wired Profiles on page 168

The Instant network supports both an internal RADIUS server and an external RADIUS server for 802.1X
authentication.
The steps involved in 802.1X authentication are as follows:
1. The NAS requests authentication credentials from a wireless client.
2. The wireless client sends authentication credentials to the NAS.
3. The NAS sends these credentials to a RADIUS server.
4. The RADIUS server checks the user identity and authenticates the client if the user details are available in its
database. The RADIUS server sends an Access-Accept message to the NAS. If the RADIUS server cannot
identify the user, it stops the authentication process and sends an Access-Reject message to the NAS. The
NAS forwards this message to the client and the client must re-authenticate with appropriate credentials.
5. After the client is authenticated, the RADIUS server forwards the encryption key to the NAS. The encryption
key is used for encrypting or decrypting traffic sent to and from the client.
The NAS acts as a gateway to guard access to a protected resource. A client connecting to the wireless network
first connects to the NAS.
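
The RADIUS leg of steps 3 and 4, shown as an added example that is not part of the Aruba user guide: the NAS builds an Access-Request carrying the client's EAP payload with a Message-Authenticator (RFC 3579), and accepts a reply only if its Response Authenticator (RFC 2865) verifies against the shared secret. The function names, shared secret, user name and EAP payload are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
SECRET = b"constructed-shared-secret"  # constructed sample value
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"  # constructed EAP-Response/Identity

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, user, eap, secret, req_auth=None):
    """Step 3: the NAS wraps the client's EAP payload in an Access-Request."""
    req_auth = req_auth or os.urandom(16)
    # Message-Authenticator goes last and is zeroed while the HMAC is computed (RFC 3579)
    attrs = attr(USER_NAME, user) + attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def request_mac_ok(request, secret):
    """Server side: recompute HMAC-MD5 with the trailing Message-Authenticator zeroed."""
    zeroed = request[:-16] + bytes(16)
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), request[-16:])

def build_response(code, request, secret, attrs=b""):
    """Step 4, server side: the Response Authenticator binds the reply to the request."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    digest = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + digest + attrs

def verify_response(response, request, secret):
    """Step 4, NAS side: return the reply code, or None if the reply is not authentic."""
    if len(response) < 20 or response[1] != request[1]:
        return None
    if int.from_bytes(response[2:4], "big") != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None

if __name__ == "__main__":
    req = build_access_request(7, b"alice", SAMPLE_EAP, SECRET)
    accept = build_response(ACCESS_ACCEPT, req, SECRET)
    forged = build_response(ACCESS_ACCEPT, req, b"wrong-secret")
    print(request_mac_ok(req, SECRET), verify_response(accept, req, SECRET),
          verify_response(forged, req, SECRET))
```

A reply built with a different shared secret, or with its code byte altered after signing, fails verification and is dropped rather than treated as an Access-Accept.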
Aruba Instant 6.5.0.0-4.3.0.0 | User Guide | Authentication and User Management | 167
