Authentication Survivability

The authentication survivability feature provides a survivable authentication framework that tolerates remote link failures when working with external authentication servers. When enabled, this feature allows the Instant APs to authenticate previously connected clients against the cached credentials if the connection to the authentication server is temporarily lost. This feature is now available for WLAN SSIDs with open, personal (MPSK-AES) and enterprise security levels.

Instant supports the following authentication standards for authentication survivability:

EAP-MSCHAPv2: PEAP, also known as Protected EAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated TLS tunnel.

EAP-TLS: EAP-TLS is an IETF open standard that uses the TLS protocol.

MAC Authentication: MAC-based authentication is a standard that authenticates devices based on their physical media access control (MAC) address.

When the authentication survivability feature is enabled, the following authentication process is used:

1. Upon successful authentication, the associated Instant AP caches the authentication credentials of the connected clients for the configured duration. The cache expiry duration for authentication survivability can be set within the range of 1–99 hours, with 24 hours being the default cache timeout duration.

2. If the client roams or tries to reconnect to the Instant AP and the remote link fails due to the unavailability of the authentication server, the Instant AP uses the cached credentials in the internal authentication server to authenticate the user. However, if the client tries to reconnect after the cache expiry, the authentication fails.

3. When the authentication server is available and if the client tries to reconnect, the Instant AP detects the availability of server and allows the client to authenticate to the server. Upon successful authentication, the Instant AP cache details are refreshed.

Starting from Aruba Instant 8.4.0.0, access credentials, user roles, and other key attributes are cached when clients are authenticated by an external authentication server.

Below are the cached RADIUS attributes:

ARUBA_NAMED_VLAN

ARUBA_NO_DHCP_FINGERPRINT

ARUBA_ROLE

ARUBA_VLAN

MS_TUNNEL_MEDIUM_TYPE

MS_TUNNEL_PRIVATE_GROUP_ID

MS_TUNNEL_TYPE

PW_SESSION_TIMEOUT

PW_USER_NAME

Important Points to Remember

Any client connected through ClearPass Policy Manager and authenticated through Instant AP remains authenticated with the Instant AP even if the client is removed from the ClearPass Policy Manager server during the ClearPass Policy Manager downtime.

Do not make any changes to the authentication survivability cache timeout duration when the authentication server is down.

For EAP-PEAP authentication, ensure that ClearPass Policy Manager 6.0.2 or a later version is used for authentication. For EAP-TLS authentication, any external or third-party server can be used.

For EAP-TLS authentication, ensure that the server and CA certificates from the authentication servers are uploaded on the Instant AP. For more information, see Authentication Certificates.

The authentication cache is lost if the Instant AP on which the user credentials are cached is rebooted.

EAP-PEAP authentication survivability is supported on Aruba CPPM Server version 6.0.2 or later versions.

Limitations

Authentication survivability is not supported under the following conditions:

1. When EAP Termination is enabled.

2. When the RadSec server is used as an authentication server.

3. When the internal server is used as a secondary authentication server.

Enabling Authentication Survivability

The following procedure describes how to enable authentication survivability for a wireless network profile through the WebUI:

Table 1: Enabling Authentication Survivability

New WebUI

1. In the Configuration > Networks page,

a. Click + to create a new WLAN SSID profile, or

b. Select an existing profile for which you want to enable authentication survivability and click edit.

2. Ensure that the required WLAN and VLAN attributes are defined under the Basic and VLAN tabs.

3. Under the Security tab, select Open, Personal (MPSK-AES) or Enterprise in the Security Level list box.

4. Select an existing authentication server or create a new server by clicking +.

5. To enable authentication survivability, toggle the Authentication survivability switch. On enabling this, the Instant AP authenticates the previously connected clients using EAP-PEAP, EAP-TLS, and MAC authentication when the connection to the external authentication server is temporarily lost.

6. In the Cache timeout (global) text box, specify the cache timeout duration, after which the cached details of the previously authenticated clients expire. You can specify a value within the range of 1–99 hours; the default cache timeout duration is 24 hours.

7. Click Next until Finish to apply the changes.

Old WebUI

1. On the Networks tab, click New to create a new WLAN SSID profile, or select an existing profile for which you want to enable authentication survivability and click edit.

2. In the Edit <profile-name> or the New WLAN window, ensure that the required WLAN and VLAN attributes are defined, and then click Next.

3. On the Security tab, under the Open, Personal (MPSK-AES) or Enterprise security settings, select an existing authentication server or create a new server by clicking New.

4. To enable authentication survivability, select Enabled from the Authentication survivability drop-down list. On enabling this, the Instant AP authenticates the previously connected clients using EAP-PEAP, EAP-TLS and MAC authentication when the connection to the external authentication server is temporarily lost.

5. In the Cache timeout (global) text box, specify the cache timeout duration, after which the cached details of the previously authenticated clients expire. You can specify a value within the range of 1–99 hours; the default cache timeout duration is 24 hours.

6. Click Next and then click Finish to apply the changes.

The following CLI commands configure authentication survivability for a wireless network:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>|<Guest>}

(Instant AP)(SSID Profile <name>)# auth-server <server-name1>

(Instant AP)(SSID Profile <name>)# auth-survivability

(Instant AP)(SSID Profile <name>)# exit

(Instant AP)(config)# auth-survivability cache-time-out <hours>

The following CLI command shows the cache expiry duration:

(Instant AP)# show auth-survivability time-out

The following CLI command shows information on the auth-survivability entries cached by the Instant AP:

(Instant AP)# show auth-survivability cached-info

The following CLI command shows logs for debugging:

(Instant AP)# show auth-survivability debug-log

Priority for Local Cache Authentication

Priority for Local Cache Authentication for wireless networks is based on the Authentication Survivability framework of Aruba Instant. When Priority for Local Cache Authentication is enabled, the Instant AP first attempts to authenticate clients with the local cache data maintained for authentication survivability and uses the RADIUS server to authenticate only those clients whose data is not available in the local cache. This feature can be used only if Authentication Survivability is enabled.
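The decision order described in the three-step authentication process above and in this section, as an added Python model that is not Aruba code: it assumes a simulated clock counted in hours, a hypothetical `radius` callable standing in for the external server, and a hashed-credential cache whose real on-AP storage format the page does not describe.

```python
import hashlib
from dataclasses import dataclass, field

DEFAULT_CACHE_TIMEOUT_HOURS = 24            # default from the page
CACHE_TIMEOUT_RANGE_HOURS = (1, 99)         # configurable range from the page
# Subset of the RADIUS attributes the page lists as cached (Instant 8.4.0.0+).
CACHED_ATTRIBUTES = ("ARUBA_ROLE", "ARUBA_VLAN", "ARUBA_NAMED_VLAN",
                     "PW_SESSION_TIMEOUT", "PW_USER_NAME")


@dataclass
class CacheEntry:
    cred_digest: str       # digest of the credential (simulated storage format)
    attributes: dict       # cached RADIUS attributes
    cached_at: float       # simulated clock, in hours


@dataclass
class InstantAP:
    cache_timeout_hours: int = DEFAULT_CACHE_TIMEOUT_HOURS
    priority_local_cache: bool = False      # Priority for Local Cache Authentication
    cache: dict = field(default_factory=dict)   # client id -> CacheEntry

    def __post_init__(self):
        lo, hi = CACHE_TIMEOUT_RANGE_HOURS
        if not lo <= self.cache_timeout_hours <= hi:
            raise ValueError(f"cache timeout must be {lo}-{hi} hours")

    def _cache_hit(self, client, credential, now):
        """Return the entry if it exists, is unexpired and the credential matches."""
        entry = self.cache.get(client)
        if entry is None or now - entry.cached_at > self.cache_timeout_hours:
            return None                      # no entry, or cache expiry reached
        return entry if entry.cred_digest == _digest(credential) else None

    def authenticate(self, client, credential, now, radius):
        """radius is None while the server is unreachable, otherwise a callable
        (client, credential) -> RADIUS attribute dict, or None on reject.
        Returns (decision, attributes) with decision in server/cache/reject."""
        hit = self._cache_hit(client, credential, now)
        if self.priority_local_cache and hit is not None:
            return "cache", hit.attributes   # cache first, server only for misses
        if radius is not None:
            attrs = radius(client, credential)
            if attrs is None:
                return "reject", None
            kept = {k: v for k, v in attrs.items() if k in CACHED_ATTRIBUTES}
            self.cache[client] = CacheEntry(_digest(credential), kept, now)  # refresh
            return "server", kept
        if hit is not None:                  # server down: fall back to the cache
            return "cache", hit.attributes
        return "reject", None                # server down and no usable cache entry

    def reboot(self):
        self.cache.clear()                   # per the page, a reboot loses the cache


def _digest(credential):
    return hashlib.sha256(credential.encode()).hexdigest()
```

Without the priority flag the server is always tried first and the cache only covers an outage; with it, a client whose entry is still within the timeout never reaches the RADIUS server, which is why the page restricts the feature to networks that already have survivability enabled.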

Configuring Priority for Local Cache Authentication

Priority for Local Cache Authentication is only available for clients authenticated through MAC and 802.1X authentication.

The following procedure describes how to prioritize local cache for authentication using the New WebUI:

1. Select the network for which you want to enable local cache authentication in the Configuration > Networks page and click edit.

2. Navigate to the Security Tab.

3. Enable Authentication Survivability.

4. Toggle the Priority for Local Cache Authentication button to enable or disable the feature.

5. Click Next to configure Access settings for the WLAN network and click Finish.

The following CLI commands enable Priority for Local Cache Authentication for a WLAN SSID profile:

(Instant AP)(config)# wlan ssid-profile <profile name>

(Instant AP)(SSID Profile "<profile name>")# auth-survivability

(Instant AP)(SSID Profile "<profile name>")# priority-use-local-cache-auth

The following CLI commands disable Priority for Local Cache Authentication for a WLAN SSID profile:

(Instant AP)(config)# wlan ssid-profile <profile name>

(Instant AP)(SSID Profile "<profile name>")# no priority-use-local-cache-auth