802.1X Wired, 802.1X Wireless, and Aruba 802.1X Wireless Service Template

Policy Manager includes the following 802.1X service templates. All three of these 802.1X service templates are configured using identical parameters.

The 802.1X Wired service template is designed for wired end-hosts connecting through an Ethernet LAN using IEEE 802.1X authentication. The 802.1X Wired service template allows configuration of both identity-based and posture-based policies.

The 802.1X Wireless template is for wireless end-hosts connecting through an 802.11 wireless access device or controller using IEEE 802.1X authentication. The 802.1X Wireless template allows configuring both identity-based and posture-based policies.

The Aruba 802.1X Wireless template is designed for wireless end-hosts connecting through an Aruba 802.11 wireless access device or controller using IEEE 802.1X authentication (service rules customized for an Aruba WLAN controller).

Adding a Service to an 802.1X Template

To access the 802.1X Wired and Wireless service templates:

1. Navigate to Configuration > Service Templates & Wizards.

2. From the Service Templates & Wizards page, select the desired 802.1X Wired or Wireless service template. The desired 802.1X Wired or Wireless service template page opens to the General tab.

Figure 1  Service Templates > 802.1X Wired Service Template

3. Specify a unique Name Prefix (applies only to the selected template) in the General tab.

4. Specify the parameters in the 802.1X Wired, 802.1X Wireless, and Aruba 802.1X Wireless service templates as described in the following table:

Table 1: 802.1X Service Parameters

Parameter

Action/Description

General

Select Prefix

Select a prefix from the existing list of prefixes.

This populates the preconfigured information in the Authentication and Enforcement Details sections. The Name Prefix field is not editable.

Name Prefix

Enter a prefix that is appended to services using this template.

Use this to identify the services that use this template.

Authentication

Select Authentication Source

Select any available authentication source from the drop-down list.

When you select an existing authentication source, the "Create an Active Directory Authentication Source" section is removed. The information required for the Authentication and Enforcement Details tabs is automatically populated.

Active Directory Name

To create a new Active Directory authentication source, enter the name of the Active Directory. This field is mandatory.

Description

Enter a description that helps you to identify the characteristics of this template.

This field is mandatory.

Server

Enter the hostname or the IP address of the Active Directory server. This field is mandatory.

Port

Enter the TCP port where the server is listening for a connection.

This field is mandatory.

Identity

Enter the Distinguished Name (DN) of the administrator account. This field is mandatory.

Password

Enter the account password. This field is mandatory.

NetBIOS

Enter the server Active Directory domain name. This field is mandatory.

Base DN

Enter the Distinguished Name (DN) of the node in your directory tree from which to start searching for records. This field is mandatory.

Wired Network Settings (for Wired 802.1X services only)

Select Switch

Select any switch from the drop-down list.

Device Name

When you select a switch from the drop-down list, Policy Manager automatically populates the name of the device.

IP Address

When you select a switch from the drop-down list, Policy Manager automatically populates the IP address of the device.

Vendor Name

When you select a switch from the drop-down list, Policy Manager automatically populates the manufacturer of the wired controller.

RADIUS Shared Secret

When you select a switch from the drop-down list, Policy Manager automatically populates the shared secret that is configured on the controller and inside Policy Manager to send and receive RADIUS requests.

Enable RADIUS Dynamic Authorization

When you select a switch from the drop-down list, Policy Manager automatically enables RADIUS dynamic authorization on the network device.

Dynamic Authorization Port

Specifies the default port 3799 when Enable RADIUS Dynamic Authorization is enabled.

Change this value only if you defined a custom port on the network device.

Enable RadSec

To enable RadSec, click the Enable RadSec check box.

When RadSec is enabled, the RADIUS shared secret is populated with a default shared secret named “radsec.”

Wireless Network Settings (for Wireless 802.1X services only)

Wireless Controller Name

Enter the name of the wireless controller.

Controller IP Address

Enter the IP address of the wireless controller.

Vendor Name

Select the manufacturer of the wireless controller.

RADIUS Shared Secret

Enter the shared secret that is configured on the controller and Policy Manager to send and receive RADIUS requests.

Enable RADIUS Dynamic Authorization

When you select a switch from the drop-down list, Policy Manager automatically enables RADIUS dynamic authorization on the network device.

Dynamic Authorization Port

Specifies the default port 3799 when Enable RADIUS Dynamic Authorization is enabled.

Change this value only if you defined a custom port on the network device.

Enable RadSec

To enable RadSec, click the Enable RadSec check box.

When RadSec is enabled, the RADIUS shared secret is populated with a default shared secret named “radsec.”

NOTE: The wireless controller must be configured with the same shared secret.

Posture Settings

Enable Posture Checks

Select the check box to perform health checks post-authentication. This enables the Host Operating System and Quarantine Message fields.

Host Operating System

Select the operating system: Windows, Linux, or macOS.

Quarantine Message

Specify the quarantine message that will appear on the client.

Enforcement Details


Attribute Name

The attributes defined in the Authentication Source are listed here.

Configure an optional enforcement policy based on the following attributes:

Account Expires

Department

Email

Name

Phone

UserDN

Company

member of

For example, you can configure an enforcement policy for a contractor specifying that "If Name equals <contractor_name>, then assign the [Contractor] Role."

Attribute Value

Enter the Active Directory attribute value for the selected name in the Attribute Name field.

VLAN ID

Enter the standard RADIUS-IETF VLAN ID.

Default VLAN/Role

You can specify a default VLAN or role for instances in which the VLAN or role is not specified.

5. Update the required fields in the Authentication and Enforcement Details sections.

6. Click Add Service. An entry for the new configuration is created under the Services, Roles, Role Mapping, Enforcement Policies and Profiles menus.
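The Enforcement Details rows above describe a rule of the form "If <attribute> equals <value>, then assign <role>", with a default VLAN/role used when no rule matches, and a VLAN ID returned as standard RADIUS-IETF attributes. The following Python block is an added example written for this page, not Policy Manager's own policy engine: it evaluates such rules against a user's Active Directory attributes and builds the RADIUS-IETF VLAN attributes for the result. The attribute names, group DNs, roles and VLAN numbers are constructed sample values, and the exact, case-sensitive string match is an assumption made here for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# RFC 2868 / RFC 3580 values used when a VLAN is carried in a RADIUS Access-Accept
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

AttrValue = Union[str, List[str]]


@dataclass(frozen=True)
class Rule:
    """'If <attribute> equals <value>, then assign <role>' (optionally with a VLAN)."""
    attribute: str            # Active Directory attribute name, e.g. "Name" or "member of"
    value: str
    role: str
    vlan_id: Optional[int] = None


@dataclass(frozen=True)
class Decision:
    role: str
    vlan_id: Optional[int]
    matched_rule: Optional[Rule]   # None means the default VLAN/role was applied


def evaluate(user_attrs: Dict[str, AttrValue], rules: List[Rule],
             default_role: str, default_vlan: Optional[int]) -> Decision:
    """First matching rule wins; no match falls back to the default VLAN/role."""
    for rule in rules:
        actual = user_attrs.get(rule.attribute)
        if actual is None:
            continue
        # "member of" is multi-valued in AD: match if any group equals the rule value
        candidates = actual if isinstance(actual, list) else [actual]
        if rule.value in candidates:
            return Decision(rule.role, rule.vlan_id, rule)
    return Decision(default_role, default_vlan, None)


def radius_vlan_attributes(vlan_id: int) -> Dict[str, Union[int, str]]:
    """Standard RADIUS-IETF attributes that carry a VLAN ID to the switch or controller."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


# Constructed sample policy mirroring the contractor example in the table
SAMPLE_RULES = [
    Rule("Name", "contractor1", "[Contractor]", vlan_id=20),
    Rule("member of", "CN=Engineering,OU=Groups,DC=example,DC=com", "[Employee]", vlan_id=10),
]


def decide_for(user_attrs: Dict[str, AttrValue]) -> Decision:
    """Evaluate the constructed sample policy with a default of [Guest] on VLAN 99."""
    return evaluate(user_attrs, SAMPLE_RULES, default_role="[Guest]", default_vlan=99)


if __name__ == "__main__":
    for attrs in ({"Name": "contractor1"},
                  {"Name": "alice", "member of": ["CN=Engineering,OU=Groups,DC=example,DC=com"]},
                  {"Name": "bob"}):
        d = decide_for(attrs)
        vlan = radius_vlan_attributes(d.vlan_id) if d.vlan_id else {}
        print(attrs.get("Name"), "->", d.role, vlan)
```

Rules are evaluated in order, so a user who is both the named contractor and a member of the Engineering group receives the [Contractor] role; the default VLAN/role only applies when no attribute matched, which is the case the Default VLAN/Role row covers.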

Not all the Policy Manager service templates include the same sections as the 802.1X service templates. It is recommended to customize the respective templates when you add a new service.

Once you add a new service to the service template, the service denoted by the Name Prefix field appears in the Select Prefix drop-down. Selecting a prefix from the drop-down populates the existing configuration for the service.
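The Enable RADIUS Dynamic Authorization and Dynamic Authorization Port rows above, together with the note that the controller must hold the same shared secret, come down to one mechanism: Policy Manager sends RFC 5176 Disconnect-Request or CoA-Request packets to the network device on UDP port 3799, and the device only honours them if the Request Authenticator verifies under its locally configured secret. The following Python block is an added example written for this page, not Policy Manager's code: it builds a Disconnect-Request the way the standard specifies and shows the device-side verification that rejects a request built with a different secret. The user name, session ID and secret are constructed sample values.

```python
import hashlib
import hmac
import struct
from typing import Dict

# RFC 5176 packet codes for RADIUS dynamic authorization
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
DYNAMIC_AUTHORIZATION_PORT = 3799  # default port named in the template

# RFC 2865 attribute types commonly used to identify the session to act on
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type (1 octet), length (1 octet), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attributes(payload: bytes) -> Dict[int, bytes]:
    """Parse a run of attributes; reject truncated or zero-length entries."""
    attrs = {}
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", payload[pos:pos + 2])
        if attr_len < 3 or pos + attr_len > len(payload):
            raise ValueError("bad attribute length")
        attrs[attr_type] = payload[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def build_request(code: int, identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Assemble a CoA/Disconnect-Request. Per RFC 5176 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def build_disconnect_request(identifier: int, username: str, session_id: str,
                             secret: bytes) -> bytes:
    """Disconnect the session identified by User-Name and Acct-Session-Id."""
    attributes = (encode_attribute(ATTR_USER_NAME, username.encode())
                  + encode_attribute(ATTR_ACCT_SESSION_ID, session_id.encode()))
    return build_request(DISCONNECT_REQUEST, identifier, attributes, secret)


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Device-side check: recompute the authenticator with the locally configured
    secret and compare in constant time. A request built with a different secret
    fails here, which is why controller and Policy Manager must share the value."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    secret = b"constructed-secret"       # sample value, not a real deployment secret
    pkt = build_disconnect_request(7, "contractor1", "0001ABCD", secret)
    print("accepted with matching secret:", verify_request(pkt, secret))
    print("accepted with wrong secret:   ", verify_request(pkt, b"wrong-secret"))
    print("session attributes:", decode_attributes(pkt[20:]))
```

The verification step is the reason a shared-secret mismatch shows up as silently ignored disconnects or CoA timeouts rather than an explicit error: RFC 5176 has the device discard a request whose authenticator does not verify, so the first thing to check when dynamic authorization appears not to work is that the secret and the port (3799 unless a custom port was set on the device) agree on both sides.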

Deleting a Service

To delete a service:

1. Select the appropriate service from the Select Prefix drop-down.

2. Click Delete.

All the configured entries under the Services, Authentication Source, Roles, Role Mapping, Enforcement Policies and Profiles menus are deleted if these entities were created from the service template.

When you edit or delete the entities of a service, a message is displayed at the top of the entity page stating that the selected entity was created through the service template. Do not delete entities used in service configurations that were not created using the service template.