802.1X Authentication

802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. is an IEEE Institute of Electrical and Electronics Engineers. standard that provides an authentication framework for WLANs Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection.. The 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. standard uses the EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.  to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. framework include EAP-TLS EAP–Transport Layer Security. EAP-TLS is a certificate-based authentication method supporting mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints. See RFC 5216., PEAP Protected Extensible Authentication Protocol. PEAP is a type of EAP communication that addresses security issues associated with clear text EAP transmissions by creating a secure channel encrypted and protected by TLS., and EAP-TTLS EAP–Tunneled Transport Layer Security. EAP-TTLS is an EAP method that encapsulates a TLS session, consisting of a handshake phase and a data phase. See RFC 5281.. These protocols allow the network to authenticate the client while also allowing the client to authenticate the network. For more information on EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.  authentication framework supported by the Instant APs, see Supported EAP Authentication Frameworks.

The 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication method allows anInstant AP to authenticate the identity of a user before providing network access to the user. The RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  protocol provides centralized authentication, authorization, and accounting management. For authentication purpose, the wireless client can associate to a NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. or RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  client such as a wireless Instant AP. The wireless client can pass data traffic only after a successful 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication. ArubaInstant supports the IMSI authentication process for device encryption. The EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication. -AKA protocol is used with 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. to authenticate client access to a client network. The EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication. -AKA makes use of IMSI as a permanent identity in the authentication exchange. It is a unique encryption method that is used to track device movement and protect user privacy.

This section consists of the following procedures:

• Configuring 802.1X Authentication for Wireless Network Profiles
• Configuring 802.1X Authentication for Wired Profiles

The Instant network supports internal RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server and external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server for 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication.

The steps involved in 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication are as follows:

1. The NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. requests authentication credentials from a wireless client.
2. The wireless client sends authentication credentials to the NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. .
3. The NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. sends these credentials to a RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server.
4. The RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server checks the user identity and authenticates the client if the user details are available in its database. The RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server sends an Access-Accept message to the NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. . If the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server cannot identify the user, it stops the authentication process and sends an Access-Reject message to the NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. . The NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. forwards this message to the client and the client must re-authenticate with appropriate credentials.
5. After the client is authenticated, the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server forwards the encryption key to the NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. . The encryption key is used for encrypting or decrypting traffic sent to and from the client.

In the 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. termination-disabled mode, if the identity in the EAP-ID-Resp message is longer than or equal to 248 octets and the identity contains @FQDN at the end, then the EAP-ID-Resp message is not dropped. The RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  User-Name attribute contains the truncated-string (up to 127 octets) from the original identify before the last @FQDN followed by the last @FQDN.

Configuring 802.1X Authentication for Wireless Network Profiles

The following procedure describes how to configure 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication for a wireless network profile using the WebUI:

1. In the Configuration > Networks page, click + to create a new WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. network profile or select an existing profile for which you want to enable 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication and click edit.
2. Ensure that all required WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. and VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. attributes are defined, and then click Next.
3. Under Security tab, specify the following parameters for the Enterprise security level:
4. Select any of the following options from the Key management  drop-down list.
   • WPA2 Enterprise
   • WPA Enterprise
   • Both (WPA2 & WPA)
   • Dynamic WEP with 802.1x. If you do not want to use a session key from the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server to derive pairwise unicast keys, select the Use Session Key for LEAP  check-box.
5. To terminate the EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.  portion of 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication on the Instant AP instead of the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server, toggle the EAP Offload switch.
6. By default, for 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication, the client conducts an EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.  exchange with the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server, and the Instant AP acts as a relay for this exchange. When EAP Offload is enabled, the Instant AP by itself acts as an authentication server and terminates the outer layers of the EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.  protocol, only relaying the innermost layer to the external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server.
7. Specify the type of authentication server to use and configure other required parameters. You can also configure two different authentication servers to function as primary and backup servers when EAP Offload is enabled. For more information on RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  authentication configuration parameters, see External RADIUS Server.
8. Click Next to define access rules, and then click Finish to apply the changes.

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configures 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication for a wireless network:

Configuring 802.1X Authentication for Wired Profiles

The following procedure describes how to configure 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication for a wired profile using the WebUI:

1. Go to the Configuration > Networks page.
2. Click + under the Networks window to create a new network or select an existing profile for which you want to enable 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication and then click +.
3. Under the Basic tab ensure that the required Wired and VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. attributes are defined, and then click Next.
4. In the Security tab, toggle the 802.1X authentication switch to enable.
5. Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see Configuring Security Settings for a Wired Profile.
6. Click Next to define access rules and then click Finish to apply the changes.
7. Assign the profile to an Ethernet Ethernet is a network protocol for data transmission over LAN. port. For more information, see Assigning a Profile to Ethernet Ports.

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configures 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication for a wired profile: