Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Configuring External Authentication Servers for APs
You can configure an external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. server, TACACS Terminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. , and LDAP Lightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. server for user authentication. You can configure guest network using External Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. profile for external authentication.
To configure a server, complete the following steps:
- In the WebUI, set the filter to a group that contains at least one AP.
The dashboard context for the group is displayed. - Under , click > .
- Click the icon.
The tabs to configure APs are displayed. - Click , and click the tab.
The details for the selected group or the device are displayed. - In the panel, click to create a new server.
- Select any of the following server types and configure the parameters for your deployment scenario.
Table 1: Authentication Server Configuration
Type of Server
Parameters
Name of the external RADIUS server.
IP address or the FQDN Fully Qualified Domain Name. FQDN is a complete domain name that identifies a computer or host on the Internet. of the external RADIUS server.
Set to to enable secure communication between the RADIUS server and AP by creating a TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. tunnel between the AP and the server.
If is enabled, the following configuration options are displayed:
—Communication port number for RadSec TLS connection. By default, the port number is set to 2083.
Authorization port number of the external RADIUS server. The default port number is 1812.
To allow the APs to process RFC Request For Comments. RFC is a commonly used format for the Internet standards documentss. 3576-compliant CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. and disconnect messages from the RADIUS server, select this check box. Disconnect messages terminate the user session immediately, whereas the CoA messages modify session authorization attributes such as data filters. When you enable the option, the field is displayed with the port number for sending Bonjour support CoA on a different port than on the standard CoA port. The default value is 5999.
The accounting port number used for sending accounting records to the RADIUS server. The default port number is 1813.
and Retype Key
Shared key for communicating with the external RADIUS server.
The timeout duration for one RADIUS request. The AP retries sending the request several times (as configured in the ) before the user is disconnected. For example, if the is 5 seconds, is 3, user is disconnected after 20 seconds. The default value is 5 seconds.
The maximum number of authentication requests that can be sent to the server group by the AP. You can specify a value within the range of 1–5. The default value is 3 requests.
Enter the IP address.
For AP-based cluster deployments, ensure that you enter the VC IP address as the NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. IP address.
For Cloud AP based Campus WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. deployments, ensure that you enter the AP IP address as the NAS IP address.
Use this to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.
Select any of the following check boxes to send the service type as in the access requests to the RADIUS server:
—Changes the service type to frame for 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication.
—Changes the service type to frame for MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. authentication.
—Changes the service type to frame for Captive Portal authentication.
Select any of the following check boxes to detect the server status of the RADIUS server:
—Select this check-box to ensure the AP sends a status-server request to determine the actual state of the authentication server before marking the server as unavailable.
—Select this check-box to ensure the AP sends a status-server request to determine the actual state of the accounting server before marking the server as unavailable.
When you enable the option, the field is displayed with the port number for sending Bonjour support CoA on a different port than on the standard CoA port.
The default value is 5999.
Name of the LDAP server.
IP address of the LDAP server.
Authorization port number of the LDAP server. The default port number is 389.
A distinguished name for the admin user with read and search privileges across all the entries in the LDAP database (the admin user need not have write privileges, but the admin user must be able to search the database, and read attributes of other users in the database).
and Retype Admin Password
Password for the admin user.
Distinguished name for the node that contains the entire user database.
The filter to apply when searching for a user in the LDAP database. The default filter string is .
The attribute to use as a key while searching for the LDAP server. For Active Directory Microsoft Active Directory. The directory server that stores information about a variety of things, such as organizations, sites, systems, users, shares, and other network objects or components. It also provides authentication and authorization mechanisms, and a framework within which related services can be deployed., the value is .
Timeout interval within a range of 1–30 seconds for one RADIUS request. The default value is 5.
The maximum number of authentication requests that can be sent to the server group. You can specify a value within the range of 1–5. The default value is 3.
Name of the server.
and Retype Key
The secret key to authenticate communication between the TACACS client and server.
The TCP Transmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data. IP port used by the server. The default port number is 49.
A number between 1 and 30 seconds to indicate the timeout period for TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS. requests. The default value is 20 seconds.
IP address of the server.
The maximum number of authentication attempts to be allowed. The default value is 3.
Specify a dead time for authentication server in minutes. When two or more authentication servers are configured on the AP and a server is unavailable, the dead time configuration determines the duration for which the authentication server is available if the server is marked as unavailable.
Enable this option to allow the authorization of sessions.
—The external captive portal servers are used for authenticating guest users in a WLAN.
Enter a name for the profile.
Enter the IP address or the host name of the external splash page server.
Enter the URL Uniform Resource Locator. URL is a global address used for locating web resources on the Internet. of the external captive portal server.
Enter the port number that is used for communicating with the external captive portal server.
Select this to enforce clients to use HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.
This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select to prevent guest users from using the network, or to access the network.
Select the check box to enable the server offload feature. The server offload feature ensures that the non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server.
Select this check box to prevent the overlay of frames. When enabled, the frames display only those pages that are in the same domain as the main page.
Specify a redirect URL if you want to redirect the users to another URL.
Use AP IP in Redirect URL
Select this check box to use the access point IP address as a redirect URL.
Name of the server.
IP address of the server.
and Retype Key
The secret key to authenticate communication between the TACACS client and server.
CPPM Username
CPPM Password and Retype CPPM Password
Enter the ClearPass ClearPass is an access management system for creating and enforcing policies across a network to all devices and applications. The ClearPass integrated platform includes applications such as Policy Manager, Guest, Onboard, OnGuard, Insight, Profile, QuickConnect, and so on. Policy Manager admin password.
A port number for sending Bonjour support CoA on a different port than on the standard CoA port. The default value is 5999.
A shared key for communicating with the external RADIUS server.
Change of Authorization(CoA) is a subset of Dynamic Authorization include disconnecting messages.
- Click .
To assign the authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.
You can also add an external RADIUS server when configuring a WLAN SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. profile.
To configure the IP MTU Maximum Transmission Unit. MTU is the largest size packet or frame specified in octets (eight-bit bytes) that can be sent in networks such as the Internet. for EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication. fragmentation, specify the value in the EAP Fragmentation MTU text box. The AP receives the EAP packet with certificate from the client and fragments it into smaller EAP fragments based on the configured IP MTU.
