Authentication Servers for APs
External authentication is the use of third-party authentication sources to decide whether a user should be allowed access to a network. The external authentication server also controls the user's privileges on the network. WLAN (Wireless Local Area Network) clients connecting to an SSID (Service Set Identifier) in the network can authenticate to a server based on the security profile configured on the SSID. This section describes the types of authentication servers that can be configured for a network profile.
HPE Aruba Networking Wireless Operating System 10 APs support the following external authentication servers for connecting clients:
- RADIUS (Remote Authentication Dial-In User Service): an industry-standard network access protocol for remote authentication that provides authentication, authorization, and accounting of remote users who want to access network resources.
- LDAP (Lightweight Directory Access Protocol): a communication protocol for accessing and maintaining distributed directory information services over a network.
- Dynamic Authorization
RADIUS Server
To process authentication attempts from the AP, the external RADIUS server must have the IP address of each AP added as a network access server (NAS, Network Access Server). The AP, acting as the NAS, forwards all client authentication requests to the remote RADIUS server. The RADIUS server responds to each authentication request with an Access-Accept message (successful authentication, carrying authorization information) or an Access-Reject message (user not authorized), and users are allowed or denied access to the network depending on that response. To use a RADIUS server for user authentication, you must configure the RADIUS server on the AP.
To configure RADIUS authentication server, see Configuring RADIUS Authentication Server for a WLAN SSID Profile.
LDAP Server
The LDAP server provides a centralized authentication repository that allows you to create user accounts and groups in one place. This makes it easy to manage user access to the network. When a user attempts to connect to a wireless network, the AP authenticates the user against the LDAP server and allows the user to connect to the network. To use an LDAP server for user authentication, configure the LDAP server on the AP, and configure user IDs and passwords.
To configure LDAP authentication server, see Configuring LDAP Authentication Server for a WLAN SSID Profile.
Dynamic Authorization Server
The Dynamic Authorization server provides the ability to dynamically make changes to a user account session while it is in progress. This includes disconnecting a session or updating authorization policies for users and devices on the wireless network. It also includes bringing down and then bringing back up the interface on which a client is connected by using RADIUS Change of Authorization (CoA). Dynamic authorization enables or disables the processing of Disconnect and CoA messages from the RADIUS server.
To configure Dynamic Authorization server, see Configuring Dynamic Authorization Servers for a WLAN SSID Profile.
RADIUS Server Authentication with VSA
When a RADIUS server responds to an authentication attempt, additional attributes can be returned along with the Access-Accept message. Standard IETF RADIUS attributes and vendor-specific attributes (VSAs) are interpreted by the AP to apply identity-based restrictions such as the user role or the assigned VLAN (Virtual Local Area Network). The external RADIUS server authenticates network users and returns to the AP a VSA that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA.
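As an added example that is not part of the HPE Aruba Networking documentation, the following Python shows the two steps an AP-side consumer of an Access-Accept has to take before acting on it: verify the Response Authenticator against the shared secret, and only then read the role from the vendor-specific attribute and the VLAN from the standard Tunnel-Private-Group-ID attribute. The Aruba vendor ID 14823 and the Aruba-User-Role sub-attribute 1 are taken from the public Aruba RADIUS dictionary and are assumptions here; the secret, identifiers and packet contents are constructed.

```python
import hashlib
import struct

# Assumptions, not from the page: Aruba's IANA enterprise number and the
# Aruba-User-Role sub-attribute id as listed in the public Aruba RADIUS dictionary.
ARUBA_VENDOR_ID, ARUBA_USER_ROLE = 14823, 1
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_VSA, ATTR_TUNNEL_PRIVATE_GROUP_ID = 26, 81   # RFC 2865 / RFC 2868


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse_response(packet, request_auth, secret):
    """Return the accept decision, role (Aruba VSA) and VLAN; None if not authentic/malformed."""
    if len(packet) < 20 or struct.unpack("!BBH", packet[:4])[2] != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        return None                          # forged or tampered: the NAS must ignore it
    code, length = packet[0], len(packet)
    result = {"code": code, "accept": code == ACCESS_ACCEPT, "role": None, "vlan": None}
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            return None                      # truncated or malformed attribute
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VSA and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor_id == ARUBA_VENDOR_ID and vtype == ARUBA_USER_ROLE and vlen == len(value) - 4:
                result["role"] = value[6:].decode("ascii", "replace")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: an optional leading tag byte (0x00..0x1F) precedes the group id
            result["vlan"] = (value[1:] if value[0] <= 0x1F else value).decode("ascii", "replace")
        pos += alen
    return result


def demo():
    """Constructed Access-Accept (role 'employee', VLAN 200) and a copy tampered in flight."""
    secret, request_auth = b"constructed-shared-secret", bytes(range(16))
    role = b"employee"
    vsa = struct.pack("!IBB", ARUBA_VENDOR_ID, ARUBA_USER_ROLE, 2 + len(role)) + role
    attrs = [(ATTR_VSA, vsa), (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"200")]
    good = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    forged = good[:-1] + bytes([good[-1] ^ 1])   # VLAN "200" -> "201" without re-authenticating
    return parse_response(good, request_auth, secret), parse_response(forged, request_auth, secret)
```

The tampered copy fails the authenticator check and yields None, so no role or VLAN is ever applied from it; a packet whose shared secret is wrong fails the same way.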
RADIUS Communication over TLS (RadSec)
RADIUS over TLS (Transport Layer Security), also known as RadSec, is a protocol that uses TLS for end-to-end secure communication between the RADIUS server and the AP. RadSec wraps the entire RADIUS packet payload in a TLS stream. Enabling RadSec increases the level of security for authentication that is carried out across the cloud network. When configured, this feature ensures that the RadSec protocol is used for safely transmitting the authentication and accounting data between the AP and the RadSec server.
The following conditions apply to RadSec configuration:
- The RADIUS packets go through the tunnel once the TLS tunnel is established.
- By default, TCP (Transmission Control Protocol) port 2083 is assigned for RadSec. Separate ports are not used for authentication, accounting, and dynamic authorization changes.
- Classic Central supports dynamic authorization or CoA (RFC 3576) over RadSec. The RADIUS server uses an existing TLS connection opened by the AP to send the request.
- By default, the AP uses a unique factory-installed device certificate to establish a TLS connection with the RadSec server. You can also upload or use enrollment over secure transport (EST) to install a custom certificate on the AP.
