Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Configuring External Authentication Servers for IAPs
You can configure an external RADIUS (Remote Authentication Dial-In User Service), TACACS (Terminal Access Controller Access Control System), or LDAP (Lightweight Directory Access Protocol) server for user authentication. For a guest network, you can configure an External Captive Portal profile so that guest users are authenticated by an external server.
To configure a server, complete the following procedure:
- In the WebUI, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
- Open the list of APs for the group. A list of APs is displayed in the list view.
- Click the configuration icon. The tabs to configure the APs are displayed.
- Click Security. The Security page is displayed.
- Click the authentication servers tab and, in the authentication servers panel, click the add control to create a new server.
- Select any of the following server types and configure the parameters for your deployment scenario.
Table 1: Authentication Server Configuration (type of server, followed by its parameters)
RADIUS server

- Name: Name of the external RADIUS server.
- RadSec: Enable this option to secure communication between the RADIUS server and the IAP by creating a TLS (Transport Layer Security) tunnel between the IAP and the server. If RadSec is enabled, the following options are displayed:
  - RadSec port: Port number for the RadSec TLS connection. The default is 2083.
  - RadSec Keepalive type: The keepalive message type used to keep the RadSec connection alive. Select one of the following, based on the RadSec server's capabilities and the system load requirements:
    - TCP Keepalive: Sends TCP keepalive messages periodically. These are TCP-level packets that involve no RADIUS protocol processing, so they consume fewer resources than the Status Server type; for example, TCP Keepalive reduces the system load on the HPE Aruba Networking Cloud Guest server.
    - Status Server: Sends RADIUS Status-Server messages periodically. Use this type for RadSec servers such as CPPM, which terminates the RadSec connection after 15 minutes of RADIUS inactivity even if TCP keepalive packets are being exchanged.
  TCP Keepalive is recommended where a RadSec server is connected to a large number of RadSec clients for tracking and port access sessions: Status-Server and Access-Request messages are RADIUS protocol packets that the server must process, whereas TCP keepalive packets are TCP control packets that need no additional server resources. The RadSec Keepalive type option is available only when RadSec is enabled.
- IP address: IP address or FQDN (Fully Qualified Domain Name) of the external RADIUS server.
- Authorization port: Authorization port number of the external RADIUS server. The default is 1812.
- Accounting port: Port number used for sending accounting records to the RADIUS server. The default is 1813.
- Shared key and Retype key: Shared key for communicating with the external RADIUS server.
- NAS IP address: The IP address that the IAP reports as the NAS (Network Access Server) IP address.
  - For IAP-based cluster deployments, enter the VC IP address as the NAS IP address.
  - For Cloud AP based Campus WLAN deployments, enter the AP IP address as the NAS IP address.
- NAS identifier: The string for RADIUS attribute 32, NAS-Identifier, sent with RADIUS requests to the RADIUS server.
- RFC 3576 CoA and Disconnect support: Select this check box to allow the APs to process RFC 3576-compliant CoA (Change of Authorization) and Disconnect messages from the RADIUS server. Disconnect messages terminate the user session immediately, whereas CoA messages modify session authorization attributes such as data filters. When you enable this option, a field is displayed for the port number used to send Bonjour support CoA on a port other than the standard CoA port. The default value is 5999.
- Timeout: The timeout duration, in seconds, for one RADIUS request. The IAP retries the request the number of times set by the retry count before the user is disconnected. For example, with a timeout of 5 seconds and a retry count of 3, the user is disconnected after 20 seconds (the initial request plus three retries). The default value is 5 seconds.
- Retry count: The maximum number of times the IAP resends an authentication request to the server group, in the range 1–5. The default value is 3.
- Dead time: The dead time for the authentication server, in minutes. When two or more authentication servers are configured on the IAP and one of them stops responding, the dead time determines how long the IAP treats that server as unavailable, and skips it, before attempting to contact it again.
- Dynamic RADIUS Proxy (DRP) parameters, shown only if DRP is enabled on the APs:
  - DRP IP address: IP address used as the source IP of RADIUS packets.
  - DRP IP mask: Subnet mask of the DRP IP address.
  - DRP VLAN: VLAN (Virtual Local Area Network) in which the RADIUS packets are sent.
  - DRP gateway: Gateway IP address of the DRP VLAN.
- Service type: Select any of the following check boxes to send Service-Type as Framed-User in the Access-Request packets to the RADIUS server:
  - 802.1X authentication
  - MAC authentication
  - Captive Portal authentication
- Server status checks: Select any of the following check boxes so that the IAP sends a Status-Server request to determine the actual state of the server before marking it as unavailable:
  - Check the authentication server status.
  - Check the accounting server status.
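The Shared key, NAS IP address, NAS identifier and Service-Type settings above all end up inside the RADIUS packets the IAP sends. The following Python is an added example, not part of this page and not HPE Aruba Networking code: it builds an RFC 2865 Access-Request carrying User-Name, User-Password (obfuscated with the shared key), NAS-IP-Address, Service-Type Framed-User and NAS-Identifier, then checks the Response Authenticator on the server's reply, which is how a client detects a reply produced with a different shared key. The shared key, user credentials, VC IP address and NAS identifier are constructed sample values, and the Access-Accept is constructed locally rather than received from a real server.

```python
# Added example (not HPE Aruba Networking code): RFC 2865 Access-Request encoding and
# Response Authenticator verification. Keys, addresses and names are constructed samples.
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# Attribute types (RFC 2865 section 5); NAS-Identifier is attribute 32 as the table says.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, NAS_IDENTIFIER = 1, 2, 4, 6, 32
FRAMED_USER = 2  # Service-Type value sent when the "framed" check boxes are selected


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets (RFC 2865 section 5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _password_blocks(secret: bytes, data: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2 chaining: XOR each 16-octet block with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if decrypt else block  # chain on the ciphertext either way
    return out


def encrypt_user_password(secret: bytes, password: bytes, authenticator: bytes) -> bytes:
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _password_blocks(secret, padded, authenticator, decrypt=False)


def decrypt_user_password(secret: bytes, ciphertext: bytes, authenticator: bytes) -> bytes:
    return _password_blocks(secret, ciphertext, authenticator, decrypt=True).rstrip(b"\x00")


def build_access_request(secret: bytes, username: str, password: str, nas_ip: str,
                         nas_identifier: str, identifier: int = 1,
                         authenticator: bytes = b"", framed: bool = True):
    """Return (packet, request_authenticator). For an IAP cluster nas_ip is the VC IP."""
    authenticator = authenticator or os.urandom(16)  # 16 fresh random octets per request
    attrs = _attr(USER_NAME, username.encode())
    attrs += _attr(USER_PASSWORD, encrypt_user_password(secret, password.encode(), authenticator))
    attrs += _attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    if framed:
        attrs += _attr(SERVICE_TYPE, struct.pack("!I", FRAMED_USER))
    attrs += _attr(NAS_IDENTIFIER, nas_identifier.encode())
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(packet: bytes) -> dict:
    """Map attribute type -> raw value, rejecting lengths that run past the packet."""
    attrs, pos, length = {}, 20, struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("Length field does not match the packet")
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def response_authenticator(secret: bytes, code: int, identifier: int,
                           request_authenticator: bytes, attrs: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_access_accept(secret: bytes, request_authenticator: bytes, identifier: int,
                        attrs: bytes = b"") -> bytes:
    """The reply a server holding the same shared key would send (constructed here)."""
    auth = response_authenticator(secret, ACCESS_ACCEPT, identifier, request_authenticator, attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(secret: bytes, request_authenticator: bytes, response: bytes) -> bool:
    """Client-side check that the reply was produced with our shared key for our request."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    code, identifier = response[0], response[1]
    expected = response_authenticator(secret, code, identifier, request_authenticator,
                                      response[20:])
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-key"  # the Shared key / Retype key value
    req, req_auth = build_access_request(secret, "guest", "s3cret", "10.0.0.5", "iap-vc-01")
    reply = build_access_accept(secret, req_auth, req[1])
    print("correct key verifies:", verify_response(secret, req_auth, reply))
    print("wrong key verifies:", verify_response(b"wrong-key", req_auth, reply))
```

The Response Authenticator is the only thing binding a plain UDP reply to the shared key and to this particular request, which is why a client must keep the Request Authenticator it sent until the reply arrives and compare in constant time. With RadSec enabled, the same packets travel inside the TLS tunnel, so the server's identity is established by its certificate rather than by this MD5 check alone.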
LDAP server

- Name: Name of the LDAP server.
- IP address: IP address of the LDAP server.
- Authorization port: Authorization port number of the LDAP server. The default is 389.
- Admin DN: Distinguished name of the admin user with read and search privileges across all entries in the LDAP database. The admin user does not need write privileges, but must be able to search the database and read the attributes of other users in it.
- Admin password: Password for the admin user.
- Base DN: Distinguished name of the node that contains the entire user database.
- Filter: The filter to apply when searching for a user in the LDAP database. The default filter string is .
- Key attribute: The attribute to use as the key when searching the LDAP server. For Active Directory, the value is .
- Timeout: Timeout interval, in the range 1–30 seconds, for one LDAP request. The default is 5.
- Retry count: The maximum number of authentication requests that can be sent to the server group, in the range 1–5. The default is 3.
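The Filter and Key attribute rows above are combined with the login name to look the user up in the directory, which is exactly where an unescaped login name can turn into an LDAP filter injection. The following Python is an added example, not part of this page and not HPE Aruba Networking code: it escapes the user-supplied value per RFC 4515, validates the configured key attribute name, and refuses an unbalanced base filter. The base filter "(objectClass=person)" and key attribute "uid" used in the demo are assumed sample values, not the defaults this page refers to.

```python
# Added example (not HPE Aruba Networking code): injection-safe LDAP user lookup filter.
# The base filter and key attribute in the demo are assumed sample values.
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4512 attribute description: a descriptor or a numeric OID, with optional ;options.
_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+)(;[A-Za-z0-9-]+)*$")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only be matched, never alter the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_balanced_filter(flt: str) -> bool:
    """Sanity check for the configured base filter: a single balanced parenthesised term."""
    if not (flt.startswith("(") and flt.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # Closing the outermost term before the end means two terms side by side.
            if depth < 0 or (depth == 0 and i != len(flt) - 1):
                return False
    return depth == 0


def build_user_filter(base_filter: str, key_attribute: str, username: str) -> str:
    """AND the configured base filter with an equality match on the key attribute."""
    if not is_balanced_filter(base_filter):
        raise ValueError(f"malformed base filter: {base_filter!r}")
    if not _ATTR_RE.match(key_attribute):
        raise ValueError(f"invalid key attribute name: {key_attribute!r}")
    return f"(&{base_filter}({key_attribute}={escape_filter_value(username)}))"


if __name__ == "__main__":
    base, key = "(objectClass=person)", "uid"  # assumed sample configuration
    print(build_user_filter(base, key, "jdoe"))
    # A login name crafted to widen the search is neutralised by the escaping:
    print(build_user_filter(base, key, "*)(uid=*"))
```

Because the admin DN only needs read and search rights, a filter that has been widened by an unescaped login name cannot modify the directory, but it can still match the wrong account or enumerate users, so the escaping matters even with a least-privilege bind account.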
TACACS server

- Name: Name of the server.
- Shared key: The secret key used to authenticate communication between the TACACS client and server.
- Authorization port: The TCP port used by the server. The default is 49.
- Timeout: A number between 1 and 30 seconds indicating the timeout period for TACACS+ requests (TACACS+ provides separate authentication, authorization, and accounting services; it is derived from, but not backward compatible with, TACACS). The default value is 20 seconds.
- IP address: IP address of the server.
- Retry count: The maximum number of authentication attempts allowed. The default value is 3.
- Dead time: The dead time for the authentication server, in minutes. When two or more authentication servers are configured on the AP and one of them stops responding, the dead time determines how long the AP treats that server as unavailable, and skips it, before attempting to contact it again.
- Session authorization: Enable this option to allow the authorization of sessions.
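The Timeout, Retry count and Dead time rows for RADIUS above and for TACACS here describe one fail-over behaviour: a server that exhausts its retries is marked dead, the next server in the group is tried, and the dead server is skipped until the dead time expires. The following Python is an added example, not part of this page and not HPE Aruba Networking code: a simplified model of that behaviour on a simulated clock, including the optional Status-Server probe before a server is marked dead. The 10 minute dead time, the server names and each server's reachability are constructed inputs; the real AP may differ in details such as how it orders servers after a fail-over.

```python
# Added example (not HPE Aruba Networking code): a simplified model of how timeout,
# retry count and dead time interact in a server group, run on a simulated clock.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AuthServer:
    name: str
    reachable: bool           # constructed: does the server answer requests right now?
    status_ok: bool = False   # constructed: does it answer a Status-Server probe?
    dead_until: float = 0.0   # simulated-clock time until which the server is skipped


@dataclass
class ServerGroup:
    servers: List[AuthServer]
    timeout_s: float = 5.0      # page default: 5 seconds per request
    retries: int = 3            # page default: 3
    dead_time_s: float = 600.0  # assumed: a 10 minute dead time, expressed in seconds
    check_status: bool = False  # the "check server status" option
    clock: float = 0.0
    log: List[Tuple[float, str, str]] = field(default_factory=list)

    def time_to_disconnect(self) -> float:
        """Worst case against one server: the initial request and every retry time out."""
        return self.timeout_s * (self.retries + 1)

    def _try_server(self, server: AuthServer) -> bool:
        for attempt in range(self.retries + 1):
            if server.reachable:
                self.log.append((self.clock, server.name, "accept"))
                return True
            self.clock += self.timeout_s
            self.log.append((self.clock, server.name, f"timeout {attempt + 1}"))
        return False

    def authenticate(self) -> Optional[str]:
        """Walk the group in order; return the server that answered, or None."""
        for server in self.servers:
            if server.dead_until > self.clock:
                self.log.append((self.clock, server.name, "skipped: dead"))
                continue
            if self._try_server(server):
                return server.name
            if self.check_status and server.status_ok:
                # The probe says the server is up, so the failure is not held against it.
                self.log.append((self.clock, server.name, "status-server ok: not marked dead"))
                continue
            server.dead_until = self.clock + self.dead_time_s
            self.log.append((self.clock, server.name, f"dead until t={server.dead_until:.0f}"))
        return None


def demo():
    """Primary unreachable, secondary healthy; three logins, the last after the dead time."""
    group = ServerGroup([AuthServer("radius-primary", reachable=False),
                         AuthServer("radius-secondary", reachable=True)])
    first = group.authenticate()      # primary times out 4 times (20 s), then secondary answers
    second = group.authenticate()     # primary skipped as dead, secondary answers at once
    group.clock += group.dead_time_s  # let the dead time expire
    third = group.authenticate()      # primary is tried again (and times out again)
    return first, second, third, group.log


if __name__ == "__main__":
    for t, name, event in demo()[3]:
        print(f"t={t:7.1f}s  {name:16s} {event}")
```

The model makes the 20 second figure from the Timeout row visible as the cost paid by the first user after the primary fails, and shows that with the page's defaults and no second server the request fails closed after the same 20 seconds. Enabling the Status-Server check changes what happens afterwards: a server that is reachable but slow is probed instead of being taken out of rotation for the whole dead time.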
External Captive Portal: The external captive portal servers are used for authenticating guest users in a WLAN.

- Name: Enter a name for the profile.
- Type: Select one of the following authentication types:
  - RADIUS Authentication: Select this option to enable user authentication against a RADIUS server.
  - Authentication Text: Select this option to specify an authentication text. The external server returns the specified text after a successful user authentication.
- IP or hostname: Enter the IP address or the host name of the external splash page server.
- URL: Enter the URL of the external captive portal server.
- Port: Enter the port number used for communicating with the external captive portal server.
- Use VC IP in Redirect URL: Select this check box to send the IP address of the virtual controller in the redirection URL when external captive portal servers are used. This option is disabled by default.
- Use HTTPS: Select this option to force clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.
- Captive portal failure: Configures Internet access for guest users when the external captive portal server is not available. Select the deny option to prevent guest users from using the network, or the allow option to let them access the network.
- Server offload: Select the check box to enable the server offload feature, which ensures that non-browser client applications are not unnecessarily redirected to the external captive portal server, reducing the load on that server.
- Prevent frame overlay: Select this check box to prevent the overlay of frames. When enabled, frames display only pages that are in the same domain as the main page.
- Automatic URL allowlisting: When enabled for external captive portal authentication, the URLs that unauthenticated users are allowed to access are automatically allowlisted.
- Auth text: If Authentication Text is selected as the type, specify the authentication text that the external server returns after successful authentication. This option is available only if Authentication Text is selected.
- Redirect URL: Specify a redirect URL if you want to redirect users to another URL after authentication.
CoA

- Name: Name of the server.
- IP address: IP address of the server.
- CoA port: A port number for sending Bonjour support CoA on a port other than the standard CoA port. The default value is 5999.
- Shared key: A shared key for communicating with the external RADIUS server. Change of Authorization (CoA) is a subset of Dynamic Authorization, which also includes Disconnect messages.
- Save the server configuration.
To assign the authentication server to a network profile, select the newly added server when configuring the security settings for a wireless or wired network profile.
You can also add an external RADIUS server when configuring a WLAN SSID (Service Set Identifier) profile.
To configure the IP MTU (Maximum Transmission Unit) for EAP (Extensible Authentication Protocol) fragmentation, specify the value, in octets, in the EAP Fragmentation MTU text box. The AP receives the EAP packet carrying the certificate from the client and fragments it into smaller EAP fragments based on the configured IP MTU.