Configuring 802.1X Authentication

802.1X is an IEEE standard for port-based network access control that authenticates the identity of a user before providing network access. It provides an authentication framework that allows a user to be authenticated by a central authority. HPE Aruba Networking Central supports an internal RADIUS (Remote Authentication Dial-In User Service) server and an external RADIUS server for 802.1X authentication.

To configure 802.1X authentication for the switch, complete the following steps:

  1. In the WebUI, select one of the following options:
    • To select a switch group in the filter:
      1. Set the filter to a group containing at least one switch.

        The dashboard context for the group is displayed.

      2. Under Manage, click Devices > Switches.
      3. Click the AOS-S or Config icon to view the switch configuration dashboard.
    • To select a switch in the filter:
      1. Set the filter to Global or a group containing at least one switch.
      2. Under Manage, click Devices > Switches.

        A list of switches is displayed in the List view.

      3. Click a switch under Device Name.

        The dashboard context for the switch is displayed.

      4. Under Manage, click Device.

        The tabs to configure the switch are displayed.

  2. Click Security > Authentication. The Authentication page is displayed.
  3. Expand the 802.1X Authentication accordion.
  4. To enable 802.1X authentication at the group level in the group context, slide the toggle switch to the on position.
  5. From the Authentication Method drop-down, select either EAP or CHAP.

    The Port Settings table displays the number of ports and the parameters configured for the ports.

  6. Select one or more ports for which you want to enable 802.1X authentication, and click the edit icon.
    The Edit Ports Selected window is displayed.
  7. Select Enable from the 802.1X drop-down.
  8. Configure the following parameters.

    Table 1: Configuring 802.1X Authentication

    | Name | Description | Value |
    |---|---|---|
    | Client Limit | The maximum number of clients to allow on the port. | Default: 0 |
    | UnAuthorized VLAN ID | The VLAN (Virtual Local Area Network) to use for an unauthorized client. | Default: 0 |
    | Authorized VLAN ID | The VLAN to use for an authorized client. | Default: 0 |
    | Reauth Period | The time (in seconds) that the switch enforces on a client to re-authenticate. The client remains authenticated while the re-authentication occurs. When set to 0, re-authentication is disabled. | Default: 300 seconds |
    | Cached Reauth Period | The time (in seconds) when cached re-authentication is allowed on the port. | Default: 0 |
    | Log off Period | The time (in seconds) that the switch enforces for an implicit logoff. | Default: 300 seconds |
    | Quiet Period | The time (in seconds) during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails. | Default: 60 seconds |
    | Tx Period | The time (in seconds) the port waits to retransmit the next EAPOL PDU (Protocol Data Unit) during an authentication session. | Default: 30 seconds |
    | Server Timeout | The time (in seconds) that the switch waits for a server response to an authentication request. | Default: 300 seconds |
    | Supplicant Timeout | The time (in seconds) that the switch waits for a supplicant response to an EAP request. If the supplicant does not respond within the configured time frame, the session times out. | Default: 300 seconds |

  9. Click Save Settings.
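
After saving, the per-port values can be reviewed against the parameter semantics in Table 1. The following is an added example, not HPE Aruba Networking code: the record layout, key names, and finding labels are hypothetical (this is not a Central export format), the sample ports are constructed, and treating a VLAN ID of 0 as "not set" is an assumption.

```python
# Defaults taken from Table 1; the key names are hypothetical.
DEFAULTS = {
    "client_limit": 0, "unauth_vlan": 0, "auth_vlan": 0,
    "reauth_period": 300, "cached_reauth_period": 0, "logoff_period": 300,
    "quiet_period": 60, "tx_period": 30,
    "server_timeout": 300, "supplicant_timeout": 300,
}

# Constructed sample records: only values that differ from the defaults are listed.
SAMPLE_PORTS = [
    {"port": "1", "dot1x": True},
    {"port": "2", "dot1x": True, "reauth_period": 0},
    {"port": "3", "dot1x": True, "unauth_vlan": 20, "auth_vlan": 20},
    {"port": "4", "dot1x": False},
]


def audit_port(record):
    """Return a list of finding labels for one port record."""
    cfg = {**DEFAULTS, **record}
    if not cfg.get("dot1x"):
        return ["dot1x-disabled"]  # 802.1X is not enabled on this port
    findings = []
    for name in DEFAULTS:
        value = cfg[name]
        # Every parameter in Table 1 is a non-negative integer.
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            findings.append(f"invalid-value:{name}")
    if findings:
        return findings
    # Table 1: a Reauth Period of 0 disables re-authentication.
    if cfg["reauth_period"] == 0:
        findings.append("reauth-disabled")
    # Assumption: 0 means no VLAN set. If both IDs match, unauthorized
    # clients are placed in the same VLAN as authorized clients.
    if cfg["unauth_vlan"] != 0 and cfg["unauth_vlan"] == cfg["auth_vlan"]:
        findings.append("unauth-vlan-equals-auth-vlan")
    return findings


def audit(ports):
    """Map port name to findings, omitting ports with no findings."""
    results = {p["port"]: audit_port(p) for p in ports}
    return {port: found for port, found in results.items() if found}


if __name__ == "__main__":
    for port, found in audit(SAMPLE_PORTS).items():
        print(port, ", ".join(found))
```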