Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Smart Card Authentication
Smart card authentication allows users with physical cards such as Common Access Cards (CAC) or Personal Identity Verification (PIV) cards to authenticate into HPE Aruba Networking Central On-Premises. Smart card-based authentication is an alternative to password-based authentication. The user credentials on a smart card are in the form of a private key and a certificate. When smart card authentication is enabled, the user gains access to HPE Aruba Networking Central On-Premises by placing the smart card on the reader and entering the PIN (Personal Identification Number), a numeric password used to authenticate a user to a system.
Prerequisites:
- The root CA and intermediate certificates are uploaded under Network Structure > Certificates. A CA (Certificate Authority or Certification Authority) is the entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. For more information, see Uploading Certificates.
Figure 1 Smart Card Certificate
- Ensure user roles are configured on the RADIUS server. RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect and use a network service. For more information, see Configuring RADIUS Service in HPE Aruba Networking ClearPass Policy Manager and RADIUS Server User Roles.
- Ensure that an authorize-only service is created to support passwordless authentication for Smart Card. For more information, see Configuring Authorize Only Service on HPE Aruba Networking ClearPass Policy Manager.
You can configure smart card authentication only on the following servers:
- RADIUS—Using RADIUS servers to authenticate HPE Aruba Networking Central On-Premises users. For more information, see Configuring RADIUS Authentication and Authorization.
- RadSec—Using RadSec increases the level of security for authentication. RadSec is an authentication and authorization protocol for transporting RADIUS datagrams over TCP and TLS. RadSec uses Transport Layer Security (TLS) to encrypt all communication between the client and the server. TLS is a cryptographic protocol that provides communication security over the Internet; it encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. For more information, see Configuring RadSec Authentication and Authorization.
For information about how to enable and use smart card, see the following topics: