
Supported Authentication Methods

Authentication is the process of identifying a user through a valid username and password. Clients can also be authenticated based on their MAC (Media Access Control) addresses, the unique identifiers assigned to network interfaces.

The authentication methods supported by the Instant APs managed through Aruba Central are described in the following sections.

802.1X Authentication

802.1X is an IEEE standard for port-based network access control, designed to enhance 802.11 WLAN security, that provides a framework for authenticating a user's identity through a central authority before network access is granted. Aruba Central supports both an internal RADIUS (Remote Authentication Dial-In User Service) server and an external RADIUS server for 802.1X authentication. For authentication, the wireless client associates to a NAS (Network Access Server) or RADIUS client such as a wireless Instant AP. The wireless client can pass data traffic only after successful 802.1X authentication.

The NAS acts as a gateway to guard access to a protected resource. A client connecting to the wireless network first connects to the NAS.

Configuring 802.1X Authentication for a Network Profile

To configure 802.1X authentication for a wireless network profile, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP.

The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

A list of access points is displayed in the List view.

3. Click the Config icon.

The tabs to configure the access points are displayed.

4. Click the WLANs tab.

The WLANs (Wireless Local Area Networks) details page is displayed.

5. In the Wireless SSIDs table, select a network profile for which you want to enable 802.1X authentication, and then click the edit icon.

You can directly edit the SSID (Service Set Identifier) name under the Display Name column in the Wireless SSIDs table. Double-click the SSID that you want to rename, type the new name, and press Enter.

6. Under Security, for the Enterprise security level, select the preferred option from Key Management.

7. To terminate the EAP (Extensible Authentication Protocol) portion of 802.1X authentication on the Instant AP instead of on the RADIUS server, set Termination to Enabled.

By default, for 802.1X authentication the client conducts an EAP exchange with the RADIUS server and the AP acts as a relay for this exchange. When Termination is enabled, the Instant AP itself acts as the authentication server: it terminates the outer layers of the EAP protocol and relays only the innermost layer to the external RADIUS server.

8. Specify the type of authentication server to use.

9. Click Save Settings.

MAC Authentication

MAC authentication authenticates devices based on their physical MAC addresses by matching each address against a manually defined list. This method is not recommended for scalable networks or for networks that require stringent security settings.

MAC authentication can be used alone or combined with other forms of authentication such as WEP (Wired Equivalent Privacy) authentication.

Configuring MAC Authentication for a Network Profile

To configure MAC authentication for a wireless profile, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP.

The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

A list of access points is displayed in the List view.

3. Click the Config icon.

The tabs to configure the access points are displayed.

4. Click the WLANs tab.

The WLANs details page is displayed.

5. In the WLANs tab, select a network profile for which you want to enable MAC authentication and click the edit icon.

6. In Security, turn on the MAC Authentication toggle switch to enable Personal or Open security level.

7. Specify the type of authentication server to use.

8. Click Save Settings.

MAC Authentication with 802.1X Authentication

Administrators can enable MAC authentication for 802.1X authentication. MAC authentication shares all authentication server configurations with 802.1X authentication. When a wireless or wired client connects to the network, MAC authentication is performed first. If MAC authentication fails, 802.1X authentication does not trigger. If MAC authentication is successful, 802.1X authentication is attempted. If 802.1X authentication is successful, the client is assigned an 802.1X authentication role. If 802.1X authentication fails, the client is assigned a deny-all role or the mac-auth-only role.

You can also configure the following authentication parameters for MAC+802.1X authentication:

MAC authentication only—Allows you to create a mac-auth-only role to allow role-based access rules when MAC authentication is enabled for 802.1X authentication. The mac-auth-only role is assigned to a client when the MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication is successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients.

L2 authentication fall-through—Allows you to enable the l2-authentication-fallthrough mode. When this option is enabled, the 802.1X authentication is allowed even if the MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed. The l2-authentication-fallthrough mode is disabled by default.
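The role-assignment sequence described above (MAC authentication first, then 802.1X, with the mac-auth-only role and the l2-authentication-fallthrough mode changing the outcome) is easy to misread, so the following added example models it as a small decision function. This is illustrative code written for this page, not Aruba code; the role name for a successful 802.1X client and the "client is denied when MAC auth fails and fall-through is off" outcome are assumptions, since the page names no role for that case.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Role names used on this page. The 802.1X role label is a placeholder: on a real
# SSID it is whatever final role the 802.1X policy derives.
ROLE_DOT1X = "802.1x-authenticated"   # placeholder name (assumption)
ROLE_MAC_AUTH_ONLY = "mac-auth-only"
ROLE_DENY_ALL = "deny-all"


@dataclass
class MacDot1xPolicy:
    """The per-SSID settings this page describes."""
    mac_auth_before_dot1x: bool = True   # "Perform MAC Authentication Before 802.1X"
    l2_auth_fallthrough: bool = False    # "MAC Authentication Fail Through" (off by default)
    mac_auth_only_role: bool = False     # a mac-auth-only role has been defined


def decide(policy: MacDot1xPolicy, mac_auth_ok: bool, dot1x_ok: bool) -> Tuple[bool, str]:
    """Return (dot1x_attempted, assigned_role) for one client association.

    mac_auth_ok: result of the MAC-address lookup on the authentication server.
    dot1x_ok:    result the EAP exchange would produce; consulted only if 802.1X runs.
    """
    if not policy.mac_auth_before_dot1x:
        # Plain 802.1X SSID: no MAC lookup at all.
        return True, (ROLE_DOT1X if dot1x_ok else ROLE_DENY_ALL)

    # MAC authentication runs first.
    if not mac_auth_ok and not policy.l2_auth_fallthrough:
        # 802.1X does not trigger. The page names no role here; deny-all is assumed.
        return False, ROLE_DENY_ALL

    # Either MAC auth passed, or fall-through lets 802.1X run anyway.
    if dot1x_ok:
        return True, ROLE_DOT1X

    # 802.1X failed. mac-auth-only is only reachable after a successful MAC auth.
    if mac_auth_ok and policy.mac_auth_only_role:
        return True, ROLE_MAC_AUTH_ONLY
    return True, ROLE_DENY_ALL


def truth_table(policy: MacDot1xPolicy) -> Dict[Tuple[bool, bool], Tuple[bool, str]]:
    """All four (mac_auth_ok, dot1x_ok) outcomes for a policy, for review."""
    return {
        (mac, dot1x): decide(policy, mac, dot1x)
        for mac in (True, False)
        for dot1x in (True, False)
    }


if __name__ == "__main__":
    for name, pol in [
        ("default", MacDot1xPolicy()),
        ("fall-through", MacDot1xPolicy(l2_auth_fallthrough=True)),
        ("mac-auth-only role", MacDot1xPolicy(mac_auth_only_role=True)),
    ]:
        print(name)
        for (mac, dot1x), (attempted, role) in truth_table(pol).items():
            print(f"  mac_ok={mac!s:5} dot1x_ok={dot1x!s:5} -> 802.1X run={attempted!s:5} role={role}")
```

Running the table for the three policies shows the point that matters for access control: with the default settings a client whose MAC is not on the list is never offered 802.1X, and a client whose MAC is on the list but whose 802.1X fails only keeps network access if a mac-auth-only role exists.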

Configuring MAC Authentication with 802.1X Authentication

To configure MAC authentication with 802.1X authentication for a wireless network profile, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP.

The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

A list of access points is displayed in the List view.

3. Click the Config icon.

The tabs to configure the access points are displayed.

4. Click the WLANs tab.

The WLANs details page is displayed.

5. In the WLANs tab, select a network profile for which you want to enable MAC and 802.1X authentication and click the edit icon.

6. Turn on the Perform MAC Authentication Before 802.1X toggle switch to use 802.1X authentication only when the MAC authentication is successful.

7. Turn on the MAC Authentication Fail Through toggle switch to use 802.1X authentication even when the MAC authentication fails.

8. Click Save Settings.

Captive Portal Authentication

Captive portal authentication is used for authenticating guest users. A captive portal is a web page on which users authenticate and sign in before connecting to a public-access network; captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots to guests. For more information, see Splash Page Profiles.

MAC Authentication with Captive Portal Authentication

The following conditions apply to a network profile with MAC authentication and Captive Portal authentication enabled:

If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC authentication reuses the server configurations.

If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and MAC authentication is enabled, a server configuration page is displayed.

If the captive portal splash page type is None, MAC authentication is disabled.

The MAC authentication with captive portal authentication supports the mac-auth-only role.

Configuring MAC Authentication with Captive Portal Authentication

To configure the MAC authentication with captive portal authentication for a network profile, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP.

The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

A list of access points is displayed in the List view.

3. Click the Config icon.

The tabs to configure the access points are displayed.

4. Click the WLANs tab.

The WLANs details page is displayed.

5. In the WLANs tab, select an existing wireless profile for which you want to enable MAC authentication with captive portal authentication, and then click the edit icon.

6. Under Access, specify the following parameters for a network with Role Based rules:

a. Turn on the Enforce Machine Authentication toggle switch when MAC authentication is enabled for the captive portal. If MAC authentication fails, the captive portal authentication role is assigned to the client.

b. For a wireless network profile, turn on the Enforce MAC Auth Only Role toggle switch when MAC authentication is enabled for the captive portal. After successful MAC authentication, the MAC Auth Only role is assigned to the client.

7. Click Next.

802.1X Authentication with Captive Portal Authentication

This authentication method allows you to configure different captive portal settings for clients on the same SSID. For example, you can configure an 802.1X SSID and create a role for captive portal access, so that some of the clients using the SSID derive the captive portal role. You can configure rules to indicate access to external or internal Captive portal, or none.

For more information on configuring captive portal roles for an SSID with 802.1X authentication, see Splash Page Profiles.

WISPr Authentication

WISPr (Wireless Internet Service Provider Roaming) authentication allows a smart client to authenticate on the network when roaming between wireless Internet service providers, even if the wireless hotspot uses an ISP (Internet Service Provider) with which the client does not have an account. A hotspot is a WLAN node that provides Internet connection and VPN access from a given location.

If a hotspot is configured to use WISPr authentication with a specific ISP and a client attempts to access the Internet at that hotspot, the WISPr AAA (Authentication, Authorization, and Accounting) server configured for that ISP authenticates the client directly and allows the client to access the network. If the client only has an account with a partner ISP, the WISPr AAA server forwards the client's credentials to the partner ISP's WISPr AAA server for authentication. When the client is authenticated by the partner ISP, it is also authenticated on your hotspot's own ISP as per their service agreements. The Instant AP assigns the default WISPr user role to the client when your ISP sends an authentication message to the Instant AP.

Instant APs support the following smart clients:

iPass

Boingo

These smart clients enable client authentication and roaming between hotspots by embedding iPass Generic Interface Specification (GIS) redirect, authentication, and logoff messages within HTML messages that are sent to the Instant AP.

Configuring WISPr Authentication

To configure WISPr authentication, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP.

The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

A list of access points is displayed in the List view.

3. Click the Config icon.

The tabs to configure the access points are displayed.

4. Click Show Advanced, and click the System tab.

The System details page is displayed.

5. Click the WISPr accordion.

6. Under WISPr, configure the following parameters:

ISO Country Code—The ISO Country Code for the WISPr Location ID.

E.164 Area Code—The E.164 Area Code for the WISPr Location ID.

Operator Name—The operator name of the hotspot.

E.164 Country Code—The E.164 Country Code for the WISPr Location ID.

SSID/Zone—The SSID/Zone for the WISPr Location ID.

Location Name—Name of the hotspot location. If no name is defined, the name of the Instant AP, to which the user is associated, is used.

7. Click Save Settings.

The WISPr RADIUS attributes and configuration parameters are specific to the RADIUS server used by your ISP for the WISPr authentication. Contact your ISP to determine these values. You can find a list of ISO and ITU country and area codes at the ISO and ITU websites (www.iso.org and http://www.itu.int).

A Boingo smart client uses a NAS identifier in the format <CarrierID>_<VenueID> for location identification. To support Boingo clients, ensure that you configure the NAS identifier parameter in the RADIUS server profile for the WISPr server.

Walled Garden

On the Internet, a walled garden typically controls access to web content and services; on the Instant AP it is the feature that blocks unauthenticated users from accessing network resources other than those explicitly allowed. Walled garden access is required when an external captive portal is used, for example in a hotel environment where unauthenticated users are allowed to navigate to a designated login page (such as the hotel website) and all its contents.

Users who do not sign up for the Internet service can still view the allowed websites (typically hotel property websites). The website names must be DNS (Domain Name System) based and can be defined with wildcards. When a user attempts to navigate to a website that is not in the whitelist of the walled garden profile, the user is redirected to the login page. Instant AP supports Walled Garden only for HTTP (Hypertext Transfer Protocol) requests. For example, if you add yahoo.com to the Walled Garden whitelist and the client sends an HTTPS (Hypertext Transfer Protocol Secure) request (https://yahoo.com), the requested page is not displayed and the user is redirected to the captive portal login page.

In addition, a walled garden blacklist can be configured to explicitly block unauthenticated users from accessing specific websites.

Configuring Walled Garden Access

To configure walled garden access, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP.

The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

A list of access points is displayed in the List view.

3. Click the Config icon.

The tabs to configure the access points are displayed.

4. Click Show Advanced, and click the Security tab.

The Security details page is displayed.

5. Click the Walled Garden accordion.

6. To allow access to a specific set of websites, click + under Whitelist and enter the domain name in the window. This allows access to a domain while the user remains unauthenticated. Specify the entry as a POSIX regular expression (regex(7)). For example:

yahoo.com matches various domains such as news.yahoo.com, travel.yahoo.com and finance.yahoo.com

www.apple.com/library/test is a subset of www.apple.com site corresponding to path /library/test/*

favicon.ico allows access to /favicon.ico from all domains.

7. To deny users access to a domain, click + under Blacklist and enter the domain name in the window. This prevents unauthenticated users from viewing specific websites. When a URL (Uniform Resource Locator) matching the blacklist is accessed by an unauthenticated user, the Instant AP sends an HTTP 403 response to the client with an error message.

8. Click Save Settings.
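To make the whitelist and blacklist semantics concrete before committing a profile, the following added example evaluates sample unauthenticated requests against the three regex entries the page uses as examples plus one constructed blacklist entry. This is illustrative code written for this page, not Instant AP code: it uses Python's re module rather than POSIX regex(7), the order "HTTPS check, then blacklist, then whitelist" is an assumption (the page does not state precedence), and the constructed hostnames are not real sites.

```python
import re
from typing import List, Sequence, Tuple

# Whitelist entries taken from the examples on this page; blacklist entry is constructed.
WHITELIST: List[str] = ["yahoo.com", "www.apple.com/library/test", "favicon.ico"]
BLACKLIST: List[str] = [r"ads\.example\.test"]  # constructed entry, not from the page

ALLOW, REDIRECT, FORBIDDEN = "allow", "redirect-to-login", "403"


def _compile(patterns: Sequence[str]) -> List["re.Pattern[str]"]:
    # Unanchored search, so "yahoo.com" also matches news.yahoo.com, as the page describes.
    # Note: an unescaped "." matches any character, which is what the page's examples rely on.
    return [re.compile(p) for p in patterns]


def evaluate(scheme: str, host: str, path: str,
             whitelist: Sequence[str] = WHITELIST,
             blacklist: Sequence[str] = BLACKLIST) -> str:
    """Decide what an unauthenticated client's request gets from the walled garden."""
    # Walled Garden applies only to HTTP; an HTTPS request is always sent to the login page.
    if scheme.lower() != "http":
        return REDIRECT
    target = f"{host}{path}"
    # Assumed precedence: blacklist wins over whitelist (page does not specify).
    for rx in _compile(blacklist):
        if rx.search(target):
            return FORBIDDEN          # AP answers with HTTP 403
    for rx in _compile(whitelist):
        if rx.search(target):
            return ALLOW              # reachable while still unauthenticated
    return REDIRECT                   # everything else goes to the captive portal login page


def evaluate_many(requests: Sequence[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Evaluate a batch of (scheme, host, path) tuples; returns (url, verdict) pairs."""
    return [(f"{s}://{h}{p}", evaluate(s, h, p)) for s, h, p in requests]


if __name__ == "__main__":
    # Constructed sample requests from an unauthenticated client.
    sample = [
        ("http", "news.yahoo.com", "/"),
        ("https", "yahoo.com", "/"),
        ("http", "www.apple.com", "/library/test/index.html"),
        ("http", "www.apple.com", "/"),
        ("http", "hotel.example.test", "/favicon.ico"),
        ("http", "ads.example.test", "/banner.png"),
    ]
    for url, verdict in evaluate_many(sample):
        print(f"{verdict:17} {url}")
```

The second sample line is the one worth noticing: the same domain that is whitelisted over HTTP is redirected over HTTPS, exactly the behaviour described for https://yahoo.com above, so a captive-portal login page that loads assets over HTTPS from a whitelisted host still will not render for unauthenticated users.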
