Configuring Authentication for Aruba Switches

doc title Help Center

You are here: Home > Managing Switches > Configuring Aruba Switches > Configuring Authentication for Aruba Switches

Configuring Authentication for Aruba Switches

Aruba Central supports enabling 802.1X802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. and MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. authentication for switches. You can enable and configure 802.1X authentication of clients at the switch and port level, and enable authentication of 802.1X access through a RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. server using either EAPExtensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication. or CHAPChallenge Handshake Authentication Protocol. CHAP is an authentication scheme used by PPP servers to validate the identity of remote clients. protocol. You can also enable and configure ports to authenticate clients based on MAC addresses.

802.1X Authentication

802.1X is a method for authenticating the identity of a user before providing network access. Aruba Centralsupports internal RADIUS server and external RADIUS server for 802.1X authentication.

Configuring 802.1X Authentication

To configure 802.1X authentication for the switch, complete the following steps:

1. In the Network Operations app, select one of the following options:

To select a switch group in the filter:

a. Set the filter to a group containing at least one switch.

The dashboard context for the group is displayed.

b. Under Manage, click Devices > Switches.

c. Click the Config icon to view the switch configuration dashboard.

To select a switch in the filter:

a. Set the filter to Global or a group containing at least one switch.

b. Under Manage, click Devices > Switches.

A list of switches is displayed in the List view.

c. Click a switch under Device Name.

The dashboard context for the switch is displayed.

d. Under Manage, click Device.

The tabs to configure the switch is displayed.

2. Click Security > Authentication.

3. Expand the 802.1X Authentication accordion.

4. To enable 802.1x Authentication at group level in the group context, slide the toggle switch to on position.

5. In the Authentication Method from the drop-down, select either Local , EAP or CHAP.

If you select EAP or CHAP, you must configure the RADIUS server.

The Port Settings table displays the number of ports and the parameters configured for the ports.

6. Select one or more ports for which you want to enable 802.1X authentication, and click the edit icon.

The Edit Ports Selected window is displayed.

7. Select Enable from the 802.1X drop-down.

Table 1: Configuring 802.1X Authentication
Name	Description	Value
Client Limit	The maximum number of clients to allow on the port.	Default: 0
UnAuthorized VLAN ID	The VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. to use for an unauthorized client.	Default:0
Authorized VLAN ID	The VLAN to use for an authorized client.	Default: 0
Reauth Period	The time (in seconds) that the switch enforces on a client to re-authenticate. The client remains authenticated while the re-authentication occurs. When set to 0, re-authentication is disabled.	Default: 300 seconds
Cached Reauth Period	The time (in seconds) when cached re-authentication is allowed on the port.	Default: 0
Log off Period	The time (in seconds) that the switch enforces for an implicit logoff.	Default: 300 seconds
Quiet Period	The time (in seconds) during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails.	Default: 60 seconds
Tx Period	The time (in seconds) the port waits to retransmit the next EAPOL PDUPower Distribution Unit or Protocol Data Unit. Power Distribution Unit is a device that distributes electric power to the networking equipment located within a data center. Protocol Data Unit contains protocol control Information that is delivered as a unit among peer entities of a network. during an authentication session.	Default: 30 seconds
Server Timeout	The time (in seconds) that the switch waits for a server response to an authentication request	Default: 300 seconds
Supplicant Timeout	The time (in seconds) that the switch waits for a supplicant response to an EAP request. If the supplicant does not respond within the configured time frame, the session times out.	Default: 300 seconds

8. Click Save Settings.

MAC Authentication

MAC authentication is used for authenticating devices based on their physical MAC addresses. For MAC authentication, the MAC address of a machine must match an approved list of manually defined addresses on the switch.

MAC authentication can be used alone or it can be combined with 802.1X authentication.

To configure MAC authentication for the switch ports, complete the following steps:

1. In the Network Operations app, select one of the following options:

To select a switch group in the filter:

a. Set the filter to a group containing at least one switch.

The dashboard context for the group is displayed.

b. Under Manage, click Devices > Switches.

c. Click the Config icon to view the switch configuration dashboard.

To select a switch in the filter:

a. Set the filter to Global or a group containing at least one switch.

b. Under Manage, click Devices > Switches.

A list of switches is displayed in the List view.

c. Click a switch under Device Name.

The dashboard context for the switch is displayed.

d. Under Manage, click Device.

The tabs to configure the switch is displayed.

2. Click Security > Authentication.

3. In the Authentication tab, expand the MAC Authentication accordion. The Port Settings table displays the parameters configured for the port.

4. Select one or more ports for which you want to enable MAC authentication and click the edit icon.

The Edit Ports Selected window is displayed.

Select Enable from the MAC Auth drop-down.

5. Configure the following parameters.

Table 2: Configuring MAC Authentication
Name	Description	Value
Client Limit	The maximum number of clients to allow on the port.	Default: 0
UnAuthorized VLAN ID	The VLAN to use for an unauthorized client.	Default:0
Authorized VLAN ID	The VLAN to use for an authorized client.	Default: 0
Reauth Period	The time (in seconds) that the switch enforces on a client to re-authenticate. The client remains authenticated while the re-authentication occurs. When set to 0, re-authentication is disabled.	Default: 300 seconds
Cached Reauth Period	The time (in seconds) when cached re-authentication is allowed on the port.	Default: 0
Log off Period	The time (in seconds) that the switch enforces for an implicit logoff.	Default: 300 seconds
Quiet Period	The time (in seconds) during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails.	Default: 60 seconds

6. Click Save Settings.

/*]]>*/

Send Feedback