Configuring Authentication on AOS-CX

Aruba Central (on-premises) supports the following authentication methods for AOS-CX switches:

• 802.1X802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. Authentication—Used for authenticating the identity of a user before providing network access. 802.1x
  • Supplicant: Device that tries to access the LANLocal Area Network. A LAN is a network of connected devices within a distinct geographic area such as an office or a commercial establishment and share a common communications line or wireless link to a server..
  • Authenticator: A network device, such as an EthernetEthernet is a network protocol for data transmission over LAN. switch that authenticates the supplicant.

  • Authentication Server: Typically a host running software supporting the RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  and EAPExtensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.  protocols that provides an authentication service to the authenticator.

• MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. Authentication—Used for authenticating devices based on their physical MAC addresses. For MAC authentication, the MAC address of a machine must match an approved list of MAC addresses defined on the RADIUS server.

To configure authentication at port level, complete the following steps:

1. In the Network Operations app, select one of the following options:
   • To select a switch group in the filter:
     1. Set the filter to a group.
        

        The dashboard context for the group is displayed.

     2. Under Manage, click Devices > Switches.
     3. Click the AOS-CX icon to view the switch configuration dashboard.
   • To select a switch in the filter:
     1. Set the filter to Global or a group containing at least one switch.
     2. Under Manage, click Devices > Switches.
        

        A list of switches is displayed in the List view.

     3. Click an AOS-CX switch under Device Name.
        

        The dashboard context for the switch is displayed.

     4. Under Manage, click Device.
        

        The AOS-CX UI configuration page is displayed.

2. Click Security > Authentication.

   The Authentication page is displayed.

3. Under the MAC authentication, select one of the following modes to communicate with RADIUS servers.

   • PAP (Password Authentication Protocol)

   • CHAP (Challenge-Handshake Authentication Protocol)

   At the global level, 802.1X Authentication uses the EAP (Extensible Authentication Protocol) mode to communicate with the RADIUS server.
4. In the Ports table, select one or more ports for which you want to configure authentication, and click the edit icon.

   The Edit Ports page is displayed.

5. Configure the following parameters:

   Table 1: Configuring Authentication

   Name	Description	Value
   Authentication	The method of authentication.	Select any one of the following authentication methods: None—Disables authentication. By default, the authentication is disabled. 802.1X—Enables 802.1X method for authentication. MAC—Enables MAC method for authentication 802.1X, then MAC—Enables both 802.1X and MAC authentication methods and sets the precedence to 802.1X authentication. MAC, then 802.1X—Enables both 802.1X and MAC authentication methods and sets the precedence to MAC authentication. Concurrent—Enables both 802.1X and MAC authentication methods to start simultaneously for faster onboarding process. You can select 802.1X or MAC authentication from the Priority drop-down menu. Default priority for concurrent is 802.1X followed by MAC authentication.
   Client Limit	The maximum number of clients to be allowed on the port.	Enter up to a maximum of 256 clients. Default: 1 Following are the maximum clients supported on switches: AOS-CX 4100i, 6100, 6200, switch series—32 AOS-CX 6300 switch series—256 At the group level, the maximum clients supported is 256. NOTE:   Port access authentication is not supported on AOS-CX 8320, 8325, and 8360 switch series. AOS-CX 6400 and 8400 switch series are not supported in Aruba Central (on-premises) UI configuration.
   Reauthentication Timeout	The time (in seconds) that the switch enforces on a client to re-authenticate. The client remains authenticated while the re-authentication occurs. By default, this field is disabled and the default value is displayed. To edit the default value, select the check box and specify the value.	Default: 3600 seconds
   Cached Reauthentication Timeout	The time (in seconds) when cached re-authentication is allowed on the port. By default, this field is disabled and the default value is displayed. To edit the default value, select the check box and specify the value.	Default: 30 seconds
   Quiet Period	The time (in seconds) during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails.	Default: 60 seconds

6. Click Apply. The authentication parameters are displayed in the Ports table.
7. Click Save.