
150 | Authentication and User Management Aruba Instant 6.4.0.2-4.1 | User Guide
WISPr authentication
Wireless Internet Service Provider roaming (WISPr) authentication allows a smart client to authenticate on the
network when they roam between wireless Internet service providers, even if the wireless hotspot uses an Internet
Service Provider (ISP) with whom the client may not have an account.
If a hotspot is configured to use WISPr authentication in a specific ISP and a client attempts to access the Internet
at that hotspot, the WISPr AAA server configured for the ISP authenticates the client directly and allows the client to
access the network. If the client only has an account with a partner ISP, the WISPr AAA server forwards the client’s
credentials to the partner ISP’s WISPr AAA server for authentication. When the client is authenticated on the partner
ISP, it is also authenticated on your hotspot’s own ISP as per their service agreements. The IAP assigns the default
WISPr user role to the client when your ISP sends an authentication message to the IAP. For more information on
WISPr authentication, see Configuring WISPr Authentication on page 171.
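The paragraphs above describe the roaming flow at the level of ISPs and AAA servers. What the smart client and the hotspot actually exchange is a small XML document that the portal embeds in an HTML comment: the first reply carries a Redirect with the LoginURL, and the reply to the posted credentials carries an AuthenticationReply with a result code. The parser below is an added example written for this guide, not Aruba code or Instant firmware behaviour; the element names and codes are those defined by WISPr 1.0, and the three portal pages it parses are constructed samples (the example.net URLs and "constructed" values are placeholders).

```python
"""Parse the WISPr 1.0 XML block that a smart-client-aware captive portal
embeds in its HTML reply (added example; sample pages are constructed)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# ResponseCode values defined by WISPr 1.0.
RESPONSE_CODES = {
    0: "no error", 50: "login succeeded", 100: "login failed",
    102: "RADIUS server error or timeout", 105: "RADIUS server not enabled",
    150: "logoff succeeded", 151: "login aborted",
    200: "proxy detection / repeat operation", 201: "authentication pending",
    255: "access gateway internal error",
}

# MessageType values defined by WISPr 1.0.
MESSAGE_TYPES = {
    100: "initial redirect", 110: "proxy notification",
    120: "authentication notification", 130: "logoff notification",
    140: "response to authentication poll", 150: "response to abort login",
}

# The XML lives inside an HTML comment; capture only the root element so an
# XML declaration in front of it never reaches the parser.
_WISPR_BLOCK = re.compile(
    r"<!--.*?(<WISPAccessGatewayParam.*?</WISPAccessGatewayParam>).*?-->", re.S)


@dataclass
class WisprMessage:
    kind: str                 # "Redirect" or "AuthenticationReply"
    message_type: int
    response_code: int
    login_url: Optional[str] = None
    logoff_url: Optional[str] = None
    location_name: Optional[str] = None
    reply_message: Optional[str] = None

    @property
    def result(self) -> str:
        return RESPONSE_CODES.get(self.response_code, f"unknown code {self.response_code}")

    @property
    def login_succeeded(self) -> bool:
        # Only an AuthenticationReply with code 50 means the AAA server accepted the login.
        return self.kind == "AuthenticationReply" and self.response_code == 50


def parse_wispr(html: str) -> Optional[WisprMessage]:
    """Return the embedded WISPr message, or None when the page carries none
    (an ordinary web page, or a portal that only supports browser login)."""
    match = _WISPR_BLOCK.search(html)
    if match is None:
        return None
    root = ET.fromstring(match.group(1))
    body = next(iter(root), None)
    if body is None or body.tag not in ("Redirect", "AuthenticationReply"):
        raise ValueError("WISPr block without a Redirect or AuthenticationReply element")

    def text(tag: str) -> Optional[str]:
        return (body.findtext(tag) or "").strip() or None

    try:
        message_type, response_code = int(text("MessageType")), int(text("ResponseCode"))
    except (TypeError, ValueError):
        raise ValueError("WISPr block is missing MessageType or ResponseCode") from None
    return WisprMessage(kind=body.tag, message_type=message_type, response_code=response_code,
                        login_url=text("LoginURL"), logoff_url=text("LogoffURL"),
                        location_name=text("LocationName"), reply_message=text("ReplyMessage"))


# Constructed sample pages: the initial redirect, then the two possible login results.
REDIRECT_PAGE = """<html><head><title>Redirect</title>
<!--
<?xml version="1.0" encoding="UTF-8"?>
<WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Redirect>
    <AccessProcedure>1.0</AccessProcedure>
    <AccessLocation>hotspot-01 (constructed)</AccessLocation>
    <LocationName>Example Hotspot (constructed)</LocationName>
    <LoginURL>https://portal.example.net/wispr/login</LoginURL>
    <MessageType>100</MessageType>
    <ResponseCode>0</ResponseCode>
  </Redirect>
</WISPAccessGatewayParam>
-->
</head><body>Redirecting to login...</body></html>"""

LOGIN_OK_PAGE = """<html><head>
<!--
<WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AuthenticationReply>
    <MessageType>120</MessageType>
    <ResponseCode>50</ResponseCode>
    <ReplyMessage>Welcome (constructed)</ReplyMessage>
    <LogoffURL>https://portal.example.net/wispr/logoff?sid=constructed</LogoffURL>
  </AuthenticationReply>
</WISPAccessGatewayParam>
-->
</head><body>Logged in.</body></html>"""

LOGIN_FAILED_PAGE = LOGIN_OK_PAGE.replace("<ResponseCode>50</ResponseCode>",
                                          "<ResponseCode>100</ResponseCode>")

if __name__ == "__main__":
    for page in (REDIRECT_PAGE, LOGIN_OK_PAGE, LOGIN_FAILED_PAGE):
        msg = parse_wispr(page)
        print(msg.kind, MESSAGE_TYPES.get(msg.message_type), "->", msg.result)
```

A client that treats any 2xx HTML page as "logged in" is the usual source of silent failures; checking for an AuthenticationReply with code 50 (rather than the absence of a redirect) is what the protocol intends, and a code of 102 or 201 indicates a RADIUS-side problem or a pending authentication that should be polled rather than retried with the credentials.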
Supported EAP Authentication Frameworks
The following EAP authentication frameworks are supported in the Instant network:
• EAP-TLS— The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server. EAP-TLS requires both the server certificate and the certification authority (CA) certificate to be installed on the IAP. The client certificate is verified on the Virtual Controller (the client certificate must be signed by a known CA) before the username is verified on the authentication server.
• EAP-TTLS (MSCHAPv2)— The Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords.
• EAP-PEAP (MSCHAPv2)— EAP-PEAP is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with the server. PEAP authentication creates an encrypted SSL/TLS tunnel between the client and the authentication server. The exchange of information is encrypted inside the tunnel, ensuring that the user credentials are kept secure.
• LEAP— Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys for authentication between the client and the authentication server.
To use the IAP’s internal database for user authentication, add the names and passwords of the users to be
authenticated.
Aruba does not recommend the use of LEAP authentication, because it does not provide any resistance to network
attacks.
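The security of the tunneled methods above rests on the client validating the server-side certificate: a PEAP or EAP-TTLS client that accepts any certificate still builds a TLS tunnel, but it may build it to the wrong party, and the password-based inner authentication then protects nothing. The audit script below is an added example for this guide, not part of Aruba Instant; it reads wpa_supplicant-style network blocks (the keys eap, ca_cert, domain_suffix_match, client_cert and private_key are real wpa_supplicant options, but the policy applied is this example's own) and flags the weak settings next to a hardened block. The configuration it audits is a constructed sample.

```python
"""Audit wpa_supplicant-style network blocks for EAP settings that undermine
the methods listed above (added example; sample configuration is constructed)."""
import re
from typing import Dict, List, Tuple

_NETWORK_BLOCK = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)

Finding = Tuple[str, str, str]   # (ssid, code, explanation)


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return one key/value dict per network={...} block, with quotes stripped."""
    networks = []
    for body in _NETWORK_BLOCK.findall(conf):
        fields: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            fields[key] = value.strip('"')
        networks.append(fields)
    return networks


def audit_network(net: Dict[str, str]) -> List[Finding]:
    ssid = net.get("ssid", "<no ssid>")
    eap = net.get("eap", "").upper()
    findings: List[Finding] = []
    if "WPA-EAP" not in net.get("key_mgmt", "").upper().split():
        return findings                      # PSK or open SSID: no EAP settings to audit
    if eap == "LEAP":
        findings.append((ssid, "LEAP",
                         "LEAP does not provide resistance to network attacks; use PEAP, EAP-TTLS or EAP-TLS"))
        return findings
    has_ca = bool(net.get("ca_cert") or net.get("ca_path"))
    has_name_pin = any(net.get(k) for k in ("domain_suffix_match", "domain_match", "subject_match"))
    if eap in ("PEAP", "TTLS", "TLS"):
        if not has_ca:
            # Without a trust anchor every server certificate is accepted, so the
            # tunnel may terminate on an untrusted server and the inner password is exposed.
            findings.append((ssid, "NO_CA_CERT",
                             f"{eap} without ca_cert: the server certificate is not validated"))
        elif not has_name_pin:
            findings.append((ssid, "NO_NAME_MATCH",
                             "ca_cert set but no domain_suffix_match: any certificate from that CA is accepted"))
    if eap == "TLS" and not (net.get("client_cert") and net.get("private_key")):
        findings.append((ssid, "NO_CLIENT_CERT",
                         "EAP-TLS needs client_cert and private_key; the client certificate is checked before the username"))
    return findings


def audit_config(conf: str) -> List[Finding]:
    return [f for net in parse_networks(conf) for f in audit_network(net)]


# Constructed sample: a PEAP block with no trust anchor, a legacy LEAP block,
# and two blocks configured the way the methods above expect.
SAMPLE_CONF = """
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="constructed"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-legacy"
    key_mgmt=WPA-EAP
    eap=LEAP
    identity="bob"
    password="constructed"
}
network={
    ssid="corp-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="constructed"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
}
network={
    ssid="corp-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    client_cert="/etc/wpa/alice.crt"
    private_key="/etc/wpa/alice.key"
    domain_suffix_match="radius.corp.example"
}
"""

if __name__ == "__main__":
    for ssid, code, why in audit_config(SAMPLE_CONF):
        print(f"{ssid}: {code}: {why}")
```

The same two checks (trust anchor present, server name pinned) apply whatever supplicant the client runs; on managed Windows or macOS clients they correspond to the "validate server certificate" and trusted-server-name settings of the wireless profile.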
Authentication Termination on IAP
IAPs support EAP termination for enterprise WLAN SSIDs. EAP termination can reduce the number of packets exchanged between the IAP and the authentication servers. Instant allows Extensible Authentication Protocol (EAP) termination for Protected Extensible Authentication Protocol-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2). PEAP-GTC termination allows authorization against a Lightweight Directory Access Protocol (LDAP) server or an external RADIUS server, while PEAP-MSCHAPv2 termination allows authorization against an external RADIUS server only.
This allows users to authenticate with PEAP-GTC termination, using their username and password, against a local Microsoft Active Directory server over LDAP.
• EAP-Generic Token Card (GTC)— This EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecurID and