the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials
on the IAP, which serves as a backup to the external authentication server.
• EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)— This EAP method is widely
supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.
Supported Authentication Servers
Based on your security requirements, you can configure internal or external authentication servers. This section
describes the types of servers that can be configured for client authentication:
• Internal RADIUS Server on page 151
• External RADIUS Server on page 151
• Dynamic Load Balancing between Two Authentication Servers on page 155
In the 6.4.0.2-4.1 release, you can configure a TACACS+ server for authenticating management users. For more
information on management users and TACACS+ server based authentication, see Configuring Authentication
Parameters for Management Users.
Internal RADIUS Server
Each IAP has an instance of the FreeRADIUS server running locally. When you enable the internal RADIUS server
option for the network, the RADIUS client on the IAP sends its RADIUS request to the IAP's local IP address, and the
internal RADIUS server listens for and replies to that request. Instant itself therefore serves as the RADIUS server for
802.1X authentication. The internal RADIUS server can also be configured as a backup RADIUS server for an
external RADIUS server.
External RADIUS Server
On the external RADIUS server, the IP address of the Virtual Controller is configured as the NAS IP address. Instant
RADIUS is implemented on the Virtual Controller, which eliminates the need to configure a separate NAS client for
every IAP on the RADIUS server for client authentication. Instant RADIUS dynamically forwards all
authentication requests from a NAS to the remote RADIUS server. The RADIUS server responds to each
authentication request with an Access-Accept or Access-Reject message, and the client is allowed or denied
access to the network depending on that response. When you enable an external RADIUS
server for the network, the RADIUS client on the IAP sends its request to the local IP address of the Virtual
Controller, which forwards it to the external RADIUS server; the external RADIUS server then responds to the request.
Instant supports the following external authentication servers:
• RADIUS (Remote Authentication Dial-In User Service)
• LDAP (Lightweight Directory Access Protocol)
• CPPM Server for AirGroup CoA
To use an LDAP server for user authentication, configure the LDAP server on the Virtual Controller, and configure
user IDs and passwords. To use a RADIUS server for user authentication, configure the RADIUS server on the
Virtual Controller.
RADIUS Server Authentication with VSA
An external RADIUS server authenticates network users and returns to the IAP the vendor-specific attribute (VSA)
that contains the name of the network role for the user. The authenticated user is placed into the management role
specified by the VSA.
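The request/response exchange described under External RADIUS Server, together with the VSA-based role derivation just described, as an added example that is not code from the Aruba Instant guide or from Aruba. It is a self-contained RFC 2865 exchange run in-process: the IAP side builds an Access-Request (User-Name, hidden User-Password, and the Virtual Controller IP as NAS-IP-Address), a simulated external RADIUS server checks the credentials against a constructed user table and answers with Access-Accept carrying an Aruba-User-Role VSA or with Access-Reject, and the IAP side verifies the Response Authenticator with the shared secret before it trusts the role. The vendor id 14823 and the Aruba-User-Role sub-attribute 1 are taken from Aruba's public RADIUS dictionary (not from this page); the user table, shared secret, NAS IP and the function names build_access_request, radius_server, handle_response and authenticate are this example's own assumptions.

```python
"""Added example: RFC 2865 Access-Request / Access-Accept exchange with an Aruba
role VSA and client-side Response Authenticator verification (not Aruba's code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
ARUBA_VENDOR_ID = 14823   # Aruba's IANA enterprise number (Aruba's public RADIUS dictionary)
ARUBA_USER_ROLE = 1       # Aruba-User-Role sub-attribute in that dictionary

# Constructed sample data: the server's user table (password, role) and the shared secret.
USER_DB = {"alice": ("s3cret-pw", "employee"), "guest1": ("welcome", "guest")}
SECRET = b"radius-shared-secret"


def attr(kind, value):
    """Encode one attribute as Type(1) Length(1) Value; Length includes the 2-byte header."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id(4), then Vendor-Type(1) Vendor-Length(1) Value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def recover_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; the chain feeds on the hidden (cipher) blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def parse_attributes(raw):
    """Walk the TLV list; reject lengths that would run past the packet."""
    attrs, i = [], 0
    while i < len(raw):
        kind, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute")
        attrs.append((kind, raw[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(username, password, nas_ip, secret, ident=1):
    """IAP side: NAS-IP-Address carries the Virtual Controller IP, as the guide describes."""
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def radius_server(request, secret, user_db=USER_DB):
    """Simulated external server: Access-Accept with a role VSA on success, else Access-Reject."""
    code, ident, _ = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], dict(parse_attributes(request[20:]))
    user = attrs[USER_NAME].decode()
    password = recover_password(attrs[USER_PASSWORD], secret, request_auth)
    if code == ACCESS_REQUEST and user in user_db and password == user_db[user][0].encode():
        reply_code, reply_attrs = ACCESS_ACCEPT, vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, user_db[user][1].encode())
    else:
        reply_code, reply_attrs = ACCESS_REJECT, b""
    return packet(reply_code, ident, response_authenticator(reply_code, ident, reply_attrs, request_auth, secret), reply_attrs)


def handle_response(reply, request_auth, secret):
    """IAP side: verify the Response Authenticator first, then derive the role from the Aruba VSA.
    Returns (accepted, role); raises ValueError for a reply not produced with the shared secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("length field does not match packet size")
    auth, attrs = reply[4:20], reply[20:]
    if not hmac.compare_digest(auth, response_authenticator(code, ident, attrs, request_auth, secret)):
        raise ValueError("bad Response Authenticator: reply was not produced with the shared secret")
    role = None
    for kind, value in parse_attributes(attrs):
        if kind == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == ARUBA_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            if vtype == ARUBA_USER_ROLE:
                role = value[6:4 + vlen].decode()
    return code == ACCESS_ACCEPT, role


def authenticate(username, password, server_secret=SECRET, nas_ip="10.0.0.5"):
    """Whole exchange; a server_secret other than SECRET simulates a mismatched shared secret."""
    request, request_auth = build_access_request(username, password, nas_ip, SECRET)
    return handle_response(radius_server(request, server_secret), request_auth, SECRET)


if __name__ == "__main__":
    print(authenticate("alice", "s3cret-pw"))   # (True, 'employee')
    print(authenticate("alice", "wrong"))       # (False, None)
    try:
        authenticate("alice", "s3cret-pw", server_secret=b"other-secret")
    except ValueError as err:
        print("discarded reply:", err)
```

The order inside handle_response is the point a practitioner should take away: the role carried in the VSA is only acted on after the Response Authenticator has been checked with the shared secret, so a reply from a host that does not hold the secret (the mismatched-secret case in the demo) is discarded rather than placing the user into a role.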
Instant supports the following VSAs for user role and VLAN derivation rules:
• AP-Group
Aruba Instant 6.4.0.2-4.1 | User Guide Authentication and User Management | 151