Owners manual

Table 31: Recommended Authentication and Encryption Combinations

| Network Type | Authentication | Encryption |
|---|---|---|
| Employee | 802.1X | AES |
| Guest Network | Captive Portal | None |
| Voice Network or Handheld devices | 802.1X or PSK as supported by the device | AES if possible, TKIP or WEP if necessary (combine with security settings assigned for a user role). |
Support for Authentication Survivability
The authentication survivability feature provides an authentication framework that survives remote link
failures when the IAPs work with external authentication servers. When enabled, this feature allows the IAPs to
authenticate previously connected clients against cached credentials if the connection to the authentication
server is temporarily lost.
Instant supports the following EAP standards for authentication survivability:
- EAP-PEAP: The Protected Extensible Authentication Protocol, also known as Protected EAP or PEAP, is a
protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS)
tunnel. EAP-PEAP supports the MSCHAPv2 and GTC methods.
- EAP-TLS: EAP-Transport Layer Security (EAP-TLS) is an IETF open standard that uses the Transport Layer
Security (TLS) protocol.
When the authentication survivability feature is enabled, the following authentication process is used:
1. The client associates to an IAP and authenticates to the external authentication server. The external
authentication server can be either CPPM (for EAP-PEAP) or a RADIUS server (for EAP-TLS).
2. Upon successful authentication, the associated IAP caches the authentication credentials of the connected
users for the configured duration. The cache expiry duration for authentication survivability can be set within the
range of 1-99 hours, with 24 hours being the default cache timeout duration.
3. If the client roams or tries to reconnect to the IAP and the remote link fails due to the unavailability of the
authentication server, the IAP uses the cached credentials in the internal authentication server to authenticate
the user. However, if the user tries to reconnect after the cache expiry, the authentication fails.
4. When the authentication server is available and the client tries to reconnect, the IAP detects that the
server is available and allows the client to authenticate to the server. Upon successful authentication, the IAP
cache details are refreshed.
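The four steps above can be modelled as one decision function, which makes the cache window and its edge cases easy to test. The following Python model is an added example, not Aruba code. The class name, the hour-based clock, the handling of a server reject and the rule that an entry is expired once the configured number of hours has elapsed are assumptions.

```python
from dataclasses import dataclass, field

MIN_HOURS, MAX_HOURS, DEFAULT_HOURS = 1, 99, 24  # range and default from step 2


@dataclass
class SurvivabilityCache:
    """Hypothetical model of an IAP credential cache (assumption, not Aruba code)."""
    cache_hours: int = DEFAULT_HOURS
    entries: dict = field(default_factory=dict)  # user -> expiry time in hours

    def __post_init__(self):
        if not MIN_HOURS <= self.cache_hours <= MAX_HOURS:
            raise ValueError("cache expiry must be within 1-99 hours")

    def authenticate(self, user, now, server_up, server_accepts=True):
        """Return (allowed, source) for one attempt at time `now` in hours."""
        if server_up:
            # Steps 1 and 4: a reachable server always makes the decision.
            if server_accepts:
                self.entries[user] = now + self.cache_hours  # step 2, or refresh
                return True, "server"
            # Assumption: a reject from the server also drops the cached entry.
            self.entries.pop(user, None)
            return False, "server"
        # Step 3: server unreachable, so fall back to the cache until expiry.
        expiry = self.entries.get(user)
        if expiry is not None and now < expiry:
            return True, "cache"
        self.entries.pop(user, None)
        return False, ("cache-miss" if expiry is None else "cache-expired")


def run_timeline():
    """Constructed timeline (hours) with the default 24-hour cache."""
    iap = SurvivabilityCache()
    return [
        iap.authenticate("alice", now=0, server_up=True),    # first login, cached
        iap.authenticate("alice", now=10, server_up=False),  # link down, cache hit
        iap.authenticate("bob", now=10, server_up=False),    # never cached
        iap.authenticate("alice", now=25, server_up=False),  # after cache expiry
        iap.authenticate("alice", now=30, server_up=True),   # link back, refreshed
        iap.authenticate("alice", now=50, server_up=False),  # inside new window
    ]


if __name__ == "__main__":
    for result in run_timeline():
        print(result)
```

In this model, a change made on the authentication server during an outage is not visible to the IAP until the link returns or the cache entry expires, which is the trade-off to weigh when choosing the cache duration.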
Configuring Authentication Survivability
You can enable authentication survivability for a wireless network profile through the UI or CLI.
In the Instant UI
To configure authentication survivability for a wireless network:
1. In the Network tab, click New to create a new network profile or select an existing profile for which you want to
enable authentication survivability and click edit.
2. In the Edit <profile-name> or New WLAN window, ensure that all required WLAN and VLAN attributes are
defined, and then click Next.
Aruba Instant 6.4.0.2-4.1 | User Guide Authentication and User Management | 157