Owners manual

ManualsBrandsARUBA NETWORKS ManualsComputers & LaptopsAruba Instant IAP-325 IEEE 802.11ac 1.69 Gbit/s Wireless Access Point - 2.40 GHz, 5 GHz - 8 x Antenna(s) - 8 x Internal Antenna(

161

162

163

164

165

166

167

168

169

170

identify the user, it stops the authentication process and sends an

Access-Reject

message to the NAS. The

NAS forwards this message to the client and the client must re-authenticate with appropriate credentials.

5. After the client is authenticated, the RADIUS server forwards the encryption key to the NAS. The encryption key

is used for encrypting or decrypting traffic sent to and from the client.

The NAS acts as a gateway to guard access to a protected resource. A client connecting to the wireless network first

connects to the NAS.

Configuring 802.1X Authentication for a Wireless Network Profile

You can configure 802.1X authentication for a wireless network profile in the Instant UI or CLI.

In the Instant UI

To enable 802.1X authentication for a wireless network:

1. In the Network tab, click New to create a new network profile or select an existing profile for which you want to

enable 802.1X authentication and click edit.

2. In the Edit <profile-name> or New WLAN window, ensure that all required WLAN and VLAN attributes are

defined, and then click Next.

3. In the Security tab, specify the following parameters for the Enterprise security level:

a. Select any of the following options from the Key management drop-down list.

l WPA-2 Enterprise

l WPA Enterprise

l Both (WPA-2 & WPA)

l Dynamic WEP with 802.1X

4. If you do not want to use a session key from the RADIUS Server to derive pair wise unicast keys, set Session

Key for LEAP to Enabled.

5. To terminate the EAP portion of 802.1X authentication on the IAP instead of the RADIUS server, set

Termination to Enabled.

By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the AP

acts as a relay for this exchange. When Termination is enabled, the IAP by itself acts as an authentication

server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external

RADIUS server.

6. Specify the type of authentication server to use and configure other required parameters. You can also configure

two different authentication servers to function as primary and backup servers when termination is enabled. For

more information on RADIUSauthentication configuration parameters, see Configuring an External Server for

Authentication on page 158.

7. Click Next to define access rules, and then click Finish to apply the changes.

In the CLI

To configure 802.1X authentication for a wireless network:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# type {<Employee>|<Voice>}

(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip|wpa-tkip,wpa2-aes|dynamic-wep}

(Instant AP)(SSID Profile <name>)# leap-use-session-key

(Instant AP)(SSID Profile <name>)# termination

(Instant AP)(SSID Profile <name>)# auth-server <server1>

(Instant AP)(SSID Profile <name>)# auth-server <server2>

(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>

(Instant AP)(SSID Profile <name>)# auth-survivability

(Instant AP)(SSID Profile <name>)# exit

Aruba Instant 6.4.0.2-4.1 | User Guide Authentication and User Management | 165