User's Manual
authentication message to the AP. For more information on WISPr authentication, see Configuring WISPr
authentication on page 54.
Supported authentication servers
Based on the security requirements, you can configure internal or external RADIUS servers. This section
describes the following types of authentication servers and authentication termination, which can be configured for
a network profile:
External RADIUS server
In the external RADIUS server, the IP address of the VC is configured as the NAS IP address. Cloud Network
Manager RADIUS is implemented on the VC, and this eliminates the need to configure multiple NAS clients for
every AP on the RADIUS server for client authentication. Cloud Network Manager RADIUS dynamically forwards
all the authentication requests from a NAS to a remote RADIUS server. The RADIUS server responds to the
authentication request with an Access-Accept or Access-Reject message, and users are allowed or denied
access to the network depending on the response from the RADIUS server.
When you enable an external RADIUS server for the network, the client on the AP sends a RADIUS packet to the
local IP address. The external RADIUS server then responds to the RADIUS packet.
Cloud Network Manager supports the following external authentication servers:
- RADIUS
- LDAP
To use an LDAP server for user authentication, configure the LDAP server on the VC, and configure user IDs and
passwords.
To use a RADIUS server for user authentication, configure the RADIUS server on the VC.
RADIUS server authentication with VSA
An external RADIUS server authenticates network users and returns to the AP the Vendor-Specific Attribute
(VSA) that contains the name of the network role for the user. The authenticated user is placed into the
management role specified by the VSA.
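The exchange described in the two sections above (an Access-Request carrying the NAS IP address, an Access-Accept or Access-Reject answered by the server, and a Vendor-Specific Attribute that names the user role) is shown below as an added example. This is not code from the HP Cloud Network Manager guide or from the product; it is a minimal RFC 2865 implementation of both sides, written with only the Python standard library. The NAS IP address, user names, passwords, shared secret and role names are constructed sample values. The vendor ID 14823 and vendor type 1 used for the role VSA are an assumption not stated on this page; confirm them against the dictionary shipped with your RADIUS server. The point a practitioner should take from it is on the NAS side: the Response Authenticator must be checked before an Access-Accept is trusted, otherwise any host that can reach the NAS can forge an accept.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC = 1, 2, 4, 26
# Assumed vendor values for the role VSA; not given on this page. Check your server's dictionary.
VENDOR_ID, VENDOR_TYPE_USER_ROLE = 14823, 1


def attr(atype, value):
    """Encode one RADIUS attribute as Type | Length | Value (length includes the 2 header bytes)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa_user_role(role):
    """Vendor-Specific attribute (type 26) wrapping Vendor-Id + Vendor-Type + Vendor-Length + role string."""
    inner = struct.pack("!BB", VENDOR_TYPE_USER_ROLE, len(role) + 2) + role.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID) + inner)


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block)."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)          # pad to a multiple of 16 bytes
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; strips the null padding. Garbage if the secret is wrong."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(block, mask)), block
    return out.rstrip(b"\x00").decode("utf-8", "replace")


def pack(code, ident, authenticator, attrs):
    """Code(1) | Identifier(1) | Length(2) | Authenticator(16) | Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(username, password, secret, nas_ip, ident=1):
    """NAS (the VC) side: Access-Request with a fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    attrs += attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    return pack(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def server_handle(request, secret, users):
    """Toy RADIUS server: users maps name -> (password, role). Accept carries the role VSA."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, fields = request[4:20], dict(parse_attrs(request[20:length]))
    user = fields[ATTR_USER_NAME].decode()
    password = reveal_password(fields[ATTR_USER_PASSWORD], secret, req_auth)
    if user in users and hmac.compare_digest(users[user][0], password):
        out_code, attrs = ACCESS_ACCEPT, vsa_user_role(users[user][1])
    else:
        out_code, attrs = ACCESS_REJECT, b""
    return pack(out_code, ident, response_authenticator(out_code, ident, attrs, req_auth, secret), attrs)


def client_verify(response, req_auth, secret):
    """NAS side: verify the Response Authenticator first, then read the verdict and the role VSA."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    attrs = response[20:length]
    expected = response_authenticator(code, ident, attrs, req_auth, secret)
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: reply was not produced with the shared secret")
    role = None
    for atype, value in parse_attrs(attrs):
        if atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == VENDOR_ID \
                and value[4] == VENDOR_TYPE_USER_ROLE:
            role = value[6:4 + value[5]].decode()   # Vendor-Length at value[5] covers its 2-byte header
    return code == ACCESS_ACCEPT, role


def round_trip(username, password, secret, users, nas_ip="10.0.0.2"):
    """Full exchange between NAS and server; returns (accepted, role)."""
    request, req_auth = build_access_request(username, password, secret, nas_ip)
    return client_verify(server_handle(request, secret, users), req_auth, secret)


def forged_accept_detected():
    """An Access-Accept signed with a guessed secret must be rejected by the NAS."""
    secret, guess = b"constructed-shared-secret", b"guess"
    request, req_auth = build_access_request("alice", "x", secret, "10.0.0.2")
    attrs, ident = vsa_user_role("admin"), request[1]
    forged = pack(ACCESS_ACCEPT, ident, response_authenticator(ACCESS_ACCEPT, ident, attrs, req_auth, guess), attrs)
    try:
        client_verify(forged, req_auth, secret)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    users = {"alice": ("correct horse battery staple", "employee")}   # constructed sample user
    print(round_trip("alice", "correct horse battery staple", b"constructed-shared-secret", users))
    print(forged_accept_detected())
```

The server verdict only travels as a one-byte code, so the whole of the trust sits in the Response Authenticator and the shared secret. The same check is what lets the VC act as the single NAS client for every AP, as the section describes: each AP forwards through the VC, and only the VC and the server need to hold the secret.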
Internal RADIUS server
Each AP has an instance of a FreeRADIUS server operating locally. When you enable the internal RADIUS server
option for the network, the client on the AP sends a RADIUS packet to the local IP address. The internal RADIUS
server listens for and replies to the RADIUS packet.
The following authentication methods are supported in the Cloud Network Manager network:
- EAP-TLS: The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server. EAP-TLS requires both server and Certification Authority (CA) certificates to be installed on the AP. The client certificate is verified on the VC (the client certificate must be signed by a known CA) before the username is verified on the authentication server.
- EAP-TTLS (MSCHAPv2): The Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords.
- EAP-PEAP (MSCHAPv2): The Extensible Authentication Protocol-Protected Extensible Authentication Protocol (EAP-PEAP) is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with the server. PEAP authentication creates an encrypted SSL/TLS tunnel between the client and the authentication server. Information exchanged inside the tunnel is encrypted, ensuring that user credentials are kept secure.
HP Cloud Network Manager | User Guide Wireless configuration | 48