Aruba Instant 6.5.0.0-4.3.0.0 | User Guide
150 | Authentication and User Management
If a hotspot is configured to use WISPr authentication in a specific ISP and a client attempts to access the Internet at that hotspot, the WISPr AAA server configured for the ISP authenticates the client directly and allows the client to access the network. If the client only has an account with a partner ISP, the WISPr AAA server forwards the client’s credentials to the partner ISP’s WISPr AAA server for authentication. When the client is authenticated on the partner ISP, it is also authenticated on the hotspot’s own ISP as per their service agreements. The IAP assigns the default WISPr user role to the client when the client's ISP sends an authentication message to the IAP. For more information on WISPr authentication, see .
Supported EAP Authentication Frameworks
The following EAP authentication frameworks are supported in the Instant network:
• EAP-TLS—The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server. EAP-TLS requires both server and certification authority (CA) certificates installed on the IAP. The client certificate is verified on the VC (the client certificate must be signed by a known CA) before the username is verified on the authentication server.
• EAP-TTLS (MS-CHAPv2)—The Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords.
• EAP-PEAP (MS-CHAPv2)—EAP-PEAP is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with the server. PEAP authentication creates an encrypted SSL/TLS tunnel between the client and the authentication server. The exchange of information is encrypted inside the tunnel, ensuring that the user credentials are kept secure.
• LEAP—Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys for authentication between the client and the authentication server.
To use the IAP’s internal database for user authentication, add the usernames and passwords of the users to be authenticated.
Aruba does not recommend the use of LEAP authentication, because it does not provide any resistance to network attacks.
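The EAP frameworks above differ in whether the credential exchange is wrapped in a TLS tunnel (EAP-TLS, EAP-TTLS, EAP-PEAP) or not (LEAP). The following parser, added here as an illustration and not part of Aruba's software or this guide, decodes the RFC 3748 EAP header of a client Response and reports which outer method the client has committed to, so a reviewer of a capture can spot LEAP or an untunnelled method. The method type numbers are the IANA-registered values; the sample frames are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# IANA EAP method type codes (RFC 3748 registry) for the methods the guide lists.
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 6: "GTC", 13: "TLS",
             17: "LEAP", 21: "TTLS", 25: "PEAP", 26: "MS-CHAPv2"}
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TUNNELLED = {"TLS", "TTLS", "PEAP"}  # outer methods that carry credentials inside TLS

@dataclass
class EapPacket:
    code: str
    identifier: int
    method: Optional[str]  # None for Success/Failure, which carry no Type byte
    data: bytes

def parse_eap(frame: bytes) -> EapPacket:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(frame) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if code not in CODES or length != len(frame):  # Length spans the whole packet
        raise ValueError(f"bad EAP header: code={code} length={length} size={len(frame)}")
    if code in (3, 4):
        return EapPacket(CODES[code], ident, None, b"")
    if length < 5:
        raise ValueError("Request/Response is missing the Type byte")
    return EapPacket(CODES[code], ident, EAP_TYPES.get(frame[4], f"Type-{frame[4]}"), frame[5:])

def assess(pkt: EapPacket) -> str:
    """Verdict on a client Response based on the outer method it commits to."""
    if pkt.code != "Response" or pkt.method in (None, "Identity"):
        return "info"
    if pkt.method in TUNNELLED:
        return "tunnelled"    # EAP-TLS/TTLS/PEAP: the credential exchange stays inside TLS
    if pkt.method == "LEAP":
        return "leap"         # the method the guide advises against
    return "untunnelled"      # bare GTC/MD5/MS-CHAPv2 with no protecting outer tunnel

# Constructed sample frames (not captured traffic); the Length field is big-endian.
SAMPLES = {
    "identity": bytes([2, 1, 0, 13, 1]) + b"alice@ex",  # Response/Identity, 13 bytes
    "peap":     bytes([2, 2, 0, 6, 25, 0x01]),          # Response/PEAP, flags byte = v1
    "leap":     bytes([2, 3, 0, 5, 17]),                # Response/LEAP
    "gtc":      bytes([2, 4, 0, 9, 6]) + b"1234",       # Response/GTC outside any tunnel
}

def audit(frames: dict) -> dict:
    return {name: assess(parse_eap(f)) for name, f in frames.items()}
```

Only the outer method is visible on the wire; an inner PEAP-GTC or PEAP-MS-CHAPv2 exchange is inside the TLS tunnel and is reported as "tunnelled".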
Authentication Termination on IAP
IAPs support EAP termination for enterprise WLAN SSIDs. EAP termination can reduce the number of packets exchanged between the IAP and the authentication servers. Instant allows Extensible Authentication Protocol (EAP) termination for Protected Extensible Authentication Protocol-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAPv2). PEAP-GTC termination allows authorization against a Lightweight Directory Access Protocol (LDAP) server and an external RADIUS server, while PEAP-MS-CHAPv2 allows authorization against an external RADIUS server.
This allows users to run PEAP-GTC termination with their username and password to a local Microsoft Active Directory (MAD) server with LDAP authentication.
• EAP-Generic Token Card (GTC)—This EAP method permits the transfer of unencrypted usernames and passwords from the client to the server. The main uses for EAP-GTC are supporting one-time token cards such as SecurID and using LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the IAP to an external authentication server for user data backup.
• EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)—This EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.