Dell 6.2 Server User Manual


 
Figure 59: 802.1X Authentication with RADIUS Server
The supplicant and authentication server must be configured to use the same EAP type. The controller does not
need to know the EAP type used between the supplicant and authentication server.
For the controller to communicate with the authentication server, you must configure the IP address, authentication
port, and accounting port of the server on the controller. The authentication server must be configured with the IP
address of the RADIUS client, which is the controller in this case. Both the controller and the authentication server
must be configured to use the same shared secret.
NOTE: Additional information on the EAP types supported in a Windows environment, Microsoft supplicants, and the
authentication server is available at http://technet.microsoft.com/en-us/library/cc782851(WS.10).aspx.
The client communicates with the controller through a GRE tunnel in order to form an association with an AP and
to authenticate to the network. Therefore, the network authentication and encryption configured for an ESSID must
be the same on both the client and the controller.
Configuring Authentication Terminated on Controller
User authentication is performed either via the controller’s internal database or a non-802.1X server. See "802.1x
Authentication Profile Basic WebUI Parameters" on page 196 for an overview of the parameters that you need to
configure on 802.1X authentication components when 802.1X authentication is terminated on the controller (AAA
FastConnect).
Figure 60: 802.1X Authentication with Termination on Controller
In this scenario, the supplicant is configured for EAP-Transport Layer Security (TLS) or EAP-Protected EAP
(PEAP).
• EAP-TLS is used with smart card user authentication. A smart card holds a digital certificate which, with the
  user-entered personal identification number (PIN), allows the user to be authenticated on the network. EAP-TLS
  relies on digital certificates to verify the identities of both the client and server.
  EAP-TLS requires that you import server and certification authority (CA) certificates onto the controller (see
  "Configuring and Using Certificates with AAA FastConnect" on page 200). The client certificate is verified on
  the controller (the client certificate must be signed by a known CA) before the user name is checked on the
  authentication server.
• EAP-PEAP uses TLS to create an encrypted tunnel. Within the tunnel, one of the following “inner EAP”
  methods is used:
    ▪ EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of
      unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token
      cards such as SecurID and the use of an LDAP or RADIUS server as the user authentication server. You can
      also enable caching of user credentials on the controller as a backup to an external authentication server.
Dell PowerConnect W-Series ArubaOS 6.2 | User Guide    802.1X Authentication | 194