Dell 6.2 Server User Manual


 
Dell PowerConnect W-Series ArubaOS 6.2 | User Guide    Stateful and WISPr Authentication | 221
Chapter 15
Stateful and WISPr Authentication
ArubaOS supports stateful 802.1x authentication, stateful NTLM authentication and authentication for Wireless
Internet Service Provider roaming (WISPr). Stateful authentication differs from 802.1X authentication in that the
controller does not manage the authentication process directly, but monitors the authentication messages between a
user and an external authentication server, and then assigns a role to that user based upon the information in those
authentication messages. WISPr authentication allows clients to roam between hotspots using different ISPs.
This chapter describes the following topics:
• "Working With Stateful Authentication"
• "Working With WISPr Authentication"
• "Understanding Stateful Authentication Best Practices"
• "Configuring Stateful 802.1x Authentication"
• "Configuring Stateful NTLM Authentication"
• "Configuring Stateful Kerberos Authentication"
• "Configuring WISPr Authentication"
Working With Stateful Authentication
ArubaOS supports two different types of stateful authentication, stateful 802.1x and stateful NTLM.
• Stateful 802.1x authentication: This feature allows the controller to learn the identity and role of a user
connected to a third-party AP, and is useful for authenticating users to networks with APs from multiple vendors.
When an 802.1x-capable access point sends an authentication request to a RADIUS server, the controller inspects
this request and the associated response to learn the authentication state of the user. It then applies an
identity-based user role through the Policy Enforcement Firewall.
• Stateful Kerberos authentication: Use stateful Kerberos authentication to configure a controller to monitor the
Kerberos authentication messages between a client and a Windows authentication server. If the client
successfully authenticates via a Kerberos authentication server, the controller can recognize that the client has
been authenticated and assign that client a specified user role.
• Stateful NTLM authentication: NT LAN Manager (NTLM) is a suite of Microsoft authentication and session
security protocols. You can use stateful NTLM authentication to configure a controller to monitor the NTLM
authentication messages between a client and a Windows authentication server. If the client successfully
authenticates via an NTLM authentication server, the controller can recognize that the client has been
authenticated and assign that client a specified user role.
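The request/response inspection described for stateful 802.1x can be pictured with the following added example, which is not ArubaOS code and is not taken from this guide. It parses RADIUS packets in the RFC 2865 wire format, pairs each response with its request by sender address and identifier, and records a role only after an Access-Accept. The class and helper names, the role name, and keying state on Calling-Station-Id are assumptions made for the illustration.

```python
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, CALLING_STATION_ID = 1, 31                   # RFC 2865 attribute types

def parse_radius(data):
    """Return (code, identifier, {attr_type: value}); raise ValueError if malformed."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("length field disagrees with packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute overruns packet")
        attrs[a_type] = data[pos + 2:pos + a_len]
        pos += a_len
    return code, ident, attrs

def build(code, ident, attrs=()):
    """Build a constructed sample packet (authenticator zeroed, not verified here)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

class StatefulMonitor:
    """Hypothetical passive observer: tracks requests, acts only on the matching response."""
    def __init__(self, role="authenticated"):  # role name is an assumption
        self.role, self.pending, self.roles = role, {}, {}

    def observe(self, ap_ip, data):
        code, ident, attrs = parse_radius(data)
        key = (ap_ip, ident)  # the identifier is only unique per sender
        if code == ACCESS_REQUEST:
            text = lambda t: attrs.get(t, b"").decode("utf-8", "replace")
            self.pending[key] = (text(USER_NAME), text(CALLING_STATION_ID))
        elif key in self.pending:  # responses with no observed request are ignored
            user, station = self.pending.pop(key)
            if code == ACCESS_ACCEPT:
                self.roles[station] = (user, self.role)
            elif code == ACCESS_REJECT:
                self.roles.pop(station, None)
        return self.roles

def demo():
    m = StatefulMonitor()
    who = [(USER_NAME, b"alice"), (CALLING_STATION_ID, b"00-11-22-33-44-55")]
    m.observe("10.0.0.5", build(ACCESS_REQUEST, 7, who))  # constructed sample traffic
    return dict(m.observe("10.0.0.5", build(ACCESS_ACCEPT, 7)))
```

The example does not check the Response Authenticator, which requires the RADIUS shared secret.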
The default Windows authentication method changed from the older NTLM protocol to the newer Kerberos
protocol, starting with Windows 2000. Therefore, stateful NTLM authentication is most useful for networks with
legacy, pre-Windows 2000 clients. Note also that unlike other types of authentication, all users authenticated via
stateful NTLM authentication must be assigned to the user role specified in the Stateful NTLM Authentication