Dell 6.2 Server User Manual


 
222 | Dell PowerConnect W-Series ArubaOS 6.2 | User Guide
profile. Dell’s stateful NTLM authentication does not support placing users in various roles based upon group
membership or other role-derivation attributes.
Working With WISPr Authentication
WISPr authentication allows a “smart client” to authenticate on the network when it roams between Wireless
Internet Service Providers, even if the wireless hotspot uses an ISP for which the client may not have an account.
If you are a hotspot operator using WISPr authentication, and a client that has an account with your ISP attempts
to access the Internet at your hotspot, then your ISP’s WISPr AAA server authenticates that client directly, and
allows the client access on the network. If, however, the client only has an account with a partner ISP, then your
ISP’s WISPr AAA server forwards that client’s credentials to the partner ISP’s WISPr AAA server for authentication.
Once the client has been authenticated on the partner ISP, it is authenticated on your hotspot’s own ISP, as per
their service agreements. After your ISP sends an authentication message to the controller, the controller assigns the
default WISPr user role to that client.
ArubaOS supports the following smart clients, which enable client authentication and roaming between hotspots by
embedding iPass Generic Interface Specification (GIS) redirect, proxy, authentication and logoff messages within
HTML messages to the controller.
• iPass
• Bongo
• Trustive
• weRoam
• AT&T
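The following added example (not from this guide or from ArubaOS) shows how a GIS message embedded in an HTML page can be extracted and how a client can check the login URL before submitting credentials. The element names WISPAccessGatewayParam, MessageType and LoginURL and the numeric message codes follow the commonly documented WISPr 1.0 XML convention and are assumptions here; the sample page is constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Codes as commonly documented for WISPr 1.0 / iPass GIS (assumption: the
# guide names these four messages but does not list their codes).
MESSAGE_TYPES = {"100": "redirect", "110": "proxy",
                 "120": "authentication", "130": "logoff"}
# Only the root element is extracted, so a DOCTYPE/entity prologue is never parsed.
GIS_BLOCK = re.compile(r"<WISPAccessGatewayParam\b.*?</WISPAccessGatewayParam>", re.S)

# Constructed sample: a redirect message hidden in an HTML comment.
SAMPLE_HTML = """<html><body>Please log in.
<!--
<WISPAccessGatewayParam>
  <Redirect>
    <MessageType>100</MessageType>
    <ResponseCode>0</ResponseCode>
    <LoginURL>http://controller.example.net/wispr/login</LoginURL>
  </Redirect>
</WISPAccessGatewayParam>
-->
</body></html>"""

def parse_gis(html):
    """Return a list of (kind, fields) for each GIS message embedded in html."""
    messages = []
    for block in GIS_BLOCK.findall(html):
        try:
            root = ET.fromstring(block)
        except ET.ParseError:
            continue  # malformed block: skip it rather than guess its meaning
        for msg in root:
            fields = {child.tag: (child.text or "").strip() for child in msg}
            kind = MESSAGE_TYPES.get(fields.get("MessageType"), "unknown")
            messages.append((kind, fields))
    return messages

def login_url_problems(fields):
    """Checks a client should make before posting credentials to LoginURL."""
    url = urlparse(fields.get("LoginURL", ""))
    problems = []
    if url.scheme != "https":
        problems.append("LoginURL is not https")
    if not url.hostname:
        problems.append("LoginURL has no host")
    return problems

if __name__ == "__main__":
    for kind, fields in parse_gis(SAMPLE_HTML):
        print(kind, login_url_problems(fields))
```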
Understanding Stateful Authentication Best Practices
Before you can configure a stateful authentication feature, you should have defined a user role you want to assign to
the authenticated users, and created a server group that includes a RADIUS authentication server for stateful 802.1x
authentication or a Windows server for stateful NTLM authentication. For details on performing these tasks, see the
following sections of this User Guide:
• "Roles and Policies" on page 296
• "Configuring a RADIUS Server" on page 169
• "Configuring a Windows Server" on page 174
• "Configuring Server Groups" on page 177
You can use the default stateful NTLM authentication and WISPr authentication profiles to manage the settings for
these features, or you can create additional profiles as desired. Note, however, that unlike most other types of
authentication, stateful 802.1x authentication uses only a single Stateful 802.1x profile. This profile can be enabled or
disabled, but you cannot configure more than one instance of a Stateful 802.1x profile.
Configuring Stateful 802.1x Authentication
When you configure 802.1x authentication for clients on non-Dell APs, you must specify the group of RADIUS
servers that performs the user authentication, and select the role to be assigned to those users who successfully
complete authentication. When the user logs off or shuts down the client machine, ArubaOS notes the
deauthentication message from the RADIUS server, and changes the user’s role from the specified authenticated role
back to the logon role. For details on defining a RADIUS server used for stateful 802.1x authentication, see
"Configuring a RADIUS Server" on page 169