About Me

GTA, Ontario, Canada
Hold the Door!!! CCIE 25938: CCIE Routing & Switching, Security, Voice, and latest CCIE Datacenter. Python+SDN is ongoing.

Thursday, December 29, 2011

Aruba Authentication Adv Options and Misc.

There are a couple of advanced options under 802.1x authentication. Here is a brief introduction. :)

1. The difference between Normal EAP and AAA FastConnect (EAP-Offload):

Normal EAP:

AAA FastConnect (EAP-Offload):

It is easy to understand and configure:

2. Machine Authentication:
When a Windows device boots, it logs onto the network domain using a machine account: host/<pc-name>.<domain>
You can configure 802.1x for both User and Machine Authentication.
Machine Authentication is optional; it is configured under L2 Authentication.

Setting Roles for Machine/User Authentication:

3. Blacklist due to failed authentication:

Aruba Controller Authentication Part 2 WPA/WPA2 and 802.1X

This part is about configuring WPA or WPA2 with 802.1x on Aruba Controllers.
1. Configure the external auth-server or the internal-db.
2. Create a server group and assign the configured auth-server to it.
3. Create a dot1x profile and configure the required dot1x parameters (EAP-Offload, key rotation, re-auth, etc.).
4. Create an AAA profile and assign to it the dot1x profile and the dot1x server group created in Steps 2 and 3.
5. Create an AP Group and a Virtual AP.
6. Assign the AAA profile to the Virtual AP.
7. Configure the SSID profile with the SSID, the required operation mode (the encryption to use with dot1x), the authentication settings and any other parameters.

802.1x Configuration Example: WPA2-AES

Step 1 - Configure a Server:

Step 2 - Configure the Server Group: create a Server Group and assign the server to it.
NOTE: Multiple servers are allowed. When the "Fail Through" box is unchecked and one server denies the authentication, no request is sent to the remaining servers. When the "Fail Through" box is checked and one server denies the authentication, the request is still sent on to the remaining servers. Furthermore, when using 802.1x authentication, Fail Through only works with AAA FastConnect enabled.

Step 3 - Configure the AAA Profile to use dot1x:

Step 4 - Configure the L2 dot1x Profile:

Step 5 - Create an AP Group and Virtual AP:

Step 6 - Assign the AAA Profile to the VAP:

Step 7 - Configure the SSID to WPA2-AES:

Note: 802.11i supports both TKIP and AES-CCM. 802.11i intends for users to ultimately take advantage of AES-CCM, as it is better than the other existing options. However, as mentioned in earlier slides, it generally requires a hardware upgrade for the wireless clients. Therefore, TKIP is available as an alternative to basic WEP to improve security without the need for a full-fledged hardware upgrade.

A better solution than PSK is to use dynamic keys. Here, dynamic keys are used to provide the greatest level of security.
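Steps 1 to 7 above, expressed as ArubaOS CLI configuration. This is an added example, not the original post's (screenshot-based) configuration; all profile names, the RADIUS address and shared secret, the VLAN, the ESSID and the "machine-only" role are assumptions chosen for this example, and lines starting with "!" are annotations. The server group has "Fail Through" enabled, which only takes effect because the dot1x profile terminates EAP on the controller (AAA FastConnect), as the note in Step 2 points out.

```text
! Step 1 - RADIUS authentication server (placeholder address and secret)
aaa authentication-server radius "RADIUS-1"
   host 10.1.1.10
   key "ChangeMe-SharedSecret"
!
! Step 2 - server group; allow-fail-through is the "Fail Through" checkbox
aaa server-group "DOT1X-SG"
   auth-server "RADIUS-1"
   allow-fail-through
!
! Role for a machine that passed machine auth but whose user has not yet
! authenticated (placeholder ACL; narrow it to domain logon traffic in production)
user-role "machine-only"
   session-acl "allowall"
!
! Step 4 - L2 dot1x profile: AAA FastConnect (EAP termination on the controller),
! machine authentication with role mapping, blacklisting and re-authentication
aaa authentication dot1x "DOT1X-PROF"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
   machine-authentication enable
   machine-authentication machine-default-role "machine-only"
   machine-authentication user-default-role "guest"
   machine-authentication blacklist-on-failure
   max-authentication-failures 3
   reauthentication
   timer reauth-period 86400
!
! Step 3 - AAA profile ties the dot1x profile to the dot1x server group
aaa profile "DOT1X-AAA"
   initial-role "logon"
   authentication-dot1x "DOT1X-PROF"
   dot1x-default-role "authenticated"
   dot1x-server-group "DOT1X-SG"
!
! Step 7 - SSID profile: WPA2 with AES-CCM, keys derived dynamically from 802.1x
wlan ssid-profile "CORP-SSID"
   essid "Corp-Secure"
   opmode wpa2-aes
!
! Steps 5 and 6 - Virtual AP carrying the AAA profile, placed in an AP group
wlan virtual-ap "CORP-VAP"
   ssid-profile "CORP-SSID"
   aaa-profile "DOT1X-AAA"
   vlan 100
!
ap-group "default"
   virtual-ap "CORP-VAP"
```

With "max-authentication-failures 3" a client that fails three times is blacklisted, and "blacklist-on-failure" does the same for a failed machine authentication; "show aaa authentication dot1x DOT1X-PROF" displays the resulting profile for verification.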

Aruba Controller Authentication Part 1 MAC-Auth

Aruba Controllers provide a couple of server types for authentication, such as: RADIUS, LDAP, Internal DB, TACACS server, XML API server, RFC 3576 server and Windows Server.

This blog is going to talk about how to set up authentication on an Aruba Controller.
First of all, MAC Authentication: appropriate for devices that cannot run authentication software or where there are no users, such as scanners, printers, etc.
NOTE: MAC Authentication is easily spoofed. Not recommended for most environments.

MAC Address Authentication Configuration Steps:
1. Create or use the "Default" MAC Authentication profile.
2. Create or use an existing server (Auth>Server Group).
3. If an external server is used, assign it to a server group. If the "Internal" server is used, assign it to the server group (more than one server can be used).
4. Create an AAA profile for MAC authentication. The server(s)/server group and the MAC Authentication profile are assigned to the AAA profile (Auth>AAA).
5. Assign the AAA profile to the Virtual AP.

Create or configure a MAC Authentication profile:

Create a server or use an existing server. Configure the appropriate MAC Authentication settings:

Assign the server to a server group:

Create an AAA Profile. Assign the MAC Auth Profile and the server group to the AAA profile:

Assign the AAA profile to the Virtual AP: