Dell W-Series 207 Instant 6.5.1.0-4.3.1.0 User Guide - Page 162

Instant supports the following EAP standards for authentication survivability: l EAP-PEAP: The Protected Extensible Authentication Protocol, also known as Protected EAP or PEAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. The EAP-PEAP supports MS-CHAPv2 and GTC methods. l EAP-TLS: EAP-Transport Layer Security (EAP-TLS) is an IETF open standard that uses the Transport Layer Security (TLS) protocol. When the authentication survivability feature is enabled, the following authentication process is used: 1. The client associates to a W-IAP and authenticates to the external authentication server. The external authentication server can be either ClearPass Policy Manager (for EAP-PEAP) or RADIUS server (EAP-TLS). 2. Upon successful authentication, the associated W-IAP caches the authentication credentials of the connected clients for the configured duration. The cache expiry duration for authentication survivability can be set within the range of 1-99 hours, with 24 hours being the default cache timeout duration. 3. If the client roams or tries to reconnect to the W-IAP and the remote link fails due to the unavailability of the authentication server, the W-IAP uses the cached credentials in the internal authentication server to authenticate the user. However, if the client tries to reconnect after the cache expiry, the authentication fails. 4. When the authentication server is available and if the client tries to reconnect, the W-IAP detects the availability of server and allows the client to authenticate to the server. Upon successful authentication, the W-IAP cache details are refreshed. Enabling Authentication Survivability You can enable authentication survivability for a wireless network profile through the UI or the CLI. In the Instant UI To configure authentication survivability for a wireless network: 1. On the Network tab, click New to create a new network profile or select an existing profile for which you want to enable authentication survivability and click edit. 2. In the Edit or the New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next. 3. On the Security tab, under Enterprise security settings, select an existing authentication server or create a new server by clicking New. 4. To enable authentication survivability, select Enabled from the Authentication survivability drop-down list. On enabling this, the W-IAP authenticates the previously connected clients using EAP-PEAP and EAP-TLS authentication when connection to the external authentication server is temporarily lost. 5. Specify the cache timeout duration, after which the cached details of the previously authenticated clients expire. You can specify a value within the range of 1-99 hours and the default cache timeout duration is 24 hours. 6. Click Next and then click Finish to apply the changes. Important Points to Remember l Any client connected through ClearPass Policy Manager and authenticated through W-IAP remains authenticated with the W-IAP even if the client is removed from the ClearPass Policy Manager server during the ClearPass Policy Manager downtime. l Do not make any changes to the authentication survivability cache timeout duration when the authentication server is down. l For EAP-PEAP authentication, ensure that the ClearPass Policy Manager 6.0.2 or later version is used for authentication. For EAP-TLS authentication, any external or third-party server can be used. 162 | Authentication and User Management Dell Networking W-Series Instant 6.5.1.0-4.3.1.0 | User Guide