User's Manual

Dell Networking W-Series ArubaOS 6.4.x| User Guide Stateful and WISPr Authentication | 285
Chapter 12
Stateful and WISPr Authentication
ArubaOS supports stateful 802.1X authentication, stateful NTLM authentication and authentication for
Wireless Internet Service Provider roaming (WISPr). Stateful authentication differs from 802.1X authentication
in that the controller does not manage the authentication process directly, but monitors the authentication
messages between a user and an external authentication server, and then assigns a role to that user based
upon the information in those authentication messages. WISPr authentication allows clients to roam between
hotspots using different ISPs.
This chapter describes the following topics:
• Working With Stateful Authentication on page 285
• Working With WISPr Authentication on page 286
• Understanding Stateful Authentication Best Practices on page 286
• Configuring Stateful 802.1X Authentication on page 286
• Configuring Stateful NTLM Authentication on page 287
• Configuring Stateful Kerberos Authentication on page 288
• Configuring WISPr Authentication on page 289
Working With Stateful Authentication
ArubaOS supports three different types of stateful authentication:
• Stateful 802.1X authentication: This feature allows the controller to learn the identity and role of a user
connected to a third-party AP, and is useful for authenticating users to networks with APs from multiple
vendors. When an 802.1X-capable access point sends an authentication request to a RADIUS server, the
controller inspects this request and the associated response to learn the authentication state of the user. It
then applies an identity-based user role through the Policy Enforcement Firewall.
• Stateful Kerberos authentication: Use stateful Kerberos authentication to configure a controller to
monitor the Kerberos authentication messages between a client and a Windows authentication server. If
the client successfully authenticates via a Kerberos authentication server, the controller recognizes that
the client has been authenticated and assigns that client a specified user role.
• Stateful NTLM authentication: NT LAN Manager (NTLM) is a suite of Microsoft authentication and
session security protocols. You can use stateful NTLM authentication to configure a controller to monitor
the NTLM authentication messages between a client and a Windows authentication server. If the client
successfully authenticates via an NTLM authentication server, the controller recognizes that the client has
been authenticated and assigns that client a specified user role.
The default Windows authentication method changed from the older NTLM protocol to the newer Kerberos
protocol, starting with Windows 2000. Therefore, stateful NTLM authentication is most useful for networks
with legacy, pre-Windows 2000 clients. Note also that unlike other types of authentication, all users
authenticated via stateful NTLM authentication must be assigned to the user role specified in the Stateful
NTLM Authentication profile. Dell’s stateful NTLM authentication does not support placing users in various
roles based upon group membership or other role-derivation attributes.
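The passive inspection described for stateful 802.1X above can be sketched as follows. This is an added example, not ArubaOS or Dell code: it pairs each RADIUS response with the request carrying the same identifier from the same AP and records a role only on Access-Accept. The packet layout and codes follow RFC 2865; the StatefulMonitor class, the role name, the addresses, the sample packets, and the choice to key users by Calling-Station-Id are assumptions made for illustration.

```python
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, CALLING_STATION_ID = 1, 31            # RFC 2865 attribute types

def build(code, ident, attrs):
    """Build a constructed RADIUS packet (authenticator zeroed, sample data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def parse(pkt):
    """Return (code, identifier, {attr_type: value}); raise ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad length field")
    attrs, i = {}, 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("bad attribute length")
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return code, ident, attrs

class StatefulMonitor:
    """Hypothetical monitor: matches responses to requests by (AP address, identifier)."""
    def __init__(self, role):
        self.role, self.pending, self.users = role, {}, {}

    def observe(self, ap_ip, pkt):
        code, ident, attrs = parse(pkt)
        if code == ACCESS_REQUEST and USER_NAME in attrs:
            self.pending[(ap_ip, ident)] = (attrs[USER_NAME].decode(),
                                            attrs.get(CALLING_STATION_ID, b"").decode())
        elif code in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
            req = self.pending.pop((ap_ip, ident), None)
            if req and code == ACCESS_ACCEPT:    # unsolicited responses are ignored
                self.users[req[1]] = (req[0], self.role)

def demo():
    mon = StatefulMonitor(role="employee")       # hypothetical role name
    mon.observe("10.0.0.5", build(ACCESS_REQUEST, 7,
                [(USER_NAME, b"alice"), (CALLING_STATION_ID, b"00-11-22-33-44-55")]))
    mon.observe("10.0.0.5", build(ACCESS_ACCEPT, 7, []))
    mon.observe("10.0.0.5", build(ACCESS_REQUEST, 8,
                [(USER_NAME, b"bob"), (CALLING_STATION_ID, b"00-11-22-33-44-66")]))
    mon.observe("10.0.0.5", build(ACCESS_REJECT, 8, []))
    mon.observe("10.0.0.5", build(ACCESS_ACCEPT, 9, []))   # no matching request
    return mon.users
```

Because the monitor in this sketch never holds the RADIUS shared secret, it cannot validate the Response Authenticator and depends on the integrity of the path between the AP and the server.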