User's Manual
286 | Stateful and WISPr Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide
Working With WISPr Authentication
WISPr authentication allows a “smart client” to authenticate on the network when it roams between Wireless
Internet Service Providers, even if the wireless hotspot uses an ISP with which the client may not have an
account.
If you are a hotspot operator using WISPr authentication, and a client that has an account with your ISP
attempts to access the Internet at your hotspot, then your ISP’s WISPr AAA server authenticates that client
directly, and allows the client access on the network. If, however, the client only has an account with a partner
ISP, then your ISP’s WISPr AAA server forwards that client’s credentials to the partner ISP’s WISPr AAA server
for authentication. Once the client has been authenticated on the partner ISP, it is authenticated on your
hotspot’s own ISP, as per their service agreements. After your ISP sends an authentication message to the
controller, the controller assigns the default WISPr user role to that client.
ArubaOS supports the following smart clients, which enable client authentication and roaming between
hotspots by embedding iPass Generic Interface Specification (GIS) redirect, proxy, authentication, and logoff
messages within HTML messages to the controller.
• iPass
• Boingo
• Trustive
• weRoam
• AT&T
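The GIS messages described above travel as a small XML block inside the HTML that the hotspot returns. The following Python is an added example, not code from this guide or from ArubaOS: it extracts that block, classifies the message, and checks that the login URL uses HTTPS before a client would submit credentials. The element names and numeric message-type codes are assumptions taken from the common WISPr 1.0 convention, and the sample page is constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Message-type codes: assumed from the WISPr 1.0 convention, not from this guide.
MESSAGE_TYPES = {"100": "redirect", "110": "proxy",
                 "120": "authentication", "130": "logoff"}
GIS_BLOCK = re.compile(
    r"<WISPAccessGatewayParam\b.*?</WISPAccessGatewayParam>", re.DOTALL)

def parse_gis(html):
    """Return (kind, fields) for the first GIS block in an HTML page, or None."""
    match = GIS_BLOCK.search(html)
    if match is None:
        return None
    blob = match.group(0)
    # Untrusted input: no DTD or entity declarations belong inside a GIS block.
    if "<!DOCTYPE" in blob or "<!ENTITY" in blob:
        raise ValueError("DTD or entity declaration in GIS block")
    root = ET.fromstring(blob)
    if len(root) != 1:
        raise ValueError("expected exactly one GIS message element")
    fields = {child.tag: (child.text or "").strip() for child in root[0]}
    return MESSAGE_TYPES.get(fields.get("MessageType"), "unknown"), fields

def login_url_problems(fields):
    """List reasons a smart client should not send credentials to LoginURL."""
    url = urlsplit(fields.get("LoginURL", ""))
    problems = []
    if url.scheme != "https":
        problems.append("LoginURL is not https")
    if not url.hostname:
        problems.append("LoginURL has no host")
    return problems

# Constructed sample: a redirect message carried in an HTML comment.
SAMPLE_PAGE = """<html><body>Redirecting to login...
<!--
<WISPAccessGatewayParam>
  <Redirect>
    <MessageType>100</MessageType>
    <ResponseCode>0</ResponseCode>
    <LoginURL>http://hotspot.example.net/login</LoginURL>
  </Redirect>
</WISPAccessGatewayParam>
-->
</body></html>"""
```

Calling `parse_gis(SAMPLE_PAGE)` classifies the sample as a redirect, and `login_url_problems` flags its plain-HTTP login URL.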
Understanding Stateful Authentication Best Practices
Before you can configure a stateful authentication feature, you must define a user role you want to assign to
the authenticated users, and create a server group that includes a RADIUS authentication server for stateful
802.1X authentication or a Windows server for stateful NTLM authentication. For details on performing these
tasks, see the following sections of this User Guide:
• Roles and Policies on page 364
• Configuring a RADIUS Server on page 226
• Configuring a Windows Server on page 235
• Configuring Server Groups on page 238
You can use the default stateful NTLM authentication and WISPr authentication profiles to manage the
settings for these features, or you can create additional profiles as desired. Note, however, that unlike most
other types of authentication, stateful 802.1X authentication uses only a single Stateful 802.1X profile. This
profile can be enabled or disabled, but you cannot configure more than one Stateful 802.1X profile.
Configuring Stateful 802.1X Authentication
When you configure 802.1X authentication for clients on non-Dell APs, you must specify the group of RADIUS
servers that performs the user authentication, and select the role to be assigned to those users who
successfully complete authentication. When the user logs off or shuts down the client machine, ArubaOS notes
the deauthentication message from the RADIUS server, and changes the user’s role from the specified
authenticated role back to the logon role. For details on defining a RADIUS server used for stateful 802.1X
authentication, see Configuring a RADIUS Server on page 226.
In the WebUI
To configure the Stateful 802.1X Authentication profile via the WebUI: