Users Guide

Enabling Authentication Survivability on a Local Branch Controller
You can configure each local branch controller to enable or disable Authentication Survivability; by default, this
feature is disabled.
When authentication survivability is enabled, the enabled state is published, which instructs the
Survival Server to start storing client access credential attributes and Key Reply attributes.
Configuring the Survival Server Certificate
A default server certificate is provided in the controller so that the local Survival Server can terminate EAP-TLS
802.1X requests.
Best practice is to import a customer server certificate into the controller and assign it to the local Survival Server.
Configuring the Lifetime of the Authentication Survivability Cache
All access credentials and Key Reply attributes that are saved in the local Survival Server remain in the system
until they expire. The system-wide lifetime parameter auth-survivability cache-lifetime has a range from 1
to 72 hours, and a default value of 24 hours. You must configure this parameter in each controller.
User Credential and Key Reply Attributes Are Saved Automatically
When a station is authenticated by an external authentication server, the required access credential attributes and
Key Reply attributes are stored in the local Survival Server RADIUS database on an ArubaOS controller that has
authentication survivability enabled.
Expired User Credential and Key Reply Attributes Are Purged Automatically
At the controller, a timer task that runs every 10 minutes purges expired user credential attributes and Key
Reply attributes that are stored in the Survival Server cache.
About the Survival Server
A local Survival Server runs on the controller to perform authentication functions, as well as EAP-termination
using the RADIUS protocol.
The Survival Server consists of a turn-key FreeRADIUS server, plus MySQL database tables.
When authentication survivability is enabled, a FreeRADIUS server runs on the controller. The Survival Server is
configured to accept RADIUS requests from the local host and retrieve the access credential and Key Reply
attributes from the MySQL database. The Survival Server supports EAP-TLS, PAP, and Common Name (CN)
lookup.
Trigger Conditions for Critical Actions
This section describes the trigger conditions for critical authentication survivability actions.
Storing User Access Credential and Key Reply Attributes to Survival Cache
ArubaOS stores the user access credential and Key Reply attributes under the following conditions:
1. Authentication survivability is enabled, AND
2. The non-zero MAC-address client is authenticated, AND
   a. Authenticated with an External RADIUS server using PAP or EAP-TLS, OR
   b. Authenticated with an External LDAP server using PAP, OR
   c. Successful query on Common Name (CN) with an External RADIUS or LDAP server
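The storing conditions above, together with the cache lifetime and the 10-minute purge task described earlier, can be modeled to estimate how long cached credential attributes stay on a controller. This Python model is an added example, not code from the guide or from ArubaOS; the AuthEvent record, the all-zero MAC test and the phase of the purge sweeps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

PURGE_INTERVAL = timedelta(minutes=10)  # purge timer period stated in the guide
ZERO_MAC = "00:00:00:00:00:00"          # assumption: "non-zero MAC" means not all zeros
ALLOWED = {"radius": {"pap", "eap-tls", "cn-lookup"},  # conditions 2a and 2c
           "ldap": {"pap", "cn-lookup"}}               # conditions 2b and 2c

@dataclass(frozen=True)
class AuthEvent:  # hypothetical record shape, constructed for this model
    mac: str
    server: str   # external server type: "radius" or "ldap"
    method: str   # "pap", "eap-tls" or "cn-lookup"
    success: bool
    at: datetime

def should_store(enabled: bool, ev: AuthEvent) -> bool:
    """Apply the guide's trigger conditions for writing to the survival cache."""
    if not enabled or not ev.success or ev.mac.lower() == ZERO_MAC:
        return False
    return ev.method in ALLOWED.get(ev.server, set())

class SurvivalCacheModel:
    def __init__(self, lifetime_hours: int = 24, enabled: bool = False):
        if not 1 <= lifetime_hours <= 72:  # documented range of cache-lifetime
            raise ValueError("cache-lifetime must be 1 to 72 hours")
        self.lifetime = timedelta(hours=lifetime_hours)
        self.enabled = enabled             # the feature is disabled by default
        self.entries = {}                  # MAC -> expiry time

    def observe(self, ev: AuthEvent) -> bool:
        """Record a successful external authentication if the conditions hold."""
        stored = should_store(self.enabled, ev)
        if stored:
            self.entries[ev.mac] = ev.at + self.lifetime
        return stored

    def purge(self, now: datetime) -> list:
        """One run of the timer task: remove entries whose lifetime has passed."""
        gone = [m for m, exp in self.entries.items() if exp <= now]
        for m in gone:
            del self.entries[m]
        return gone

def removal_time(cache, mac: str, first_sweep: datetime) -> datetime:
    """First purge run at or after expiry, for sweeps every 10 min from first_sweep."""
    runs = max(0, -(-(cache.entries[mac] - first_sweep) // PURGE_INTERVAL))  # ceiling
    return first_sweep + runs * PURGE_INTERVAL
```

In this model an entry stored at 09:03 with a 24-hour lifetime expires at 09:03 the next day and is deleted by the 09:10 purge run, so the worst-case residency is the configured lifetime plus just under 10 minutes.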
Dell Networking W-Series ArubaOS 6.4.x | User Guide BranchController Config for Controllers | 286