Users Guide

Table 56: Captive Portal Authentication Using XML-API

When Authentication Servers Are Available

For authentication requests from an External Captive Portal using the XML-API, PAP is used to authenticate these requests with an external authentication server.
• If authentication succeeds, the associated access credential with an encrypted SHA-1 hash of the password and Key Reply attributes are stored in the Survival Server database.
• If authentication fails, the associated access credential and Key Reply attributes associated with the PAP method (if they exist) are deleted from the Survival Server database.

When Authentication Servers Are Not Available

When no in-service server in the associated server group is available, the Survival Server is used to authenticate the Captive portal client using PAP.
The Survival Server uses the previously stored unexpired access credential to perform authentication and, upon successful authentication, returns the previously stored Key Reply attributes.

Authentication for 802.1X Clients
This section describes the authentication procedures for 802.1X clients, both when the branch's authentication
servers are available and when they are not available. When the authentication servers are not available, the
Survival Server takes over the handling of authentication requests.
For 802.1X clients, the authentication scenarios include two different 802.1X termination modes:
• 802.1X termination disabled at the Wireless LAN Controller
• 802.1X termination enabled at the Wireless LAN Controller
802.1X Termination Disabled at the Wireless LAN Controller
Table 57: 802.1X Authentication Using EAP-TLS

When Authentication Servers Are Available

For an 802.1X client that terminates at an external RADIUS server using EAP-TLS:
• If authentication is accepted, the associated access credential with the EAP-TLS indicator, in addition to the Key Reply attributes, are stored in the Survival Server database.
• If authentication is rejected, the associated access credential and Key Reply attributes associated with the EAP-TLS method (if they exist) are deleted from the Survival Server database.

When Authentication Servers Are Not Available

When there is no available in-service server in the associated server group, the Survival Server terminates and authenticates 802.1X clients using EAP-TLS.
The Survival Server uses the previously stored unexpired access credential to perform authentication and, upon successful authentication, returns the previously stored Key Reply attributes.
In this case, the client station must be configured to accept the server certificate assigned to the Survival Server.
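
The store, delete, and fallback behavior described in Tables 56 and 57 can be modeled as a small cache keyed by user and authentication method. The following is an added illustration, not code from ArubaOS or from this guide. The class and function names, the 24-hour lifetime, and the `cert_ok` flag (standing in for the outcome of the EAP-TLS handshake) are assumptions, and the encryption applied to the stored SHA-1 hash is omitted.

```python
import hashlib
import hmac
import time

TTL_SECONDS = 24 * 3600  # assumed lifetime; the guide only says "unexpired"


class SurvivalCache:
    """Toy model of the Survival Server database, keyed by (user, method)."""

    def __init__(self, now=time.time):
        self._db = {}
        self._now = now  # injectable clock so expiry can be exercised

    @staticmethod
    def _digest(password):
        # The guide stores this SHA-1 hash encrypted; that layer is omitted here.
        return hashlib.sha1(password.encode()).hexdigest()

    def on_server_result(self, user, method, accepted, key_reply=None, password=None):
        """Servers available: mirror the external server's verdict into the cache."""
        key = (user, method)
        if not accepted:
            self._db.pop(key, None)  # reject deletes the entry for this method only
            return
        proof = self._digest(password) if method == "PAP" else "EAP-TLS"
        self._db[key] = (proof, dict(key_reply or {}), self._now() + TTL_SECONDS)

    def authenticate_offline(self, user, method, password=None, cert_ok=False):
        """No in-service server: return stored Key Reply attributes, or None."""
        entry = self._db.get((user, method))
        if entry is None:
            return None
        proof, key_reply, expires = entry
        if self._now() >= expires:
            del self._db[(user, method)]  # expired credentials are never honoured
            return None
        if method == "PAP":
            ok = hmac.compare_digest(proof, self._digest(password or ""))
        else:
            ok = cert_ok  # outcome of the EAP-TLS handshake, supplied by the caller
        return key_reply if ok else None
```

A user who has never authenticated successfully while the servers were reachable, or whose last attempt was rejected, has no entry and cannot be authenticated during an outage.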
802.1X Termination Enabled at the Wireless LAN Controller
For an 802.1X client for which termination is enabled at the wireless LAN controller using EAP-TLS with
Common Name (CN) lookup, a query request about the Common Name is sent to the external authentication
server.
Dell Networking W-Series ArubaOS 6.4.x | User Guide BranchController Config for Controllers | 288