Users Guide

ManualsBrandsDell ManualsAccess PlatformsW-3200

351

352

353

354

355

356

357

358

359

360

359 | Stateful and WISPr Authentication Dell Networking W-Series ArubaOS 6.4.x| User Guide

Working With WISPr Authentication

WISPr authentication allows a “smart client” to authenticate to the network when roaming between Wireless

Internet Service Providers, even if the wireless hotspot uses an ISP, which the client may not have an account

for.

If you are a hotspot operator using WISPr authentication, and a client that has an account with your ISP

attempts to access the Internet at your hotspot, your ISP’s WISPr AAA server authenticates that client directly

and allows the client to access the network. If, however, the client only has an account with a partner ISP, your

ISP’s WISPr AAA server forwards that client’s credentials to the partner ISP’s WISPr AAA server for

authentication. Once the client has been authenticated on the partner ISP, it is authenticated on your hotspot’s

own ISP, as per their service agreements. After your ISP sends an authentication message to the controller, the

controller assigns the default WISPr user-role to that client.

ArubaOS supports the following smart clients, which enable client authentication and roaming between

hotspots by embedding iPass Generic Interface Specification (GIS) redirect, proxy, authentication, and logoff

messages within HTML messages to the controller.

l iPass

l Boingo

l Trustive

l weRoam

l AT&T

Understanding Stateful Authentication Best Practices

Before you can configure a stateful authentication feature, you must define a user-role you want to assign to

the authenticated users and create a server group that includes a RADIUS authentication server for stateful

802.1X authentication or a Windows server for stateful NTLM authentication. For details on performing these

tasks, refer to the following sections of this User Guide:

l Roles and Policies on page 438

l Configuring a RADIUS Server on page 250

l Configuring a Windows Server on page 263

l Configuring Server Groups on page 266

You can use the default stateful NTLM authentication and WISPr authentication profiles to manage the

settings for these features, or you can create additional profiles as desired. Note that unlike most other types

of authentication, stateful 802.lx authentication uses only a single Stateful 802.1X profile. This profile can be

enabled or disabled, but you cannot configure more than one Stateful 802.1X profile.

Configuring Stateful 802.1X Authentication

When you configure 802.1X authentication for clients on non-Dell APs, you must specify the group of RADIUS

servers that performs the user authentication and select the role to assign to users who successfully complete

authentication. When the user logs off or shuts down the client machine, ArubaOSnotes the deauthentication

message from the RADIUS server and changes the user’s role from the specified authenticated role back to the

RADIUS Server on page 250.

In the WebUI

To configure the Stateful 802.1X Authentication profile via the WebUI: