Concept Guide
162 | Authentication and User Management Dell Networking W-Series Instant 6.5.1.0-4.3.1.0 | User Guide
Instant supports the following EAP standards for authentication survivability:
l EAP-PEAP: The Protected Extensible Authentication Protocol, also known as Protected EAP or PEAP, is a
protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security
(TLS) tunnel. The EAP-PEAP supports MS-CHAPv2 and GTC methods.
l EAP-TLS: EAP-Transport Layer Security (EAP-TLS) is an IETF open standard that uses the Transport Layer
Security (TLS) protocol.
When the authentication survivability feature is enabled, the following authentication process is used:
1. The client associates to a W-IAP and authenticates to the external authentication server. The external
authentication server can be either ClearPass Policy Manager (for EAP-PEAP)ī¢or RADIUSī¢server (EAP-TLS).
2. Upon successful authentication, the associated W-IAP caches the authentication credentials of the
connected clients for the configured duration. The cache expiry duration for authentication survivability can
be set within the range of 1ā99 hours, with 24 hours being the default cache timeout duration.
3. If the client roams or tries to reconnect to the W-IAP and the remote link fails due to the unavailability of the
authentication server, the W-IAP uses the cached credentials in the internal authentication server to
authenticate the user. However, if the client tries to reconnect after the cache expiry, the authentication
fails.
4. When the authentication server is available and if the client tries to reconnect, the W-IAP detects the
availability of server and allows the client to authenticate to the server. Upon successful authentication, the
W-IAP cache details are refreshed.
Enabling Authentication Survivability
You can enable authentication survivability for a wireless network profile through the UI or the CLI.
In the Instant UI
To configure authentication survivability for a wireless network:
1. On the Network tab, click New to create a new network profile or select an existing profile for which you
want to enable authentication survivability and click edit.
2. In the Edit <profile-name> or the New WLAN window, ensure that all required WLAN and VLAN
attributes are defined, and then click Next.
3. On the Security tab, under Enterprise security settings, select an existing authentication server or create a
new server by clicking New.
4. To enable authentication survivability, select Enabled from the Authentication survivability drop-down
list. On enabling this, the W-IAP authenticates the previously connected clients using EAP-PEAP and EAP-TLS
authentication when connection to the external authentication server is temporarily lost.
5. Specify the cache timeout duration, after which the cached details of the previously authenticated clients
expire. You can specify a value within the range of 1ā99 hours and the default cache timeout duration is 24
hours.
6. Click Next and then click Finish to apply the changes.
Important Points to Remember
l Any client connected through ClearPass Policy Manager and authenticated through W-IAP remains
authenticated with the W-IAP even if the client is removed from the ClearPass Policy Manager server during
the ClearPass Policy Manager downtime.
l Do not make any changes to the authentication survivability cache timeout duration when the
authentication server is down.
l For EAP-PEAP authentication, ensure that the ClearPass Policy Manager 6.0.2 or later version is used for
authentication. For EAP-TLS authentication, any external or third-party server can be used.