How to connect to an RSA server using eap-gtc
Jul 07, 2014 01:21 AM
vikrams@aruba
To use an RSA server fronted by RADIUS as the authentication server for an Aruba controller, follow these recommendations on the Aruba controller and on the wireless clients:
Aruba controller:
· Configure the RADIUS server in the same manner as any other RADIUS server, with an IP address and a secret
· Enable local termination in the dot1x profile
· Enable EAP-PEAP with EAP-GTC as the inner protocol
· Enable token caching
· Adjust the caching period (default is 24 hours)
Windows XP wireless client:
· If using the Windows supplicant (WZC), an EAP-GTC plugin is required. The plugin can be downloaded from the Aruba support site.
· Configure Protected EAP (PEAP)
· Configure the authentication protocol as EapToken
Operation:
· On the first authentication attempt, the user is prompted to enter their user ID, and their token+pin as the password.
· Once the authentication succeeds, the user credentials are cached in the Windows registry under the following location:
Hkey_Current_User\Software\Microsoft\Eapol\UserEapInfo
· With caching enabled on the Aruba controller, the same user credentials are cached on the controller in the local-userdb with an expiration time of 24 hours by default.
· This caching lets the wireless client roam to other APs without failure. Without controller caching, the Windows-cached user credentials are sent to the RSA server, which denies the authentication request because the token changes every minute.
· After the controller caching period is over, the user fails the authentication once. Windows clears its cache and prompts the user to re-enter the password. If the user enters the right token+pin, the authentication succeeds and the cache is renewed for another 24 hours on the controller.
· If the Aruba server group configuration contains two RADIUS servers for redundancy purposes and both servers front the same RSA server, it is important NOT to enable the fail-through option. With that option enabled, the RSA server receives at least two (2) failed authentication requests, which can push the user's token into next token mode, which WZC does not support.
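The roaming, cache-expiry and fail-through behaviour described above, as an added Python model that is not part of the original article and not Aruba or RSA code. The tokencode function is a stand-in (not the SecurID algorithm), and the seed, PIN, user name and the two-failure next-token threshold are constructed assumptions.

```python
"""Constructed model of the roaming and fail-through behaviour described above."""
import hashlib
import hmac

SEED = b"constructed-demo-seed"   # constructed value, not a real token seed
NEXT_TOKEN_THRESHOLD = 2          # assumption: consecutive failures before next-token mode

def tokencode(minute):
    """Stand-in rotating tokencode (HMAC of the minute counter); not the SecurID algorithm."""
    mac = hmac.new(SEED, str(minute).encode(), hashlib.sha256).hexdigest()
    return f"{int(mac, 16) % 10**6:06d}"

class RsaServer:
    """Accepts only the current minute's PIN+tokencode and counts consecutive failures."""
    def __init__(self, pin):
        self.pin, self.failures, self.next_token_mode = pin, 0, False
    def check(self, passcode, minute):
        if not self.next_token_mode and passcode == self.pin + tokencode(minute):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= NEXT_TOKEN_THRESHOLD:
            self.next_token_mode = True
        return False

class Controller:
    """Controller with optional token caching and a server group of RADIUS front ends."""
    def __init__(self, rsa, radius_servers, token_caching, fail_through, cache_hours=24):
        self.rsa, self.n, self.caching, self.fail_through = rsa, radius_servers, token_caching, fail_through
        self.cache_minutes, self.cache = cache_hours * 60, {}
    def authenticate(self, user, passcode, minute):
        entry = self.cache.get(user)
        if self.caching and entry and entry[0] == passcode and minute < entry[1]:
            return True                      # served from the controller cache, RSA not contacted
        tries = self.n if self.fail_through else 1
        for _ in range(tries):               # every RADIUS server forwards to the same RSA server
            if self.rsa.check(passcode, minute):
                if self.caching:
                    self.cache[user] = (passcode, minute + self.cache_minutes)
                return True
        return False

def roam(token_caching, fail_through, radius_servers=2, roam_minute=5):
    """First login at minute 0, then a re-authentication that replays the Windows-cached passcode."""
    rsa = RsaServer(pin="1234")
    ctl = Controller(rsa, radius_servers, token_caching, fail_through)
    passcode = "1234" + tokencode(0)         # what Windows cached at first login
    first = ctl.authenticate("alice", passcode, 0)
    second = ctl.authenticate("alice", passcode, roam_minute)
    return first, second, rsa.failures, rsa.next_token_mode
```

`roam()` returns the first-login result, the re-authentication result, the RSA server's consecutive-failure count and whether the model entered next token mode.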