To use an RSA server fronted by radius as the authentication server for an Aruba controller, here are the recommendations to follow on the Aruba controller and on the wireless clients:
· Configure the radius sever in a similar manner as any other radius server with an ip address and a secret
· Enable local termination in the dot1x profile
· Enable EAP-PEAP with EAP-GTC as the Inner protocol
· Enable token caching
· Adjust the caching period (default is 24 hours)
Windows XP wireless client:
· If using the windows supplicant (WZC), an EAP-GTC plugin is required. Such plugin is downloadable from the Aruba support site.
· Configure Protected EAP )PEAP
· Configure the authentication protocol as EapToken
· On the first authentication attempt, the user is prompted to enter his userid and his token+pin as a password.
· Once the authentication succeeds, the user credentials is cached in the windows registry under the following location:
· With caching enabled on the aruba controller, the same user credentials are cached on the controller in the local-userdb with an expiration time of 24 hours by default.
· Such caching ensures that the wireless client could roam to other AP's without failure. Without controller caching, the windows cached user credentials are sent to the RA server which denies the auth request since the token is changed every minute.
· After the controller caching period is over, the user fails the authentication once. Windows clears its cache and prompts the user to re-enter his password. If the user enters the right token+pin, his authentication succeeds and the cache gets renewed for another 24 hours on the controller.
· If the Aruba server group configuration contains two radius servers for redundancy purposes and both servers front the same RSA server, it is important NOT to enable the fail-through option.
Such option will cause the RSA to receive at least two (2) auth requests that fail and causes the user token to possibly go into next token mode that is not supported by WZC.