What is Authentication Survivability in MAS and how to configure it?

Aruba Employee

"Authentication Survivability" is a feature added in MAS 7.4.0.0. It keeps authentication and authorization available on the Mobility Access Switch when the remote link to ClearPass Policy Manager (CPPM) fails, so clients that have already authenticated successfully can still be admitted while CPPM is unreachable.

The Mobility Access Switch caches EAP-PEAP (for 802.1X, including machine authentication) and PAP (for MAC authentication and captive portal) credentials, together with the attributes (role and VLAN) that CPPM returned for the client.

 

Use the following commands to configure auth survivability (these are global configuration commands; the cache lifetime is in hours):

(host) (config) #aaa auth-survivability enable
(host) (config) #aaa auth-survivability cache-lifetime <1-72>    - default is 24

If a user passes authentication on CPPM but the role download fails, the user is placed in the initial role or the previously known role. The cache table still records the name of the role that failed to download, but that role is not applied when CPPM is down and the client has to re-authenticate against the cached credentials.

If a user fails authentication on CPPM, its cached entry (if one exists) is deleted from the cache table. It is added again on the next successful authentication.

Every successful authentication refreshes the timer of the cached entry.

If a client's credentials were cached while authenticating against server "CPPM1", and the client later authenticates through a different AAA profile that uses server "CPPM2" while CPPM2 is down, the client is still authenticated from the entry cached for "CPPM1", as long as its MAC address, username and auth type (EAP-PEAP or PAP) match. The cache is keyed on the client, not on the server.


Once the feature is enabled, the internal survivability server (__Auth-Surv__ on 127.0.0.1) appears in the server list and can be confirmed with the following command:

(host) #show aaa authentication-server survival

Pri       Host        IP addr    Port  Acct  Retries  Timeout  Secret  Status   NAS-id  Nas-IP
---       ----       -------    ----  ----  -------  -------  ------  ------   ------  ------
1    __Auth-Surv__   127.0.0.1  1812  0     1        5        *****   Enabled          127.0.0.1
Total:1

Check the cache using the following command:

(host) #show aaa auth-survivability-cache

Auth-Survivability Cached Data
------------------------------
       MAC         User Name          Authenticated By  Authenticated On  Attributes                                   AuthType
-----------------  -----------------  ----------------  ----------------  -------------------------------------------  --------
04:7d:7b:1e:d1:bf  user2              cppm              2014-07-22 08:58  CPPM Role(auth_surv_dacl-3086-5)             EAP-PEAP
04:7d:7b:1e:d1:bf  gues1              cppm              2014-07-22 08:59                                               PAP
aa:bb:cc:00:00:01  aa:bb:cc:00:00:01  cppm              2014-07-22 09:01  VSA Role(auth_surv_vsa_mac), VSA VLAN(3912)  PAP
aa:bb:cc:00:00:65  user1              cppm              2014-07-22 09:03                                               EAP-PEAP
Total Entries: 4
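
The cache rules above (client-keyed entries independent of the CPPM server, deletion on failed authentication, timer refresh on success, the 1-72 hour cache-lifetime, and a role that failed to download being listed but not applied) are easy to misread, so here is a small model of them, plus a parser for the "show aaa auth-survivability-cache" output that tells you which cached clients would still be admitted during an outage right now. This is an added illustration, not ArubaOS/MAS code; the class and function names, the role_download_failed flag and the sample output embedded below are assumptions made for the example.

```python
"""Model of the MAS auth-survivability cache rules described on this page.

Added illustration, not ArubaOS/MAS code.  It encodes the documented behaviour
(cache keyed on MAC + username + auth-type regardless of which CPPM server
answered; a failed authentication deletes the entry; a success re-adds it and
refreshes its timer; cache-lifetime 1-72 hours, default 24; a role whose
download failed is recorded but not applied) and parses the output of
'show aaa auth-survivability-cache'.  All class/function names are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

DEFAULT_CACHE_LIFETIME_HOURS = 24   # default of 'aaa auth-survivability cache-lifetime'
TS = "%Y-%m-%d %H:%M"               # timestamp format used in the 'show' output


@dataclass
class CacheEntry:
    mac: str
    username: str
    auth_type: str                      # "EAP-PEAP" (802.1X) or "PAP" (MAC auth / captive portal)
    authenticated_by: str               # server that originally authenticated the client
    authenticated_on: datetime          # timer start, refreshed on every successful auth
    attributes: str = ""                # e.g. "VSA Role(x), VSA VLAN(3912)"
    role_download_failed: bool = False  # assumption: flag for the "role download failed" case


class AuthSurvivabilityCache:
    def __init__(self, lifetime_hours: int = DEFAULT_CACHE_LIFETIME_HOURS):
        if not 1 <= lifetime_hours <= 72:
            raise ValueError("cache-lifetime must be 1-72 hours")
        self.lifetime = timedelta(hours=lifetime_hours)
        self.entries: Dict[Tuple[str, str, str], CacheEntry] = {}

    @staticmethod
    def _key(mac: str, username: str, auth_type: str) -> Tuple[str, str, str]:
        # The server name is deliberately not part of the key: an entry cached via
        # CPPM1 still serves a later attempt against CPPM2 (a different AAA profile).
        return (mac.lower(), username, auth_type.upper())

    def record(self, mac: str, username: str, auth_type: str, server: str, success: bool,
               now: datetime, attributes: str = "", role_download_failed: bool = False) -> None:
        k = self._key(mac, username, auth_type)
        if not success:
            self.entries.pop(k, None)   # failed authentication removes the cached entry
            return
        # success (re)adds the entry; 'now' restarts the cache-lifetime timer
        self.entries[k] = CacheEntry(*k, server, now, attributes, role_download_failed)

    def lookup(self, mac: str, username: str, auth_type: str, now: datetime) -> Optional[CacheEntry]:
        e = self.entries.get(self._key(mac, username, auth_type))
        if e is None or now - e.authenticated_on > self.lifetime:
            return None                 # miss or expired: no survivability for this client
        return e

    @staticmethod
    def applied_role(entry: CacheEntry) -> Optional[str]:
        """Role applied from the cache; None means initial/previously known role."""
        if entry.role_download_failed:
            return None                 # name is kept in the table but never applied
        m = re.search(r"Role\(([^)]+)\)", entry.attributes)
        return m.group(1) if m else None


_ROW = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\S+)\s+"
                  r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(.*?)\s*(EAP-PEAP|PAP)$", re.I)


def parse_cache_output(text: str) -> List[CacheEntry]:
    """Rows of 'show aaa auth-survivability-cache'; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            mac, user, by, when, attrs, atype = m.groups()
            rows.append(CacheEntry(mac.lower(), user, atype.upper(), by,
                                   datetime.strptime(when, TS), attrs.strip()))
    return rows


def audit(text: str, now: str, lifetime_hours: int = DEFAULT_CACHE_LIFETIME_HOURS) -> List[Tuple[str, bool]]:
    """(username, still_valid) per row: which clients would survive a CPPM outage at 'now'."""
    now_dt = datetime.strptime(now, TS)
    lifetime = timedelta(hours=lifetime_hours)
    return [(e.username, now_dt - e.authenticated_on <= lifetime) for e in parse_cache_output(text)]


# Constructed sample: the four rows shown in the article's 'show' output
SAMPLE_OUTPUT = """\
Auth-Survivability Cached Data
------------------------------
       MAC         User Name          Authenticated By  Authenticated On  Attributes                                   AuthType
-----------------  -----------------  ----------------  ----------------  -------------------------------------------  --------
04:7d:7b:1e:d1:bf  user2              cppm              2014-07-22 08:58  CPPM Role(auth_surv_dacl-3086-5)             EAP-PEAP
04:7d:7b:1e:d1:bf  gues1              cppm              2014-07-22 08:59                                               PAP
aa:bb:cc:00:00:01  aa:bb:cc:00:00:01  cppm              2014-07-22 09:01  VSA Role(auth_surv_vsa_mac), VSA VLAN(3912)  PAP
aa:bb:cc:00:00:65  user1              cppm              2014-07-22 09:03                                               EAP-PEAP
Total Entries: 4
"""


def demo() -> dict:
    """Walk through the documented cases; returns plain values for inspection."""
    t0 = datetime(2014, 7, 22, 9, 0)
    c = AuthSurvivabilityCache()
    # user1 authenticates via CPPM1 and the role downloads fine
    c.record("AA:BB:CC:00:00:65", "user1", "eap-peap", "CPPM1", True, t0, "CPPM Role(employee)")
    # an hour later a different AAA profile tries CPPM2, which is down: cache still answers
    hit = c.lookup("aa:bb:cc:00:00:65", "user1", "EAP-PEAP", t0 + timedelta(hours=1))
    # a later failed authentication on CPPM deletes the entry
    c.record("aa:bb:cc:00:00:65", "user1", "EAP-PEAP", "CPPM1", False, t0 + timedelta(hours=2))
    after_fail = c.lookup("aa:bb:cc:00:00:65", "user1", "EAP-PEAP", t0 + timedelta(hours=2))
    # user2 passes, but the role download fails: cached, yet the role is not applied
    c.record("04:7d:7b:1e:d1:bf", "user2", "EAP-PEAP", "CPPM1", True, t0,
             "CPPM Role(auth_surv_dacl-3086-5)", role_download_failed=True)
    user2 = c.lookup("04:7d:7b:1e:d1:bf", "user2", "EAP-PEAP", t0)
    # after cache-lifetime (24 h) the entry no longer serves
    expired = c.lookup("04:7d:7b:1e:d1:bf", "user2", "EAP-PEAP", t0 + timedelta(hours=25))
    return {
        "hit_server": hit.authenticated_by if hit else None,
        "hit_role": c.applied_role(hit) if hit else None,
        "after_fail": after_fail,
        "user2_cached_role_name": user2.attributes if user2 else None,
        "user2_applied_role": c.applied_role(user2) if user2 else "missing",
        "expired": expired,
    }


if __name__ == "__main__":
    print(demo())
    print(audit(SAMPLE_OUTPUT, "2014-07-23 09:00"))
```

Run it with the timestamp of your choice against a pasted "show aaa auth-survivability-cache" output: audit() flags every row whose last successful authentication is older than the configured cache-lifetime, which is exactly the set of clients that would be refused if CPPM went down at that moment. Note that a client with no cached entry (never authenticated successfully, or last attempt failed) gets no survivability at all.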

 

Use the following commands to clear the cache manually (for a single client by MAC address, or the whole table):

   (host) (config) #clear aaa auth-survivability-cache mac <mac address of client>
   (host) (config) #clear aaa auth-survivability-cache all

Once the CPPM server is down and authentication happens via the cached credentials, the user table shows __Auth-Surv__ as the authenticating server:

(host) #show user-table verbose
Users
-----
IP          MAC                Name               Role     Age(d:h:m)  Auth          Connection  Interface  Profile   Vlan      Server
----------  -----------------  -----------------  -------  ----------  ------------  ----------  ---------  --------  --------  -------------
2.2.2.46    04:7d:7b:1e:d1:bf  user1              scpinit  00:00:00    802.1x-Wired  Wired       2/0/0      saaaprof  1 (3911)  __Auth-Surv__
4.1.1.10    aa:bb:cc:00:00:01  aa:bb:cc:00:00:01  guest    00:00:00    MAC           Wired       0/0/44     smacaaa   1 (3911)  __Auth-Surv__

User Entries: 2/2

Version history
Revision #: 1 of 1
Last update: 04-07-2015 01:54 PM