Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AAA Fastconnect

  • 1.  AAA Fastconnect

    Posted Aug 26, 2017 02:29 PM

     

    Hi All,

    I am working on AAA Fastconnect but am confused. In the normal situation, when AAA Fastconnect is disabled and once the EAP-TLS process is completed, the 4-way handshake is done from the AS to the client, but once we enable AAA Fastconnect, the 4-way handshake is done between the client and the controller, which means we offload the 4-way handshake from the AS to the controller. Please help me clear up this confusion: is my understanding correct or not?

     



  • 2.  RE: AAA Fastconnect

    EMPLOYEE
    Posted Aug 26, 2017 03:24 PM

    No, the 4 way handshake is always done between the client and the controller in a controller-based environment.

     

    It's generally not recommended to use AAA FastConnect (EAP termination).



  • 3.  RE: AAA Fastconnect

    Posted Aug 26, 2017 04:25 PM

    Thanks Cappalli for support.

    Sorry, my question may be stupid, but I didn't understand the purpose of termination (AAA Fastconnect).



  • 4.  RE: AAA Fastconnect
    Best Answer

    Posted Aug 27, 2017 01:30 AM

    Under normal configuration, it is the RADIUS server that is keying/rekeying for the clients authenticating. Depending upon your RADIUS server capabilities, it can be a resource-hungry process.

    AAA Fast connect (or simply EAP-termination) offloads this function from the RADIUS server. The keying/rekeying function will now be done on controller hardware (at least Aruba does it in hardware), and RADIUS will only be authenticating the clients.

    That essentially means that by enabling AAA fast connect, you are freeing up some resources for your RADIUS server. But with modern deployments, I am not sure if that will have any significant performance effect. I never use this option.

     

     



  • 5.  RE: AAA Fastconnect

    Posted Aug 27, 2017 06:04 AM

    Thanks Jibran bhai. Great explanation.



  • 6.  RE: AAA Fastconnect
    Best Answer

    EMPLOYEE
    Posted Aug 27, 2017 02:30 AM

    w.ullah@bmc.com.sa wrote:

    Thanks Cappalli for support.

    Sorry, my question may be stupid, but I didn't understand the purpose of termination (AAA Fastconnect).


    Termination was more relevant back in the days when nobody had a RADIUS server. The RADIUS server is responsible for the keying/rekeying and for authentication. AAA fast connect would allow you to put the RADIUS server certificate on the controller (and a CA certificate if this is EAP-TLS) and make it responsible for keying/rekeying clients. You would not need a RADIUS server; you could either define usernames and passwords in the controller itself, or configure an LDAP server for authentication (you would also have to install an EAP-GTC supplicant on all of your clients, and that was a big drawback when you use an LDAP server).

    These days typically everyone is using Active Directory, and Microsoft Windows comes with a free RADIUS server (NPS), so that is what should be used instead of AAA Fastconnect (termination).

     



  • 7.  RE: AAA Fastconnect

    Posted Aug 27, 2017 06:03 AM

    Thanks for such a great explanation.