Wireless Access

Frequent Contributor I

AAA Fastconnect

 

Hi All,

 

I am working on AAA FastConnect but am confused. In a normal situation, when AAA FastConnect is disabled and once the EAP-TLS process is completed, the 4-way handshake is done from the AS to the client, but once we enable AAA FastConnect, the 4-way handshake is done between the client and the controller, which means we offload the 4-way handshake from the AS to the controller. Please help me clear up this confusion: is my understanding correct or not?

 

Guru Elite

Re: AAA Fastconnect

No, the 4 way handshake is always done between the client and the controller in a controller-based environment.

 

It's generally not recommended to use AAA FastConnect (EAP termination).


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
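
The reply above, as an added example that is not part of the thread or Aruba's code: a Python sketch of the WPA2 (CCMP, HMAC-SHA1 AKM) pairwise key derivation, showing that the controller only needs the PMK to run the 4-way handshake with the client, whether it received that PMK from the RADIUS server or derived it itself by terminating EAP. The MSK, MAC addresses, message body and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the thread).
MSK = bytes(range(64))                 # EAP Master Session Key from EAP-TLS
AA = bytes.fromhex("020000000001")     # authenticator (controller/AP BSSID) MAC
SPA = bytes.fromhex("020000000002")    # supplicant (client) MAC


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP: 48 bytes split into KCK, KEK and TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}


def four_way_handshake(pmk_controller, pmk_client, aa=AA, spa=SPA):
    """Simulate messages 1 and 2; return (mic_ok, controller_ptk, client_ptk)."""
    anonce = os.urandom(32)                      # msg 1: controller -> client
    snonce = os.urandom(32)                      # msg 2: client -> controller
    client_ptk = derive_ptk(pmk_client, aa, spa, anonce, snonce)
    msg2 = b"constructed EAPOL-Key body" + snonce
    mic = hmac.new(client_ptk["KCK"], msg2, hashlib.sha1).digest()[:16]
    # The controller derives its own PTK and checks the client's MIC.
    controller_ptk = derive_ptk(pmk_controller, aa, spa, anonce, snonce)
    expected = hmac.new(controller_ptk["KCK"], msg2, hashlib.sha1).digest()[:16]
    return hmac.compare_digest(mic, expected), controller_ptk, client_ptk


if __name__ == "__main__":
    pmk = MSK[:32]   # PMK = first 256 bits of the MSK
    # Same PMK on both sides, whether the controller got it from RADIUS
    # or derived it itself with EAP termination enabled.
    print(four_way_handshake(pmk, pmk)[0])
    print(four_way_handshake(bytes(32), pmk)[0])
```
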
Frequent Contributor I

Re: AAA Fastconnect

Thanks Cappalli for support.

Sorry, my question may be stupid, but I didn't understand the purpose of termination (AAA Fastconnect).

Contributor II

Re: AAA Fastconnect

Under normal configuration, it is the RADIUS server that is keying/rekeying for the clients authenticating. Depending upon your RADIUS server's capabilities, it can be a resource-hungry process.

AAA FastConnect (or simply EAP termination) offloads this function from the RADIUS server. The keying/rekeying function will now be done on controller hardware (at least Aruba does it in hardware), and RADIUS will only be authenticating the clients.

That essentially means that by enabling AAA FastConnect, you are freeing up some resources for your RADIUS server. But with modern deployments, I am not sure if that will add any significant performance effect. I never use this option.

 

 

JayBee
ACDX | CCIE (RnS/SP,DC) | ACCP | ACMP | ACMA | JNCIS | JNCIA
Guru Elite

Re: AAA Fastconnect


w.ullah@bmc.com.sa wrote:

Thanks Cappalli for support.

Sorry, my question may be stupid, but I didn't understand the purpose of termination (AAA Fastconnect).


Termination was more relevant back in the days when nobody had a RADIUS server. The RADIUS server is responsible for the keying/rekeying and for authentication. AAA FastConnect would allow you to put the RADIUS server certificate on the controller (and a CA certificate if this is EAP-TLS) and make it responsible for keying/rekeying clients. You would not need a RADIUS server; you could either define usernames and passwords in the controller itself, or configure an LDAP server for authentication (you would also have to install an EAP-GTC supplicant on all of your clients, and that was a big drawback when you use an LDAP server).

These days typically everyone is using Active Directory, and Microsoft Windows comes with a free RADIUS server (NPS), so that is what should be used instead of AAA FastConnect (termination).

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I

Re: AAA Fastconnect

Thanks for such a great explanation.

Frequent Contributor I

Re: AAA Fastconnect

Thanks Jibran bhai. Great explanation.
