08-26-2017 11:29 AM - edited 08-26-2017 11:32 AM
I am working on AAA fastconnect but having confusion. In normal situation when AAA fastconnect is disabled and once the EAP-TLS process is completed, then the 4-way hand shake is done from AS to client but once we enable the AAA fastconnect then 4-way hand shake is done between client and Controller which means we offload the 4-way hand shake from AS to controller. Please need support to clear my this confusion, is i understand correct or not.
Solved! Go to Solution.
Re: AAA Fastconnect
Re: AAA Fastconnect
08-26-2017 12:23 PM
08-26-2017 10:29 PM
Under normal configuration, it is the RADIUS server that is keying/rekeying for the clients authenticating. Depending upong your RADIUS server capabilities, it can be a resource hungry process.
AAA Fast connect (or simply EAP-termination), offloads this function from the RADIUS server. The keying/rekeying function will be done on contraller hardware (atleast Aruba does it in hardware) now and RADIUS will only be authenticating the clients only.
That essentially means by enabling AAA fast connect, you are freeing up some resources for your RADIUS server. But with modern deployments, I am not sure if that will add any signifact performence effect. I never use this option.
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.
08-26-2017 11:30 PM - edited 08-26-2017 11:31 PM
Thanks Cappalli for support.
Sorry, my question may be stuppied but i didn't understand the purpose of termination (AAA Fastconnect).
Termination was more relevant back in the days where nobody had a radius server. The radius server is responsible for the keying/rekeying and for authentication. AAA fast connect would allow you to put the radius server certificate on the controller (and a CA certificate if this is eap-tls) and make it responsible for keying/rekeying client. You would not need a radius server; You could either define usernames and passwords in the controller itself, or configure an LDAP server for authentication (you would also have to install an EAP-GTC supplicant on all of your clients, and that was a big drawback when you use an LDAP server).
These days typically everyone is using active directory, and Microsoft Windows comes with a free radius server (NPS), so that is what should be used instead of AAA Fastconnect (termination).
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.