Regular Contributor II
Posts: 242
Registered: ‎09-11-2013

Help understanding Controller auth termination


Hi Forum,

 

I'm not sure what it is used for when it comes to dot1x. Can someone help summarize that for me, please? See attached.

 

Thanks,

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Help understanding Controller auth termination

This shouldn't be needed in modern networks with a robust RADIUS server. Essentially, this terminated the EAP transaction from the client during authentication with the controller. By default, this termination with regard to EAP is done between the client and the RADIUS server.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Regular Contributor II
Posts: 242
Registered: ‎09-11-2013

Re: Help understanding Controller auth termination

Seth,

 

Is it required if I have clearpass?

Is it required if I do eap-tls without clearpass in the picture?

 

When exactly would I need to terminate the auth on the controller and not the Radius server or clearpass?

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Help understanding Controller auth termination

Historically, it was to avoid installing and putting a server certificate on a radius server, or if you have an LDAP server, you would avoid installing a radius server period. There are two ways you could do this:

 

1 - Set up a radius server with no server certificate. Set up a controller with a server certificate, enable termination and have the controller point to another radius server for authentication*. The drawback is that with Microsoft Windows Radius servers, you could not do machine authentication with this setup.

2 - Set up an LDAP server. Set up a controller with a server certificate, enable termination and have the controller point to the LDAP server for authentication**. The only problem with this setup is that you would have to install custom supplicants on all of your Windows endpoints, because they do not support EAP-GTC, so you would end up installing software on all of your endpoints.

 

These days, everyone has gotten used to installing a radius server, whether it is the built-in Microsoft one or ClearPass, Cisco ACS, etc., so termination has too many drawbacks to use IMHO.

 



Colin Joseph
Aruba Customer Engineering


Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Help understanding Controller auth termination

It is not required in either of those scenarios. We'd "like" you to have ClearPass :-) but any RADIUS server will do and most of the time, we would recommend that termination be disabled anyway. This feature was meant to offload the RADIUS server in a sense but also allow customers to deploy without any RADIUS server and use LDAP for user/pass verification.

 

For TLS, termination isn't needed and if you do need to turn it on, that would entail adding trusted certs to the controller itself vs. the authentication server where IMO they should reside.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos