Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Help understanding Controller auth termination

  • 1.  Help understanding Controller auth termination

    Posted Nov 02, 2015 04:55 PM

    Hi Forum,


    I'm not sure what is it used for when it comes to dot1x. Can someone help to summarize that for me please? see attached.


    Thanks,



  • 2.  RE: Help understanding Controller auth termination

    Posted Nov 02, 2015 04:59 PM

    This shouldn't be needed in modern networks with a robust RADIUS server.  Essentially, this terminated the EAP transaction from the client during authentication with the controller. By default, this termination with regards to EAP is done between the client and the RADIUS server.



  • 3.  RE: Help understanding Controller auth termination

    Posted Nov 02, 2015 05:01 PM

    Seth,


    Is it required if I have clearpass?

    Is it required if I do eap-tls without clearpass in the picture?


    When exactly would I need to terminate the auth on the controller and not the RADIUS server or ClearPass?



  • 4.  RE: Help understanding Controller auth termination

    Posted Nov 02, 2015 05:04 PM

    It is not required in either of those scenarios.  We'd "like" you to have ClearPass :-) but any RADIUS server will do and most of the time, we would recommend that termination be disabled anyway.  This feature was meant to offload the RADIUS server in a sense but also allow customers to deploy without any RADIUS server and use LDAP for user/pass verification.


    For TLS, termination isn't needed and if you do need to turn it on, that would entail adding trusted certs to the controller itself vs. the authentication server where IMO they should reside.



  • 5.  RE: Help understanding Controller auth termination
    Best Answer

    Posted Nov 02, 2015 05:01 PM

    Historically, it was to avoid installing and putting a server certificate on a radius server, or if you have an LDAP server, you would avoid installing a radius server period. There are two ways you could do this:


    1 - Set up a RADIUS server with no server certificate.  Set up a controller with a server certificate, enable termination and have the controller point to another RADIUS server for authentication*.  The drawback is that with Microsoft Windows RADIUS servers, you could not do machine authentication with this setup.

    2 - Set up an LDAP server.  Set up a controller with a server certificate, enable termination and have the controller point to the LDAP server for authentication**.  The only problem with this setup is that you would have to install custom supplicants on all of your Windows endpoints, because they do not support EAP-GTC, so you would end up installing software on all of your endpoints.


    These days, everyone has gotten used to installing a RADIUS server, whether it is the built-in Microsoft one or ClearPass, Cisco ACS, etc., so termination has too many drawbacks to use IMHO.
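To make the two options concrete, here is an added ArubaOS CLI sketch that is not from the thread and not taken from Aruba's documentation: it shows the recommended layout (termination off, EAP passed through to RADIUS) next to option 2 from the Best Answer (termination on the controller with an LDAP backend and EAP-GTC as the inner method). The profile and server names, the IP addresses and the LDAP DNs are constructed placeholders, and the command syntax is assumed from the ArubaOS 6.x dot1x profile.

```arubaos
! --- Recommended layout: controller passes EAP through to RADIUS (termination off) ---
! Constructed names; the RADIUS server holds the server certificate, the controller does not.
aaa authentication-server radius "rad-srv"
   host 192.0.2.10
   key <shared-secret-placeholder>
!
aaa server-group "rad-grp"
   auth-server "rad-srv"
!
aaa authentication dot1x "dot1x-passthrough"
   no termination enable
!
aaa profile "emp-aaa"
   authentication-dot1x "dot1x-passthrough"
   dot1x-server-group "rad-grp"
!

! --- Option 2 from the Best Answer: terminate PEAP on the controller, verify users against LDAP ---
! The controller now needs its own server certificate (uploaded beforehand as "ctrl-cert", a placeholder name),
! and Windows native supplicants will not complete EAP-GTC, so only use this where supplicants support it.
aaa authentication-server ldap "ldap-srv"
   host 192.0.2.20
   admin-dn "cn=bind-user,dc=example,dc=com"
   admin-passwd <bind-password-placeholder>
   base-dn "ou=users,dc=example,dc=com"
   enable
!
aaa server-group "ldap-grp"
   auth-server "ldap-srv"
!
aaa authentication dot1x "dot1x-term-ldap"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-gtc
   server-cert "ctrl-cert"
!
aaa profile "contractor-aaa"
   authentication-dot1x "dot1x-term-ldap"
   dot1x-server-group "ldap-grp"
!

! --- Check which mode a profile is actually in before trusting it ---
show aaa authentication dot1x "dot1x-passthrough"
show aaa authentication dot1x "dot1x-term-ldap"
```

The point of keeping the two side by side is the trust boundary: with termination off, the client's TLS tunnel ends at the RADIUS server and that is the only place a server certificate and private key live; with termination on, the controller holds the key and inspects the inner credentials, which is exactly the extra exposure the earlier replies are steering you away from. The `show` lines are the quick audit for a controller you inherited.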