Controllerless Networks

Occasional Contributor I

Authentication Survivability - Assign Pre-Authentication Role



I am testing out Aruba Central with Instant and there is an option for "Authentication Survivability".  When I enable the option, I see next to it "Assign Pre-Authentication Role".  Can someone explain what it means by "Assing Pre-Authentication Role"? 


Does it still assign the correct 802.1x-user/802.1x-machine/802.1x auth roles when the RADIUS server is unreachable?  To me, it sounds like it is going to assing the "login" role like RAPs or MAS do before an actual 802.1x role is assigned.


Another question:

Does 802.1x-machine Auth work correctly with the Authentication Survivability?  I can't fully test it because we dont have clear pass and use server 2012 NPS as our RADIUS server with EAP-PEAP (as far as i know Auth-survivabilty only works with EAP-TLS if your using NPS).


The reason i ask is because i turned on auth-survivability and i could see my user auth cached in the IAP when i ran "show auth-survivability cached-info" but i didnt see a machine auth there.  Does the machine auth work the same way as RAPs and it caches the MAC address in the internal DB?  If that is the case - would 802.1x-machine auth still pass even if the RADIUS server is down and authentication survivability isnt enabled?  If the MAC is stored in the internal DB of the virtual controller, it should still complete the 802.1x-machine part of the auth without the RADIUS server.


How does PKC/OKC work without auth-survivability?  Would users keep their auth and be able to roam to other APs without needing to auth and thus preventing them from dropping from the wireless?


Thank you for the help.

Search Airheads
Showing results for 
Search instead for 
Did you mean: