"Authentication Survivability" is a feature newly added in MAS 7.4.0.0. It keeps authentication and authorization available across a remote link failure for Instant Access Point, when working with ClearPass Policy Manager (CPPM).
The Mobility Access Switch caches EAP-PEAP (for 802.1X, including machine authentication) and PAP (for MAC and Captive Portal) authentications, together with the attributes (Role and VLAN) sent by CPPM.
Use the following commands to configure Auth Survivability (both are global commands):
(host) (config) #aaa auth-survivability enable
(host) (config) #aaa auth-survivability cache-lifetime <1-72>    (default is 24)
If a user passes authentication with CPPM but the role download fails, the user is placed in the initial or previously known role. The cache table will still record the name of the role that failed to download, but that role is not applied when the CPPM server is down and the client re-authenticates using cached credentials.
If a user fails authentication with CPPM, its cached entry (if one exists) is deleted from the cache table. It is added back on the next successful authentication.
Every successful authentication refreshes the cached entry's timer.
If a client's credentials were cached using server "CPPM1" and the client later, under a different AAA profile, tries to authenticate against "CPPM2" while that server is down, the client is still authenticated with the credentials cached for "CPPM1", provided its MAC address, username and auth-type (EAP-PEAP or PAP) match.
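The cache rules in the paragraphs above, modelled as a small Python class. This is an added illustration written for this page, not Aruba's code: the class and method names and the (role, vlan) return shape are assumptions, and only the behaviour the text states is encoded (key = MAC + username + auth-type with the server name deliberately left out of the key, refresh on success, delete on failure, expiry after cache-lifetime, and a role that failed to download is recorded but never applied from cache).

```python
"""Toy model of the Auth Survivability cache rules described on this page.

Added illustration only, not Aruba's implementation (the switch's data
structures are not public). Names and return shapes are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

CacheKey = Tuple[str, str, str]  # (mac, username, auth_type); no server name


@dataclass
class CacheEntry:
    authenticated_by: str          # server that answered, e.g. "cppm"
    authenticated_on: datetime     # time of the last successful authentication
    role: Optional[str] = None     # role name returned by CPPM, if any
    role_downloaded: bool = True   # False when CPPM accepted the user but the role download failed
    vlan: Optional[int] = None     # VLAN returned by CPPM, if any


class AuthSurvivabilityCache:
    def __init__(self, cache_lifetime_hours: int = 24):
        # Same range as "aaa auth-survivability cache-lifetime <1-72>"; default 24.
        if not 1 <= cache_lifetime_hours <= 72:
            raise ValueError("cache-lifetime must be between 1 and 72")
        self.lifetime = timedelta(hours=cache_lifetime_hours)
        self.entries: Dict[CacheKey, CacheEntry] = {}

    @staticmethod
    def _key(mac: str, username: str, auth_type: str) -> CacheKey:
        # Normalise case so "eap-peap"/"EAP-PEAP" and upper/lower-case MACs match.
        return (mac.lower(), username, auth_type.upper())

    def record_success(self, mac, username, auth_type, server, now,
                       role=None, role_downloaded=True, vlan=None) -> None:
        """Live server accepted the user: add the entry or refresh its timer."""
        self.entries[self._key(mac, username, auth_type)] = CacheEntry(
            server, now, role, role_downloaded, vlan)

    def record_failure(self, mac, username, auth_type) -> None:
        """Live server rejected the user: drop the cached entry, if any."""
        self.entries.pop(self._key(mac, username, auth_type), None)

    def authenticate_offline(self, mac, username, auth_type, now):
        """Server unreachable: decide from cache.

        Returns None when no usable entry exists, otherwise (role, vlan), where
        role is None if the initial/previously known role must be used instead.
        """
        key = self._key(mac, username, auth_type)
        entry = self.entries.get(key)
        if entry is None:
            return None
        if now - entry.authenticated_on > self.lifetime:
            del self.entries[key]        # expired: behave as if never cached
            return None
        role = entry.role if entry.role_downloaded else None
        return (role, entry.vlan)
```

Because the server name is not part of the key, an entry recorded while "CPPM1" was reachable also satisfies a later offline attempt that was directed at "CPPM2", which is exactly the cross-server case described above; a mismatch in auth-type (EAP-PEAP versus PAP) for the same MAC and username returns no match.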
Once the feature is enabled, the presence of the internal survival server can be confirmed with the following command:
(host) #show aaa authentication-server survival
Pri  Host           IP addr    Port  Acct  Retries  Timeout  Secret  Status   NAS-id  Nas-IP
---  ----           -------    ----  ----  -------  -------  ------  ------   ------  ------
1    __Auth-Surv__  127.0.0.1  1812  0     1        5        *****   Enabled          127.0.0.1
Total:1
Check the cache with the following command:
(host) #show aaa auth-survivability-cache
Auth-Survivability Cached Data
------------------------------
MAC                User Name          Authenticated By  Authenticated On  Attributes                                   AuthType
-----------------  ---------          ----------------  ----------------  ----------                                   --------
04:7d:7b:1e:d1:bf  user2              cppm              2014-07-22 08:58  CPPM Role(auth_surv_dacl-3086-5)             EAP-PEAP
04:7d:7b:1e:d1:bf  gues1              cppm              2014-07-22 08:59                                               PAP
aa:bb:cc:00:00:01  aa:bb:cc:00:00:01  cppm              2014-07-22 09:01  VSA Role(auth_surv_vsa_mac), VSA VLAN(3912)  PAP
aa:bb:cc:00:00:65  user1              cppm              2014-07-22 09:03                                               EAP-PEAP
Total Entries: 4
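An audit helper for the cache listing above, written for this page and not an Aruba tool: it parses the "show aaa auth-survivability-cache" table format (the Attributes column may be empty or contain spaces, so it is recovered as everything between the timestamp and the final AuthType token), then reports which entries would already have aged out for a given cache-lifetime and which carry no Role/VLAN from CPPM. The embedded sample is copied from the output above; the "current time" used for the age check and all function names are constructed for the example.

```python
"""Parse and audit the text of "show aaa auth-survivability-cache".

Added example, not an Aruba tool. Function names, the CachedAuth class and
the audit time are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Sample copied from the show output on this page (2014-07-22 timestamps).
SAMPLE_OUTPUT = """\
Auth-Survivability Cached Data
------------------------------
MAC                User Name          Authenticated By  Authenticated On  Attributes                                   AuthType
-----------------  ---------          ----------------  ----------------  ----------                                   --------
04:7d:7b:1e:d1:bf  user2              cppm              2014-07-22 08:58  CPPM Role(auth_surv_dacl-3086-5)             EAP-PEAP
04:7d:7b:1e:d1:bf  gues1              cppm              2014-07-22 08:59                                               PAP
aa:bb:cc:00:00:01  aa:bb:cc:00:00:01  cppm              2014-07-22 09:01  VSA Role(auth_surv_vsa_mac), VSA VLAN(3912)  PAP
aa:bb:cc:00:00:65  user1              cppm              2014-07-22 09:03                                               EAP-PEAP
Total Entries: 4
"""

# A data row is the only kind of line that starts with a MAC address.
MAC_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s", re.IGNORECASE)


@dataclass
class CachedAuth:
    mac: str
    username: str
    authenticated_by: str
    authenticated_on: datetime
    attributes: str
    auth_type: str

    @property
    def role(self) -> Optional[str]:
        m = re.search(r"Role\(([^)]*)\)", self.attributes)
        return m.group(1) if m else None

    @property
    def vlan(self) -> Optional[int]:
        m = re.search(r"VLAN\((\d+)\)", self.attributes)
        return int(m.group(1)) if m else None


def parse_cache_output(text: str) -> List[CachedAuth]:
    """One CachedAuth per data row; title, header, rule and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not MAC_RE.match(line):
            continue
        tokens = line.split()
        # Fixed positions: mac, user, server, date, time ... auth-type last.
        # Everything between the time and the last token is the Attributes column.
        rows.append(CachedAuth(
            mac=tokens[0].lower(),
            username=tokens[1],
            authenticated_by=tokens[2],
            authenticated_on=datetime.strptime(f"{tokens[3]} {tokens[4]}", "%Y-%m-%d %H:%M"),
            attributes=" ".join(tokens[5:-1]),
            auth_type=tokens[-1],
        ))
    return rows


def aged_out(rows: List[CachedAuth], cache_lifetime_hours: int, now: datetime) -> List[CachedAuth]:
    """Entries whose last successful authentication is older than cache-lifetime."""
    limit = timedelta(hours=cache_lifetime_hours)
    return [r for r in rows if now - r.authenticated_on > limit]


def without_attributes(rows: List[CachedAuth]) -> List[CachedAuth]:
    """Entries with no Role/VLAN from CPPM: a cached authentication of these
    clients cannot restore a server-assigned role or VLAN."""
    return [r for r in rows if not r.attributes]


if __name__ == "__main__":
    entries = parse_cache_output(SAMPLE_OUTPUT)
    now = datetime(2014, 7, 23, 9, 0)  # constructed audit time, not from the page
    for e in aged_out(entries, 24, now):
        print(f"aged out: {e.mac} {e.username} ({e.auth_type})")
    for e in without_attributes(entries):
        print(f"no cached role/VLAN: {e.mac} {e.username} ({e.auth_type})")
```

Run against saved output from a switch to see, before a CPPM outage, which clients would still authenticate from cache and which would land in the initial role instead of their CPPM-assigned one.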
Use the following commands to clear the cache manually:
(host) (config) #clear aaa auth-survivability-cache mac <mac address of client>
(host) (config) #clear aaa auth-survivability-cache all
When the CPPM server is down and authentication succeeds from cached credentials, the user table shows __Auth-Surv__ in the Server column:
(host) #show user-table verbose
Users
-----
IP        MAC                Name               Role     Age(d:h:m)  Auth          Connection  Interface  Profile   Vlan      Server
--------  -----------------  -----------------  -------  ----------  ------------  ----------  ---------  --------  --------  -------------
2.2.2.46  04:7d:7b:1e:d1:bf  user1              scpinit  00:00:00    802.1x-Wired  Wired       2/0/0      saaaprof  1 (3911)  __Auth-Surv__
4.1.1.10  aa:bb:cc:00:00:01  aa:bb:cc:00:00:01  guest    00:00:00    MAC           Wired       0/0/44     smacaaa   1 (3911)  __Auth-Surv__
User Entries: 2/2