Alcatel-Lucent AOS-W 6.5.3.x - Page 220
220| BranchSwitch Config for Cloud Services Switches AOS-W 6.5.3.x| User Guide
Enabling Authentication Survivability on a Local Branch Switch
You can enable or disable Authentication Survivability on each local branch switch; by default, this feature is
disabled.
When authentication survivability is enabled, the enabled state is published to the local Survival Server, which
then starts storing client access credential attributes and Key Reply attributes.
Configuring the Survival Server Certificate
A default server certificate is provided in the switch so that the local Survival Server can terminate EAP-TLS
802.1X requests.
Best practice is to import a customer server certificate into the switch and assign it to the local Survival Server.
EAP-TLS supplicants that validate the server certificate accept survival-mode authentication only if they trust the
certificate the Survival Server presents, so use a certificate issued by a CA that the clients already trust.
Configuring the Lifetime of the Authentication Survivability Cache
All access credentials and Key Reply attributes that are saved in the local Survival Server remain in the system
until they expire. The system-wide lifetime parameter auth-survivability cache-lifetime has a range from 1
to 72 hours, and a default value of 24 hours. You must configure this parameter in each switch.
User Credential and Key Reply Attributes Are Saved Automatically
When a station is authenticated by an external authentication server, the required access credential attributes and
Key Reply attributes are stored in the local Survival Server RADIUS database on every AOS-W switch that has
authentication survivability enabled.
Expired User Credential and Key Reply Attributes Are Purged Automatically
On the switch, a timer task that runs every 10 minutes purges expired user credential attributes and Key Reply
attributes from the Survival Server cache.
About the Survival Server
A local Survival Server runs on the switch to perform authentication functions, including EAP termination, using
the RADIUS protocol.
The Survival Server consists of a turn-key FreeRADIUS server, plus MySQL database tables.
When authentication survivability is enabled, a FreeRADIUS server runs on the switch. The Survival Server is
configured to accept RADIUS requests from the local host and retrieve the access credential and Key Reply
attributes from the MySQL database. The Survival Server supports EAP-TLS, PAP, and Common Name (CN)
lookup.
Trigger Conditions for Critical Actions
This section describes the trigger conditions for critical authentication survivability actions.
Storing User Access Credential and Key Reply Attributes to Survival Cache
AOS-W stores the user access credential and Key Reply attributes under the following conditions:
1. Authentication survivability is enabled
2. A client with a non-zero MAC address is authenticated using one of the following options:
a. Authenticated with an external RADIUS server using PAP or EAP-TLS
b. Authenticated with an external LDAP server using PAP
c. Successful query on Common Name (CN) with an external RADIUS or LDAP server
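To make the cache lifecycle concrete, the following is an added example that is not AOS-W code and not part of the user guide: a Python model of the per-switch Survival Server cache that applies the storage trigger conditions listed above, the 1 to 72 hour auth-survivability cache-lifetime, and the 10-minute purge task. The class and function names (SurvivalCache, on_external_auth_success, purge_task), the "cn-lookup" method label, the reference clock T0 and the sample MAC addresses and attribute values are all constructed for illustration; the model also shows that an entry whose lifetime has elapsed must be rejected on lookup even before the purge task has removed it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Values taken from the user-guide text on this page.
PURGE_INTERVAL = timedelta(minutes=10)   # timer task period
LIFETIME_HOURS = range(1, 73)            # auth-survivability cache-lifetime: 1..72 h
DEFAULT_LIFETIME_HOURS = 24

# (external server, method) pairs that trigger storing an entry (conditions
# 2a-2c above). "cn-lookup" is a constructed label for the Common Name query.
STORE_TRIGGERS = {
    ("radius", "pap"), ("radius", "eap-tls"),
    ("ldap", "pap"),
    ("radius", "cn-lookup"), ("ldap", "cn-lookup"),
}

# Constructed reference clock used by the scenario below.
T0 = datetime(2024, 1, 1, 8, 0)

def at(hours: float) -> datetime:
    """Return the constructed clock value T0 + hours."""
    return T0 + timedelta(hours=hours)

def is_zero_mac(mac: str) -> bool:
    """True for an all-zero MAC in any common separator style."""
    return mac.replace(":", "").replace("-", "").replace(".", "").strip("0") == ""

@dataclass
class CacheEntry:
    username: str
    credential_attrs: dict   # access credential attributes (constructed contents)
    key_reply_attrs: dict    # Key Reply attributes returned on success (constructed)
    expires_at: datetime

class SurvivalCache:
    """Model of the per-switch Survival Server cache; not AOS-W code."""

    def __init__(self, lifetime_hours: int = DEFAULT_LIFETIME_HOURS, enabled: bool = False):
        if lifetime_hours not in LIFETIME_HOURS:
            raise ValueError("cache-lifetime must be between 1 and 72 hours")
        self.lifetime = timedelta(hours=lifetime_hours)
        self.enabled = enabled              # authentication survivability state
        self._entries: dict = {}
        self._last_purge = None

    def on_external_auth_success(self, *, mac, username, server, method,
                                 credential_attrs, key_reply_attrs, now):
        """Store an entry when an external server authenticates a station and
        the trigger conditions hold. Returns True if the entry was stored."""
        if not self.enabled:                        # condition 1
            return False
        if is_zero_mac(mac):                        # condition 2: non-zero MAC only
            return False
        if (server, method) not in STORE_TRIGGERS:  # conditions 2a-2c
            return False
        self._entries[username] = CacheEntry(
            username, dict(credential_attrs), dict(key_reply_attrs),
            expires_at=now + self.lifetime)
        return True

    def lookup(self, username, now):
        """Survival-mode lookup. An expired entry is rejected even if the
        10-minute purge task has not removed it yet."""
        entry = self._entries.get(username)
        if entry is None or entry.expires_at <= now:
            return None
        return entry

    def purge_task(self, now):
        """Timer task: purge expired entries once PURGE_INTERVAL has passed
        since the previous run. Returns the number of entries purged."""
        if self._last_purge is not None and now - self._last_purge < PURGE_INTERVAL:
            return 0
        expired = [u for u, e in self._entries.items() if e.expires_at <= now]
        for u in expired:
            del self._entries[u]
        self._last_purge = now
        return len(expired)

    def __len__(self):
        return len(self._entries)

def run_scenario() -> dict:
    """Walk constructed clients through the lifecycle; returns observations."""
    cache = SurvivalCache(lifetime_hours=24, enabled=True)
    reply = {"role": "employee"}
    r = {}
    r["alice_stored"] = cache.on_external_auth_success(
        mac="aa:bb:cc:dd:ee:01", username="alice", server="radius", method="eap-tls",
        credential_attrs={"cert-cn": "alice"}, key_reply_attrs=reply, now=at(0))
    # LDAP triggers storage only with PAP; an all-zero MAC is never cached.
    r["ldap_eaptls_stored"] = cache.on_external_auth_success(
        mac="aa:bb:cc:dd:ee:02", username="bob", server="ldap", method="eap-tls",
        credential_attrs={"cert-cn": "bob"}, key_reply_attrs=reply, now=at(0))
    r["zero_mac_stored"] = cache.on_external_auth_success(
        mac="00:00:00:00:00:00", username="carol", server="radius", method="pap",
        credential_attrs={"user": "carol"}, key_reply_attrs=reply, now=at(0))
    cache.on_external_auth_success(   # dave expires 2 minutes after alice
        mac="aa:bb:cc:dd:ee:04", username="dave", server="radius", method="pap",
        credential_attrs={"user": "dave"}, key_reply_attrs=reply,
        now=at(0) + timedelta(minutes=2))
    r["hit_before_expiry"] = cache.lookup("alice", at(23.5)) is not None
    r["miss_after_expiry"] = cache.lookup("alice", at(24)) is None
    r["purged_first_run"] = cache.purge_task(at(24))                        # alice only
    r["dave_miss_before_purge"] = cache.lookup("dave", at(24) + timedelta(minutes=5)) is None
    r["purged_rerun_too_soon"] = cache.purge_task(at(24) + timedelta(minutes=5))
    r["entries_between_runs"] = len(cache)                                 # dave lingers
    r["purged_second_run"] = cache.purge_task(at(24) + timedelta(minutes=10))
    r["entries_after"] = len(cache)
    return r
```

The scenario shows why the lookup path checks expiry itself: dave's entry is expired at 24:05 but the purge task, which last ran at 24:00, does not remove it until its next run at 24:10.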