288| 802.1X Authentication AOS-W 6.5.3.x| User Guide
made from the client to a web server is redirected to the IDP for authentication. If the user has already been
authenticated using L2 credentials, the IDP server already knows the authentication details and returns a SAML
response, redirecting the client browser to the web-based application. The user enters the web-based
application without needing to enter the credentials again.
Enabling application SSO using L2 network information requires configuration on the switch and on the IDP
server. The Alcatel-Lucent ClearPass Policy Manager (CPPM) is the only IDP supported. The switch has been
optimized to work with CPPM to provide better functionality as an IDP.
Important Points to Remember
n CPPM is the only supported IDP.
n SSO occurs after 802.1X authentication. Therefore, SSO after captive portal authentication is not
supported. Roles for captive portal and SSO are mutually exclusive and, therefore, a user in the captive
portal role cannot perform SSO and vice-versa.
n SSO with VIA is not supported.
n There is a limit on the number of concurrent sessions that can be serviced at a given instant. This limit is set
at the web-server level with the web-max-clients command in the web-server profile. The default value is 320
for OAW-40xx Series and OAW-4x50 Series switch platforms and 25 for other switch platforms. SSO redirects
share this limit with every other web service the switch is handling, so the number of concurrent SSO
sessions that can actually be serviced depends on that other web traffic at the same time.
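The flow described above, with the constraints from the list, as an added simulation that is not Alcatel-Lucent or Aruba code: the switch, CPPM acting as IDP, and the web application are modelled in one process. Everything specific is an assumption made for the example: the URLs, the role names, the token values, the idea that the VSA SSO token travels to the IDP inside the redirect, and the HMAC "signature", which stands in for the XML signature on a real SAML assertion. The page only states that the IDP already knows the L2 authentication and answers with a SAML response; the validity window, audience check and replay check on the application side are the checks any SAML service provider performs and are included so the example is a safe pattern, not because the page describes them.

```python
"""Constructed simulation of application SSO after 802.1X (not vendor code).
URLs, roles, tokens and the HMAC stand-in for the SAML signature are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

IDP_SSO_URL = "https://cppm.example.net/saml/sso"   # assumed IDP endpoint
APP_ACS_URL = "https://app.example.net/saml/acs"    # assumed application endpoint
IDP_KEY = b"stand-in-for-the-IDP-signing-certificate"
SSO_ROLE, CAPTIVE_PORTAL_ROLE = "sso-role", "captive-portal-role"
WEB_MAX_CLIENTS = 25   # the page's default web-max-clients for the smaller platforms


class Switch:
    """L2 state: each client's role and the SSO token CPPM returned in the Aruba VSA."""

    def __init__(self, idp_url, max_clients=WEB_MAX_CLIENTS):
        self.idp_url, self.max_clients = idp_url, max_clients
        self.clients = {}       # client IP -> {"role": ..., "token": ...}
        self.in_flight = 0      # SSO redirects the web server is currently servicing

    def on_dot1x_success(self, ip, role, sso_token):
        self.clients[ip] = {"role": role, "token": sso_token}

    def intercept_http(self, ip, target_url):
        """Redirect URL to the IDP for an SSO-role client, None if SSO is not possible."""
        c = self.clients.get(ip)
        if c is None or c["role"] != SSO_ROLE:   # captive-portal role never performs SSO
            return None
        if self.in_flight >= self.max_clients:    # web-max-clients exhausted
            return None
        self.in_flight += 1
        return f"{self.idp_url}?{urlencode({'RelayState': target_url, 'token': c['token']})}"

    def sso_finished(self):
        self.in_flight -= 1


class IdP:
    """CPPM stand-in: it issued the token at 802.1X time, so seeing it again identifies the user."""

    def __init__(self):
        self.tokens = {}   # sso token -> username learned during RADIUS authentication

    def on_radius_auth(self, user, sso_token):
        self.tokens[sso_token] = user

    def sso(self, redirect_url):
        qs = parse_qs(urlsplit(redirect_url).query)
        user = self.tokens.get(qs.get("token", [""])[0])
        if user is None:
            return {"action": "show_login_form"}   # no L2 context: interactive login
        now = int(time.time())
        assertion = {"id": secrets.token_hex(8), "subject": user, "audience": APP_ACS_URL,
                     "not_before": now, "not_on_or_after": now + 300, "authn_context": "802.1X"}
        payload = base64.b64encode(json.dumps(assertion, sort_keys=True).encode()).decode()
        sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return {"action": "post_to_acs", "SAMLResponse": payload,
                "Signature": sig, "RelayState": qs["RelayState"][0]}


class App:
    """Service provider: accepts a fresh, correctly signed assertion addressed to it, once."""

    def __init__(self, idp_key):
        self.idp_key, self.seen_ids = idp_key, set()

    def consume(self, resp, now=None):
        now = int(time.time()) if now is None else now
        payload = resp["SAMLResponse"].encode()
        expected = hmac.new(self.idp_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, resp["Signature"]):
            raise PermissionError("bad IDP signature")
        a = json.loads(base64.b64decode(payload))
        if a["audience"] != APP_ACS_URL:
            raise PermissionError("assertion not meant for this application")
        if not a["not_before"] <= now < a["not_on_or_after"]:
            raise PermissionError("assertion outside its validity window")
        if a["id"] in self.seen_ids:
            raise PermissionError("replayed assertion")
        self.seen_ids.add(a["id"])
        return a["subject"], resp["RelayState"]


def accepted(app, resp, now=None):
    """True if the application grants access on this response, False if it rejects it."""
    try:
        app.consume(resp, now)
        return True
    except PermissionError:
        return False


def run_flow(switch, idp, app, ip, target_url):
    """One browser request end to end: ("sso", user) or ("login-required", None)."""
    redirect = switch.intercept_http(ip, target_url)
    if redirect is None:
        return ("login-required", None)
    try:
        resp = idp.sso(redirect)
        if resp["action"] != "post_to_acs":
            return ("login-required", None)
        return ("sso", app.consume(resp)[0])
    finally:
        switch.sso_finished()


def demo():
    switch, idp, app = Switch(IDP_SSO_URL), IdP(), App(IDP_KEY)
    idp.on_radius_auth("alice", "tok-alice")                        # constructed 802.1X outcomes
    switch.on_dot1x_success("10.0.0.11", SSO_ROLE, "tok-alice")
    switch.on_dot1x_success("10.0.0.12", CAPTIVE_PORTAL_ROLE, "tok-bob")
    switch.on_dot1x_success("10.0.0.13", SSO_ROLE, "tok-never-issued")  # CPPM has no record of it
    return {ip: run_flow(switch, idp, app, ip, "https://app.example.net/")
            for ip in ("10.0.0.11", "10.0.0.12", "10.0.0.13")}


if __name__ == "__main__":
    for ip, outcome in demo().items():
        print(ip, outcome)
```

Running it shows the three cases the list above calls out: the SSO-role client with a token CPPM recognises reaches the application with no second login, the captive-portal-role client is never redirected, and an SSO-role client whose token the IDP does not know falls back to the IDP's login form. Lowering max_clients to zero reproduces the web-max-clients exhaustion case.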
Enabling Application SSO
Enabling application SSO using L2 authentication information requires configuration on the switch and CPPM.
This feature is enabled by completing the following steps:
n Switch:
l Configuring an SSO-IDP Profile
l Applying an SSO Profile to a User Role
l Selecting an IDP Certificate
n CPPM (refer to the ClearPass Policy Manager documentation for the following procedures):
l Add the switch’s IP address as a network device
l Add the user to the local user DB
l Create an enforcement profile to return the Aruba vendor-specific attribute (VSA) SSO token
l Create an IDP attribute enforcement profile
l Create an enforcement policy binding the Aruba VSA SSO token enforcement profile
l Create an enforcement policy binding the IDP enforcement profile
l Create a service, allowing the respective authentication types and authentication database, and bind the
Aruba VSA SSO token enforcement policy.
l Create a service, allowing the respective authentication types and authentication database, and bind the
IDP enforcement policy.
l Configure SSO for the CPPM.
Configuring SSO IDP-Profiles
Before SSO can be enabled, you must configure an SSO profile by completing the procedure detailed below.
In the WebUI
1. Navigate to Configuration > Advanced Services > All Profiles > Wireless LANs > SSO.
2. Enter the name of the SSO profile and click Add.