AOS-W 6.5.3.x | User Guide Stateful and WISPr Authentication | 291
Chapter 12
Stateful and WISPr Authentication
AOS-W supports stateful 802.1X authentication, stateful NTLM authentication, and authentication for Wireless
Internet Service Provider roaming (WISPr). Stateful authentication differs from 802.1X authentication in that
the switch does not manage the authentication process directly, but instead monitors the authentication
messages between a user and an external authentication server, then assigns a role to that user based upon
the information in those authentication messages. WISPr authentication allows clients to roam between
hotspots using different ISPs.
This chapter describes the following topics:
• Working With Stateful Authentication on page 291
• Working With WISPr Authentication on page 292
• Understanding Stateful Authentication Best Practices on page 292
• Configuring Stateful 802.1X Authentication on page 292
• Configuring Stateful NTLM Authentication on page 293
• Configuring Stateful Kerberos Authentication on page 294
• Configuring WISPr Authentication on page 295
Working With Stateful Authentication
AOS-W supports three different types of stateful authentication:
• Stateful 802.1X authentication: This feature allows the switch to learn the identity and role of a user connected to a third-party AP, and is useful for authenticating users to networks with APs from multiple vendors. When an 802.1X-capable access point sends an authentication request to a RADIUS server, the switch inspects this request and the associated response to learn the authentication state of the user. It then applies an identity-based user-role through the Policy Enforcement Firewall.
• Stateful Kerberos authentication: Stateful Kerberos authentication configures a switch to monitor the Kerberos authentication messages between a client and a Windows authentication server. If the client successfully authenticates via a Kerberos authentication server, the switch recognizes that the client has been authenticated and assigns that client a specified user role.
• Stateful NTLM authentication: NT LAN Manager (NTLM) is a suite of Microsoft authentication and session security protocols. You can use stateful NTLM authentication to configure a switch to monitor the NTLM authentication messages between a client and a Windows authentication server. If the client successfully authenticates via an NTLM authentication server, the switch recognizes that the client has been authenticated and assigns that client a specified user role.
The default Windows authentication method has changed from the older NTLM protocol to the newer
Kerberos protocol, starting with Windows 2000. Therefore, stateful NTLM authentication is most useful for
networks with legacy, pre-Windows 2000 clients. Also note that unlike other types of authentication, all
users authenticated via stateful NTLM authentication must be assigned to the user role specified in the
Stateful NTLM Authentication profile. Alcatel-Lucent’s stateful NTLM authentication does not support
placing users in various roles based upon group membership or other role-derivation attributes.