292| Stateful and WISPr Authentication AOS-W 6.5.3.x| User Guide
Working With WISPr Authentication
WISPr authentication allows a “smart client” to authenticate to the network when roaming between Wireless
Internet Service Providers, even if the wireless hotspot uses an ISP, which the client may not have an account
for.
If you are a hotspot operator using WISPr authentication, and a client that has an account with your ISP
attempts to access the Internet at your hotspot, your ISP’s WISPr AAA server authenticates that client directly
and allows the client to access the network. If, however, the client only has an account with a partner ISP, your
ISP’s WISPr AAA server forwards that client’s credentials to the partner ISP’s WISPr AAA server for
authentication. Once the client has been authenticated on the partner ISP, it is authenticated on your hotspot’s
own ISP, as per their service agreements. After your ISP sends an authentication message to the switch, the
switch assigns the default WISPr user-role to that client.
AOS-W supports the following smart clients, which enable client authentication and roaming between hotspots
by embedding iPass Generic Interface Specification (GIS) redirect, proxy, authentication, and logoff messages
within HTML messages to the switch.
n iPass
n Boingo
n Trustive
n weRoam
n AT&T
Understanding Stateful Authentication Best Practices
Before you can configure a stateful authentication feature, you must define a user-role you want to assign to
the authenticated users and create a server group that includes a RADIUS authentication server for stateful
802.1X authentication or a Windows server for stateful NTLM authentication. For details on performing these
tasks, refer to the following sections of this User Guide:
n Roles and Policies on page 375
n Configuring a RADIUS Server on page 179
n Configuring a Windows Server on page 196
n Configuring Server Groups on page 199
You can use the default stateful NTLM authentication and WISPr authentication profiles to manage the
settings for these features, or you can create additional profiles as desired. Note that unlike most other types
of authentication, stateful 802.lx authentication uses only a single Stateful 802.1X profile. This profile can be
enabled or disabled, but you cannot configure more than one Stateful 802.1X profile.
Configuring Stateful 802.1X Authentication
When you configure 802.1X authentication for clients on non-Alcatel-Lucent APs, you must specify the group
of RADIUS servers that performs the user authentication and select the role to assign to users who successfully
complete authentication. When the user logs off or shuts down the client machine, AOS-W notes the
deauthentication message from the RADIUS server and changes the user’s role from the specified
authenticated role back to the login role. For details on defining a RADIUS server used for stateful 802.1X
authentication, see Configuring a RADIUS Server on page 179.
In the WebUI
To configure the Stateful 802.1X Authentication profile via the WebUI:
To Next Page
Loading...