80 | Aruba Configuration Reference AirWave Wireless Management Suite | Configuration Guide
3. Click Add or Save. The added or edited 802.1x Auth profile appears on the AAA Profiles page, and on the
802.1x Auth details page.
Profiles > AAA > Stateful NTLM Auth
When the user logs off or shuts down the client machine, this profile allows the user to remain in the
authenticated role until the user ages out. Aging out means the user has sent no traffic for the amount of
time specified for the Timeout parameter of this profile.
The Stateful NT LAN Manager (NTLM) Authentication profile requires that you specify the following
components:
- a server group that includes the servers performing NTLM authentication
- a default role to be assigned to authenticated users
The Wireless Internet Service Provider roaming (WISPr) protocol allows users to roam between service
providers. A RADIUS server is used to authenticate subscriber credentials.
For details on defining a Windows server used for NTLM authentication, refer to “Security > Server Groups > Windows” on page 156.
Perform these steps to configure a Stateful NTLM Auth profile.
1. Click Profiles > AAA > Stateful NTLM Auth in the Aruba Navigation pane. The details page summarizes the current profiles of this type.
2. Click the Add button to create a new Stateful NTLM Auth profile, or click the pencil icon next to an existing profile to edit that profile. The Details page appears. Complete the settings as described in Table 18:
Table 17 Aruba Configuration > Profiles > AAA > 802.1x Auth Profile Settings (Continued)

| Field | Default | Description |
|---|---|---|
| Ignore EAPOL-START After Authentication | No | Enable or disable this setting. EAP authentication starts with an EAPOL-Start frame that the wireless client sends to the AP. On receiving such a frame, the AP responds to the wireless client with an EAP-Identity-Request and also allocates internal resources. Attackers can exploit this behavior by sending a large number of EAPOL-Start frames to the access point, either by spoofing the MAC address or by emulating wireless clients. This forces the AP to allocate more and more resources, eventually bringing it down. Enable this setting to reduce the risk. |
| Handle EAPOL-Logoff | No | Specify whether authentication should manage logoff activity. |
| Ignore EAP ID During Negotiation | No | Specify whether EAP should be ignored during authentication. |
| WPA-Fast-Handover | No | In the 802.1x Authentication profile, the WPA fast handover feature allows certain WPA clients to use a pre-authorized PMK, significantly reducing handover interruption. Check with the manufacturer of your handset to see if this feature is supported. This feature is disabled by default. |
| Disable Rekey and Reauthentication for Clients on Call | No | Although reauthentication and rekey timers are configurable on a per-SSID basis, an 802.1x transaction during a call can affect voice quality. If a client is on a call, 802.1x reauthentication and rekey are disabled by default until the call is completed. You can disable or re-enable the “voice aware” feature in the 802.1x authentication profile. This setting requires a voice service license. |
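
The EAPOL-Start flood described for the Ignore EAPOL-START After Authentication setting can be detected by counting Start frames per AP instead of per client, because the source MACs may be spoofed. The following Python code is an added example, not part of this guide or of AirWave; the log line format, function names, window and threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque

# Constructed sample: "<seconds> <client MAC> <AP BSSID> <EAPOL type>".
# Every value below is made up for illustration.
def build_sample():
    lines = [
        # Normal client: one Start followed by a key exchange.
        "0.50 02:00:00:00:00:01 02:aa:00:00:00:01 start",
        "0.90 02:00:00:00:00:01 02:aa:00:00:00:01 key",
    ]
    # Flood: 40 Starts in about 4 seconds, each from a different MAC.
    for i in range(40):
        lines.append(f"{5 + i * 0.1:.2f} 02:00:00:00:01:{i:02x} 02:aa:00:00:00:02 start")
    return lines

def parse(line):
    ts, client, bssid, kind = line.split()
    return float(ts), client.lower(), bssid.lower(), kind

def detect_start_flood(lines, window=5.0, threshold=25):
    """Return {bssid: (peak_count, distinct_macs)} for every AP that saw more
    than `threshold` EAPOL-Start frames within any `window` seconds."""
    recent = defaultdict(deque)  # bssid -> (ts, client) pairs still in the window
    alerts = {}
    for ts, client, bssid, kind in sorted(map(parse, lines)):
        if kind != "start":
            continue
        q = recent[bssid]
        q.append((ts, client))
        # Slide the window: drop Start frames older than `window` seconds.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) > threshold:
            prev_peak, prev_macs = alerts.get(bssid, (0, 0))
            macs = len({c for _, c in q})
            alerts[bssid] = (max(prev_peak, len(q)), max(prev_macs, macs))
    return alerts

if __name__ == "__main__":
    for bssid, (peak, macs) in detect_start_flood(build_sample()).items():
        print(f"{bssid}: {peak} EAPOL-Start frames in window from {macs} MACs")
```

A high distinct-MAC count alongside a high peak points to spoofed or emulated clients, while a count of 1 points to a single misbehaving or hostile station.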