ArubaOS 8.6.0.0 Help Center

WAN Authentication Survivability Overview

Authentication survivability is critical to managed device WLANs (Wireless Local Area Networks), since most managed devices use geographically remote authentication servers to provide authentication and authorization services. When those authentication servers are not accessible, clients cannot access the WLAN because the managed device cannot authenticate them. ArubaOS authentication survivability allows managed devices to provide client authentication and authorization survivability when remote authentication servers are not accessible. When this feature is enabled, ArubaOS stores user access credentials and key reply attributes whenever clients are authenticated with external RADIUS (Remote Authentication Dial-In User Service) servers or LDAP (Lightweight Directory Access Protocol) authentication servers. When external authentication servers are not accessible, the managed device uses its internal survival server to continue providing authentication and authorization functions by using the user access credentials and key reply attributes that were stored earlier.

When authentication survivability is enabled, an internal survival server on the managed node performs authentication functions, as well as EAP (Extensible Authentication Protocol) termination using the RADIUS protocol. The survival server handles authentication or query requests when authentication survivability is enabled and one of the following is true:

1. All servers in the server group are out of service, if fail-through is disabled.

2. All in-service servers failed the authentication and at least one server is out of service, if fail-through is enabled.

All access credentials and key reply attributes saved in the local survival server remain in the system until they expire. The system-wide lifetime parameter auth-survivability cache-lifetime has a range from 1 to 168 hours and a default value of 24 hours. Expired user credential attributes and key reply attributes stored in the survival server cache are purged every 10 minutes.

The best practice is to import a custom server certificate into the managed device and assign it to the local survival server.

The survival server can store the following types of client data:

Client username

Encrypted passwords. For PAP (Password Authentication Protocol) authentication, the survival server receives the password provided by the client and then stores an encrypted SHA-1 (Secure Hash Algorithm) hash of the password.

EAP indicator: When employing 802.1X with termination disabled using EAP-TLS (EAP-Transport Layer Security, RFC 5216), the EAP indicator is stored.

The CN (Common Name) lookup EXIST indicator

Supported Client and Authentication Types

The following combinations of clients and authentication types are supported with the authentication survivability feature; see the table below.

Table 1: Clients and Supported Authentication Types

Clients | Authentication Methods

Captive Portal clients | PAP

802.1X clients | Termination disabled: EAP-TLS with an external RADIUS server. Termination enabled: EAP-TLS with CN lookup with an external authentication server

External Captive Portal clients using the XML-API (Extensible Markup Language Application Programming Interface) | PAP

MAC (Media Access Control) based authentication clients | PAP

VPN (Virtual Private Network) clients | PAP with an external authentication server; CN lookup with an external authentication server

VIA (Virtual Intranet Access) and other VPN clients | PAP method and CN lookup

WISPr (Wireless Internet Service Provider Roaming) clients | PAP

Supported Key Reply Attributes

The following key reply attributes are supported:

ARUBA_NAMED_VLAN (VLAN: Virtual Local Area Network)

ARUBA_NO_DHCP_FINGERPRINT (DHCP: Dynamic Host Configuration Protocol)

ARUBA_ROLE

ARUBA_VLAN

MS_TUNNEL_MEDIUM_TYPE

MS_TUNNEL_PRIVATE_GROUP_ID

MS_TUNNEL_TYPE

PW_SESSION_TIMEOUT

PW_USER_NAME

Feature Restrictions and Limitations

The authentication survivability feature has the following support restrictions:

The Survival Server cache database is station-based (the MAC address is the key), so authentication survivability is not supported for any station with a zero MAC address.

For a client using EAP-TLS, you must install the issuer certificate of the Survival Server certificate as a Trusted CA certificate in the client station.

For an 802.1X client using EAP-TLS that does not terminate at the managed device, the issuer certificate for the client certificate must be imported as a Trusted CA or an intermediate CA certificate at the managed device, just as the same certificate must be installed at the terminating external RADIUS server.

The Survival Server does not support OCSP (Online Certificate Status Protocol) or CRLs (Certificate Revocation Lists) for EAP-TLS.

Authentication survivability will not activate if Authentication Server Dead Time is configured as 0.

To configure Authentication Server Dead Time, on the managed device, navigate to: Configuration > SECURITY > Authentication > Advanced > Authentication Timers > Authentication Server Dead Time (min).

Captive Portal Authentication Workflow

This section describes the authentication procedures for Captive Portal clients, both when the branch authentication servers are available and when they are not available. When the authentication servers are not available, the Survival Server takes over the handling of authentication requests.

Captive Portal Client Authentication Using PAP

Table 2 describes what occurs for Captive Portal clients using PAP as the authentication method.

Table 2: Captive Portal Authentication Using PAP

When Authentication Servers Are Available:

If authentication succeeds, the associated access credential with an encrypted SHA-1 hash of the password and Key Reply attributes are stored in the Survival Server database.

If authentication fails, the associated access credential and Key Reply attributes associated with the PAP method (if they exist) are deleted from the Survival Server database.

When Authentication Servers Are Not Available:

When no in-service server in the associated server group is available, the Survival Server is used to authenticate the Captive Portal client using PAP.

The Survival Server uses the previously stored unexpired access credential to perform authentication and, upon successful authentication, returns the previously stored Key Reply attributes.
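The following Python model is an added example, not ArubaOS code: it implements the activation rules listed in the overview (fail-through disabled versus enabled) together with the store, delete and local-lookup steps of the PAP workflow in Table 2, using the page's cache-lifetime range and default, the 10-minute purge and the zero-MAC restriction. Class and function names (SurvivalServer, survival_server_active, ExternalServer) are this example's own, and the station MAC, user and attributes in the test are constructed values.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Values from the page: cache-lifetime range 1-168 h, default 24 h, purge every 10 min.
CACHE_LIFETIME_HOURS = 24
PURGE_INTERVAL_SECONDS = 10 * 60
ZERO_MAC = "00:00:00:00:00:00"   # stations with a zero MAC are not supported (MAC is the cache key)


@dataclass
class ExternalServer:
    """State of one server in the server group as seen by the managed device (hypothetical model)."""
    in_service: bool
    accepted: bool = False   # result of the last authentication attempt on this server


def survival_server_active(servers, fail_through):
    """Activation rules from the overview. The survival server handles the request only when
    (1) fail-through disabled: every server in the group is out of service, or
    (2) fail-through enabled: every in-service server rejected the request and at least
        one server in the group is out of service."""
    in_service = [s for s in servers if s.in_service]
    if not fail_through:
        return len(in_service) == 0
    any_down = len(in_service) < len(servers)
    return any_down and all(not s.accepted for s in in_service)


@dataclass
class CacheEntry:
    username: str
    method: str          # "PAP" here; the page also lists EAP-TLS and CN-lookup (EXIST) indicators
    password_sha1: str   # hex SHA-1 of the PAP password, never the password itself
    key_reply: dict      # e.g. ARUBA_ROLE, ARUBA_VLAN, PW_SESSION_TIMEOUT
    expires_at: float


class SurvivalServer:
    def __init__(self, lifetime_hours=CACHE_LIFETIME_HOURS, clock=time.time):
        if not 1 <= lifetime_hours <= 168:
            raise ValueError("auth-survivability cache-lifetime must be 1..168 hours")
        self.lifetime = lifetime_hours * 3600
        self.clock = clock          # injectable so expiry can be exercised without waiting
        self.cache = {}             # station MAC -> CacheEntry

    def record_external_result(self, mac, username, password, accepted, key_reply):
        """What the managed device stores after the external server's PAP decision:
        success stores the hashed credential plus Key Reply attributes, failure deletes
        any existing PAP entry for the station. Returns False for an unsupported zero MAC."""
        if mac == ZERO_MAC:
            return False
        if accepted:
            self.cache[mac] = CacheEntry(
                username, "PAP", hashlib.sha1(password.encode()).hexdigest(),
                dict(key_reply), self.clock() + self.lifetime)
        else:
            entry = self.cache.get(mac)
            if entry is not None and entry.method == "PAP":
                del self.cache[mac]
        return True

    def authenticate_pap(self, mac, username, password):
        """Local PAP authentication from the cache while no in-service server is available.
        Returns the stored Key Reply attributes on success, or None when the station is
        unknown, the entry has expired, or the username/password does not match."""
        entry = self.cache.get(mac)
        if entry is None or entry.method != "PAP" or entry.expires_at <= self.clock():
            return None
        if entry.username != username:
            return None
        digest = hashlib.sha1(password.encode()).hexdigest()
        if not hmac.compare_digest(digest, entry.password_sha1):
            return None
        return dict(entry.key_reply)

    def purge_expired(self):
        """The periodic purge (every PURGE_INTERVAL_SECONDS); returns how many entries were removed."""
        now = self.clock()
        expired = [mac for mac, e in self.cache.items() if e.expires_at <= now]
        for mac in expired:
            del self.cache[mac]
        return len(expired)
```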

External Captive Portal Client Authentication Using the XML-API

Table 3 describes the authentication procedures for External Captive Portal clients using the XML-API, both when the branch authentication servers are available and when they are not available. When the authentication servers are not available, the Survival Server takes over the handling of authentication requests.

Table 3: Captive Portal Authentication Using XML-API

When Authentication Servers Are Available:

For authentication requests from an External Captive Portal using the XML-API, PAP is used to authenticate these requests with an external authentication server.

If authentication succeeds, the associated access credential with an encrypted SHA-1 hash of the password and Key Reply attributes are stored in the Survival Server database.

If authentication fails, the associated access credential and Key Reply attributes associated with the PAP method (if they exist) are deleted from the Survival Server database.

When Authentication Servers Are Not Available:

When no in-service server in the associated server group is available, the Survival Server is used to authenticate the Captive Portal client using PAP.

The Survival Server uses the previously stored unexpired access credential to perform authentication and, upon successful authentication, returns the previously stored Key Reply attributes.

802.1X Authentication Workflow

This section describes the authentication procedures for 802.1X clients with termination at an external RADIUS server, or at the controller.

Table 4: 802.1X Authentication Terminating at an External Server

When Authentication Servers Are Available:

For an 802.1X client that terminates at an external RADIUS server using EAP-TLS:

If authentication is accepted, the associated access credential with the EAP-TLS indicator, in addition to the Key Reply attributes, are stored in the Survival Server database.

If authentication is rejected, the associated access credential and Key Reply attributes associated with the EAP-TLS method (if they exist) are deleted from the Survival Server database.

When Authentication Servers Are Not Available:

When there is no available in-service server in the associated server group, the Survival Server terminates and authenticates 802.1X clients using EAP-TLS.

The Survival Server uses the previously stored unexpired access credential to perform authentication and, upon successful authentication, returns the previously stored Key Reply attributes.

In this case, the client station must be configured to accept the server certificate assigned to the Survival Server.

For an 802.1X client for which termination is enabled at the managed device using EAP-TLS with CN lookup, a query request about the Common Name is sent to the external authentication server.

The external authentication server can be either a RADIUS server or an LDAP server.

Table 5: 802.1X Client Authentication Using EAP-TLS with CN Lookup

When Authentication Servers Are Available:

If the query succeeds, the associated access credential with a returned indicator of EXIST, plus the Key Reply attributes, are stored in the Survival Server database.

If the query fails, the associated access credential and Key Reply attributes associated with the Query method (if they exist) are deleted from the Survival Server database.

When Authentication Servers Are Not Available:

When there is no available in-service server in the associated server group, the Survival Server performs CN lookup for 802.1X clients for which termination is enabled at the managed device using EAP-TLS.

The Survival Server returns previously stored Key Reply attributes as long as the client with the EXIST indicator is in the Survival Server database.

MAC Authentication Workflow

This section describes the authentication procedures for MAC-based authentication clients.

Table 6: MAC-Based Client Authentication Using PAP

When Authentication Servers Are Available:

If authentication succeeds, the associated access credential, along with an encrypted SHA-1 hash of the password and Key Reply attributes, are stored in the Survival Server database.

If authentication fails, the associated access credential and Key Reply attributes associated with the PAP method (if they exist) are deleted from the Survival Server database.

When Authentication Servers Are Not Available:

When there is no available in-service server in the associated server group, the Survival Server authenticates the MAC-based authentication client using PAP.

The Survival Server returns previously stored Key Reply attributes as long as the client with the EXIST indicator is in the Survival Server database.

WISPr Authentication

This section describes the authentication procedures for WISPr (Wireless Internet Service Provider Roaming) clients, both when the branch authentication servers are available and when they are not available. When the authentication servers are not available, the Survival Server takes over the handling of authentication requests.

The external authentication server can be either a RADIUS server or an LDAP server.

Table 7: WISPr Authentication Using PAP

When Authentication Servers Are Available:

For a WISPr client authenticated by an external server using PAP:

If authentication succeeds, the associated access credential, along with an encrypted SHA-1 hash of the password and Key Reply attributes, are stored in the Survival Server database.

If authentication fails, the associated access credential and Key Reply attributes (if they exist) associated with the PAP method are deleted from the Survival Server database.

When Authentication Servers Are Not Available:

When there is no available in-service server in the associated server group, the Survival Server authenticates the WISPr client using PAP.

The Survival Server uses the previously stored unexpired credential to perform authentication and, upon successful authentication, returns the previously stored Key Reply attributes.
