Authentication Support Matrix

Which AAA server types a WLAN can authenticate against depends on whether the AP reaches the AAA server through the controller (proxy mode) or directly (non-proxy mode). The tables below list the supported combinations for each mode, followed by the platform, dynamic-policy, and PAP/CHAP support that follows from that choice.

Proxy Mode

In proxy mode, the AP sends authentication requests to the controller, which forwards them to the AAA server.

Table 33 Proxy Mode Compatibility

Authentication Source    | 802.1X | HS 2.0 Secure | Web Auth | Hotspot/WISPr
Local Database           | No     | Yes           | No       | Yes
IDM-Provisioned Local DB | Yes    | Yes           | NA       | NA
Active Directory         | No*    | No            | Yes      | Yes
RADIUS                   | Yes    | Yes           | Yes      | Yes
LDAP                     | Yes    | No            | Yes      | Yes

NOTE
(*) To support 802.1X with Active Directory, an external RADIUS server (such as NPS) must be used in front of the directory.

NOTE
The IDM-provisioned username (also called the local cache credential) is relevant only for secure access after onboarding.
NOTE
802.1X (MSCHAPv2 through the built-in RADIUS server, with Active Directory reached via NPS), WebAuth, and WISPr support Active Directory authentication from SmartZone release 3.2.
NOTE
802.1X, WebAuth, and WISPr support LDAP authentication from SmartZone release 3.2. For 802.1X, the user password must be stored in clear text in the LDAP directory: MSCHAPv2 is verified against the NT hash of the password, which the RADIUS server can derive only from the clear-text value, never from a one-way hash. A directory configured this way holds recoverable credentials, so restrict read access to the password attribute to the controller's bind account.
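
Why the clear-text requirement exists, shown as an added example (this is not SmartZone code): EAP-MSCHAPv2, the inner method used for 802.1X against AD or LDAP, proves knowledge of the NT hash, which is MD4 over the UTF-16LE password. The RADIUS server has to compute that same NT hash, so it needs either the clear-text password or a stored NT hash; a one-way hash in an LDAP userPassword attribute ({SSHA}, {SHA}, {CRYPT}) cannot be converted. The MD4 below is a direct RFC 1320 implementation because hashlib's md4 is often disabled under OpenSSL 3; the sambaNTPassword handling assumes the Samba schema's hex-encoded NT hash, and every userPassword value in the demo is a constructed sample.

```python
import struct
from typing import Optional


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib.new('md4') is frequently unavailable."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Each step updates one register and rotates (a,b,c,d) -> (d,new,b,c), which
        # reproduces the [ABCD] [DABC] [CDAB] [BCDA] schedule of RFC 1320.
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The value MSCHAPv2 actually authenticates: MD4 of the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le"))


def mschapv2_verifier_key(user_password: Optional[str], samba_nt_password: Optional[str] = None) -> Optional[bytes]:
    """Return the NT hash a RADIUS server could verify MSCHAPv2 against, given what the
    directory entry stores, or None when the stored form is unusable.

    user_password follows the RFC 2307 '{scheme}value' convention; no scheme prefix means
    the attribute holds the clear-text password. sambaNTPassword (Samba schema; assumed to
    be present only on Samba-style entries) carries the NT hash as 32 hex digits."""
    if samba_nt_password:
        return bytes.fromhex(samba_nt_password)
    if user_password is None:
        return None
    if user_password.startswith("{"):
        scheme, _, value = user_password[1:].partition("}")
        if scheme.upper() == "CLEARTEXT":
            return nt_hash(value)
        return None  # {SSHA}, {SHA}, {MD5}, {CRYPT}, ...: one-way, the NT hash is unreachable
    return nt_hash(user_password)


if __name__ == "__main__":
    # Constructed sample entries; none of these come from a real directory.
    entries = {
        "alice (clear text)": ("{CLEARTEXT}Winter2024!", None),
        "bob (no scheme)": ("Winter2024!", None),
        "carol (SSHA)": ("{SSHA}c2FsdGVkIG9uZS13YXkgaGFzaA==", None),
        "dave (Samba)": ("{SSHA}c2FsdGVkIG9uZS13YXkgaGFzaA==", "8846F7EAEE8FB117AD06BDD830B7586C"),
    }
    for who, (upw, ntpw) in entries.items():
        key = mschapv2_verifier_key(upw, ntpw)
        print(f"{who:20s} -> " + (f"MSCHAPv2 possible, NT hash {key.hex()}" if key else "cannot verify MSCHAPv2"))
```

Run against an export of your own directory, only entries that store the password recoverably return a key; everything else forces the PAP-style WLAN types (Web Auth, WISPr) or an NPS front end for 802.1X. It also means such an LDAP entry is equivalent to the password itself: bind with a dedicated read-only account and use LDAP over TLS, which Table 39 lists as supported from SmartZone 3.5.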

Non-proxy Mode

In non-proxy mode, the AP sends authentication requests directly to the AAA server rather than through the controller. Because the local database (including IDM-provisioned entries) resides on the controller, it is not available as an authentication source in this mode.

Table 34 Non-proxy Mode Compatibility

Authentication Source | 802.1X | Zero-IT Onboard | HS 2.0 Onboard | HS 2.0 Secure | Web Auth | Hotspot/WISPr
Active Directory      | No     | No*             | No*            | No            | Yes      | No
RADIUS                | Yes    | No*             | No*            | No            | Yes      | Yes*
LDAP                  | No     | No*             | No*            | No            | Yes      | No

(*) Although the configuration appears to offer non-proxy RADIUS for WISPr, the call flow still goes through the controller.

Profile Configuration

The following table shows where proxy and non-proxy AAA profiles can be configured on each platform.

Table 35 Profile Configuration

Feature                        | SZ100 | vSZ-E | vSZ-H | Description
Per-Zone ProxyAAA Profiles     | NA    | NA    | NA    | Configure a ProxyAAA profile in a specific zone
Global ProxyAAA Profiles       | Yes   | Yes   | Yes   | Configure a ProxyAAA profile globally and use it across zones
Per-Zone NonProxy AAA Profiles | NA    | NA    | Yes   | Configure a NonProxyAAA profile in a specific zone
Global NonProxy AAA Profiles   | Yes   | Yes   | No    | Configure a NonProxyAAA profile globally and use it across zones

Dynamic Policy Assignment (Proxy Authentication Types)

The following table shows which dynamic policy assignments each proxy-mode authentication type supports.

Table 36 Dynamic Policy Assignment (Proxy)

Feature                  | 802.1X | Zero-IT Onboard | HS 2.0 Onboard | HS 2.0 Secure | Web Auth | Hotspot/WISPr | MAC Auth
Dynamic Role Assignment  | Yes    | Yes             | Yes            | Yes           | Yes      | Yes           | Yes
Dynamic VLAN / VLAN Pool | Yes    | NA              | NA             | NA            | No       | No            | Yes
Dynamic UTP              | Yes    |                 |                |               | Yes      | Yes           | Yes
Dynamic ACL              | Yes    | Yes             | Yes            | No            | Yes      | Yes           | Yes
Dynamic Rate Limit       | Yes    | Yes             | Yes            |               |          | Yes           | Yes

Dynamic Role Assignment: assign a user to a local Role through a group/role attribute returned by RADIUS, AD, or LDAP. From SmartZone 3.4 a Role can contain a UTP, so assigning a role also applies that UTP's ACL and rate-limiting policies.
Dynamic VLAN / VLAN Pool: assign a user to a VLAN through a VLAN attribute returned by RADIUS, AD, or LDAP. From SmartZone release 3.5, VLANs and VLAN pools can also be assigned based on the user role.
Dynamic UTP: assign a user to a UTP through an attribute from the authentication source.
Dynamic ACL: assign a specific ACL to a user through an attribute returned by RADIUS, AD, or LDAP.
Dynamic Rate Limit: assign a specific rate limit to a user through an attribute returned by RADIUS, AD, or LDAP.

NOTE
Because the ACL and the rate limit are carried by a UTP, assigning a UTP dynamically also assigns its ACL and rate limit.

Dynamic Policy Assignment (Non-Proxy Authentication Types)

The following table shows which dynamic policy assignments each non-proxy authentication type supports.

Table 37 Dynamic Policy Assignment (Non-Proxy)

Feature                  | 802.1X | HS 2.0 Secure | Web Auth
Dynamic Role Assignment  | No     |               |
Dynamic VLAN / VLAN Pool |        |               |
Dynamic UTP              |        |               |
Dynamic ACL              |        |               |
Dynamic Rate Limit       |        |               |

Dynamic Role Assignment: assign a user to a local Role through a group/role attribute from the authentication source.
Dynamic VLAN / VLAN Pool: assign a user to a VLAN through a VLAN attribute from the authentication source.
Dynamic UTP: assign a user to a UTP through an attribute from the authentication source. From SmartZone release 3.4, a UTP contains both the ACL and the rate limit.
Dynamic ACL: assign a specific ACL to a user through an attribute from the authentication source. ACLs are part of a UTP; a UTP configured without a rate limit is effectively just an ACL.
Dynamic Rate Limit: assign a specific rate limit to a user through an attribute from the authentication source. Rate limiting is also part of a UTP; a UTP configured without an ACL is effectively just a rate-limiting policy.

Other Authentication Features

The following table lists support for additional authentication features.

Table 38 Authentication Features

Feature                           | Supported                  | Description
Test AAA - RADIUS                 | Yes                        | Test a specific username/password against a configured RADIUS server.
Test AAA - Active Directory       | Yes                        | Test a specific username/password against a configured AD server.
Test AAA - LDAP                   | Yes                        | Test a specific username/password against a configured LDAP server. Only non-proxy LDAP is supported at the zone level.
Test AAA - Return a Role          | Yes (RADIUS, AD, and LDAP) | Return the role assignment when testing an AAA server.
RADIUS CoA - Change Role          |                            | Change a user's Role through a Change of Authorization (CoA).
RADIUS CoA - Change VLAN          |                            | Change a user's VLAN through CoA.
RADIUS CoA - Change ACL           |                            | Change a user's ACL through CoA.
RADIUS CoA - Change Rate Limit    |                            | Change a user's rate limit through CoA.
RADIUS CoA - Change Authorization |                            | Authorize or deauthorize a user through CoA.

PAP/CHAP Support

The following table shows PAP and CHAP support for each authentication source and WLAN type.

Table 39 PAP/CHAP Support

Proxy Mode
Authentication Source  | 802.1X | Web Auth | Hotspot/WISPr | MAC Auth | Notes
Active Directory       | Yes    | Yes*     | Yes           | No       | PAP/CHAP is supported for Web Authentication and Hotspot/WISPr. An NPS interface to AD is required for Web Authentication (CHAP) and 802.1X (MSCHAPv2).
RADIUS                 | Yes    | Yes*     | Yes           | Yes      |
LDAP                   | Yes    | Yes*     | Yes           | No       | PAP/CHAP is supported for Web Authentication and Hotspot/WISPr.
LDAP-TLS               | Yes    | Yes*     | Yes           | No       | Supported from SmartZone version 3.5.
Active Directory (TLS) | Yes    | Yes*     | Yes           | No       | Supported from SmartZone version 3.5. An NPS interface to AD is required for Web Authentication (CHAP) and 802.1X (MSCHAPv2).

Non-proxy Mode
Authentication Source  | 802.1X | Web Auth | Hotspot/WISPr | MAC Auth | Notes
Active Directory       | No     | Yes*     | Yes           | No       |
RADIUS                 | Yes    | Yes*     | Yes           | Yes      |
LDAP                   | No     | Yes*     | Yes           | No       |

NOTE
(*) Whether Web Auth uses PAP or CHAP is an AP CLI setting:

set aaa auth-method pap|chap

It is a global setting that applies to all WebAuth WLANs on the AP. The default is CHAP.
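
What that CLI setting changes on the wire, shown as an added example (not SmartZone or Ruckus code): the same Web Auth credential carried in a RADIUS Access-Request as PAP (RFC 2865 section 5.2, User-Password) and as CHAP (RFC 2865 section 5.3, CHAP-Password, with the MD5 construction of RFC 1994), together with the check a RADIUS server has to perform for each. Only the credential encoding is modelled; NAS and session attributes are omitted, and the shared secret, usernames, passwords, Request Authenticator, and challenge bytes are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST = 1  # RFC 2865 packet code
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60  # RFC 2865 attribute types


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to a multiple of 16, XOR each block with MD5(secret || previous
    block), the first block keyed by the Request Authenticator. Obfuscation keyed on the
    shared secret, not modern encryption: whoever holds the secret recovers the text."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of s5.2. The recovered clear text is what a proxying server can hand to an
    AD or LDAP bind, which is why PAP works against directories that store one-way hashes.
    Trailing NUL padding is stripped, so a password ending in NUL bytes is not representable."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def chap_response(chap_ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 s5.3: MD5(CHAP Ident || clear-text password || challenge)."""
    return hashlib.md5(bytes([chap_ident]) + password + challenge).digest()


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # Type, Length, Value


def access_request(ident: int, username: bytes, password: bytes, secret: bytes, method: str,
                   authenticator: Optional[bytes] = None, chap_challenge: Optional[bytes] = None) -> bytes:
    """Minimal Access-Request carrying the credential the way the AP does after
    'set aaa auth-method pap' or 'set aaa auth-method chap'."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, username)
    if method == "pap":
        attrs += _attr(USER_PASSWORD, pap_hide(password, secret, authenticator))
    elif method == "chap":
        chap_challenge = chap_challenge or os.urandom(16)
        # CHAP-Password = 1 byte CHAP Ident + 16 byte response; the packet Identifier is reused as Ident here.
        attrs += _attr(CHAP_PASSWORD, bytes([ident]) + chap_response(ident, password, chap_challenge))
        attrs += _attr(CHAP_CHALLENGE, chap_challenge)
    else:
        raise ValueError("method must be 'pap' or 'chap'")
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    """Walk the Type/Length/Value list, rejecting truncated or zero-length entries."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def server_verify(packet: bytes, secret: bytes, stored_cleartext: bytes) -> bool:
    """What the RADIUS server does on receipt. PAP: recover the password (it could then be
    forwarded to a directory bind). CHAP: recompute the MD5 locally, which requires the
    clear-text password on the server; a directory bind only answers yes/no and never
    discloses the password, so CHAP cannot be verified through a plain AD or LDAP bind."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    authenticator, attrs = packet[4:20], parse_attrs(packet[20:length])
    if USER_PASSWORD in attrs:
        return hmac.compare_digest(pap_reveal(attrs[USER_PASSWORD], secret, authenticator), stored_cleartext)
    if CHAP_PASSWORD in attrs and len(attrs[CHAP_PASSWORD]) == 17:
        chap_ident, response = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
        challenge = attrs.get(CHAP_CHALLENGE, authenticator)  # s5.3: authenticator is the challenge if absent
        return hmac.compare_digest(chap_response(chap_ident, stored_cleartext, challenge), response)
    return False


if __name__ == "__main__":
    # Constructed sample values; nothing here comes from a real deployment.
    secret, auth = b"sample-shared-secret", bytes(range(16))
    for method in ("pap", "chap"):
        pkt = access_request(7, b"alice", b"Winter2024!", secret, method, authenticator=auth, chap_challenge=bytes(16))
        print(method, pkt.hex(), "valid:", server_verify(pkt, secret, b"Winter2024!"))
```

Two properties are worth noticing when running this. Recovering a PAP password needs the shared secret, so RADIUS PAP over an untrusted path is only as strong as that secret and the MD5 construction around it. Verifying CHAP does not involve the shared secret at all, but it does need the clear-text password on the verifying server, which is why Table 39 pairs CHAP Web Authentication against Active Directory with an NPS interface rather than a direct directory bind.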