Aruba AP RSSO Integration Guide

You can configure your WatchGuard Firebox to support RADIUS Single Sign-On (RSSO) for Aruba AP devices. This document describes the steps to integrate an Aruba AP device for RSSO with your WatchGuard Firebox.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Firebox or WatchGuard XTM device installed with Fireware v11.11
  • Aruba IAP205 with version 6.4.2.3-4.1.2.1_49445
  • FreeRADIUS version 2.1.10 on Ubuntu 12.04.1

Test Topology and Workflow

This diagram shows the test topology for this integration.

You can connect the Aruba AP to either an Optional or Trusted interface on the Firebox.

Authentication workflow:

  1. A mobile device connects to the AP device with WPA/WPA2 enterprise authentication.
  2. The user authenticates with credentials that exist on the RADIUS server.
  3. The AP interacts with the RADIUS server to authenticate the user.
  4. The mobile device connects to the network.
  5. The AP device sends an accounting message to the Firebox. These messages include the user name and client IP address.
  6. The Firebox creates an SSO session for this user.
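Steps 5 and 6 depend on the accounting message being authentic, which is what the shared secret configured on both devices provides. The following is an added example, not WatchGuard or Aruba code: it checks the RFC 2866 Request Authenticator of an Accounting-Request and extracts the user name and client IP. It assumes the standard attributes User-Name (1), Framed-IP-Address (8) and Acct-Status-Type (40); the secret, client IP and packet are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                               # RFC 2866 packet code
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE = 1, 8, 40    # RFC 2865/2866 attribute types
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def request_authenticator(header, attrs, secret):
    """RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_accounting_request(ident, secret, attrs):
    """Build a constructed sample Accounting-Request, as an AP would send it."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + request_authenticator(header, body, secret) + body

def parse_accounting_request(packet, secret):
    """Return user, client IP and status; raise ValueError if the packet fails checks."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    packet = packet[:length]                         # drop any trailing padding
    expected = request_authenticator(packet[:4], packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch: wrong secret or altered packet")
    fields, pos = {}, 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, value = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        if atype == USER_NAME:
            fields["user"] = value.decode("utf-8", "replace")
        elif atype == FRAMED_IP:
            fields["client_ip"] = str(ipaddress.IPv4Address(value))
        elif atype == ACCT_STATUS_TYPE:
            fields["status"] = STATUS.get(int.from_bytes(value, "big"), "other")
        pos += packet[pos + 1]
    return fields

SECRET = b"constructed-secret"   # constructed sample values, not from a real deployment
SAMPLE = build_accounting_request(7, SECRET, [
    (USER_NAME, b"admin"), (FRAMED_IP, ipaddress.IPv4Address("10.0.1.50").packed),
    (ACCT_STATUS_TYPE, (1).to_bytes(4, "big"))])
print(parse_accounting_request(SAMPLE, SECRET))
```

A packet built with a different secret, or altered after it was sent, fails the authenticator check and yields no session data.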

Set Up the Firebox

Log in to the Fireware Web UI to do the configuration steps described below.

  1. Select Authentication > Single Sign-On > RADIUS.
  2. Select the Enable Single Sign-On (SSO) with RADIUS check box.
  3. In the IP Address text box, type the IP address of the RADIUS server.
  4. In the Secret and Confirm Secret text boxes, type the secret to use for messages to the RADIUS server.
  5. Do not change the other settings.

  6. Enable the DHCP server in the settings for the trusted interface, so that the Firebox can provide an IP address to the Aruba AP.

Set Up the Aruba AP

Log in to the Aruba AP Web UI to set up RADIUS authentication and accounting servers on the Aruba AP.

  1. Select Security at the top right of the home page.

  2. On the Authentication Server page, add a new RADIUS server.
  3. Configure the RADIUS server with the settings shown below. The Server address is the IP address of the RADIUS server.

  4. From the Authentication Server page, add another new RADIUS server.
  5. Configure it with the settings shown below. The Server address must match the Firebox interface IP address.

  6. After both servers are configured, you can see the two added servers in the Authentication Servers tab.

  7. Click New on the home page to add a new network.

  8. In the Name text box, type the wireless network SSID.
  9. Select the Primary usage for this network.

  10. Configure the Client IP assignment and Client VLAN assignment settings.

  11. Configure the Enterprise security level settings as shown below. Use the two authentication servers you configured earlier.

  12. Configure the Access Rules for this network.

  13. After the network is added, it is shown in the list of networks.

Test the Integration

Use a phone or tablet to make a WiFi connection to the SSID you configured. In our example, this is SSID: Aruba_AP_RSSO. Once you are connected, specify the credentials of a user who exists on the RADIUS server.

For our integration example, we used these credentials:

  • Username: admin
  • Password: password

To verify that the user was automatically authenticated to the Firebox:

  1. Log in to Fireware Web UI.
  2. Select System Status > Authentication List.
    The list of authenticated users appears.

  3. Verify that the user name appears in the Authenticated Users list, with the Client listed as Single Sign-On.

To see information about the authenticated user on the Aruba AP:

  1. Log in to the Aruba AP Web UI.

  2. Verify that the user name appears in the Client list.