“Wi-Fi that won’t die!” It’s a slogan you’ve probably heard the Devinator use time and time again to describe Aerohive’s distributed architecture. Well, it’s more than a catchy marketing phrase. One feature that helps ensure Aerohive Wi-Fi networks operate at all times is the RADIUS server built into our operating system, HiveOS.
Watch this training video to learn about the benefits of using the Aerohive RADIUS server and credential caching in remote branch offices.
To summarize, some of the key benefits include:
1. Expense reduction – eliminates the need to distribute RADIUS servers to each remote location for high availability should the WAN circuit go down. It also removes the need for remote directory services (e.g. Active Directory) to support 802.1X authentication.
2. Better Performance – rather than relying on RADIUS servers across a high-latency WAN link, a local RADIUS server in the branch can respond to client authentication requests faster and reduce authentication time. This can be important for reducing roaming times on 802.1X-secured WLANs. For example, a typical PEAP authentication requires 16 packets between the AP and RADIUS server. If all 16 frames traverse the WAN, that can require 500-800ms or longer to complete. With local RADIUS, all packets stay local except for the directory lookup, which is typically only 4 packets across the WAN.
3. High Availability – building on top of our local RADIUS server is the ability to cache user credentials right on our APs (don’t worry, it’s secured in RAM using a TPM security chip). Since Aerohive devices provide full integration with Active Directory, they can join the domain as a computer object and cache user credentials just like a Windows PC for offline login. Administrators have full control over what gets cached and for how long. This enables the WLAN at remote sites to continue operating even when the central directory service is unavailable due to WAN issues.
4. Consistent Security Policy – direct integration with LDAP serves another great purpose, enforcing a consistent security policy. Aerohive devices can leverage LDAP attributes to enforce security policies based on an object’s location within the directory, group membership, or object attributes. This makes it easier to ensure consistent policy enforcement by leveraging the centralized repository within LDAP, rather than relying on mappings between LDAP and RADIUS attributes.
I’ve also described how this works in my previous post on my personal blog: Aerohive Credential Caching Improves Branch Office Availability.
The Aerohive RADIUS server and credential caching are important features valued by our customers, helping them build Wi-Fi networks that truly won’t die!