Extreme Networks Summit 300-48 - Page 95

User Access Security
Summit 300-48 Switch Software User Guide 95
for wired networks, it is not effective on the wireless side, and is therefore not recommended for the
enterprise wireless network.
Authentication Method: WEP
Wired Equivalency Privacy (WEP) is the first-generation security option for 802.11 networks and
includes both an authentication and encryption (privacy) mechanism. Unfortunately, weaknesses in the
RC4 encryption scheme have left the WEP method open to theft of login and password information
and, consequently, to compromise of the authentication process. WEP is best used as part of a
multi-tiered security scheme and in legacy environments.
Authentication Method: 802.1x/EAP
Extensible Authentication Protocol (EAP) provides numerous improvements over earlier generation
WEP authentication methods. The 802.1x specification incorporates EAP as implemented directly on
Ethernet. In 802.1x/EAP authentication, the user’s identity, not MAC address, is the basis for
authentication. When the user requests access to the wireless port, the access point forces the user’s
station into an unauthorized state. In this state, the client station sends an EAP start message. The
switch responds with a request for user identity, which it passes to a central authentication server. The
server software authenticates the user and returns a permit or deny message to the switch, which then
extends or denies access as instructed, and passes along configuration information such as VLAN and
priority.
802.1x supports several EAP-class advanced authentication protocols, which differ in the specific
identification types and encryption methods for the authentication:
• EAP-TLS (Transport Layer Security) — Performs mutual authentication using security certificates.
  Good for wired and wireless networks.
• EAP-TTLS (Tunneled TLS) — Extends TLS flexibility and is compatible with a wide range of
  authentication algorithms. Good for wired and wireless networks.
• PEAP (Protected EAP) — Is compatible with a wide range of authentication algorithms and is
  effective for wired and wireless networks.
802.1x security is compatible with legacy 802.1x and with newer clients that support Wi-Fi Protected
Access (WPA) based 802.1x. It is possible to configure both versions (legacy and WPA) on the same
Summit 300-48 switch port. When a client associates to the Summit 300-48 switch port, it indicates
802.11 open authentication. Then, if 802.1x is enabled on the port, the client is able to associate, and
further authentication is performed. If the authentication is successful, a backend RADIUS server
optionally specifies a VLAN tag using Vendor Specific Attributes (VSAs) in the Access-Accept message.
Location Based Authentication
Location-based authentication restricts access to users in specific buildings. The Summit 300-48 switch
sends the user’s location information to the RADIUS server, which then determines whether or not to
permit user access. When you configure a location field, the information is sent out in RADIUS
Access-Request packets as a VSA and can be used to enforce location-based policies.
Time-Based Authentication
Time-based authentication restricts user access to certain dates or times. The RADIUS server can
determine policies based on the time of day when the authentication request is received from the
Summit 300-48 switch.
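
The location-based and time-based checks described above, sketched from the RADIUS server's side as an added example (not code from the user guide or from Extreme Networks). It parses only the attribute region of an Access-Request (the 20-byte packet header is assumed already stripped), assumes the RFC 2865 recommended VSA layout, and uses a placeholder vendor ID, a hypothetical location sub-type and a constructed policy table.

```python
import struct
from datetime import time

VSA = 26               # RFC 2865 Vendor-Specific attribute type
VENDOR_ID = 99999      # placeholder enterprise number (assumption, not a real vendor's)
LOCATION_SUBTYPE = 1   # hypothetical vendor sub-type carrying the location field
POLICY = {"building-a": (time(7, 0), time(19, 0), 110)}  # constructed: hours, VLAN tag

def parse_tlvs(buf):
    """Walk Type/Length/Value records; Length counts the two header bytes."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated TLV header")
        kind, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("TLV length out of bounds")
        out.append((kind, buf[i + 2:i + length]))
        i += length
    return out

def vendor_attributes(attr_bytes, vendor_id):
    """Return {sub_type: value} for one vendor's VSAs in an attribute region."""
    found = {}
    for kind, value in parse_tlvs(attr_bytes):
        if kind != VSA:
            continue
        if len(value) < 4:
            raise ValueError("VSA shorter than its vendor id")
        if struct.unpack("!I", value[:4])[0] == vendor_id:
            found.update(parse_tlvs(value[4:]))
    return found

def decide(attr_bytes, now):
    """Accept only a known location inside its hours; anything else fails closed."""
    try:
        vsas = vendor_attributes(attr_bytes, VENDOR_ID)
    except ValueError:
        return ("reject", None)
    location = vsas.get(LOCATION_SUBTYPE, b"").decode("ascii", "replace")
    rule = POLICY.get(location)
    if rule is None or not (rule[0] <= now <= rule[1]):
        return ("reject", None)
    return ("accept", rule[2])

def make_vsa(vendor_id, sub_type, data):
    body = struct.pack("!IBB", vendor_id, sub_type, len(data) + 2) + data
    return bytes([VSA, len(body) + 2]) + body

# Constructed Access-Request attribute region: User-Name plus the location VSA
SAMPLE_REQUEST = bytes([1, 7]) + b"alice" + make_vsa(VENDOR_ID, LOCATION_SUBTYPE, b"building-a")
```

A request with a missing, unknown or malformed location attribute is rejected rather than given a default VLAN, so a parsing failure cannot widen access.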