6 - 10 WiNG 5.5 Access Point System Reference Guide
802.1X requires a 802.1X capable RADIUS server to authenticate users and a 802.1X client installed on each devices accessing
the EAP supported WLAN. An 802.1X client is included with most commercial operating systems, including Microsoft
Windows, Linux and Apple OS X.
The RADIUS server authenticating 802.1X EAP users resides externally to the access point. User account creation and
maintenance can be provided centrally using RFMS or individually maintained on each device. If an external RADIUS server is
used, EAP authentication requests are forwarded.
When using PSK with EAP, packets are sent requesting a secure link using a pre-shared key. The access point and
authenticating device must use the same authenticating algorithm and passcode. EAP-PSK is useful when transitioning from a
PSK network to one that supports EAP. The only encryption types supported with this are TKIP, CCMP and TKIP-CCMP.
To configure EAP on a WLAN:
1. Select the Configuration tab from the Web UI.
2. Select Wireless.
3. Select Wireless LANs to display a high level display of existing WLANs.
4. Select the Add button to create an additional WLAN, or select an existing WLAN and Edit to modify its security properties.
5. Select Security.
6. Select EAP, EAP-PSK or EAP MAC as the Authentication Type.
Either authentication type enables the radio buttons for various encryption options as an additional measure of security
with the WLAN that can be used with EAP.
Either select an existing AAA Policy from the drop-down menu, select the Create icon to the right of the AAA Policy
parameter to create a new AAA policy, or select the Edit icon to modify the selected AAA policy’s configuration.
Authentication, authorization, and accounting (AAA) is a framework for intelligently controlling access to the network,
enforcing user authorization policies and auditing and tracking usage. These combined processes are central for securing
wireless client resources and wireless network data flows. For information on defining a new AAA policy, see AAA Policy
on page 7-12.
7. Select the Reauthentication radio button to force EAP supported clients to reauthenticate. Use the spinner control set the
number of seconds (from 30 - 86,400) that, once exceeded, forces the EAP supported client to reauthenticate to use the
resources supported by the WLAN.
8. Select OK to update the WLAN’s EAP configuration. Select Reset to revert back to the last saved configuration.
EAP, EAP-PSK and EAP MAC Deployment Considerations
802.1x EAP, EAP-PSK and EAP MAC
Before defining a 802.1x EAP, EAP-PSK or EAP MAC supported configuration on a WLAN, refer to the following deployment
guidelines to ensure the configuration is optimally effective:
• Motorola Solutions recommends a valid certificate be issued and installed on devices providing 802.1X EAP. The certificate
should be issued from an Enterprise or public certificate authority to allow 802.1X clients to validate the identity of the
authentication server prior to forwarding credentials.
• If using an external RADIUS server for EAP authentication, Motorola Solutions recommends the round trip delay over the
WAN does not exceed 150 ms. Excessive delay over a WAN can cause authentication and roaming issues and impact
wireless client performance.
6.1.2.2 MAC Authentication
Configuring WLAN Security
MAC is a device-level authentication method used to augment other security schemes. MAC can be used open, with WEP 64
or WEP 128, KeyGuard, TKIP or CCMP.
To Next Page
Loading...
