A31003-W1040-U101-1-7619, July 2006 DRAFT
HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide
Virtual Network Services
Authentication for a VNS
6.5.2 Authentication with AAA (802.1x) network assignment
If network assignment is AAA with 802.1x authentication, the wireless device user requesting 
network access must first be authenticated. The wireless device's client utility must support 
802.1x. The user's request for network access along with login identification or a user profile is 
forwarded by the HiPath Wireless Controller to a RADIUS server. Controller, Access Points and 
Convergence Software supports the following authentication types:
● Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) – Relies on 
client-side and server-side certificates to perform authentication. Can be used to 
dynamically generate a Pairwise Master Key for encryption.
● Extensible Authentication Protocol with Tunneled Transport Layer Security 
(EAP-TTLS) – Relies on mutual authentication of client and server through an encrypted 
tunnel. Unlike EAP-TLS, it requires only server-side certificates. The client uses PAP, 
CHAP, or MS-CHAPv2 for authentication.
● Protected Extensible Authentication Protocol (PEAP) – An authentication protocol 
similar to TTLS in its use of server-side certificates for server authentication and privacy 
and its support for a variety of user authentication mechanisms.
For 802.1x, the RADIUS server must support RADIUS extensions (RFC 2869).
Until the access-accept is received from the RADIUS server for a specific user, the user is kept 
in an unauthenticated state. 802.1x rules dictate that no packets other than EAP are allowed 
to traverse between the AP and the HiPath Wireless Controller until authentication completes. 
Once authentication is completed (access-accept is received), the user's client is allowed 
to proceed with IP services, which typically implies the request of an IP address via DHCP. 
Defining a specific filter ID is optional. If a specific filter ID is not 
defined or returned by the access-accept operation, the HiPath Wireless Controller assigns the 
VNS's default filter for authenticated users. 
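The reply handling described above, as an added example that is not part of the original guide or the product's code: it parses a RADIUS reply and decides the session state and filter. It assumes the filter ID arrives as the standard RADIUS Filter-Id attribute (type 11, RFC 2865); the function names, state labels and filter names are hypothetical, and the sample packets are constructed.

```python
import struct

# RADIUS packet codes and the Filter-Id attribute type, from RFC 2865.
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
FILTER_ID = 11

def parse_radius(packet: bytes):
    """Return (code, {attr_type: [raw values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def session_decision(packet: bytes, default_filter: str):
    """Map a RADIUS reply to (state, filter) as the section describes.

    Authenticator validation is out of scope here; a real receiver must
    verify the reply before trusting any attribute in it.
    """
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        # Challenge or Reject: user stays unauthenticated, only EAP may pass.
        return "unauthenticated", None
    ids = attrs.get(FILTER_ID)
    # No (or empty) Filter-Id in the accept: fall back to the VNS default.
    name = ids[0].decode("utf-8", "replace") if ids and ids[0] else default_filter
    return "authenticated", name

def build(code: int, attrs=()):
    """Constructed sample packet with a zeroed authenticator field."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    print(session_decision(build(ACCESS_ACCEPT, [(FILTER_ID, b"staff")]), "default-auth"))
    print(session_decision(build(ACCESS_ACCEPT), "default-auth"))
    print(session_decision(build(ACCESS_CHALLENGE), "default-auth"))
```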
Both Captive Portal and AAA (802.1x) authentication mechanisms in Controller, Access Points 
and Convergence Software rely on a RADIUS server on the enterprise network. You can 
identify and prioritize up to three RADIUS servers on the HiPath Wireless Controller. In the 
event of a failover of the active RADIUS server, the HiPath Wireless Controller polls the other 
servers in the list for a response. Once an alternate RADIUS server is found, it becomes the 
active RADIUS server until it also fails or the administrator redefines another.
Note: The HiPath Wireless Controller only assigns the device's IP address after the client 
requests one.