Authentication and User Management
14.3 Supported EAP Authentication Frameworks
SCALANCE W1750D UI
Configuration Manual, 02/2018 , C79000-G8976-C451-02
205
Supported EAP Authentication Frameworks
The following EAP authentication frameworks are supported in the SCALANCE W network:
● EAP-TLS—The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
method supports the termination of EAP-TLS security using the internal RADIUS server .
The EAP-TLS requires both server and certification authority (CA) certificates installed on
the AP. The client certificate is verified on the VC (the client certificate must be signed by
a known CA) before the username is verified on the authentication server.
● EAP-TTLS (MS-CHAPv2)—The Extensible Authentication Protocol-Tunneled Transport
Layer Security (EAP- TTLS) method uses server-side certificates to set up authentication
between clients and servers. However, the actual authentication is performed using
passwords.
● EAP-PEAP (MS-CHAPv2)—EAP-PEAP is an 802.1X authentication method that uses
server-side public key certificates to authenticate clients with server. The PEAP
authentication creates an encrypted SSL/TLS tunnel between the client and the
authentication server. Exchange of information is encrypted and stored in the tunnel
ensuring the user credentials are kept secure.
● LEAP—Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys
for authentication between the client and authentication server.
To use the AP’s internal database for user authentication, add the usernames and
passwords of the users to be authenticated.
Note
Siemens does not recommend the use of LEAP authentication, because it does not provide
any resistance to network attacks.
Authentication Termination on AP
APs support EAP termination for enterprise WLAN SSIDs. The EAP termination can reduce
the number of exchange packets between the AP and the authentication servers.
SCALANCE W allows Extensible Authentication Protocol (EAP) termination for Protected
Extensible Authentication Protocol-Generic Token Card (PEAP-GTC) and Protected
Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol
version 2 (PEAP-MS-CHAV2). PEAP-GTC termination allows authorization against a
Lightweight Directory Access Protocol (LDAP) server and external RADIUS server while
PEAP-MS-CHAV2 allows authorization against an external RADIUS server.
This allows the users to run PEAP-GTC termination with their username and password to a
local Microsoft Active Directory (MAD) server with LDAP authentication.
● EAP-Generic Token Card (GTC)—This EAP method permits the transfer of unencrypted
usernames and passwords from the client to the server. The main uses for EAP-GTC are
procuring one-time token cards such as SecureID and using LDAP or RADIUS as the
user authentication server. You can also enable caching of user credentials on the AP to
an external authentication server for user data backup.
● EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2)—This EAP
method is widely supported by Microsoft clients. A RADIUS server must be used as the
back-end authentication server
To Next Page
Loading...
Need help?
General
