Security; 171 - EnGenius EWS Series User Manual

Security

802.1x
The IEEE 802.1X standard authentication uses the RADIUS (Remote Authentication Dial In User Service)
protocol to validate users and provide a security standard for network access control. The user that
wishes to be authenticated is called a supplicant. The actual server doing the authentication, typically a
RADIUS server, is called the authentication server. The mediating device, such as a Switch, is called the
authenticator. Clients connected to a port on the Switch must be authenticated by the Authentication
server (RADIUS) before accessing any services offered by the Switch on the LAN. Use a RADIUS server to
authenticate users trying to access a network by relaying Extensible Authentication Protocol over LAN
(EAPOL) packets between the client and server. This establishes the requirements needed for a protocol
between the authenticator (the system that passes an authentication request to the authentication
server) and the supplicant (the system that requests authentication), as well as between the
authenticator and the authentication server.
Global Settings
When a supplicant is connected to a Switch port, the port issues an 802.1X authentication request to the
attached the 802.1X supplicant. The supplicant replies with the given username and password and an
authentication request is then passed to a configured RADIUS server. The authentication server's user
database supports Extended Authentication Protocol (EAP), which allows particular guest VLAN
memberships to be defined based on each individual user. After authorization, the port connected to the
authenticated supplicant then becomes a member of the specified guest VLAN. When the supplicant is
successfully authenticated, traffic is automatically assigned to the guest VLAN. The EAP authentication
methods supported by the Switch are: EAP-MD5, EAPTLS, EAP-TTLS, and EAP-PEAP.

171