Brocade Communications Systems RFS6000 System Reference Manual page 34

Provides centralized wireless LAN (WLAN) configuration and management
1 Software overview
Kerberos
Kerberos allows for mutual authentication and end-to-end encryption. All traffic is encrypted and
security keys are generated on a per-client basis. Keys are never shared or reused, and are
automatically distributed in a secure manner. For information on configuring Kerberos for a WLAN,
see "Configuring Kerberos" on page 117.
802.1x EAP
802.1x EAP is the most secure authentication mechanism for wireless networks and includes
EAP-TLS, EAP-TTLS and PEAP. The controller is a proxy for Radius packets. A Client does a full
802.11 authentication and association and begins transferring data frames. The controller realizes
the Client needs to authenticate with a Radius server and denies any traffic not Radius related.
Once Radius completes its authentication process, the Client is allowed to send other data traffic.
You can use either an onboard Radius server or internal Radius Server for authentication. For
information on configuring 802.1x EAP for a WLAN, see "Configuring 802.1x EAP" on page 116.
MAC ACL
The MAC ACL feature is basically a dynamic MAC ACL where Clients are allowed/denied access to
the network based on their configuration on the Radius server. The controller allows 802.11
authentication and association, then checks with the Radius server to see if the MAC address is
allowed on the network. The Radius packet uses the MAC address of the Client as both the
username and password (this configuration is also expected on the Radius server). MAC-Auth
supports all encryption types, and (in case of 802.11i) the handshake is completed before the
Radius lookup begins. For information on configuring 802.1x EAP for a WLAN, see
"Configuring MAC authentication" on page 131.
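The MAC ACL exchange described above, as an added example that is not taken from the manual: the controller's Access-Request carries the Client MAC as both User-Name and User-Password (hidden per RFC 2865), and the server's decision reduces to an allowlist lookup. The MAC string format, the shared secret and the sample address are constructed assumptions; the manual does not specify them.

```python
import hashlib
import hmac
import os
import struct

def _keystream(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 sec. 5.2: pad to 16-byte blocks, XOR with chained MD5 output."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(mac: str, secret: bytes, authenticator: bytes, ident: int = 1) -> bytes:
    """Access-Request (code 1) with the MAC as User-Name (1) and User-Password (2)."""
    user = mac.encode()
    hidden = hide_password(user, secret, authenticator)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def server_decision(packet: bytes, secret: bytes, allowed_macs: set) -> str:
    """Server side: parse attributes, recover the password, check the allowlist."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    user = attrs.get(1, b"")
    password = unhide_password(attrs.get(2, b""), secret, packet[4:20])
    ok = user.decode(errors="replace") in allowed_macs and hmac.compare_digest(password, user)
    return "Access-Accept" if ok else "Access-Reject"

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # assumption: controller/server secret
    pkt = build_access_request("02-00-00-aa-bb-cc", secret, os.urandom(16))
    print(server_decision(pkt, secret, {"02-00-00-aa-bb-cc"}))
```

Because the password equals the User-Name, the only secret in this exchange is the controller-to-server shared secret; the per-Client check is the allowlist itself.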
Secure beacon
Devices in a wireless network use Service Set Identifiers (SSIDs) to communicate. An SSID is a text
string up to 32 bytes long. An AP in the network announces its status by using beacons. To prevent
others from accessing the network, the most basic security measure adopted is to change the
default SSID to one not easily recognizable, and disable the broadcast of the SSID.
The SSID is a code attached to all packets on a wireless network to identify each packet as part of
that network. All wireless devices attempting to communicate with each other must share the
same SSID. Apart from identifying each packet, the SSID also serves to uniquely identify a group of
wireless network devices used in a given service set.
Client to client disallow
Use Client to Client Disallow to restrict Client to Client communication within a WLAN. The default
is 'no', which allows Clients to exchange packets with other Clients. It does not prevent Clients on
other WLANs from sending packets to this WLAN. You would have to enable Client to Client Disallow
on the other WLAN. To define how Client to Client traffic is permitted for a WLAN, see
"Editing the WLAN configuration" on page 109.
802.1x authentication
802.1x authentication cannot be disabled (it's always enabled). A factory delivered out-of-the-box
Mobility 300 supports 802.1x authentication using a default username and password. EAP-MD5 is
used for 802.1x.
Brocade Mobility RFS6000 and RFS7000 System Reference Guide
53-1001858-01
This manual is also suitable for:

Rfs7000