Authentication Process - Proxim ORINOCO AP-600B User Manual

- EAP-Transport Layer Security (TLS): Certificate-based authentication (a certificate is required on the server and each client); supports automatic key distribution
- EAP-Tunneled Transport Layer Security (TTLS): Certificate-based authentication (a certificate is required on the server; a client's username/password is tunneled to the server over a secure connection); supports automatic key distribution
- PEAP - Protected EAP with MS-CHAP v2: Secure username/password-based authentication; supports automatic key distribution

Different servers support different EAP types and each EAP type provides different features. Refer to the documentation that came with your RADIUS server to determine which EAP types it supports.
The AP-600 supports the following EAP types when 802.1x Security Mode is set to 802.1x: EAP-TLS, PEAP, and EAP-TTLS. When 802.1x Security Mode is set to Mixed, the AP-600 supports the following EAP types: EAP-TLS, PEAP, EAP-TTLS, and EAP-MD5 (MD5 does not support automatic key distribution; therefore, if you choose this method you need to manually configure each client with the network's encryption key).

Authentication Process

There are three main components in the authentication process. The standard refers to them as:
1. supplicant (client PC)
2. authenticator (Access Point)
3. authentication server (RADIUS server)
When using 802.1x Security Mode or Mixed mode (802.1x and WEP), you need to configure your RADIUS server for
authentication purposes.
Prior to successful authentication, an unauthenticated client PC cannot send any data traffic through the AP-600
device to other systems on the LAN. The AP-600 inhibits all data traffic from a particular client PC until the client PC is
authenticated. Regardless of its authentication status, a client PC can always exchange 802.1x messages in the clear
with the AP-600 (the client begins encrypting data after it has been authenticated).
Figure 4-17 RADIUS Authentication Illustrated: PC Client <-- EAP Over Wireless --> Access Point <-- EAP Over RADIUS --> RADIUS Server
The AP-600 acts as a pass-through device to facilitate communications between the client PC and the RADIUS server.
The AP-600 and the client exchange 802.1x messages using the EAPOL (EAP Over LAN) protocol. Messages sent
from the client station are encapsulated by the AP-600 and transmitted to the RADIUS server using EAP extensions.
Upon receiving a reply EAP packet from the RADIUS server, the message is typically forwarded to the client, after translating
it back to the EAPOL format. Negotiations take place between the client and the RADIUS server. After the client has
been successfully authenticated, the client receives an Encryption Key from the AP-600 (if the EAP type supports
automatic key distribution). The client uses this key to encrypt data after it has been authenticated.
For 802.11a clients that communicate with an AP-600a, each client receives its own unique encryption key; this is
known as Per User Per Session Encryption Keys. (This feature is only available when using 802.1x mode; it is not
available when in Mixed mode or using WEP encryption only).
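To make the gating and key-distribution behaviour described above concrete, here is an added Python model of the authenticator role (example code written for this page, not Proxim firmware and not a real 802.1x/RADIUS implementation). The RadiusServer stand-in, the frame dictionaries and the user table are assumptions.

```python
import secrets

# EAP types named in the manual and whether each supports automatic key
# distribution (EAP-MD5 does not, so its clients need a manually set key).
KEY_DISTRIBUTION = {"EAP-TLS": True, "EAP-TTLS": True, "PEAP": True, "EAP-MD5": False}
# EAP types the AP-600 accepts in each 802.1x Security Mode.
ALLOWED = {"802.1x": {"EAP-TLS", "EAP-TTLS", "PEAP"},
           "Mixed": {"EAP-TLS", "EAP-TTLS", "PEAP", "EAP-MD5"}}


class RadiusServer:
    """Stand-in for the authentication server (hypothetical, not a real RADIUS
    exchange): accepts a user only for the EAP type provisioned for it."""

    def __init__(self, users):
        self.users = users  # {username: eap_type}, constructed sample data

    def access_request(self, username, eap_type):
        ok = self.users.get(username) == eap_type
        return "Access-Accept" if ok else "Access-Reject"


class Authenticator:
    """Models the AP-600 as the 802.1x authenticator: a pass-through for EAPOL
    frames and a gate that drops a client's data until it is authenticated."""

    def __init__(self, mode, radius):
        self.mode = mode
        self.radius = radius
        self.sessions = {}  # client -> per-user, per-session key (None for EAP-MD5)

    def handle_frame(self, client, frame):
        if frame["type"] == "EAPOL":
            # 802.1x messages are always relayed, whatever the client's status.
            eap_type = frame["eap"]
            if eap_type not in ALLOWED[self.mode]:
                return "dropped: EAP type not supported in this mode"
            reply = self.radius.access_request(frame["user"], eap_type)
            if reply != "Access-Accept":
                return "rejected"
            if KEY_DISTRIBUTION[eap_type]:
                self.sessions[client] = secrets.token_hex(16)  # unique per client
                return "authorized with key"
            self.sessions[client] = None
            return "authorized, configure key manually"
        if frame["type"] == "DATA":
            if client in self.sessions:
                return "forwarded to LAN"
            return "dropped: client not authenticated"
        return "dropped: unknown frame"
```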