Wireless Network Login Considerations; Mac Radius; Network Security Policies For Wireless Interfaces; Policy Design - Extreme Networks Summit 300-48 Software User's Manual

Extreme summit 300-48: software user guide

Wireless Network Login Considerations

As an authentication framework, network login is equivalent to MAC RADIUS authentication and does
not directly support encryption (see "MAC RADIUS" on page 107). Because MAC spoofing is easy in
wireless networks, care is recommended when deploying web-based network login.
Each wireless port must be manually configured as a tagged port for every VLAN in which it may be
necessary to connect a client. If no RADIUS VSA is present, then the traffic is assigned to the untagged
VLAN on the port.
NOTE
During authentication the RADIUS packets use the Summit 300-48 switch address as the client IP
address. The Altitude 300 address is not disclosed.

MAC RADIUS

MAC RADIUS is a mechanism for authenticating users in a legacy environment. The RADIUS server is
populated with the MAC addresses of all clients, which are used as the basis of authentication. The
Altitude 300 sends out an Access-Request packet to the RADIUS server with the user name and
password set to the MAC address of the client. If the Access-Request is successful, then the client is
placed in a forwarding state. If the Access-Request fails, then the client is deauthenticated.
During the authentication process, when the Altitude 300 has sent the request to the RADIUS server
and is waiting for a response, any traffic generated by the client is blocked. This means that DHCP and
DNS packets will be dropped during this time. Because the clients are not aware of MAC RADIUS
authentication, this may cause a problem for the client.
NOTE
MAC RADIUS is an authentication protocol, not a privacy protocol. Due to the ease with which MAC
addresses can be spoofed on a wireless network, MAC RADIUS should be used only for legacy clients
that do not support any other advanced authentication schemes.
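
The Access-Request described above, as an added example that is not taken from the manual or from Extreme Networks code: it encodes the User-Name and User-Password attributes per RFC 2865 and then decodes them as a RADIUS server would, showing that both credentials are the client MAC and that the only secret involved is the one shared between switch and server. The MAC string format, the sample MAC and the shared secret are assumptions constructed for illustration.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2   # RFC 2865 code and attribute types

def mac_credential(mac: str) -> bytes:
    # Assumption: 12 upper-case hex digits without separators. The manual
    # does not state the format the Altitude 300 actually sends.
    return mac.replace(":", "").replace("-", "").upper().encode()

def hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # The inverse operation, performed by the RADIUS server with its copy of the secret
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(mac: str, secret: bytes, ident: int = 1,
                         authenticator: bytes = None) -> bytes:
    authenticator = authenticator or os.urandom(16)   # Request Authenticator
    cred = mac_credential(mac)
    attrs = b""
    for a_type, value in ((USER_NAME, cred),
                          (USER_PASSWORD, hide(cred, secret, authenticator))):
        attrs += bytes([a_type, len(value) + 2]) + value   # type, length, value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def server_view(packet: bytes, secret: bytes) -> dict:
    # Walk the attribute TLVs and recover the credentials as the server sees them
    authenticator, pos, seen = packet[4:20], 20, {}
    while pos < len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        seen[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return {"user": seen[USER_NAME],
            "password": unhide(seen[USER_PASSWORD], secret, authenticator)}
```

The recovered password always equals the user name, so the server's decision rests entirely on a value the client transmits in every frame, which is why the manual restricts MAC RADIUS to legacy clients.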

Network Security Policies for Wireless Interfaces

Network security policy refers to a set of network rules that apply to user access. You can base the rules
on a variety of factors, including user identification, time and location, and method of authentication. It
is possible to design network security policies to do all of the following:
• Permit or deny network access based on location and time of day.
• Place the user into a VLAN based on identity or authentication method.
• Limit where the user is permitted to go on the network based on identity or authentication method.

Policy Design

When designing a security policy for your network, keep the following objectives in mind:
• Make each wired and wireless client as secure as possible.
• Protect company resources.