Authentication with AAA (802.1X) Network Assignment; Filtering for a WM-AD - Extreme Networks Summit WM User Manual

WM Access Domain Services

Authentication with AAA (802.1X) network assignment

If network assignment is AAA with 802.1X authentication, a wireless device user requesting network
access must first be authenticated, and the device's client utility (the 802.1X supplicant) must support
802.1X. The Summit WM Controller forwards the user's request for network access, together with the
login identification or user profile, to a RADIUS server. The Summit WM Controller, Access Points, and
WM software support the following EAP authentication types:

Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) - Relies on client-side and
server-side certificates to perform mutual authentication. Can be used to dynamically generate a
Pairwise Master Key for encryption.

Extensible Authentication Protocol with Tunneled Transport Layer Security (EAP-TTLS) - Relies on
mutual authentication of client and server through an encrypted tunnel. Unlike EAP-TLS, it requires
only a server-side certificate; the client is authenticated inside the tunnel with PAP, CHAP, or
MS-CHAPv2.

Protected Extensible Authentication Protocol (PEAP) - Similar to TTLS in its use of a server-side
certificate for server authentication and privacy, and in its support for a variety of inner user
authentication mechanisms.
For 802.1X, the RADIUS server must support the RADIUS extensions defined in RFC 2869 (the
EAP-Message and Message-Authenticator attributes that carry EAP over RADIUS and protect the exchange).
Until the Summit WM Controller receives an Access-Accept from the RADIUS server for a specific user,
that user is kept in an unauthenticated state. Under 802.1X, no frames other than EAP (EAPOL) are
allowed to traverse between the AP and the Summit WM Controller for that client until authentication
completes. Once authentication completes (the Access-Accept is received), the user's client is allowed
to proceed with IP services, which typically begins with requesting an IP address via DHCP.
Defining a specific filter ID is optional. If no filter ID is configured, and none is returned in the
Access-Accept (the RADIUS Filter-Id attribute), the Summit WM Controller assigns the WM-AD's default
filter for authenticated users.
NOTE
The Summit WM Controller only assigns the device's IP after the client requests one.
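The following is an added example, not Summit WM code and not from this guide, showing the checks a RADIUS client such as the controller applies to an Access-Accept before releasing a user from the unauthenticated state: the RFC 2865 Response Authenticator, the RFC 2869 Message-Authenticator that 802.1X/EAP requires, and the Filter-Id fallback to the WM-AD default filter. The shared secret, user names, and the default filter name `wmad-default-authenticated` are constructed for the demo; the Access-Accept packets are built by a minimal server-side helper so the whole exchange runs offline.

```python
"""Added example: what a RADIUS client checks when an Access-Accept arrives.
Not Summit WM code; a minimal RADIUS response validator (RFC 2865 / RFC 2869)
run against a constructed exchange. Names marked hypothetical are illustrative."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_USER_NAME, ATTR_FILTER_ID = 1, 11
ATTR_MESSAGE_AUTHENTICATOR = 80                 # RFC 2869, HMAC-MD5 over the packet
DEFAULT_FILTER = "wmad-default-authenticated"   # hypothetical WM-AD default filter name


def _encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def _parse_attrs(data):
    """Inverse of _encode_attrs; rejects truncated or malformed TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_response(code, ident, request_auth, secret, attrs):
    """Server side: append a Message-Authenticator (HMAC-MD5 keyed with the shared
    secret, computed with the Request Authenticator in the authenticator slot and the
    MA value zeroed), then the Response Authenticator MD5(Code|ID|Len|ReqAuth|Attrs|Secret)."""
    attrs = list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    ma = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, ma)
    body = _encode_attrs(attrs)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_and_assign_filter(packet, request_auth, secret, default_filter=DEFAULT_FILTER):
    """Client (controller) side. Returns (accepted, filter_id, reason). The user stays
    unauthenticated unless both authenticators verify and the code is Access-Accept;
    without a Filter-Id the WM-AD default filter for authenticated users applies."""
    if len(packet) < 20:
        return False, None, "short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, None, "length mismatch"
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, None, "bad response authenticator"
    try:
        attrs = _parse_attrs(body)
    except ValueError as e:
        return False, None, str(e)
    ma = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(ma) != 1 or len(ma[0]) != 16:
        return False, None, "missing Message-Authenticator"
    zeroed = _encode_attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                            for t, v in attrs])
    expected_ma = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected_ma, ma[0]):
        return False, None, "bad Message-Authenticator"
    if code != ACCESS_ACCEPT:
        return False, None, "not Access-Accept"
    filters = [v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_FILTER_ID]
    return True, (filters[0] if filters else default_filter), "ok"


def demo(secret=b"constructed-shared-secret"):
    """Constructed exchange: responses to Access-Requests the controller sent."""
    req_auth = os.urandom(16)   # the client keeps the Request Authenticator it sent
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, secret,
                            [(ATTR_USER_NAME, b"alice"), (ATTR_FILTER_ID, b"Engineering")])
    no_filter = build_response(ACCESS_ACCEPT, 8, req_auth, secret, [(ATTR_USER_NAME, b"bob")])
    reject = build_response(ACCESS_REJECT, 9, req_auth, secret, [])
    tampered = accept.replace(b"Engineering", b"Executives!")   # same length, altered in flight
    return {
        "accept": verify_and_assign_filter(accept, req_auth, secret),
        "no_filter": verify_and_assign_filter(no_filter, req_auth, secret),
        "reject": verify_and_assign_filter(reject, req_auth, secret),
        "tampered": verify_and_assign_filter(tampered, req_auth, secret),
        "wrong_secret": verify_and_assign_filter(accept, req_auth, b"not-the-secret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

The two authenticators do different jobs: the Response Authenticator binds the reply to the specific request and the shared secret, while the Message-Authenticator is the attribute RFC 2869 adds so that EAP-carrying packets cannot be forged or replayed by anyone who does not hold the secret. A client that skips either check can be handed a forged Access-Accept, which is why the controller treats the user as unauthenticated until both pass.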
Both the Captive Portal and AAA (802.1X) authentication mechanisms in the Controller, Access Points,
and WM software rely on a RADIUS server on the enterprise network. You can identify and prioritize up
to three RADIUS servers on the Summit WM Controller. If the active RADIUS server fails, the Summit WM
Controller polls the other servers in the list for a response. Once an alternate RADIUS server responds,
it becomes the active RADIUS server until it also fails or the administrator redefines another.
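As an added illustration of the failover behaviour just described (not Summit WM code, and not from this guide), the following sketch keeps a prioritized list of up to three servers, tries the active one first, polls the rest in priority order when it fails, and makes the first responder the new active server until it fails or an administrator redefines it. The server names and the fake transport are constructed so the scenario runs offline.

```python
"""Added example, not Summit WM code: a prioritized RADIUS server list with the
sticky failover described in the guide. The transport is injected so the demo
runs offline; 'radius1'..'radius3' are constructed names."""


class RadiusServerList:
    MAX_SERVERS = 3   # the controller accepts up to three prioritized servers

    def __init__(self, servers, send):
        """servers: addresses in administrator priority order.
        send(server, request) -> response bytes, or None on timeout / no response."""
        if not 1 <= len(servers) <= self.MAX_SERVERS:
            raise ValueError("configure between one and three RADIUS servers")
        self.servers = list(servers)
        self.active = 0      # index of the active server; starts at highest priority
        self._send = send

    def redefine_active(self, server):
        """Administrator explicitly selects the active server."""
        self.active = self.servers.index(server)

    def exchange(self, request):
        """Send to the active server; on failure poll the others in priority order.
        Returns (server_used, response), or (None, None) if every server is down,
        in which case the user stays unauthenticated."""
        order = [self.active] + [i for i in range(len(self.servers)) if i != self.active]
        for i in order:
            resp = self._send(self.servers[i], request)
            if resp is not None:
                self.active = i   # the alternate that answered becomes the active server
                return self.servers[i], resp
        return None, None


def demo():
    """Constructed scenario: radius1 fails, radius2 takes over and stays active even
    after radius1 comes back, until the administrator redefines the active server."""
    down = set()

    def fake_send(server, request):           # stand-in for the UDP/1812 exchange
        return None if server in down else b"Access-Accept from " + server.encode()

    pool = RadiusServerList(["radius1", "radius2", "radius3"], fake_send)
    trace = []
    trace.append(pool.exchange(b"req")[0])    # radius1
    down.add("radius1")
    trace.append(pool.exchange(b"req")[0])    # radius2, now active
    down.discard("radius1")
    trace.append(pool.exchange(b"req")[0])    # still radius2: failover is sticky
    pool.redefine_active("radius1")
    trace.append(pool.exchange(b"req")[0])    # radius1 again
    down.update(["radius1", "radius2", "radius3"])
    trace.append(pool.exchange(b"req")[0])    # None: nobody answered
    return trace


if __name__ == "__main__":
    print(demo())
```

The operational consequence worth noting is the last step: with every configured server unreachable, no Access-Accept can arrive, so every new 802.1X client stays in the unauthenticated state until a server responds again.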

Filtering for a WM-AD

The WM-AD capability provides a way to apply policy, allowing different network access to different
groups of users. This is accomplished by packet filtering.
After setting authentication, define the filtering rules for the filters that apply to your network and the
WM-AD you are setting up. The Summit WM Controller applies several filter types:
Exception filter - Protects access to a system's own interfaces, including the WM-AD's own interface.
WM-AD exception filters are applied to user traffic intended for the Summit WM Controller's own
Summit WM User Guide, Software Version 5.3