Enterasys 802.11 Networking Manual page 49

802.1X Authentication
IEEE 802.1X authentication allows logins based on user name, password, user certificates,
and other methods that may be mutually supported by the authentication server and the
clients. Only clients that support 802.1X can participate in a wireless network that uses this
type of authentication.
IEEE 802.1X authentication also imposes more requirements on the RADIUS server. For
MAC address authentication, a RADIUS server only needs to handle RADIUS. For
802.1X, the server must also handle EAP (Extensible Authentication Protocol) and one or
more protocols, such as MD5 (Message Digest 5) or TLS (Transport Layer Security).
Microsoft Windows 2000 Advanced Server is one example of a product that supports all of
the protocols needed for 802.1X.
Some login methods associated with IEEE 802.1X provide a way for an AP to
securely distribute radio keys. When all of the clients on a wireless LAN use such login
methods, it becomes practical to use Rapid Rekeying. Rapid Rekeying enhances security
by frequently changing radio encryption keys, reducing the time available to decode and
use an encryption key.
Hybrid Authentication
Hybrid authentication is a special authentication mode for sites undergoing a transition to
IEEE 802.1X. The AP uses both MAC address and 802.1X authentication. 802.1X takes
precedence, but in the absence of 802.1X replies from a client, the AP grants access based
on the MAC address. This allows you to introduce IEEE 802.1X clients without disrupting
non-802.1X clients' access to the LAN. However, this mode prohibits the use of the Rapid
Rekeying feature: the MAC address clients would not be able to keep up with the radio key
changes, and would lose connectivity to the LAN.
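The access decision in each authentication mode, and the check for whether Rapid Rekeying can be turned on, sketched as an added example (not code from the manual or from Enterasys). The Client fields, function names and sample MAC addresses are assumptions made for illustration, as is the treatment of a client that replies to 802.1X but is rejected.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

class Mode(Enum):
    MAC = "mac"
    DOT1X = "802.1x"
    HYBRID = "hybrid"

@dataclass
class Client:                       # hypothetical record, not an AP data structure
    mac: str
    eap_result: Optional[bool]      # None: no 802.1X replies; else RADIUS accept/reject
    mac_allowed: bool               # result of MAC address authentication
    keyed_login: bool = False       # login method lets the AP distribute radio keys

def admit(mode: Mode, c: Client) -> Tuple[bool, str]:
    """Return (granted, method used) for one client."""
    if mode is Mode.MAC:
        return c.mac_allowed, "mac"
    if c.eap_result is not None:    # client replied, so 802.1X takes precedence
        return c.eap_result, "802.1x"   # assumption: a reject is final, no MAC fallback
    if mode is Mode.HYBRID:         # no 802.1X replies: fall back to the MAC address
        return c.mac_allowed, "mac"
    return False, "none"            # 802.1X only: non-802.1X clients cannot join

def rapid_rekey_blockers(mode: Mode, clients: List[Client]) -> List[str]:
    """Admitted clients that could not keep up with radio key changes."""
    out = []
    for c in clients:
        granted, method = admit(mode, c)
        if granted and not (method == "802.1x" and c.keyed_login):
            out.append(c.mac)
    return out

def rapid_rekey_allowed(mode: Mode, clients: List[Client]) -> bool:
    # Hybrid mode prohibits Rapid Rekeying; otherwise all clients must be keyed.
    return mode is Mode.DOT1X and not rapid_rekey_blockers(mode, clients)

# Constructed sample clients (locally administered MACs, not from the manual).
SAMPLE = [
    Client("02:00:00:00:00:01", True, False, keyed_login=True),
    Client("02:00:00:00:00:02", True, False),   # 802.1X login without key distribution
    Client("02:00:00:00:00:03", None, True),    # legacy client, MAC-authorised
    Client("02:00:00:00:00:04", False, True),   # replied to 802.1X and was rejected
]

if __name__ == "__main__":
    for m in Mode:
        print(m.value, [admit(m, c) for c in SAMPLE], rapid_rekey_blockers(m, SAMPLE))
```

Running the blockers check against the current client list before leaving hybrid mode shows which stations still rely on the MAC address fallback or on a login method without key distribution.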