Extreme Networks Altitude 4700 Series Product Reference Manual page 28

Software version 4.1

Introduction
traffic and intercept passwords. The use of strong authentication methods that do not disclose
passwords is necessary. The Access Point uses the Kerberos authentication service protocol (specified in
RFC 1510) to authenticate users/clients in a wireless network environment and to securely distribute
the encryption keys used for both encrypting and decrypting.
A basic understanding of RFC 1510 Kerberos Network Authentication Service (V5) is helpful in
understanding how Kerberos works. By default, WLAN devices operate in an open system network where
any wireless device can associate with an AP without authorization. Kerberos requires device
authentication before access to the wired network is permitted.
For detailed information on Kerberos configurations, see "Configuring Kerberos Authentication" on page 202.
EAP Authentication
The Extensible Authentication Protocol (EAP) feature provides Access Points and their associated MUs an
additional measure of security for data transmitted over the wireless network. Using EAP,
authentication between devices is achieved through the exchange and verification of certificates.
EAP is a mutual authentication method whereby both the MU and AP are required to prove their
identities. Like Kerberos, the user loses device authentication if the server cannot provide proof of
device identification.
Using EAP, a user requests connection to a WLAN through the Access Point. The Access Point then
requests the identity of the user and transmits that identity to an authentication server. The server
prompts the AP for proof of identity (supplied to the Access Point by the user), and the AP then transmits the
user data back to the server to complete the authentication process.
An MU is not able to access the network if not authenticated. When configured for EAP support, the
Access Point displays the MU as an EAP station.
EAP is only supported on mobile devices running Windows XP, Windows 2000 (using Service Pack #4)
and Windows Mobile 2003. Refer to the system administrator for information on configuring a RADIUS
Server for EAP (802.1x) support.
For detailed information on EAP configurations, see "Configuring 802.1x EAP Authentication" on page 204.
WEP Encryption
All WLAN devices face possible information theft. Theft occurs when an unauthorized user eavesdrops
to obtain information illegally. The absence of a physical connection makes wireless links particularly
vulnerable to this form of theft. Most forms of WLAN security rely on encryption to various extents.
Encryption entails scrambling and coding information, typically with mathematical formulas called
algorithms, before the information is transmitted. An algorithm is a set of instructions or formula for
scrambling the data. A key is the specific code used by the algorithm to encrypt or decrypt the data.
Decryption is the decoding and unscrambling of received encrypted data.
The same device, host computer or front-end processor, usually performs both encryption and
decryption. The transmit or receive direction determines whether the encryption or decryption function
is performed. The device takes plain text, encrypts or scrambles the text typically by mathematically
combining the key with the plain text as instructed by the algorithm, then transmits the data over the
network. At the receiving end, another device takes the encrypted text and decrypts, or unscrambles,
the text revealing the original message. An unauthorized user can know the algorithm, but cannot
Altitude 4700 Series Access Point Product Reference Guide
