External Radius Server; Authentication Terminated On Iap - Dell PowerConnect W-IAP175P User Manual

Controller (the client certificate must be signed by a known CA) before the user name is checked on the
authentication server.
EAP-TTLS (MSCHAPv2)—The Extensible Authentication Protocol-Tunneled Transport Layer Security

(EAP-TTLS) method uses server-side certificates to set up authentication between clients and servers.
However, the actual authentication is performed using passwords.
EAP-PEAP (MSCHAPv2)—Protected Extensible Authentication Protocol (PEAP) is an 802.1X

authentication method that uses server-side public key certificates to authenticate clients with server. The
PEAP authentication creates an encrypted SSL / TLS tunnel between the client and the authentication server.
Exchange of information is encrypted and stored in the tunnel ensuring the user credentials are kept secure.
LEAP—Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys for authentication

between the client and authentication server.
NOTE: Dell Instant does not ship with any 802.1x server certificate. EAP-TTLS and EAP-PEAP support is not available until the
administrator uploads a valid 802.1x server certificate to the Dell Instant network. By default, the 802.1x authentication is limited to
LEAP only.
NOTE: It is not recommended the use of LEAP authentication method because it does not provide any resistance to network
attacks.

External RADIUS Server

In the external RADIUS server, IP address of the Virtual Controller is configured as the NAS IP address. Instant
RADIUS is implemented on the Virtual Controller. This feature eliminates the need to configure multiple NAS
clients for every IAP on the RADIUS server for client authentication.
Instant RADIUS dynamically forwards authentication requests from a NAS to a remote RADIUS server. The
RADIUS server responds to the authentication request with an Access-Accept or Access-Reject message. Users
are allowed or denied access to the network depending on the response from the RADIUS server.
When you enable the Internal RADIUS server option for the network, the authenticator on the IAP sends a
RADIUS packet to the local IP address. The Internal RADIUS server listens and replies to the RADIUS packet.
The following authentication methods are supported in Dell Instant network:

Authentication Terminated on IAP

Dell Instant allows EAP termination for EAP-GTC and will be able to authorize its against an LDAP server. This
will allow users to run EAP-GTC termination with their own certificates to a local Microsoft Active Directory
server with LDAP authentication.
The following EAP-Type methods are described below:
EAP-Generic Token Card (GTC): This EAP method permits the transfer of unencrypted usernames and
passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecureID and the
use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the
IAP as a backup to an external authentication server.
EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2): This EAP method is widely
supported by Microsoft clients.A RADIUS server must be used as the backend authentication server.
If you are using the IAP's internal database for user authentication, you need to add the names and passwords of
the users to be authenticated. If you are using an LDAP server for user authentication, you need to configure the
LDAP server on the Virtual Controller, and configure user IDs and passwords. If you are using a RADIUS server
for user authentication, you need to configure the RADIUS server on the Virtual Controller.
78 | Authentication Dell PowerConnect W-Series Instant Access Point 6.1.2.3-2.0.0.0 | User Guide