Dell PowerConnect W-Airwave Configuration Manual page 58

Table 10
Field
Termination EAP-Type
PEAP
Termination Inner EAP-
Type MSCHAPv2
Termination Inner EAP-
Type GTC
Token Caching
Token Caching Period
(1-240 hrs)
CA-Certificate
Server-Certificate
TLS Guest Access
TLS Guest Role
Ignore EAPOL-START
After Authentication
Handle EAPOL-Logoff
Ignore EAP ID During
Negotiation
WPA-Fast-Handover
52 | Configuration Reference
Profiles > AAA > 802.1x Auth Profile Settings (Continued)
Default Description
0 Specify EAP-PEAP termination.
802.1x authentication based on PEAP with MS-CHAPv2 provides both computer and
user authentication. If a user attempts to log in without the computer being
authenticated first, the user is placed into a more limited "guest" user role.
Windows domain credentials are used for computer authentication, and the user's
Windows login and password are used for user authentication. A single user sign-on
facilitates both authentication to the wireless network and access to the Windows
server resources.
No Enable or disable this setting. You can enable caching of user credentials on the
controller as a backup to an external authentication server. The EAP-Microsoft
Challenge Authentication Protocol version 2 (MS-CHAPv2), described in RFC 2759, is
widely supported by Microsoft clients.
No Enable or disable GTC. EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP
method permits the transfer of unencrypted usernames and passwords from client to
server. The main uses for EAP-GTC are one-time token cards such as SecureID and the
use of LDAP or RADIUS as the user authentication server.
You can also enable caching of user credentials on the controller as a backup to an
external authentication server.
Disabled Specify whether EAP token caching is enabled or disabled.
24 Specify token caching, in hours. The supported range is from 1 to 240 hours.
Type the CA certificate imported into the controller.
Specify a server certificate. The list of available certificates is taken from the computer
certificate store on which IAS is running. In this case, a self-signed certificate was
generated by the local certificate authority and installed on the IAS system. On each
wireless client device, the local certificate authority is added as a trusted certificate
authority, thus allowing this certificate to be trusted.
No Specify if TLS authentication supports guest users.
User-level authentication is performed by an external RADIUS server using PPP EAP-
TLS. In this scenario, client and server certificates are mutually authenticated during
the EAP-TLS exchange. During the authentication, the controller encapsulates EAP-TLS
messages from the client into RADIUS messages and forwards them to the server.
ap-role Specify the TLS authentication role that will support guests. This setting requires a
policy enforcement firewall license.
No Enable or disable this setting.
EAP authentication starts with a EAPOL-start frame that is sent by the wireless client to
the AP. Upon reception of such a frame, the AP responds back to the wireless client
with an EAP-Identify-Request and also does internal resource allocation. Attackers can
use this vulnerability by sending a lot of EAPOL-start frames to the Access point, either
by spoofing the MAC address or by emulating wireless clients. This forces the AP to
allocate increasing resource and eventually bringing it down. Enable this setting to
reduce the risk.
No Specify whether authentication should manage logoff activity.
No Specify whether EAP should be ignored during authentication.
No In the 802.1x Authentication profile, the WPA fast handover feature allows certain WPA
clients to use a pre-authorized PMK, significantly reducing handover interruption.
Check with the manufacturer of your handset to see if this feature is supported. This
feature is disabled by default.
Dell PowerConnect W-AirWave 7.5 | Configuration Guide