Enterasys RoamAbout RBT-4102 Configuration Manual page 116

Security
The 802.1x EAP packets are also used to pass dynamic unicast session keys and static
broadcast keys to wireless clients. Session keys are unique to each client and are used to
encrypt and correlate traffic passing between a specific client and the access point. You can
also enable broadcast key rotation, so the access point provides a dynamic broadcast key and
changes it at a specified interval.
You can enable 802.1x as optionally supported or as required to enhance the security of the
wireless network.
–
–
–
When you enable 802.1x, you can also enable the broadcast and session key rotation intervals.
–
–
–
• MAC Authentication configures how the access point uses MAC addresses to authorize
wireless clients to access the network. This authentication method provides a basic level of
authentication for wireless clients attempting to gain access to the network. A database of
authorized MAC addresses can be stored locally on the RBT‐4102 or remotely on a central
RADIUS server. (Default: Local MAC)
–
–
–
4-80 Advanced Configuration
Disable indicates that the access point does not support 802.1x authentication for any
wireless client. After successful wireless association with the access point, each client is
allowed to access the network.
Supported indicates that the access point supports 802.1x authentication only for clients
initiating the 802.1x authentication process (that is, the access point does not initiate
802.1x authentication). For clients initiating 802.1x, only those successfully authenticated
are allowed to access the network. For those clients not initiating 802.1x, access to the
network is allowed after successful wireless association with the access point.
Required indicates that the access point enforces 802.1x authentication for all associated
wireless clients. If 802.1x authentication is not initiated by a client, the access point will
initiate authentication. Only those clients successfully authenticated with 802.1x are
allowed to access the network.
Broadcast Key Refresh Rate sets the interval at which the broadcast keys are refreshed for
stations using 802.1x dynamic keying. (Range: 0‐1440 minutes; Default: 0 means disabled)
Session Key Refresh Rate specifies the interval at which the access point refreshes unicast
session keys for associated clients. (Range: 0‐1440 minutes; Default: 0 means disabled)
802.1x Session Timeout sets the time period after which a connected client must be re‐
authenticated. During the re‐authentication process of verifying the client's credentials on
the RADIUS server, the client remains connected to the network. Only if re‐authentication
fails is network access blocked. Default: 60 minutes.
Local MAC indicates that the MAC address of the associating station is compared against
the local database stored on the access point. Local MAC Authentication enables the local
database to be set up.
RADIUS MAC specifies that the MAC address of the associating station is sent to a
configured RADIUS server for authentication.
To use a RADIUS authentication server for MAC address authentication, the access point
must be configured to use a RADIUS server, see RADIUS (page 4‐10).
Disable specifies that the access point does not check an associating station's MAC address.