Configuring 802.1X Client Authentication - Foundry Networks IronPoint 200 User Manual

Foundry IronPoint 200 User Guide
• Disable: No checks are performed on an associating station's MAC address.
• Local MAC: The MAC address of the associating station is compared against the local database
stored on the access point. The Local MAC Authentication section enables the local database to
be set up. If this option is selected, all access points in the wireless network service area must be
configured with the same MAC address database.
• Radius MAC: The MAC address of the associating station is sent to a configured RADIUS server
for authentication. When using a RADIUS authentication server for MAC address authentication,
the server must first be configured in the RADIUS Web page (See "RADIUS Client Settings" on
page 15-1.). If this option is selected, the database of MAC addresses and filtering policy must
be defined in the RADIUS server.
MAC Authentication Session Timeout – sets the interval at which associated clients will be re-
authenticated with the RADIUS server. (Range: 0-1440 minutes; Default: 0, disabled)
Local MAC Authentication – Configures the local MAC authentication database. The MAC
database provides a mechanism to take certain actions based on a wireless client's MAC address.
The MAC list can be configured to allow or deny network access to specific clients.
• System Default: Specifies a default action for all unknown MAC addresses (that is, those not
listed in the local MAC database).
• Deny: Blocks access for all MAC addresses except those listed in the local database as
"allowed."
• Allow: Permits access for all MAC addresses except those listed in the local database as
"denied."
• MAC Authentication Settings: Enters specified MAC addresses and permissions into the local
MAC database.
• MAC Address: Physical address of a client. Enter six pairs of hexadecimal digits separated
by hyphens; for example, 00-90-D1-12-AB-89.
• Permission: Select Allow to permit access or Deny to block access. If Delete is selected, the
specified MAC address entry is removed from the database.
• Update: Enters the specified MAC address and permission setting into the local database.
• MAC Authentication Table: Displays current entries in the local MAC database.

Configuring 802.1x Client Authentication

The 802.1x standard provides a framework for network access control that uses a central RADIUS
server for user authentication. This control feature prevents unauthorized access to the network by
requiring an 802.1x client application to submit user credentials for authentication. The 802.1x
standard uses the Extensible Authentication Protocol (EAP) to pass user credentials (either digital
certificates, user names and passwords, or other) from the client to the RADIUS server. Client
authentication is then verified on the RADIUS server before the access point grants client access to
the network.
The 802.1x EAP packets are also used to pass dynamic unicast session keys and static broadcast
keys to wireless clients. Session keys are unique to each client and are used to encrypt and
correlate traffic passing between a specific client and the access point. You can also enable
18-6 © 2006 Foundry Networks, Inc. November 2006