Proxim ORiNOCO AP-4000M User Manual page 140

Advanced Configuration
SSID/VLAN/Security
• MAC Access Control via RADIUS Authentication
• MAC Access Control through individual APs' MAC Access Control Lists
If you have both 802.1x and MAC Access Control authentication enabled, the 802.1x authentication takes precedence
because it is higher in the authentication protocol hierarchy. This is required in order to propagate the WEP/TKIP/AES
keys to the clients in such cases. If you disable 802.1x on the AP, you will see the effects of MAC authentication.
In addition, setting MAC Access Control status to Strict will cause both MAC ACL settings and 802.1x settings to be
applied.
For example, assume that the MAC Access Control List contains MAC addresses to block, and that WPA-PSK is
configured to allow access to clients with the appropriate PSK Passphrase.
• If the MAC ACL status is set to Enable, WPA-PSK will take precedence, and clients in the MAC ACL with the correct
PSK passphrase will be allowed. Only the WPA-PSK setting is taken into consideration.
• If the MAC ACL status is set to Strict, then clients in the MAC ACL will be blocked even if they have the correct PSK
passphrase. Clients will only be allowed if they have the correct passphrase and are NOT listed in the MAC ACL. In
this way, both MAC and WPA-PSK settings are taken into consideration.
VLANs and Security Profiles
The AP allows you to segment wireless networks into multiple sub-networks based on Network Name (SSID) and VLAN
membership. A Network Name (SSID) identifies a wireless network. Clients associate with Access Points that share an
SSID. During installation, the Setup Wizard prompts you to configure a Primary Network Name for each wireless
interface.
After initial setup and once VLAN is enabled, the AP can be configured to support up to 16 SSIDs per wireless interface
to segment wireless networks based on VLAN membership.
Each VLAN can associated to a Security Profile and RADIUS Server Profiles. A Security Profile defines the allowed
wireless clients, and authentication and encryption types. See the following sections for configuration details.
Configuring Security Profiles
Security policies can be configured and applied on the AP as a whole, or on a per VLAN basis. When VLAN is disabled
on the AP, the user can configure a security profile for each interface of the AP. When VLANs are enabled and Security
per SSID is enabled, the user can configure a security profile for each VLAN.
The user defines a security policy by specifying one or more values for the following parameters:
• Wireless STA types (WPA station, 802.11i (WPA2) station, 802.1x station, WEP station, WPA-PSK, and 802.11i-PSK)
that can associate to the AP.
• Authentication mechanisms (802.1x, RADIUS MAC authentication) that are used to authenticate clients for each type
of station.
• Cipher Suites (CCMP, TKIP, WEP, None) used for encapsulating the wireless data for each type of station.
Up to 16 security profiles can be configured per wireless interface.
NOTE: Mesh security is configured on the
1. Click Configure > SSID/VLAN/Security > Security Profile.
Mesh tab.
AP-4000/4000M/4900M User Guide
140