Eap, Eap-Psk And Eap Mac - Motorola WiNG 5.5 Reference Manual

MAC Authentication
PSK / None
Secure guest access to the network is referred to as a captive portal. A captive portal is a guest access policy for providing
temporary and restrictive access to the access point-managed wireless network. Existing captive portal policies can be applied
to a WLAN to provide secure guest access.
A captive portal policy provides secure authenticated access using a standard Web browser. A captive portal provides
authenticated access by capturing and re-directing a wireless user's Web browser session to a login page, where a user must
enter valid credentials to access the network. Once logged into the captive portal, additional Agreement, Welcome and Fail
pages provide an administrator with a number of options for the screen flow and appearance.
Refer to Captive Portal on page 6-12 for information on assigning a captive portal policy to a WLAN.
MAC Registration gives returning captive portal users faster authentication and access to the captive portal service. When
the user connects to the captive portal for the first time, the MAC address of the user is recorded once the authentication is
successful. The next time the device is used to access the captive portal, MAC Registration allows the device and the user to
be authenticated faster.
Refer to MAC Registration on page 6-13 for information on enabling and configuring MAC Registration.
Encryption is essential for WLAN security, as it provides data privacy for traffic forwarded over a WLAN. When the 802.11
specification was introduced, Wired Equivalent Privacy (WEP) was the primary encryption mechanism. WEP has since been
shown to be flawed in many ways, and is not considered an effective standalone scheme for securing a WLAN. WEP is
typically used with WLAN deployments supporting legacy clients. New deployments should use either WPA or WPA2
encryption.
Encryption applies a specific algorithm to data to alter its appearance and prevent unauthorized access. Decryption applies the
algorithm in reverse, to restore the data to its original form. A sender and receiver must employ the same encryption/decryption
method to interoperate. When both TKIP and CCMP are enabled, a mix of clients is allowed to associate with the WLAN.
Some use TKIP, others use CCMP. Since broadcast traffic needs to be understood by all clients, the broadcast encryption type
in this scenario is TKIP.
Refer to the following to configure a WLAN's encryption scheme:
WPA/WPA2-TKIP
WPA2-CCMP
WEP 64
WEP 128 and KeyGuard
6.1.2.1 802.1x EAP, EAP-PSK and EAP MAC
Configuring WLAN Security
The Extensible Authentication Protocol (EAP) is the de facto standard authentication method used to provide secure
authenticated access to WLANs. EAP provides mutual authentication, secured credential exchange, dynamic keying and strong
encryption. 802.1X EAP can be deployed with WEP, WPA or WPA2 encryption schemes to further protect user information
forwarded over wireless controller-managed WLANs.
The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an authenticator (in this case,
the authentication server). An access point passes EAP packets from the client to an authentication server on the wired side
of the access point. All other packet types are blocked until the authentication server (typically, a RADIUS server) verifies the
client's identity.
802.1X EAP provides mutual authentication over the WLAN. The 802.1X EAP process uses credential
verification to apply specific policies and restrictions to WLAN users to ensure access is only provided to specific wireless
controller resources.
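The gating behaviour described above, as an added example (not code from the WiNG manual or product): a per-client gate relays only 802.1X frames (EtherType 0x888E) and drops everything else until the authentication server returns EAP-Success. The names `PortGate`, `eth` and `demo` are hypothetical, the frames are constructed, and the RADIUS transport is reduced to handing the gate the server's EAP packet.

```python
import struct

ETH_EAPOL = 0x888E                 # EtherType for 802.1X (EAP over LAN)
EAP_SUCCESS, EAP_FAILURE = 3, 4    # EAP Code values (RFC 3748)

def ethertype(frame: bytes) -> int:
    """EtherType of an untagged Ethernet II frame (bytes 12-13)."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    return struct.unpack("!H", frame[12:14])[0]

def eap_code(eap: bytes) -> int:
    """Code field of an EAP packet laid out as Code(1) Identifier(1) Length(2)."""
    if len(eap) < 4:
        raise ValueError("short EAP packet")
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    if not 4 <= length <= len(eap):
        raise ValueError("bad EAP length")
    return code

class PortGate:
    """Hypothetical per-client gate kept by the access point."""
    def __init__(self):
        self.authorized = False

    def from_client(self, frame: bytes) -> str:
        # EAPOL is always relayed; all other traffic waits for authorization.
        if ethertype(frame) == ETH_EAPOL:
            return "relay"
        return "forward" if self.authorized else "drop"

    def from_auth_server(self, eap: bytes) -> None:
        # Only the server-side result changes the port state.
        code = eap_code(eap)
        if code in (EAP_SUCCESS, EAP_FAILURE):
            self.authorized = code == EAP_SUCCESS

def eth(etype: int, payload: bytes) -> bytes:
    """Build a constructed frame with placeholder MAC addresses."""
    return bytes(6) + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", etype) + payload

# Constructed sample traffic (not captured from a real network)
IPV4 = eth(0x0800, b"\x45" + bytes(19))
EAPOL_START = eth(ETH_EAPOL, bytes([1, 1, 0, 0]))                 # EAPOL type 1 = Start
CLIENT_SUCCESS = eth(ETH_EAPOL, bytes([1, 0, 0, 4, 3, 7, 0, 4]))  # EAP-Success sent by the client

def demo():
    gate = PortGate()
    before = [gate.from_client(f) for f in (IPV4, EAPOL_START, CLIENT_SUCCESS, IPV4)]
    gate.from_auth_server(bytes([3, 7, 0, 4]))   # server-side EAP-Success, id 7
    return before + [gate.from_client(IPV4)]
```

An EAP-Success arriving from the client side is handled like any other EAPOL frame and leaves the gate closed; only the result from the authentication server opens it.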
Wireless Configuration
6 - 9
