EAP, EAP PSK and EAP MAC - Motorola WiNG 5.4.2 System Reference Manual


enter valid credentials to access the network. Once logged into the captive portal, additional Agreement, Welcome and Fail
pages provide an administrator with a number of options for the screen flow and appearance.
Refer to Captive Portal on page 6-12 for information on assigning a captive portal policy to a WLAN.
MAC Registration gives returning captive portal users faster authentication and access to the captive portal service. When
a user connects to the captive portal for the first time, the MAC address of the user's device is recorded once authentication
succeeds. The next time the device is used to access the captive portal, MAC Registration allows the device and the user to
be authenticated faster.
Refer to MAC Registration on page 6-12 for information on enabling and configuring MAC Registration.
Encryption is essential for WLAN security, as it provides data privacy for traffic forwarded over a WLAN. When the 802.11
specification was introduced, Wired Equivalent Privacy (WEP) was the primary encryption mechanism. WEP has since been
found to be flawed in many ways, and is not considered an effective standalone scheme for securing a WLAN. WEP is
typically used with WLAN deployments supporting legacy clients. New deployments should use either WPA or WPA2
encryption.
Encryption applies a specific algorithm to data to alter its appearance and prevent unauthorized access. Decryption applies the
algorithm in reverse, to restore the data to its original form. A sender and receiver must employ the same encryption/decryption
method to interoperate. When TKIP and CCMP are both enabled, a mix of clients is allowed to associate with the WLAN.
Some use TKIP, others use CCMP. Since broadcast traffic needs to be understood by all clients, the broadcast encryption type
in this scenario is TKIP.
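The mixed-mode behavior described above can be checked from what a WLAN advertises. The following Python code is an added example, not taken from the Motorola manual: it parses a WPA2 RSN information element (element ID 48) and reports when broadcast or unicast traffic can fall back to TKIP or WEP. The sample byte strings are constructed for illustration, and WPA (version 1) vendor elements are not handled.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")   # IEEE 802.11 OUI used in RSN suite selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
WEAK = {"WEP-40", "WEP-104", "TKIP"}

def _name(sel, names):
    if sel[:3] != RSN_OUI:
        return "vendor:" + sel.hex()
    return names.get(sel[3], "unknown:%d" % sel[3])

def _suites(buf, off, names):
    """Read a little-endian 16-bit count, then that many 4-byte suite selectors."""
    if off + 2 > len(buf):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", buf, off)
    end = off + 2 + 4 * count
    if end > len(buf):
        raise ValueError("truncated suite list")
    return [_name(buf[i:i + 4], names) for i in range(off + 2, end, 4)], end

def parse_rsn_ie(ie):
    """Parse an RSN element (ID 48) as carried in beacons and probe responses."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    if len(body) < 6 or struct.unpack_from("<H", body)[0] != 1:
        raise ValueError("unsupported RSN version")
    pairwise, off = _suites(body, 6, CIPHERS)
    akm, _ = _suites(body, off, AKMS)
    return {"group": _name(body[2:6], CIPHERS), "pairwise": pairwise, "akm": akm}

def audit(ie):
    """Return (parsed element, findings) for one advertised WLAN."""
    rsn = parse_rsn_ie(ie)
    findings = []
    if rsn["group"] in WEAK:
        findings.append("broadcast traffic uses " + rsn["group"])
    weak = [c for c in rsn["pairwise"] if c in WEAK]
    if weak:
        findings.append("unicast may negotiate " + "/".join(weak))
    return rsn, findings

# Constructed samples (not captured traffic): TKIP+CCMP mixed mode, then CCMP only.
MIXED = bytes.fromhex("3018" "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac01" "0000")
CCMP_ONLY = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
if __name__ == "__main__":
    print(audit(MIXED)[1], audit(CCMP_ONLY)[1])
```
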
Refer to the following to configure a WLAN's encryption scheme:
WPA/WPA2-TKIP
WPA2-CCMP
WEP 64
WEP 128 and KeyGuard
6.1.2.1 802.1x EAP, EAP PSK and EAP MAC
Configuring WLAN Security
The Extensible Authentication Protocol (EAP) is the de facto standard authentication method used to provide secure
authenticated access to WLANs. EAP provides mutual authentication, secured credential exchange, dynamic keying and strong
encryption. 802.1X EAP can be deployed with WEP, WPA or WPA2 encryption schemes to further protect user information
forwarded over wireless controller managed WLANs.
The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an authenticator (in this case,
the authentication server). An access point passes EAP packets from the client to an authentication server on the wired side
of the access point. All other packet types are blocked until the authentication server (typically, a RADIUS server) verifies the
client's identity.
802.1X EAP provides mutual authentication over the WLAN during authentication. The 802.1X EAP process uses credential
verification to apply specific policies and restrictions to WLAN users to ensure access is only provided to specific wireless
controller resources.
802.1X requires an 802.1X-capable RADIUS server to authenticate users and an 802.1X client installed on each device accessing
the EAP supported WLAN. An 802.1X client is included with most commercial operating systems, including Microsoft
Windows, Linux and Apple OS X.
The RADIUS server authenticating 802.1X EAP users resides externally to the access point. User account creation and
maintenance can be provided centrally using RFMS or individually maintained on each device. If an external RADIUS server is
used, EAP authentication requests are forwarded.
