Wireless Authentication - iRobot Ava 500 Administrator's Manual


Ava 500 IT Administrator's Guide

Wireless Authentication

In providing secure access to a network, authentication is a crucial piece of the overall solution. The Ava 500
works with a number of authentication types, including:

No authentication – Usually referred to as an "open network", this type of network is normally only used in
testing, as it creates too great a security risk to the overall network.

MAC address authentication – Handled by the network infrastructure rather than the client, MAC address
authentication is based on the factory-assigned, "burned-in" address given to every Ethernet device. MAC
addresses can easily be cloned by an attacker, and are not considered a secure way of protecting a network.

Pre-shared key (PSK) – A pre-shared key is a phrase or password set on both the client and the wireless
infrastructure. The keys must match and are the basis for encrypting all data between the client and the
network. Creating an SSID specifically for the Ava 500 and then using a pre-shared key known only to the IT
department may be a simple and secure way of handling connectivity during a trial period, for example. Note
that a PSK is the same for every client on that SSID and offers no per-device revocation: if it leaks, it must be
changed everywhere, which is why it suits a trial rather than production use.

EAP (Extensible Authentication Protocol) – EAP currently provides the highest level of authentication
available. EAP provides per-user or per-device authentication based on a username/password, a
certificate, or other means. These credentials are typically verified by a RADIUS server on the customer's
network. This gives the enterprise the most control over who and what may connect to the WLAN.

The Ava 500 uses a Cisco access point configured as a workgroup bridge. In that configuration,
the Cisco software is not compatible with Microsoft Windows Server 2003 Internet Authentication
Service (IAS) acting as the RADIUS server. For the Ava 500 to connect to the WLAN, either IAS
must be upgraded to Windows Server 2008 Network Policy Server (NPS) or replaced by other
RADIUS server software, or an authentication method that does not require RADIUS
verification (such as PSK) must be used.

A number of EAP standards are in use today. The Ava 500 has been tested and confirmed to work with the
following EAP types:

EAP-PEAP (often referred to as MS-PEAP) – PEAP provides a method to connect to a wireless
network using a username/password. As part of the standard, before the client will send its
username/password to the infrastructure, it requires a certificate from the RADIUS server in order
to confirm the server is who it claims to be. This prevents the client or device from being tricked into
sending a username and password to an attacker, since the attacker cannot present a certificate the
client trusts. This protection only holds if server certificate validation is actually enabled on the Ava 500
and the correct CA certificate is installed; a client that skips validation will hand its credentials to any
access point advertising the SSID. Because the password must be configured on the Ava 500 and cannot
easily be changed, the password should be set not to expire. Use a dedicated account for the robot rather
than a person's credentials, so that the non-expiring password is limited to that device.

MS-PEAP also allows authentication using a certificate instead of a username/password. Using
MS-PEAP in this way is not supported by the Ava 500. If you wish to use a client certificate,
use EAP-TLS instead.

EAP-TLS – The TLS method of EAP requires a client certificate. In EAP-TLS, two certificates
are in play: one from the server, confirming it can be trusted to receive credentials, and one from the
client, acting as its credentials. For this EAP type to succeed, the client must trust the certificate from the
RADIUS server, and the RADIUS server must trust the certificate presented by the client. Therefore, two
items must be installed on the Ava 500 access point: the client certificate (with its private key) and the
certificate of the CA that issued the RADIUS server's certificate, so that the certificate presented to the
client can be validated. On the RADIUS side, the CA that issued the client certificate must likewise be trusted.

Version 1.2 – 012415
iRobot Proprietary
Page 21
Data Communications and Security
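The two trust relationships described above, the client trusting the RADIUS server's certificate (PEAP and EAP-TLS) and the RADIUS server trusting the client's certificate (EAP-TLS), can be checked with openssl before anything is loaded onto the Ava 500. The script below is an added example and is not part of the iRobot manual or any iRobot tooling. It assumes openssl is installed, builds a throw-away lab CA, issues a RADIUS server certificate, a client certificate and a look-alike server certificate from a second, untrusted CA, and runs the checks. All file names and subject names are invented for the example, and it only inspects certificate material; it does not speak RADIUS or EAP.

```shell
#!/bin/sh
# Added example, not from the iRobot manual: a throw-away lab PKI built with
# openssl, used to show the two trust checks behind PEAP and EAP-TLS.
# Assumptions: openssl is on PATH; every file name and CN below is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a self-signed CA: $1 = file prefix, $2 = subject CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a certificate signed by a CA: $1 = CA prefix, $2 = output prefix, $3 = CN.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# Check 1: does a certificate chain to the CA certificate the peer trusts?
# Run by the client against the RADIUS server certificate (PEAP and EAP-TLS),
# and by the RADIUS server against the client certificate (EAP-TLS).
chains_to() {   # $1 = trusted CA file, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does the client certificate belong to the private key installed
# beside it? A mismatched pair fails the EAP-TLS handshake.
key_matches_cert() {   # $1 = certificate, $2 = private key
  [ "$(openssl x509 -noout -pubkey -in "$1")" = \
    "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

# Constructed lab PKI (invented names).
make_ca corp-ca "Corp Root CA"                # the CA run by the IT department
issue   corp-ca radius "radius.corp.example"  # legitimate RADIUS server certificate
issue   corp-ca ava500 "ava500-01"            # client certificate for the robot (EAP-TLS)
make_ca evil-ca "Evil Twin CA"                # an attacker's own CA
issue   evil-ca rogue  "radius.corp.example"  # look-alike server cert from a rogue AP

# Client side: corp-ca.pem stands for the CA certificate installed on the Ava 500.
chains_to corp-ca.pem radius.pem && echo "radius.pem: trusted, credentials may be sent"
chains_to corp-ca.pem rogue.pem  || echo "rogue.pem: rejected, same CN but untrusted issuer"

# Server side: the RADIUS server checks the robot's certificate the same way.
chains_to corp-ca.pem ava500.pem && echo "ava500.pem: accepted by the RADIUS server"

# Installation sanity check for the EAP-TLS client pair.
key_matches_cert ava500.pem ava500.key && echo "ava500.pem/ava500.key: key matches certificate"
key_matches_cert ava500.pem radius.key || echo "ava500.pem/radius.key: mismatch, wrong key installed"
```

The rogue certificate carries the same CN as the real RADIUS server, which is exactly the case the PEAP paragraph guards against: the name proves nothing, only the chain to the CA certificate installed on the client does. The script does not check extended key usage; Windows NPS additionally expects the Server Authentication EKU on the RADIUS server certificate and the Client Authentication EKU on client certificates, so certificates issued for the Ava 500 should carry those.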
