Symbol Technologies WS 2000 manual 802.1x with Shared Key Authentication, Kerberos Authentication

Page 16

The pair-wise master keys (PMK) generated by this negotiation are used to derive the keys used for MAC-layer encryption. In the absence of a RADIUS server, 802.1x is used in a pre-shared key configuration: the administrator configures the master key statically in the switch configuration. Otherwise the key is obtained through negotiation with an external RADIUS server, in compliance with 802.1x.

The WS 2000 Wireless Switch uses the Remote Authentication Dial-In User Service (RADIUS) to authenticate 802.1x-enabled MUs.

802.1x with Shared Key Authentication

Shared key authentication, part of the Wired Equivalent Privacy (WEP) algorithm, provides a basic means of data encryption to improve data security for a Wireless LAN (WLAN). The shared key algorithm performs both data encryption and decryption. A wireless device with a valid shared key is allowed to associate with the WS 2000 Wireless Switch and access services on the wired LAN.

Using shared key authentication, an administrator configures the mobile units (MUs) and the WS 2000 Wireless Switch to share the same key. The MU authenticates by presenting the key to the WS 2000 Wireless Switch. The switch examines the key and uses it in a checksum (error-checking) operation that compares the presented key with the key configured on the switch. The MU is granted access to network services only when the key passes this check.

The WS 2000 Wireless Switch uses shared key authentication when there is no RADIUS server on the wired LAN.

Kerberos Authentication

The Kerberos authentication service protocol (specified in RFC 1510) provides a secure means for authenticating users/clients in a wireless network environment.

With Kerberos, a client (a user, a service, or a user requesting any number of network services) within the Kerberos realm sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the Ticket Granting Server's (TGS) secret key, and sends the encrypted TGT back to the client. Along with the TGT, the KDC sends a session key (SK1) encrypted with the client's password. The client then attempts to decrypt the session key using its password. If the decryption succeeds (i.e., the client supplied the correct password), the client keeps the decrypted session key, and possession of it serves as proof of the client's identity. The TGT permits the client to obtain additional tickets (TK-TS), each granting permission for a specific network service (any application or service) for the lifetime stated in the TK-TS. Requesting and granting these additional tickets is transparent to the user. Once the session tickets expire, the client must re-authenticate to continue using network services.
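The AS and TGS exchanges just described, modelled as an added Python example (not Symbol's code, nor any real Kerberos implementation): the KDC seals the TGT under the TGS key and SK1 under the client's password-derived key, a wrong password fails to recover SK1, and a valid TGT plus an SK1-sealed authenticator yields a service ticket (TK-TS). Key derivation is PBKDF2 and the sealing is a toy SHA-256 keystream with an HMAC tag standing in for Kerberos' real cipher suites; the realm, principal names and passwords are constructed.

```python
import hashlib, hmac, os

REALM = b"EXAMPLE.REALM"  # constructed sample realm, used here as the KDF salt
def derive_key(password: str) -> bytes:
    """Client long-term key derived from its password (string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM, 10_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256: a toy stand-in for a real cipher."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, msg: bytes) -> bytes:
    """nonce | msg XOR keystream | HMAC tag, so a wrong key is detectable."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()
def unseal(key: bytes, blob: bytes):
    """Plaintext, or None when the tag fails (wrong key or tampered blob)."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))
class KDC:
    """Master KDC: principal database plus the TGS and service secret keys."""
    def __init__(self, principals: dict, services: list):
        self.db = {n: derive_key(pw) for n, pw in principals.items()}
        self.tgs_key = os.urandom(32)
        self.svc_keys = {s: os.urandom(32) for s in services}
    def as_exchange(self, client: str):
        """AS-REQ/REP: TGT sealed under the TGS key, SK1 under the client key."""
        sk1 = os.urandom(32)
        tgt = seal(self.tgs_key, client.encode() + b"|" + sk1)
        return tgt, seal(self.db[client], sk1)
    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/REP: verify TGT and SK1-sealed authenticator, issue TK-TS."""
        inner = unseal(self.tgs_key, tgt)
        if inner is None or service not in self.svc_keys:
            return None
        client, sk1 = inner.split(b"|", 1)
        if unseal(sk1, authenticator) != client:  # client must really hold SK1
            return None
        return seal(self.svc_keys[service], client + b"|" + service.encode())

def login(kdc: KDC, name: str, password: str):
    """Client side: AS exchange, then prove identity by recovering SK1."""
    tgt, sealed_sk1 = kdc.as_exchange(name)
    sk1 = unseal(derive_key(password), sealed_sk1)
    return None if sk1 is None else (tgt, sk1)  # None means wrong password
```

Note that the client never sends its password: the KDC learns only whether the client could decrypt SK1, which is exactly the proof of identity the text describes.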

The KDC operates in a Master or a Slave capacity. The Master KDC maintains the master database file that contains all of the user authentication information. This information includes the user’s name, password, and authorization level. This authorization level determines what network services the user has access to.

The Slave KDC acts as a backup to the Master KDC. Database information propagates from the Master KDC to the Slave at regular intervals. If the Master KDC fails, the Slave KDC takes over ticket-granting services until the problem that caused the Master KDC to fail is resolved. The Slave KDC has no database administration privileges; those are reserved for the Master KDC.

Copyright © 2004 Symbol Technologies, Inc. All Rights Reserved


WS 2000 Wireless Switch: 1.0 Date of last Revision: March 2004
