152 | AT-TQ2403 - Management Software - User's Guide |
Network Infrastructure and Choosing Between Built-in or External Authentication Server
Network security configurations, including Public Key Infrastructures (PKI), Remote Authentication Dial-In User Service (RADIUS) servers, and Certificate Authorities (CA), can vary a great deal from one organization to the next in terms of how they provide Authentication, Authorization, and Accounting (AAA). Ultimately, the particulars of your infrastructure will determine how clients should configure security to access the wireless network. Rather than try to predict and address the details of every possible scenario, this document provides general guidelines about each type of client configuration supported by the AT-TQ2403 Management Software.
I Want to Use the Built-in Authentication Server (EAP-PEAP)
If you do not have a RADIUS server or PKI infrastructure in place and/or are unfamiliar with many of these concepts, we strongly recommend setting up the AT-TQ2403 Management Software with security that uses the Built-in Authentication Server on the AP. This means setting up the AP to use either IEEE 802.1x or WPA/WPA2 Enterprise (RADIUS) security mode. (The built-in authentication server uses the EAP-PEAP authentication protocol.)
∙ If the AT-TQ2403 Wireless Access Point is set up to use IEEE 802.1x mode and the Built-in Authentication Server, configure wireless clients as described in “IEEE 802.1x Client Using EAP/PEAP”.
∙ If the AT-TQ2403 Wireless Access Point is configured to use WPA/WPA2 Enterprise (RADIUS) mode and the Built-in Authentication Server, configure wireless clients as described in “WPA/WPA2 Enterprise (RADIUS) Client Using EAP/PEAP”.
I Want to Use an External RADIUS Server with EAP-TLS Certificates or EAP-PEAP
We assume that if you have an external RADIUS server and PKI/CA setup, you will know how to configure client security options appropriate to your security infrastructure beyond the fundamental suggestions given here. Topics covered here that particularly relate to client security configuration in a RADIUS/PKI environment are:
∙ “IEEE 802.1x Client Using EAP/TLS Certificate”.
∙ “WPA/WPA2 Enterprise (RADIUS) Client Using EAP-TLS Certificate”.
∙ “Configuring an External RADIUS Server to Recognize the AT-TQ2403 Wireless Access Point”.
∙ “Obtaining a TLS-EAP Certificate for a Client”.
Details on how to configure an EAP-PEAP client with an external RADIUS server are not covered in this document.
Make Sure the Wireless Client Software is Up-to-Date
Before starting out, please keep in mind that service packs, patches, and new releases of drivers and other supporting technologies for wireless clients are being generated at a fast pace. A common problem encountered in client security setup is not having the right driver, or the updates to it, on the client. For example, if you are setting up WPA on the client, make sure you have a driver installed that supports WPA, which is a relatively new technology. Even many client cards currently available do not ship from the factory with the latest drivers.