Chapter 6: Configuring Security

Implementing an 802.1x Security Solution

You can implement 802.1x security in your network. The IEEE 802.1x standard provides an authentication protocol for 802.11 LANs. 802.1x provides strong authentication, access control, and key management, and lets wireless networks scale by allowing centralized authentication of wireless end devices.

The 802.1x authentication process uses a RADIUS server, which is the authentication server, and access points, which are the authenticators, to manage the wireless end device authentication and wireless connection attributes. Extensible Authentication Protocol (EAP) authentication types provide devices with secure connections to the network. They protect credentials and data privacy. Examples of EAP authentication types include Transport Layer Security (EAP-TLS) and Tunneled Transport Layer Security (EAP-TTLS).

To implement 802.1x security, you must have the following:

• An authentication server (RADIUS server), which is software that is installed on a PC or server on your network or an EAS. The authentication server accepts or rejects requests from end devices that want to communicate with the 802.1x-enabled network. For help, see Chapter 7, “Configuring the Embedded Authentication Server (EAS)” on page 204.

• An authenticator, which is an access point on your network. The authenticator receives requests from end devices that want to communicate with the network and forwards these requests to the authentication server. The authenticator also distributes the WEP keys to end devices that are communicating with it.

• End devices that are 802.1x-enabled. These end devices have an 802.11b or an 802.11a radio and a supplicant (EAP-TLS, EAP-TTLS or PEAP) loaded on them. Supplicants request communication with the authenticator using a specific EAP authentication type. For more information on the availability of 802.1x-enabled end devices, contact your local Allied Telesyn representative.

• A trusted certificate authority (CA), which issues digital authentication certificates. Allied Telesyn and others can provide the service of acting as a CA and can issue certificates. For more information, contact your local Allied Telesyn representative.

• The authentication server and end devices with supplicants need certificates. A CA certificate is the root certificate or public key. A server certificate (sometimes referred to as the client certificate) is the private key. For more details, see “About Certificates” on page 206.

• The authentication server must have both a CA certificate and a server certificate installed on it.

• An end device with an EAP-TTLS supplicant or a child access point using secure IAPP-TTLS needs only the CA certificate.
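
Because EAP-TTLS end devices hold only the CA certificate, the server certificate installed on the authentication server has to chain to that same CA, and its private key has to match it. The following check is an added example, not part of the manual; it assumes the openssl command-line tool is available, and every file name and subject name in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pre-installation check for the authentication server's
# certificate files. All file and subject names below are constructed.

# check_eap_certs CA_CERT SERVER_CERT SERVER_KEY
# 0 = usable, 1 = server cert does not chain to the CA cert,
# 2 = private key does not belong to the server cert.
check_eap_certs() {
    ca=$1; cert=$2; key=$3
    # End devices hold only the CA certificate, so the server certificate
    # must verify against exactly that CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "chain: FAIL"; return 1; }
    # Compare the public key inside the certificate with the one derived
    # from the private key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key match: FAIL"; return 2; }
    echo "ok"
}

# make_demo_pki DIR: build a throwaway root CA, a server certificate signed
# by it, and an unrelated self-signed CA (constructed test material only).
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/server.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other-ca.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
# Matching CA, certificate and key
check_eap_certs "$demo_dir/ca.pem" "$demo_dir/server.pem" "$demo_dir/server.key"
# Server certificate checked against a CA the end devices would not hold
check_eap_certs "$demo_dir/other-ca.pem" "$demo_dir/server.pem" "$demo_dir/server.key" || true
# Private key that does not belong to the server certificate
check_eap_certs "$demo_dir/ca.pem" "$demo_dir/server.pem" "$demo_dir/other.key" || true
rm -rf "$demo_dir"
```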

Allied Telesis AT-WA7500, AT-WA7501 manual Implementing an 802.1x Security Solution