Chapter 6: Configuring Security

Enabling Secure Communications Between Access Points

When you configure a radio to use 802.1x security, you automatically enable spanning tree security, which can be used for both wired access points and WAPs. A secure spanning tree has two functions:

1. To require authentication of any access point attempting to join the spanning tree.

2. To provide encryption of critical Inter-Access Point Protocol (IAPP) frames.

There are three authentication methods that you can use to secure the spanning tree: SWAP, TTLS, or TLS.

When the Access Point Is the Supplicant

By default, TTLS is enabled. If you want to use TTLS, you must also enter a user name and password. This login must match an entry in the authentication server database. When the access point is acting as a supplicant and the authentication server offers the TTLS protocol, the access point sends its user name and password.

You can also enable TLS as the authentication method. You must install a server certificate on each access point that will use this method to authenticate to the network. When the access point is acting as a supplicant and the authentication server offers the TLS protocol, the access point sends its certificate credentials.

If you enable both TTLS and TLS, you must choose which protocol the access point offers first, and the access point must have both a login configured and a server certificate installed.

By default, Secure Wireless Authentication Protocol (SWAP) is also enabled. The access point tells the authenticator that it can perform SWAP. If the authenticator allows SWAP, SWAP is used. SWAP allows access points to authenticate using an EAP-MD5 challenge. If the supplicant or the authenticator does not allow SWAP, the authentication must happen at the authentication server using TTLS or TLS. Note that EAP-MD5 is a one-way challenge-response exchange: it does not authenticate the authenticator to the supplicant, and a captured exchange can be tested against password guesses offline. Treat SWAP as the weakest of the three methods and leave it enabled only where older access points require it.
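The negotiation rules above, including the Allow SWAP check box described under "When the Access Point Is the Authenticator" below, and the EAP-MD5 challenge that SWAP relies on, modelled in Python as an added example. This is not Allied Telesis code. The page does not describe SWAP's wire format, so the block assumes SWAP's challenge is the standard EAP-MD5 MD5-Challenge of RFC 3748 (the CHAP algorithm of RFC 1994); the class and function names, the sample credentials and the word list are all constructed for illustration. The last function shows why SWAP is the weakest option: a captured exchange can be replayed against password guesses offline.

```python
"""Model of the access-point authentication rules in this section.

Added example, not Allied Telesis code.  Assumption: SWAP's challenge is the
standard EAP-MD5 MD5-Challenge (RFC 3748 section 5.4); all names here are
illustrative.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

SWAP, TTLS, TLS = "SWAP", "TTLS", "TLS"


@dataclass
class Supplicant:
    """Access point trying to join the secure spanning tree."""
    allow_swap: bool = True                     # page default: SWAP enabled
    offer_order: Tuple[str, ...] = (TTLS, TLS)  # which method the AP offers first
    login: Optional[Tuple[str, str]] = None     # (user name, password) for TTLS
    certificate: Optional[bytes] = None         # certificate installed for TLS


@dataclass
class Authenticator:
    """Access point already in the spanning tree, plus its authentication server."""
    allow_swap: bool = True                     # the "Allow SWAP" check box
    server_methods: frozenset = frozenset({TTLS, TLS})  # methods the server offers


def select_method(sup: Supplicant, auth: Authenticator) -> Tuple[str, str]:
    """Apply the rules in the text and return (method, where it is verified).

    SWAP is used when both sides allow it and is verified by the authenticator
    itself.  Otherwise the first method in the supplicant's offer order that the
    authentication server offers is used, and the supplicant must hold the
    credentials that method needs.
    """
    if sup.allow_swap and auth.allow_swap:
        return SWAP, "authenticator"
    for method in sup.offer_order:
        if method not in auth.server_methods:
            continue
        if method == TTLS and sup.login is None:
            raise ValueError("TTLS offered but no user name/password configured")
        if method == TLS and sup.certificate is None:
            raise ValueError("TLS offered but no certificate installed")
        return method, "authentication server"
    raise ValueError("no mutually supported method; access point cannot join")


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def swap_exchange(secret: bytes, identifier: int = 1,
                  challenge: Optional[bytes] = None) -> Tuple[int, bytes, bytes]:
    """One SWAP (EAP-MD5) round: authenticator sends a challenge, supplicant answers.

    Everything returned travels in the clear; offline_guess below needs nothing else.
    """
    if challenge is None:
        challenge = secrets.token_bytes(16)
    return identifier, challenge, md5_challenge_response(identifier, secret, challenge)


def verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the response under the shared secret."""
    expected = md5_challenge_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def offline_guess(identifier: int, challenge: bytes, response: bytes,
                  wordlist) -> Optional[bytes]:
    """Why SWAP is the weak option: EAP-MD5 gives the supplicant no proof of who
    the authenticator is, and anyone who captured the exchange can test password
    guesses offline at one MD5 each.  TTLS carries the password inside a TLS
    tunnel and TLS uses certificates, so neither puts a password-derived hash
    on the wire."""
    for guess in wordlist:
        if md5_challenge_response(identifier, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    print(select_method(Supplicant(), Authenticator()))            # SWAP by default
    print(select_method(Supplicant(login=("ap-2", "s3cret")),
                        Authenticator(allow_swap=False)))          # falls back to TTLS
    # Constructed exchange with a weak password, then an offline guess against it.
    ident, chal, resp = swap_exchange(b"s3cret", challenge=bytes(range(16)))
    print(verify(ident, b"s3cret", chal, resp),
          offline_guess(ident, chal, resp, [b"admin", b"s3cret"]))
```

Clearing Allow SWAP on the authenticator is the switch that removes the EAP-MD5 path; once it is cleared, every joining access point must hold a TTLS login or a TLS certificate that the authentication server accepts, which is what the ValueError branches in `select_method` enforce.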

When the Access Point Is the Authenticator

If the Allow SWAP check box is cleared, the access point that is acting as the authenticator will not perform any authentications using SWAP. Supplicants will need to authenticate with the authentication server using TTLS or TLS.

However, older access points do not support these authentication methods. If the Allow SWAP check box is checked, the access point that is acting as the authenticator will authenticate any supplicants that offer

Allied Telesis AT-WA7500, page 196