Enterasys Networks 9033900-04

Security

RoamAbout Access Point 3000 Configuration Guide 4-67

Whenyouenable802.1x,youcanalsoenablethebroadcastandsessionkeyrotationintervals.

–BroadcastKeyRefreshRatesetstheintervalatwhichthebroadcastkeysarerefreshedfor

stationsusing802.1xdynamickeying.(Range:0‐1440minutes;Default:0meansdisabled)

–SessionKeyRefreshRatespecifiestheintervalatwhichtheaccesspointrefreshesunicast

sessionkeysforassociatedclients.(Range:0‐1440minutes;Default:0meansdisabled)

–802.1xSessionTimeou tsetsthetimeperiodafterwhichaconnectedclientmustbere‐

authenticated.Duringthere‐authenticationprocessofverifyingtheclient’scredentialson

theRADIUSserver,theclientremainsconnectedtothenetwork.Onlyifre‐authentication

failsisnetworkaccessblocked.Default:60minutes.

•MACAuthenticationconfigureshowtheaccesspointusesMACaddressestoauthorize

wirelessclientstoaccessthenetwork.Thisauthenticationmethodprovidesabasiclevelof

authenticationforwirelessclientsattemptingtogainaccesstothenetwork.Adatabaseof

authorizedMACaddressescanbestoredlocallyontheAccessPoint3000orremotelyona

centralRADIUSserver.(Default:LocalMAC)

–LocalMACindicatesthattheMACaddressoftheassociatingstationiscomparedagainst

thelocaldatabasestoredontheaccesspoint.LocalMACAuthenticationenablesthelocal

databasetobesetup.

–RADIUSMACspecifiesthattheMACaddressoftheassociatingstationissenttoa

configuredRADIUSserverforauthentication.

TouseaRADIUSauthenticationserverforMACaddressauthentication,theaccesspoint

mustbeconfiguredtouseaRADIUSserver,seeRADIUS(page4‐9).

–Disablespecifiesthattheaccesspointdoesnotcheckanassociatingstation’sMACaddress.

IfyouspecifyRADIUSMACforthisdefaultinterfaceorVAP,youmustspecifythefollowing

parameters:

–MACAuthenticationPasswordspecifiestheauthenticationpasswordthisradiointerfaceor

VAPsendstotheRADIUSservertoauthenticateMACaddresses.

–MACAuthenticationSessionTimeou tspecifiestheamountoftimeafterwhichyouwanta

MACauthenticationsessiontotimeoutbetweentheAPandtheRADIUSserver.

IfyouspecifyLocalMACforthisdefaultinterfaceorVAP,youmustspecifyLocalMAC

AuthenticationsettingsthatconfigurethelocalMACauthenticationdatabase.TheMAC

databaseprovidesamechanismtotakecertainactionsbasedonawirelessclient’sMAC

address.YoucanconfigureTheMAClistcanbeconfiguredtoallowordenynetworkaccessto

specificclients.

–SystemDefaultspecifiesadefaultactionforallunknownMACaddresses(thatis,thosenot

listedinthelocalMACdatabase).

‐DenyblocksaccessforallMACaddressesexceptthoselistedinthelocaldatabaseas

“Al l o w ” .

‐AllowpermitsaccessforallMACaddressesexceptthoselistedinthelocaldatabaseas

“Deny”.