Security
RoamAbout Access Point 3000 Configuration Guide 4-67
When you enable 802.1x, you can also enable the broadcast and session key rotation intervals.
– Broadcast Key Refresh Rate sets the interval at which the broadcast keys are refreshed for stations using 802.1x dynamic keying. (Range: 0-1440 minutes; Default: 0 means disabled)
– Session Key Refresh Rate specifies the interval at which the access point refreshes unicast session keys for associated clients. (Range: 0-1440 minutes; Default: 0 means disabled)
– 802.1x Session Timeout sets the time period after which a connected client must be re-authenticated. During the re-authentication process of verifying the client’s credentials on the RADIUS server, the client remains connected to the network. Only if re-authentication fails is network access blocked. Default: 60 minutes.
• MAC Authentication configures how the access point uses MAC addresses to authorize wireless clients to access the network. This authentication method provides a basic level of authentication for wireless clients attempting to gain access to the network. A database of authorized MAC addresses can be stored locally on the Access Point 3000 or remotely on a central RADIUS server. (Default: Local MAC)
– Local MAC indicates that the MAC address of the associating station is compared against the local database stored on the access point. Local MAC Authentication enables the local database to be set up.
– RADIUS MAC specifies that the MAC address of the associating station is sent to a configured RADIUS server for authentication.
To use a RADIUS authentication server for MAC address authentication, the access point must be configured to use a RADIUS server, see RADIUS (page 4-9).
– Disable specifies that the access point does not check an associating station’s MAC address.
If you specify RADIUS MAC for this default interface or VAP, you must specify the following parameters:
– MAC Authentication Password specifies the authentication password this radio interface or VAP sends to the RADIUS server to authenticate MAC addresses.
– MAC Authentication Session Timeout specifies the amount of time after which you want a MAC authentication session to time out between the AP and the RADIUS server.
If you specify Local MAC for this default interface or VAP, you must specify Local MAC Authentication settings that configure the local MAC authentication database. The MAC database provides a mechanism to take certain actions based on a wireless client’s MAC address. The MAC list can be configured to allow or deny network access to specific clients.
– System Default specifies a default action for all unknown MAC addresses (that is, those not listed in the local MAC database).
‐ Deny blocks access for all MAC addresses except those listed in the local database as “Allow”.
‐ Allow permits access for all MAC addresses except those listed in the local database as “Deny”.
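
The System Default and per-address rules described above, modelled as an added Python example (not code from this guide or from the access point firmware). The class and function names and the sample addresses are constructed for illustration; the model shows how the same database yields different decisions under each default and flags entries that have no effect.

```python
import re

def normalize_mac(mac):
    """Reduce common MAC notations (00-11.., 00:11.., 0011.22..) to 12 hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class LocalMacDatabase:
    """Model of the local MAC database: per-address entries plus System Default."""

    def __init__(self, system_default, entries):
        if system_default not in ("allow", "deny"):
            raise ValueError("System Default must be 'allow' or 'deny'")
        self.system_default = system_default
        self.entries = {}
        for mac, action in entries.items():
            if action not in ("allow", "deny"):
                raise ValueError(f"bad action for {mac!r}: {action!r}")
            self.entries[normalize_mac(mac)] = action

    def decide(self, mac):
        """Listed addresses get their own entry; unknown ones get System Default."""
        return self.entries.get(normalize_mac(mac), self.system_default)

    def redundant_entries(self):
        """Entries equal to System Default: they change no decision and can hide
        a database that was written for the opposite default."""
        return sorted(m for m, a in self.entries.items() if a == self.system_default)

# Constructed sample data (locally administered addresses, not from the guide).
SAMPLE_ENTRIES = {"02-00-00-00-00-0A": "allow", "02:00:00:00:00:0b": "deny"}
SAMPLE_STATIONS = ["0200.0000.000a", "02:00:00:00:00:0B", "02:00:00:00:00:0c"]

def evaluate(system_default):
    """Decision for each sample station under the given System Default."""
    db = LocalMacDatabase(system_default, SAMPLE_ENTRIES)
    return [db.decide(mac) for mac in SAMPLE_STATIONS]

if __name__ == "__main__":
    for default in ("deny", "allow"):
        print(default, evaluate(default))
```

With System Default set to Deny the database acts as an allowlist, and only the third (unknown) station changes outcome when the default is switched to Allow.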