Security
The 802.1x EAP packets are also used to pass dynamic unicast session keys and static broadcast keys to wireless clients. Session keys are unique to each client and are used to encrypt and correlate traffic passing between a specific client and the access point. You can also enable broadcast key rotation, so the access point provides a dynamic broadcast key and changes it at a specified interval.
You can enable 802.1x as optionally supported or as required to enhance the security of the wireless network.
–Disable indicates that the access point does not support 802.1x authentication for any wireless client. After successful wireless association with the access point, each client is allowed to access the network.
–Supported indicates that the access point supports 802.1x authentication only for clients initiating the 802.1x authentication process (that is, the access point does not initiate 802.1x authentication). For clients initiating 802.1x, only those successfully authenticated are allowed to access the network. For those clients not initiating 802.1x, access to the network is allowed after successful wireless association with the access point.
–Required indicates that the access point enforces 802.1x authentication for all associated wireless clients. If 802.1x authentication is not initiated by a client, the access point will initiate authentication. Only those clients successfully authenticated with 802.1x are allowed to access the network.
When you enable 802.1x, you can also enable the broadcast and session key rotation intervals.
–Broadcast Key Refresh Rate sets the interval at which the broadcast keys are refreshed for stations using 802.1x dynamic keying. (Range: 0‐1440 minutes; Default: 0 means disabled)
–Session Key Refresh Rate specifies the interval at which the access point refreshes unicast session keys for associated clients. (Range: 0‐1440 minutes; Default: 0 means disabled)
–802.1x Session Timeout sets the time period after which a connected client must be re‐ authenticated. During the re‐authentication process of verifying the client’s credentials on the RADIUS server, the client remains connected to the network. Only if re‐authentication fails is network access blocked. Default: 60 minutes.
•MAC Authentication configures how the access point uses MAC addresses to authorize wireless clients to access the network. This authentication method provides a basic level of authentication for wireless clients attempting to gain access to the network. A database of authorized MAC addresses can be stored locally on the RBT‐4102 or remotely on a central RADIUS server. (Default: Local MAC)
–Local MAC indicates that the MAC address of the associating station is compared against the local database stored on the access point. Local MAC Authentication enables the local database to be set up.
–RADIUS MAC specifies that the MAC address of the associating station is sent to a configured RADIUS server for authentication.
To use a RADIUS authentication server for MAC address authentication, the access point must be configured to use a RADIUS server, see RADIUS (page 4‐11).
–Disable specifies that the access point does not check an associating station’s MAC address.
