User Access Security
Summit 300-48 Switch Software User Guide 85
then extends or denies access as instructed, and passes along configuration information such as VLAN
and priority.
802.1x supports several EAP-class advanced authentication protocols, which differ in the specific
identification types and encryption methods for the authentication:
•EAP-TLS (Transport Layer Security) — Performs mutual authentication using security certificates.
Good for wired and wireless networks
•EAP-TTLS (Tunneled TLS) — Extends TLS flexibility and is compatible with a wide range of
authentication algorithms. Good for wired and wireless networks
•PEAP (protected EAP) — Is compatible with a wide range of authentication algorithms. Good for
wired and wireless networks
802.1x security is compatible with legacy 802.1x and with newer clients that support WPA based 802.1x.
It is possible to configure both versions (legacy and WPA) on the same Summit 300-48 switch port.
When a client associates to the Summit 300-48 switch po rt, it indica tes 802.11 open authent ication. Th en
if 802.1x is enabled on the port, the client is able to associate, and further authentication is performed. If
the authentication is successful, the backend RADIUS server optionally specifies a VLAN tag using
Vendor Specific Attributes in the Access Accept message.
Location Based Authentication
Location-based authentication restricts access to users in specific buildings. The Summit 300-48 switch
sends the user’s location information to the RADIUS server, which then determines whether or not to
permit user access. When you configure a location field, the information is sent out in RADIUS Access
Request packets as a VSA and can be used to enforce location-based policies.
Time-Based Authentication
Time-based authentication restricts access to users to certain dates or times. The Radius server can
determine policies based on the time of day when the Authentication request is received from the
Summit 300-48 switch.
PrivacyPrivacy refers to the protection of user data sent over the network. It is a major concern in wireless
network, since physical security is not possible for data sent over wireless links. While encryption is the
major component of a privacy solution, an effective approach also requires management of encryption
keys, integrity checks to protect against packet tampering, and ability to scale as the network grows.
To isolate all traffic using WEP and help improve the security of the overall network, the Summit 300-48
switch classifies all traffic using shared authentication into a separate WEP VLAN. This VLAN is
configured using a security profile.
Cipher SuitesTable28 lists several cipher suites that standards organizations have iden tified to group security
capabilities under a common umbrella. The Extreme Unified Security Architecture supports or will