
The IEEE 802.1x functionality of the advanced AP is controlled by the security mode (see Section 3.4.2). The advanced AP supports two authentication mechanisms: EAP-MD5 (Message Digest version 5) and EAP-TLS (Transport Layer Security). With EAP-MD5, the user must supply a user name and password for authentication. With EAP-TLS, the wireless client computer automatically presents the user's digital certificate, which is stored on the computer's hard disk or on a smart card. After a successful EAP-TLS authentication, a session key is automatically generated to encrypt wireless packets between the wireless client computer and its associated advanced wireless access point. In summary, EAP-MD5 supports user authentication, while EAP-TLS supports user authentication as well as dynamic encryption key distribution.
Fig. 17. IEEE 802.1x and RADIUS.
An advanced AP supporting IEEE 802.1x can be configured to communicate with two RADIUS servers. When the primary RADIUS server fails to respond, the advanced wireless access point will try to communicate with the secondary RADIUS server. The user can specify the timeout length and the number of retries to attempt against the primary RADIUS server before the access point switches to the secondary RADIUS server.
An IEEE 802.1x-capable advanced wireless access point and its RADIUS server(s) share a secret key so that they can authenticate each other. In addition to its IP address, an advanced wireless access point can identify itself by an NAS (Network Access Server) identifier. Each IEEE 802.1x-capable advanced wireless access point must have a unique NAS identifier.
Fig. 18. IEEE 802.1x/RADIUS settings.
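The shared secret described above never travels on the wire; in standard RADIUS (RFC 2865, with the Message-Authenticator attribute of RFC 2869) each side proves knowledge of it through MD5-based authenticators. The following sketch is an added example, not code from the product or this manual; the secret, user name and NAS identifier are constructed sample values, and the function names are hypothetical.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 32, 80  # RADIUS attribute types

def attr(attr_type, value):
    # Type, Length (covers the 2-byte header), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, user, nas_id, secret, req_auth=None):
    """AP side: Access-Request naming the AP by NAS-Identifier, signed with HMAC-MD5."""
    req_auth = req_auth or os.urandom(16)  # fresh Request Authenticator per request
    attrs = attr(USER_NAME, user) + attr(NAS_IDENTIFIER, nas_id)
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the MAC is computed
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, head + attrs, hashlib.md5).digest()
    return head + attrs[:-16] + mac

def verify_request(packet, secret):
    """Server side: recompute the MAC with the Message-Authenticator value zeroed.
    Assumes it is the last attribute, as build_access_request() emits it."""
    mac = hmac.new(secret, packet[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(mac, packet[-16:])

def build_response(code, request, attrs, secret):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """AP side: accept a reply only if it is bound to this request and the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    req = build_access_request(7, b"alice", b"ap-floor2", secret)
    reply = build_response(ACCESS_ACCEPT, req, b"", secret)
    print("request ok:", verify_request(req, secret))
    print("reply ok:", verify_response(reply, req, secret))
    print("reply with wrong secret:", verify_response(reply, req, b"other-secret"))
```

Because the Response Authenticator covers the Request Authenticator, a reply captured for one request does not verify against another, and a mismatched secret on either device makes every exchange fail verification.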
100-408-01 | Copyright © 2002 Madge Networks. All rights reserved. | Page 15 |