Chapter 2: Network Setup

EAP-TTLS Secure Mesh

The MotoMesh 2.1 architecture provides a set of features designed to help network operators
secure the mesh network. These security features can help to protect the mesh network from
intruders and attackers.

It is important to distinguish between the security provided by the MotoMesh architecture
(Secure Mesh) and the security features provided for standard 802.11 clients (e.g. laptops,
mobile Wi-Fi devices, etc.). Mesh Security applies between all of the mesh-enabled devices
that form the mesh network. 802.11 client security (e.g. WEP, WPA-PSK, etc.) is completely
independent of mesh security and is detailed in the WMS Administrator's Guide.

EAP-TTLS Secure Mesh uses Public Key Infrastructure (PKI) certificates to authenticate the
network infrastructure, a RADIUS server, and a unique user ID and password to uniquely
authenticate each mesh device. EAP mode supports MIC codes and encryption, where
available. EAP mode supports centralized control of per-device authentication credentials by
the RADIUS server, so a compromised device's credentials can be individually revoked
without having to change keys on other devices. Session keys are automatically derived
from the EAP authentication and rolled periodically at a rate controlled by the RADIUS
server. EAP mode is recommended for medium- or large-sized networks or any network that
requires per-device authentication or centralized control over credentials. EAP mode
requires the "R0 Key Holder" (R0KH) service. The R0 Key Holder service acts as a key
cache, speeding up key generation for devices that already have a valid session key from the
RADIUS server, similar to the R0 Key Holder defined for 802.11r. The R0KH service is
included as part of the Linux environment setup.

Secure Mesh can also be configured to use PSK, which eliminates the RADIUS requirement. Please
see the WMS Administrator's Guide for detailed steps.
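The three properties the section attributes to EAP mode (per-device credentials that can be revoked individually, session keys derived from the EAP result and rolled on a server-controlled schedule, and an R0KH cache that spares already-authenticated devices a further RADIUS exchange) are easiest to see in a small model. The following Python is an added illustration, not MotoMesh, RADIUS or R0KH code; the device IDs, passwords, the 600-second key lifetime, the PBKDF2 password storage and the HMAC-based key derivation are all assumptions made for the example, and the fast path omits the possession proof a real key cache would require from the device.

```python
"""Model of the credential-revocation and key-rollover behaviour the text attributes
to EAP-TTLS Secure Mesh.  Added illustration only: this is not MotoMesh, RADIUS or
R0KH code.  Device IDs, passwords, the key lifetime and the HMAC-based derivation
are assumptions made for the example."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000


class RadiusCredentialStore:
    """Stands in for the RADIUS server: one user ID/password per mesh device, plus the
    session-key lifetime the server hands back with a successful authentication."""

    def __init__(self, key_lifetime_s):
        self.key_lifetime_s = key_lifetime_s
        self._users = {}           # device_id -> (salt, pbkdf2 digest)
        self._revoked = set()
        self.round_trips = 0       # full EAP exchanges served (constructed metric)

    def add_device(self, device_id, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[device_id] = (salt, digest)

    def revoke(self, device_id):
        """Revoke one device's credentials; no other device's entry is touched."""
        self._revoked.add(device_id)

    def is_revoked(self, device_id):
        return device_id in self._revoked

    def authenticate(self, device_id, password):
        """Full EAP-TTLS inner authentication.  Returns a fresh master key (standing in
        for the EAP MSK the TLS tunnel would yield) or None on failure."""
        self.round_trips += 1
        entry = self._users.get(device_id)
        if entry is None or self.is_revoked(device_id):
            return None
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        return secrets.token_bytes(32)


class R0KeyHolder:
    """Caches per-device session keys so a device that already holds a valid key does
    not need another RADIUS exchange until its key lifetime expires."""

    def __init__(self, radius):
        self.radius = radius
        self._cache = {}           # device_id -> (session_key, expires_at)

    def session_key(self, device_id, password, now):
        # Fast path: unexpired cached key and credentials not revoked.  (The real
        # protocol gates this path on the device proving it holds the key; omitted.)
        cached = self._cache.get(device_id)
        if cached and now < cached[1] and not self.radius.is_revoked(device_id):
            return cached[0]
        self._cache.pop(device_id, None)

        master = self.radius.authenticate(device_id, password)
        if master is None:
            return None
        # Derive the session key from the EAP result; the label binds the key to this
        # device so two devices never share a key.
        key = hmac.new(master, b"secure-mesh-session|" + device_id.encode(),
                       hashlib.sha256).digest()
        self._cache[device_id] = (key, now + self.radius.key_lifetime_s)
        return key


def demo():
    """Walk through enrolment, a cache hit, single-device revocation and rollover.
    Returns the observations a reader would check."""
    radius = RadiusCredentialStore(key_lifetime_s=600)   # constructed: 10-minute keys
    radius.add_device("iap-01", "constructed-pw-1")
    radius.add_device("iap-02", "constructed-pw-2")
    r0kh = R0KeyHolder(radius)

    k1 = r0kh.session_key("iap-01", "constructed-pw-1", now=0)
    k2 = r0kh.session_key("iap-02", "constructed-pw-2", now=0)
    k1_again = r0kh.session_key("iap-01", "constructed-pw-1", now=300)   # cache hit
    radius.revoke("iap-01")                                              # one device only
    k1_after = r0kh.session_key("iap-01", "constructed-pw-1", now=310)
    k2_after = r0kh.session_key("iap-02", "constructed-pw-2", now=320)
    k2_rolled = r0kh.session_key("iap-02", "constructed-pw-2", now=700)  # lifetime passed
    return {
        "distinct_keys": k1 != k2,
        "cache_hit": k1_again == k1,
        "revoked_denied": k1_after is None,
        "other_device_unaffected": k2_after == k2,
        "rolled": k2_rolled != k2,
        "round_trips": radius.round_trips,
    }
```

Running `demo()` shows the point the section makes: revoking `iap-01` denies only that device, `iap-02` keeps the key it already had, and the cache serves the repeat request at `now=300` without a further RADIUS exchange, while the expired key at `now=700` is rolled by a fresh authentication.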
Network Device Ethernet Interconnectivity
This section describes the Ethernet connectivity of the small system reference design. Please
note the specific ports used, as the software configuration of the equipment assumes the
stated interconnectivity.
Figure 2-2 Ethernet connectivity between network servers and 3750 L3 Switch

Port 1      The One Point Wireless Manager server is connected to Port 1 of the L3 Switch.
Port 2      The RADIUS server is connected to Port 2 of the L3 switch.
Ports 3-4   Ports 3 and 4 on the L3 switch can be used to connect to other network devices, e.g. a gateway router.
Ports 5-24  Ports 5-24 will be used for connections to IAPs.
2-7