Switch Security 6-63

TTLS and MSCHAPv2

PEAP and GTC

PEAP and MSCHAPv2

Apart from EAP authentication, the switch allows enforcement of User based policies. User based policies include dynamic VLAN assignment and access based on time of day.

The switch uses a default trustpoint. A certificate is required for EAP TTLS, PEAP and TLS Radius authentication (configured with the Radius service).

Dynamic VLAN assignment is achieved based on Radius server response. A user who associates to WLAN1 (mapped to VLAN1) can be assigned a different VLAN after authentication with the Radius server. This dynamic VLAN assignment overrides the WLAN's VLAN ID to which the User associates.

NOTE: For a Radius supported VLAN to function properly, the "Dynamic Assignment" checkbox must be enabled for the WLAN supporting the VLAN. For more information, see Editing the WLAN Configuration on page 4-22.

For 802.1x EAP authentication, the switch initiates the authentication process by sending an EAPoL message to the access port only after the wireless client joins the wireless network. The Radius client in the switch processes the EAP messages it receives. It encapsulates them in Radius access requests and sends them to the configured Radius server (in this case the switch’s local Radius server).

The Radius server validates the user’s credentials and the challenge information received in the Radius access request frames. If the user is authorized and authenticated, the Radius server grants the wireless client access by sending a Radius access accept frame. This is transmitted to the wireless client in an EAPoL frame format.
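The encapsulation step described above can be made concrete with the following added example, which is not taken from the manual or the switch firmware. It assumes the standard RFC 3579 layout (EAP-Message and Message-Authenticator attributes); the function names, shared secret and identity are hypothetical, constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                                          # RADIUS code (RFC 2865)
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80   # attribute types (RFC 3579)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1                      # EAP code and type (RFC 3748)

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (2-byte header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def eap_identity_response(eap_id: int, identity: bytes) -> bytes:
    """EAP packet layout: code, identifier, total length, type, type-data."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity

def build_access_request(radius_id, secret, identity, eap, authenticator=None):
    """Wrap an EAP packet in a RADIUS Access-Request (RFC 3579 layout, assumed here)."""
    authenticator = authenticator or os.urandom(16)
    body = attr(USER_NAME, identity)
    # A value holds at most 253 bytes, so a long EAP packet spans several EAP-Message attributes.
    for i in range(0, len(eap), 253):
        body += attr(EAP_MESSAGE, eap[i:i + 253])
    ma_offset = 20 + len(body) + 2          # where the Message-Authenticator value starts
    body += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = bytearray(struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(body)) + authenticator + body)
    # HMAC-MD5 over the whole packet, keyed with the shared secret, with the value field zeroed.
    packet[ma_offset:ma_offset + 16] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def parse_and_verify(packet: bytes, secret: bytes):
    """Return (reassembled EAP packet, True if Message-Authenticator verifies)."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    eap, received, zeroed, pos = b"", None, bytearray(packet), 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        if atype == EAP_MESSAGE:
            eap += packet[pos + 2:pos + alen]
        elif atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = bytes(packet[pos + 2:pos + alen])
            zeroed[pos + 2:pos + alen] = bytes(16)
        pos += alen
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return eap, received is not None and hmac.compare_digest(received, expected)
```

A receiver that treats a missing or failing Message-Authenticator as a hard reject is what keeps a modified access request from being processed as genuine.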

6.9.1.1 User Database

The User Group names and the associated users in each group can be created in the local database. The User ID in the received access request is mapped to the associated wireless group for authentication. The switch supports the creation of 500 users and 100 groups on its local database. Each group can have a maximum of 500 users configured.
