Configuring AAA for Network Users 417

Effects of Authentication Type on Encryption Method

Wireless users who are authenticated on an encrypted service set identifier (SSID) can have their data traffic encrypted by the following methods:

Wi-Fi Protected Access (WPA) encryption

Non-WPA dynamic Wired Equivalent Privacy (WEP) encryption

Non-WPA static WEP encryption

(For encryption details, see “Configuring User Encryption,” on page 191.)

The authentication method you assign to a user determines the encryption available to that user. Users configured for EAP, MAC, Web-based AAA, or last-resort authentication can have their traffic encrypted as follows:

Authentication type            Encryption available to the user
EAP authentication             WPA encryption; dynamic WEP encryption
MAC authentication             Static WEP; no encryption (if SSID is unencrypted)
Last-resort authentication     Static WEP; no encryption (if SSID is unencrypted)
Web-based AAA authentication   Static WEP; no encryption (if SSID is unencrypted)

Wired users are not eligible for the encryption performed on the traffic of wireless users, but they can be authenticated by an EAP method, a MAC address, a Web login page served by the WSS switch, or a last-resort username.

Configuring 802.1X Authentication

The IEEE 802.1X standard is a framework for passing EAP protocols over a wired or wireless LAN. Within this framework, you can use TLS, PEAP, TTLS, or EAP-MD5. Most EAP protocols can be passed through the WSS switch to the RADIUS server. Some protocols can be processed locally on the WSS switch.

The following 802.1X authentication command allows differing authentication treatments for multiple users:

set authentication dot1x {ssid ssid-name | wired} user-wildcard [bonded] protocol method1 [method2] [method3] [method4]

For example, the following command authenticates wireless user Tamara, when she requests SSID wetlands, as an 802.1X user using the PEAP-MS-CHAP-V2 protocol through the server group shorebirds, which contains one or more RADIUS servers:

23x0# set authentication dot1x ssid wetlands Tamara peap-mschapv2 shorebirds

When a user attempts to connect through 802.1X, the following events occur:

1. For each 802.1X login attempt, WSS Software examines each set authentication dot1x command in the configuration file in strict configuration order.

2. The first command whose SSID (or wired) and user wildcard both match the requested SSID and the incoming username is used to process the login. That command alone determines how the login attempt is processed by the WSS switch; later commands that would also have matched are never consulted, so a catch-all wildcard placed before a more specific command makes the specific command unreachable.

(For more information about user wildcards, see “User Wildcards” on page 39.)
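The two-step selection procedure above, as an added example written for this page rather than WSS Software's own code: a small Python model that parses set authentication dot1x commands, picks the first matching one for a login, and flags commands that an earlier command makes unreachable. Only the Tamara / wetlands / peap-mschapv2 / shorebirds command comes from the page; the glob-style wildcard semantics, the pass-through protocol keyword, the server group waders, the wildcard *@example.com, the usernames looked up, and both sample configurations are assumptions constructed for the example.

```python
"""Model of how WSS Software selects a 'set authentication dot1x' command.

Added example, not WSS Software code. Assumptions: user wildcards are glob-like
('*' matches any run of characters, everything else literal, case-sensitive);
'pass-through' is treated as just another protocol keyword; configs are made up.
"""
import fnmatch
import re
from typing import List, NamedTuple, Optional


class Dot1xRule(NamedTuple):
    target: str          # "ssid <name>" or "wired"
    user_wildcard: str   # user-wildcard exactly as written in the command
    bonded: bool
    protocol: str        # e.g. peap-mschapv2
    methods: List[str]   # method1 [method2] [method3] [method4], in order


# Follows the syntax on this page:
# set authentication dot1x {ssid ssid-name | wired} user-wildcard [bonded] protocol method1 [method2] [method3] [method4]
RULE_RE = re.compile(
    r"^set\s+authentication\s+dot1x\s+"
    r"(?P<target>ssid\s+\S+|wired)\s+"
    r"(?P<user>\S+)\s+"
    r"(?:(?P<bonded>bonded)\s+)?"
    r"(?P<protocol>\S+)\s+"
    r"(?P<methods>\S+(?:\s+\S+){0,3})\s*$"   # one to four methods
)


def parse_rules(config: str) -> List[Dot1xRule]:
    """Parse the dot1x commands of a configuration, preserving their order."""
    rules: List[Dot1xRule] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised dot1x authentication command: {line!r}")
        rules.append(Dot1xRule(
            target=" ".join(m.group("target").split()),   # normalise inner whitespace
            user_wildcard=m.group("user"),
            bonded=m.group("bonded") is not None,
            protocol=m.group("protocol"),
            methods=m.group("methods").split(),
        ))
    return rules


def user_matches(wildcard: str, username: str) -> bool:
    """Assumed wildcard semantics: glob-like, '*' matches any run of characters."""
    return fnmatch.fnmatchcase(username, wildcard)


def select_rule(rules: List[Dot1xRule], username: str,
                ssid: Optional[str] = None) -> Optional[Dot1xRule]:
    """Steps 1 and 2 from the page: walk the commands in configuration order and
    return the first whose target and user wildcard both match. ssid=None means
    a wired login. None means no dot1x command applies to this login."""
    target = "wired" if ssid is None else f"ssid {ssid}"
    for rule in rules:
        if rule.target == target and user_matches(rule.user_wildcard, username):
            return rule
    return None


def shadowed_rules(rules: List[Dot1xRule]) -> List[int]:
    """Indexes of commands that can never be selected because an earlier command
    for the same target already matches every username they could match.
    Deliberately conservative: it recognises a catch-all '*', a duplicate
    wildcard, and a literal username covered by an earlier wildcard, so an
    empty result does not prove that no two patterns overlap."""
    shadowed: List[int] = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.target != later.target:
                continue
            if (earlier.user_wildcard == "*"
                    or earlier.user_wildcard == later.user_wildcard
                    or ("*" not in later.user_wildcard
                        and user_matches(earlier.user_wildcard, later.user_wildcard))):
                shadowed.append(i)
                break
    return shadowed


# Constructed sample configurations (not from a real switch). Only the Tamara
# command appears on the page; the other lines are made up for illustration.
GOOD_CONFIG = """
set authentication dot1x ssid wetlands Tamara peap-mschapv2 shorebirds
set authentication dot1x ssid wetlands *@example.com pass-through shorebirds
set authentication dot1x ssid wetlands * pass-through waders
set authentication dot1x wired * bonded pass-through shorebirds
"""

# Same rules with the catch-all placed first: Tamara's specific command is dead.
MISORDERED_CONFIG = """
set authentication dot1x ssid wetlands * pass-through waders
set authentication dot1x ssid wetlands Tamara peap-mschapv2 shorebirds
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("misordered", MISORDERED_CONFIG)):
        rules = parse_rules(cfg)
        chosen = select_rule(rules, "Tamara", ssid="wetlands")
        print(f"{name}: Tamara on wetlands -> {chosen.protocol} via {chosen.methods}; "
              f"unreachable command indexes: {shadowed_rules(rules)}")
```

Running the script shows the point of step 1: in GOOD_CONFIG Tamara is authenticated with peap-mschapv2 through shorebirds, while in MISORDERED_CONFIG the same login is handed to the catch-all command and shadowed_rules reports her command as unreachable. Order the commands from most specific wildcard to least specific, and keep the switch's own wildcard rules (page 39) in mind, since this model only assumes glob-style matching.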

Nortel WLAN Security Switch 2300 Series Configuration Guide
