SMC Networks SMC2552W-G2, SMC2552W-G2-17 Authentication

System Configuration

CLI Commands for SSH – To enable the SSH server, use the ip ssh-server enable

command from the CLI Ethernet interface configuration mode. To set the SSH

server UDP port, use the ip ssh-server port command. To view the current settings,

use the show system command from the CLI Exec mode (not shown in the

following example).

Authentication

Wireless clients can be authenticated for network access by checking their MAC

address against the local database configured on the access point, or by using a

database configured on a central RADIUS server. Alternatively, authentication can

be implemented using the IEEE 802.1X network access con trol protocol.

A client’s MAC address provides relatively weak user authentication, since MAC

addresses can be easily captured and used by another station to break into the

network. Using 802.1X provides more robust user authentication using user names

and passwords or digital certificates. You can configure the access point to use both

MAC address and 802.1X authentication, with client station M AC authentication

occurring prior to IEEE 802.1X authentication. However, it is better to choose one or

the other, as appropriate.

Take note of the following points before configuring MAC address or 802.1X

authentication:

• Use MAC address authentication for a small network with a limited number of

users. MAC addresses can be manually configured on the access point itself

without the need to set up a RADIUS server, but managing a large number of MAC

addresses across many access points is very cumbersome. A RADIU S server can

be used to centrally manage a larger database of user MAC addresses.

• Use IEEE 802.1X authentication for networks with a larger number of users and

where security is the most important issue. When using 802.1X authentication, a

RADIUS server is required in the wired network to centrally manage the credentials

of the wireless clients. It also provides a mechanism for enhanced network security

using dynamic encryption key rotation or W-Fi Protected Access (WPA).

Note: If you configure RADIUS MAC authentication together with 802.1X, RADIUS MAC

address authentication is performed prior to 802.1X authentication. If RADIUS

MAC authentication succeeds, then 802.1X authentication is performed. If

RADIUS MAC authentication fails, 802.1X authentication is not performed.

• The access point can also operate in a 802.1X supplicant mode. Th is enables the

access point itself to be authenticated with a RADIUS server using a configured

MD5 user name and password. This prevents rogue access points from gaining

access to the network.

Enterprise AP(if-ethernet)#no ip telnet-server 7-17

Enterprise AP(if-ethernet)#ip ssh-server enable 7-16

Enterprise AP(if-ethernet)#ip ssh-server port 1124 7-16

Enterprise AP(if-ethernet)#exit

Enterprise AP(if-ethernet)#configure