Management and Configuration Guide (Includes ACM xl) 2005-12

ProCurve Secure Access 700wl Series Management and Configuration Guide 5-17
Configuring Authentication
Note: Clients, access points, and RADIUS servers must all support common EAP methods in order for
the 802.1X/WPA Authentication Service to function properly.
Note: A client connecting to the 700wl Series system is initially identified only by its MAC address. The
MAC address is carried in the RADIUS “Calling-Station-ID” attribute, or the same value may be carried
in the User-Name attribute. If the MAC address is not present in one of these attributes, the client’s
authentication request will be rejected.
Note: Seamless roaming is not supported with the 802.1X/WPA Authentication Service. Clients
roaming from one access point to another will need to log off and log on again.
The built-in RADIUS server runs on the primary Access Control Server in a redundant 700wl Series
system. In the case of a failover, the RADIUS server on the secondary Access Control Server takes over
handling 802.1X/WPA authentication services. Access points may continue communication attempts to
the RADIUS server on the primary Access Control Server until they re-synchronize with the network.
Clients using 802.1X/WPA Authentication Service may experience a delay until the access points re-
synchronize with the network after a failover. Access points in a redundant system should be
configured with both primary and secondary Access Control Servers’ IP addresses.
The built-in RADIUS server can be configured as the 802.1X authentication server or as a proxy server
for remote RADIUS servers.
As the 802.1X authentication server, the built-in RADIUS server supports Lightweight Extensible
Authentication Protocol (LEAP) and Protected Extensible Authentication Protocol (PEAP). Both LEAP
and PEAP use client passwords for authentication. This implementation of PEAP supports MS-
CHAPv2. The built-in RADIUS server uses the built-in database for user validation.
As the RADIUS proxy server, the built-in RADIUS server can manage multiple realms, each with
multiple remote RADIUS servers working in a failover capacity within that realm. The EAP methods
supported in this mode depend on the remote RADIUS server you have deployed. The built-in RADIUS
server, acting as a proxy, forwards requests to the RADIUS server specified by the realm settings. If
there is no response from that RADIUS server, the proxy server forwards the request to the next server
in the realm until a response is received. The proxy server then forwards the response to the access
point, and authentication negotiation continues until an Access-Accept or Access-Reject is received
from the RADIUS server.
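The following Python is an added illustration, not code from the guide or from the 700wl product; it models two rules stated in this section: the MAC-address check from the note above (Calling-Station-ID first, then User-Name, Access-Reject if neither carries a MAC) and the per-realm failover of the proxy. It assumes that the realm is the “@” suffix of User-Name, that a request is a plain dict of attributes, and that `send` stands in for the network call to a remote server.

```python
import re
from typing import Callable, Optional

# Constructed example; the 700wl guide describes behaviour, not an API.
# A RADIUS request is modelled as a dict of attribute name -> string value.
HEX12 = re.compile(r"[0-9A-Fa-f]{12}")


def extract_mac(request: dict) -> Optional[str]:
    """Return the client MAC as 12 lowercase hex digits, or None if absent.
    The guide: the MAC is in Calling-Station-ID, or that value may be in
    User-Name.  Anything that is not a MAC in either attribute counts as absent.
    """
    for attr in ("Calling-Station-ID", "User-Name"):
        value = request.get(attr, "")
        # Strip a "@realm" suffix and the usual separators (00-11-.. / 00:11:..).
        candidate = re.sub(r"[-:.]", "", value.split("@", 1)[0])
        if HEX12.fullmatch(candidate):
            return candidate.lower()
    return None


def realm_of(request: dict, default: str = "default") -> str:
    """Realm = text after the last '@' in User-Name (an assumed convention)."""
    user = request.get("User-Name", "")
    return user.rsplit("@", 1)[1] if "@" in user else default


def proxy_authenticate(request: dict, realms: dict,
                       send: Callable[[str, dict], Optional[str]]):
    """One proxy decision: reject without a MAC, else fail over across servers.

    realms: realm name -> servers in failover order.
    send(server, request): the RADIUS code the server answered, None = timeout.
    Returns (code, reason); code None means no server answered and the proxy
    has nothing to relay (assumption: it stays silent like a real proxy).
    """
    if extract_mac(request) is None:
        return "Access-Reject", "no MAC in Calling-Station-ID or User-Name"
    realm = realm_of(request)
    servers = realms.get(realm, [])
    if not servers:
        return "Access-Reject", f"no servers configured for realm {realm!r}"
    for server in servers:  # next server only when the previous one is silent
        code = send(server, request)
        if code is not None:
            return code, f"relayed from {server}"
    return None, f"every server in realm {realm!r} timed out"
```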
Real IP Support
With 802.1X/WPA, authentication occurs before the client is assigned an IP address, which allows the
following sequences for encrypted clients:
• If the Access Policy’s NAT is set to When Necessary or Never, and L2TP/PPTP encryption is set to
Allowed but not required, then clients authenticating with 802.1X/WPA will get a Real IP address and
will not use encryption.
• If the Access Policy’s NAT is set to Always, and L2TP/PPTP encryption is set to Allowed but not
required, then clients authenticating with 802.1X/WPA will get a NAT’ed IP address and will use
encryption.
For more information on encryption and IP address assignment, see “IP Address Assignment for
Tunneling” on page 7-11.