WESM zl Management and Configuration Guide WT.01.28 and greater
Introduction
ProCurve Wireless Edge Services zl Module
A Wireless Edge Services zl Module supports three types of authentication:
■ 802.1X authentication
■ Web-Auth
■ RADIUS MAC authentication
Alternatively, the Wireless Edge Services zl Module can allow stations to connect
to a WLAN without authenticating formally. In this case, an encryption key usually
acts as a password.
The authentication types are implemented as part of a WLAN’s settings. You can
enable different types of authentication on different WLANs, but each WLAN can
use only one of the three types of authentication.
However, you can also create MAC filters (MAC standard ACLs), which function
as local MAC authentication. You configure these filters globally and then apply them
to a WLAN. The filter is applied in addition to any other authentication you configure
on that WLAN.
802.1X Authentication. 802.1X, an IEEE standard specifically developed to provide
identity-based authentication for users, requires an authenticator to manage the
exchange between a wireless station and an authentication server. The Wireless Edge
Services zl Module acts as this authenticator. When a wireless user attempts to
associate with a WLAN, the module blocks all traffic from the user’s wireless station
until the user authenticates itself to an authentication server (a RADIUS server).
With its internal RADIUS server, the Wireless Edge Services zl Module can also act
as the authentication server.
802.1X relies on Extensible Authentication Protocol (EAP), which comes in several
varieties designed by various product developers. Although the actual process
varies according to the specific method, the basic process is outlined below:
1. A wireless station associates to the WLAN.
2. The Wireless Edge Services zl Module receives the station’s traffic from the RP.
As soon as the association becomes active, the module places the station in a
shutdown status. The module issues an EAP challenge and refuses all traffic
except EAP messages from the station.
3. The station and the authentication server authenticate each other (the exact
process differs, depending on the EAP method they choose).
The Wireless Edge Services zl Module receives the EAP messages from the
wireless station (via the RP) and repackages them as RADIUS messages for the
RADIUS server. Conversely, the module extracts EAP messages for the wireless
station from RADIUS messages from the server.
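
The repackaging described in step 3, shown as an added example that is not taken from the ProCurve guide or the module's firmware. It uses the RFC 3579 encoding (EAP-Message attributes of at most 253 bytes, protected by a Message-Authenticator HMAC-MD5) and covers only the Access-Request direction. The function names, shared secret and EAP payloads are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RFC 2865 / RFC 3579

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def eap_to_access_request(eap, secret, identifier, request_auth):
    """Authenticator side: wrap one EAP packet in a RADIUS Access-Request."""
    # An attribute value holds at most 253 bytes, so long EAP packets are split.
    attrs = b"".join(_attr(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))
    attrs += _attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    packet = bytearray(struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
                       + request_auth + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def access_request_to_eap(packet, secret):
    """Server side: check Message-Authenticator, then reassemble the EAP packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    eap, mac_at, pos = b"", None, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == EAP_MESSAGE:
            eap += packet[pos + 2:pos + attr_len]
        elif attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            mac_at = pos + 2
        pos += attr_len
    if mac_at is None:
        raise ValueError("EAP-Message without Message-Authenticator")
    zeroed = packet[:mac_at] + bytes(16) + packet[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[mac_at:mac_at + 16]):
        raise ValueError("Message-Authenticator mismatch")
    return eap

# Constructed sample data: shared secret, EAP-Response/Identity, and a long EAP payload.
SECRET = b"constructed-shared-secret"
IDENTITY = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"      # code=Response, type=Identity
LONG_EAP = struct.pack("!BBHB", 2, 2, 600, 13) + bytes(595)  # 600-byte stand-in for an EAP-TLS fragment

if __name__ == "__main__":
    req = eap_to_access_request(LONG_EAP, SECRET, 7, os.urandom(16))
    print(len(req), access_request_to_eap(req, SECRET) == LONG_EAP)
```

A reply from the server (Access-Challenge, Access-Accept) is verified the same way, except that the HMAC input carries the Request Authenticator of the matching request in bytes 4 to 19.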