WESM zl Management and Configuration Guide WT.01.XX and greater

1-26
Introduction
ProCurve Wireless Edge Services zl Module
3. The station and the authentication server authenticate each other (the exact process differs, depending on the EAP method they choose). The Wireless Edge Services zl Module receives the EAP messages from the wireless station (via the RP) and repackages them as RADIUS messages for the RADIUS server. Conversely, the module extracts EAP messages for the wireless station from RADIUS messages from the server.
4. If the user sends the correct credentials (which may take various forms, including a digital certificate or a username and password), the RADIUS server sends an authentication acknowledgement.
5. If you have configured the WLAN to use encryption, the authentication process includes generating a per-session encryption key for WEP or a pairwise (per-user) master key (PMK) for WPA. The authentication server passes the key to the Wireless Edge Services zl Module. Automatically generating secure encryption keys is one of the most vital components of 802.1X for wireless networks. For more information about encryption, see “Encryption Options for WLANs” on page 1-32.
6. If your network implements user-based controls—configured, for example, through ProCurve IDM—the RADIUS server sends dynamic settings—such as a VLAN assignment, ACLs, and rate limits—for the station.
Note: Remember, if you are using the Wireless Edge Services zl Module’s internal RADIUS server, the module acts as both the authenticator and the authentication server.
In short, 802.1X provides robust authentication as well as dynamic key management, and, if you want, support for dynamic, user-based settings.
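Step 3 above describes the authenticator's relay role: EAP frames from the station are carried to the RADIUS server inside RADIUS attributes, and EAP frames from the server are unpacked for the station. The following is an added example (not code from the guide or from the ProCurve module) that shows what that repackaging looks like on the wire per RFC 3579: an EAP packet is split into consecutive EAP-Message attributes of at most 253 bytes, and every RADIUS packet carrying EAP-Message also carries a Message-Authenticator, an HMAC-MD5 over the whole packet keyed with the shared secret, so that a receiver can reject forged or tampered EAP relays. The shared secret, identifier and identity string are constructed sample values.

```python
"""EAP-in-RADIUS relay helpers (authenticator side), added example.

RFC 3579: EAP packets ride in one or more EAP-Message attributes (type 79),
in order, each value at most 253 bytes. A RADIUS packet that carries
EAP-Message must also carry Message-Authenticator (type 80): HMAC-MD5 over
the entire packet, keyed with the shared secret, computed with the
Message-Authenticator value itself set to sixteen zero bytes.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
HEADER_LEN = 20        # code(1) identifier(1) length(2) authenticator(16)
MAX_ATTR_VALUE = 253   # one-byte attribute length also covers the 2-byte TLV header


def tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute (Type, Length, Value)."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_to_attributes(eap_packet: bytes) -> bytes:
    """Fragment an EAP packet into consecutive EAP-Message attributes."""
    return b"".join(tlv(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap_packet), MAX_ATTR_VALUE))


def iter_attributes(packet: bytes):
    """Yield (type, offset_of_value, value) for each attribute in a RADIUS packet."""
    off = HEADER_LEN
    while off < len(packet):
        attr_type, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, off + 2, packet[off + 2:off + length]
        off += length


def build_access_request(secret: bytes, identifier: int, user_name: str,
                         eap_packet: bytes, request_authenticator: bytes = None) -> bytes:
    """Wrap an EAP packet from the station into a RADIUS Access-Request."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)  # fresh per request
    attrs = (tlv(ATTR_USER_NAME, user_name.encode())
             + tlv(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + eap_to_attributes(eap_packet)
             + tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder, filled below
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator was appended last


def verify_message_authenticator(secret: bytes, packet: bytes,
                                 request_authenticator: bytes = None) -> bool:
    """Check Message-Authenticator. For server replies (Challenge/Accept/Reject)
    the HMAC is computed over the header with the *Request* Authenticator in
    place of the reply's own authenticator, so the caller passes it in."""
    for attr_type, value_off, value in iter_attributes(packet):
        if attr_type != ATTR_MESSAGE_AUTHENTICATOR:
            continue
        if len(value) != 16:
            return False
        zeroed = packet[:value_off] + bytes(16) + packet[value_off + 16:]
        if request_authenticator is not None:
            zeroed = zeroed[:4] + request_authenticator + zeroed[HEADER_LEN:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        return hmac.compare_digest(expected, value)
    return False  # EAP-Message without Message-Authenticator must be discarded


def extract_eap(packet: bytes):
    """Reassemble the EAP packet carried in a RADIUS packet (the reverse direction)."""
    chunks = [v for t, _, v in iter_attributes(packet) if t == ATTR_EAP_MESSAGE]
    if not chunks:
        return None
    eap = b"".join(chunks)
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("EAP length field does not match reassembled data")
    return eap


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP-Response/Identity: Code 2, Identifier, Length, Type 1, identity data."""
    body = b"\x01" + identity
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body
```

The relay never interprets the EAP payload; it only fragments, authenticates and reassembles, which is why the EAP method negotiated in step 3 can change without touching the authenticator. A receiver that sees EAP-Message without a valid Message-Authenticator should drop the packet silently rather than pass the EAP on.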
Web-Auth. The Wireless Edge Services zl Module can also provide Web-Auth for stations that do not support 802.1X authentication. In this case, the module confines unauthenticated wireless users’ access to a list of allowed IP addresses. The module forces a user to authenticate by redirecting all nonapproved traffic to a login page on a Web server.
Because the Wireless Edge Services zl Module handles all background processes (such as forwarding requests to DHCP, RADIUS, and DNS servers), the allow list only needs to include the IP address of the Web server that stores the pages that guide the user through the authentication process.
You can even opt to maintain the Web pages on the Wireless Edge Services zl Module itself to secure your organization’s Web server. In this case, the allow list can be completely empty.
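The Web-Auth behaviour described above is a pre-authentication traffic policy: DHCP, DNS and RADIUS are handled by the module on the station's behalf, destinations on the allow list pass, other Web traffic is redirected to the login page, and everything else is blocked. The following added example (not code from the guide or from the module) models that policy so the allow-list semantics can be checked, including the case where the login pages live on the module itself and the allow list is empty. The IP addresses, ports and the `Flow` record are constructed for illustration; the module's real implementation is not described at this level of detail.

```python
"""Pre-authentication traffic policy for a Web-Auth WLAN (added example).

Decisions for a not-yet-authenticated station:
  forward   - DHCP/DNS (the module relays these itself), the login-page host,
              and any IP on the allow list
  redirect  - other plain HTTP, answered with a 302 to the login page
  drop      - everything else
Once the station has authenticated, all traffic is forwarded.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import quote, urlsplit

DHCP_SERVER_PORT = 67
DNS_PORT = 53
HTTP_PORT = 80


@dataclass(frozen=True)
class Flow:
    """Minimal 5-tuple plus HTTP details for a packet from a wireless station."""
    dst_ip: str
    proto: str          # "tcp" or "udp"
    dst_port: int
    http_host: str = ""
    http_path: str = "/"


def decide(flow: Flow, allow_list, login_url: str, authenticated: bool) -> str:
    """Return "forward", "redirect" or "drop" for one flow."""
    if authenticated:
        return "forward"
    # Background services the module forwards for the station.
    if flow.proto == "udp" and flow.dst_port in (DHCP_SERVER_PORT, DNS_PORT):
        return "forward"
    dst = ip_address(flow.dst_ip)
    # The host serving the login page is always reachable; when the pages are
    # hosted on the module itself this is the module's own address and the
    # allow list can be empty.
    login_host = urlsplit(login_url).hostname
    if login_host and dst == ip_address(login_host):
        return "forward"
    if dst in {ip_address(a) for a in allow_list}:
        return "forward"
    if flow.proto == "tcp" and flow.dst_port == HTTP_PORT:
        return "redirect"
    return "drop"


def redirect_response(flow: Flow, login_url: str) -> str:
    """HTTP 302 that sends the browser to the login page, carrying the URL the
    user originally requested so the portal can return them to it afterwards."""
    original = f"http://{flow.http_host}{flow.http_path}"
    location = f"{login_url}?orig={quote(original, safe='')}"
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {location}\r\n"
            "Cache-Control: no-store\r\n"
            "Content-Length: 0\r\n"
            "Connection: close\r\n\r\n")
```

Two properties are worth checking against any captive-portal configuration: with a dedicated login server, only that server's address needs to be on the allow list; with the pages hosted on the module, an empty allow list still lets the login flow complete while every other pre-authentication destination is redirected or dropped.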