User's Manual

39
IEEE 802.1x, a user has to submit his or her user name and password, or a digital certificate, to the backend RADIUS server via EAPOL (Extensible Authentication Protocol over LAN). The RADIUS server can record accounting information, such as when a user logs on to and off from the wireless LAN, for monitoring or billing purposes.
The IEEE 802.1x functionality of the access point is controlled by the security mode (see Section 3.5.2.1). Currently the wireless access point supports two authentication mechanisms: EAP-MD5 (Message Digest version 5) and EAP-TLS (Transport Layer Security). With EAP-MD5, the user has to give his or her user name and password for authentication. With EAP-TLS, the wireless client computer automatically presents the user's digital certificate, stored on the computer's hard disk or on a smart card, for authentication. After a successful EAP-TLS authentication, a session key is automatically generated to encrypt wireless packets between the wireless client computer and its associated wireless access point. To sum up, EAP-MD5 supports only user authentication, while EAP-TLS supports user authentication as well as dynamic encryption key distribution.
[Figure: an IEEE 802.1x-compliant wireless client authenticates through a wireless AP to a RADIUS server backed by a user database, reached across the Internet; the user authentication path runs from client to AP to RADIUS server.]
Fig. 52. IEEE 802.1x and RADIUS.
An access point supporting IEEE 802.1x can be configured to communicate with two RADIUS servers. When the primary RADIUS server fails to respond, the wireless access point tries the secondary RADIUS server. You can specify the timeout length and the number of retries the access point makes against the primary RADIUS server before it falls back to the secondary RADIUS server.
An IEEE 802.1x-capable wireless access point and its RADIUS server(s) share a secret key so that they can authenticate each other. In addition to its IP address, a wireless access point can identify itself by a NAS (Network Access Server) identifier. Each IEEE 802.1x-capable wireless access point must have a unique NAS identifier.
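The two mechanisms described above (primary/secondary RADIUS failover with a timeout and retry count, and the shared secret plus NAS identifier that let the access point and server authenticate each other) can be shown in one piece of RADIUS client logic. This is an added example, not code from the manual or the access point's firmware; the server names, user name, NAS identifier and shared secret are constructed values, and the `send` callback stands in for the real UDP transport.

```python
"""RADIUS (RFC 2865) client behaviour of an 802.1x access point: identify itself by
NAS-IP-Address and NAS-Identifier, verify each reply with the shared secret, and fall
back from the primary to the secondary server after `retries` timeouts."""
import hashlib
import hmac
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32   # RFC 2865 attribute types


def encode_attrs(attrs):
    # Each attribute is Type (1 byte), Length (1 byte, header included), Value.
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_access_request(ident, req_auth, user, nas_ip, nas_id):
    # req_auth is the 16-byte random Request Authenticator chosen by the access point.
    attrs = encode_attrs([(USER_NAME, user.encode()),
                          (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
                          (NAS_IDENTIFIER, nas_id.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code, request, secret, attrs=b""):
    # Server side (simulated): ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret).
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(resp, request, secret):
    # The access point recomputes the Response Authenticator with its copy of the shared
    # secret; a reply from a host that does not hold the secret fails this check.
    if len(resp) < 20 or resp[1] != request[1]:
        return False
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def query_with_failover(servers, request, secret, timeout, retries, send):
    """servers: list of (host, port), primary first. send(server, packet, timeout)
    returns the reply bytes or None on timeout. Returns (server, reply) or (None, None)."""
    for server in servers:
        for _attempt in range(retries + 1):
            resp = send(server, request, timeout)
            if resp is None:
                continue                       # no answer within timeout: retry
            if response_is_authentic(resp, request, secret):
                return server, resp
            # Bad authenticator: RFC 2865 says silently discard, so treat as no answer.
    return None, None
```

Only the access point that shares the secret with the server can pass `response_is_authentic`, which is why the manual stresses that the shared secret and a unique NAS identifier are configured on both sides.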