User's Manual

USER GUIDE
AUTHENTICATION
The authentication process begins with one of two local authentication procedures and may
optionally include a remote authentication for additional security. A pre-authentication MAC
address filter (Access Control List) can be used to prevent devices from attempting
authentication, but it is difficult to manage at scale, and MAC address substitution is supported
on almost all wireless network interface cards (NICs).
Local authentication choices are open or shared key. Open system implies that any device may
successfully authenticate after exchanging some basic information. Shared key requires that the
device know the same static encryption keys as the Access Point. When the AP receives an
authentication request from the device, it sends an unencrypted data message as a challenge. The
device is required to encrypt the message with the known (shared) key and send it back to the
Access Point. If the AP is able to correctly decipher the encrypted message, the device is
considered to have passed the local authentication process. Since an eavesdropper could intercept
both the unencrypted and the encrypted message and derive the pseudorandom key stream from
them, this authentication method is considered less secure than open system: an open system with
encryption enabled does not perform this challenge exchange and still denies communication to
devices that don't know the correct key (they can't decipher the data).
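The key-stream exposure described above, shown with a simulation that is added here and is not part of the manual (the cipher is a hash-based stand-in for WEP's RC4, the 128-byte challenge length and the 3-byte IV follow the 802.11 shared-key exchange, and all keys and values are constructed):

```python
import hashlib
import os


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy stream-cipher keystream derived from IV||key.

    Stand-in for WEP's RC4 (this is NOT RC4); the point is only that the
    same key and IV always produce the same keystream bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def station_response(shared_key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Station encrypts the AP's clear-text challenge with the shared key."""
    return xor(challenge, keystream(shared_key, iv, len(challenge)))


def ap_verifies(shared_key: bytes, iv: bytes, challenge: bytes, response: bytes) -> bool:
    """AP deciphers the response and accepts only if it matches the challenge it sent."""
    return xor(response, keystream(shared_key, iv, len(response))) == challenge


def eavesdropper_keystream(challenge: bytes, response: bytes) -> bytes:
    """Passive observer: plaintext XOR ciphertext is the keystream used with that IV,
    obtained without ever knowing the shared key."""
    return xor(challenge, response)


def run_shared_key_auth(shared_key: bytes, iv: bytes = b"", challenge: bytes = b""):
    """Run one exchange; return (AP accepted?, observer recovered the keystream?)."""
    iv = iv or os.urandom(3)              # WEP IV is 24 bits
    challenge = challenge or os.urandom(128)  # 802.11 shared-key challenge is 128 bytes
    response = station_response(shared_key, iv, challenge)
    accepted = ap_verifies(shared_key, iv, challenge, response)
    leaked = eavesdropper_keystream(challenge, response)
    return accepted, leaked == keystream(shared_key, iv, len(challenge))


if __name__ == "__main__":
    print(run_shared_key_auth(b"constructed-key"))  # (True, True)
```

Both values come back True: the AP accepts the device, and the observer now holds as many keystream bytes for that IV as the challenge was long. With open system authentication no such plaintext/ciphertext pair is ever transmitted, which is the reason the text prefers it when encryption is enabled.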
Remote authentication provides additional network security by allowing credentials-based
checks (username/password, certificate, smart card, etc.) to validate a device or user beyond a
shared key.
Remote Authentication Protocol (figure): Device --EAP--> Access Point --RADIUS (EAP encapsulation)--> RADIUS or AAA server
The remote authentication process begins after the device has locally authenticated and
associated to the AP. The 5 typical EAP types are (in order of growing strength) MD5, LEAP,
TLS, TTLS and PEAP. The EAP exchange occurs unencrypted but not unprotected, and the Access
Point should only allow EAP traffic between the device and the network during this process. If
remote authentication fails five times, the Access Point disassociates the device to prevent
prolonged attacks (the device can associate again later). Authentications in which a
username/password is exchanged are more secure because the user, and not the device, is
authenticated (a device could be stolen).
The Access Point translates some of the information contained in the EAP packet and generates a
RADIUS packet (with EAP encapsulation) to the RADIUS server. Credential information on the
wire between the RADIUS server and the AP is protected by the RADIUS shared secret, which is
used to hash the contents of the RADIUS exchange. The RADIUS server must have an entry for
both the client (the access point) and the device (the user), or it will fail the request.
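How the shared secret protects the EAP encapsulation, as an added example (not the manual's or the product's code): the AP wraps the EAP frame in a RADIUS Access-Request with EAP-Message (attribute 79) and a Message-Authenticator (attribute 80, HMAC-MD5 keyed by the secret, RFC 3579), and the server recomputes it before trusting the contents; the reply's Response Authenticator is the RFC 2865 MD5 over the packet plus the secret. The secret, identifier, NAS name, EAP identity and request authenticator below are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("value too long for a single attribute")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_packet(code: int, identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes)) + authenticator + attributes


def parse_attributes(packet: bytes):
    """Yield (type, offset, value) for each attribute following the header."""
    pos = HEADER_LEN
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield atype, pos, packet[pos + 2:pos + alen]
        pos += alen


def ap_encapsulate_eap(secret: bytes, identifier: int, request_auth: bytes,
                       username: bytes, nas_id: bytes, eap_frame: bytes) -> bytes:
    """AP side: wrap the EAP frame in an Access-Request and sign it with the shared secret."""
    attrs = (attr(ATTR_USER_NAME, username) + attr(ATTR_NAS_IDENTIFIER, nas_id)
             + attr(ATTR_EAP_MESSAGE, eap_frame))
    # HMAC-MD5 is computed over the whole packet with the Message-Authenticator value zeroed
    unsigned = build_packet(ACCESS_REQUEST, identifier, request_auth,
                            attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return build_packet(ACCESS_REQUEST, identifier, request_auth,
                        attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac))


def server_verify(secret: bytes, packet: bytes) -> bool:
    """Server side: check the Message-Authenticator before looking at the EAP-Message."""
    for atype, pos, value in parse_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    # RFC 3579: an Access-Request carrying EAP-Message without Message-Authenticator is rejected
    return False


def response_authenticator(secret: bytes, code: int, identifier: int,
                           request_auth: bytes, attributes: bytes) -> bytes:
    """Authenticator of the server's reply: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def demo():
    """Return (valid packet accepted?, tampered packet accepted?, wrong secret accepted?)."""
    secret = b"constructed-radius-secret"                       # shared by AP and server
    request_auth = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; random in practice
    identity = b"user@example.com"
    # Constructed EAP-Response/Identity frame: Code=2 Id=1 Length Type=1 Identity
    eap_frame = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    packet = ap_encapsulate_eap(secret, 7, request_auth, identity, b"ap-01", eap_frame)
    tampered = packet.replace(b"user@", b"abcd@")  # same length, different identity
    return (server_verify(secret, packet),
            server_verify(secret, tampered),
            server_verify(b"wrong-secret", packet))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The server entry for the client that the text mentions is what supplies the secret on the server side; a request from an AP whose secret does not match, or whose contents were altered in transit, fails the check and the EAP payload is never processed.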