Security
4-84 Advanced Configuration
The 802.1x EAP packets are also used to pass dynamic unicast session keys and static broadcast keys to wireless clients. Session keys are unique to each client and are used to encrypt and correlate traffic passing between a specific client and the access point. You can also enable broadcast key rotation, so the access point provides a dynamic broadcast key and changes it at a specified interval.
You can enable 802.1x as optionally supported or as required to enhance the security of the wireless network.
– Disable indicates that the access point does not support 802.1x authentication for any wireless client. After successful wireless association with the access point, each client is allowed to access the network.
– Supported indicates that the access point supports 802.1x authentication only for clients initiating the 802.1x authentication process (that is, the access point does not initiate 802.1x authentication). For clients initiating 802.1x, only those successfully authenticated are allowed to access the network. For those clients not initiating 802.1x, access to the network is allowed after successful wireless association with the access point.
– Required indicates that the access point enforces 802.1x authentication for all associated wireless clients. If 802.1x authentication is not initiated by a client, the access point will initiate authentication. Only those clients successfully authenticated with 802.1x are allowed to access the network.
When you enable 802.1x, you can also enable the broadcast and session key rotation intervals.
– Broadcast Key Refresh Rate sets the interval at which the broadcast keys are refreshed for stations using 802.1x dynamic keying. (Range: 0‐1440 minutes; Default: 0 means disabled)
– Session Key Refresh Rate specifies the interval at which the access point refreshes unicast session keys for associated clients. (Range: 0‐1440 minutes; Default: 0 means disabled)
– 802.1x Session Timeout sets the time period after which a connected client must be re‐authenticated. During the re‐authentication process of verifying the client’s credentials on the RADIUS server, the client remains connected to the network. Only if re‐authentication fails is network access blocked. Default: 60 minutes.
• MAC Authentication configures how the access point uses MAC addresses to authorize wireless clients to access the network. This authentication method provides a basic level of authentication for wireless clients attempting to gain access to the network. A database of authorized MAC addresses can be stored locally on the RBT‐4102 or remotely on a central RADIUS server. (Default: Local MAC)
– Local MAC indicates that the MAC address of the associating station is compared against the local database stored on the access point. Local MAC Authentication enables the local database to be set up.
– RADIUS MAC specifies that the MAC address of the associating station is sent to a configured RADIUS server for authentication.
To use a RADIUS authentication server for MAC address authentication, the access point must be configured to use a RADIUS server, see RADIUS (page 4‐11).
– Disable specifies that the access point does not check an associating station’s MAC address.
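
The settings above can be checked mechanically before a profile is deployed. The following is an added example, not part of the manual or the device's software: it audits one profile against the behaviour described on this page. The dictionary keys (dot1x, broadcast_key_refresh, session_key_refresh, mac_auth, radius_server) and the sample profiles are hypothetical names constructed for illustration, not the access point's real configuration syntax.

```python
# Added example: audit one access point profile against the behaviour this
# manual page describes. Keys are hypothetical names for the page's settings.

RANGE_MINUTES = range(0, 1441)  # page: Range 0-1440 minutes, 0 means disabled


def audit_ap_security(cfg):
    """Return a list of (setting, finding) tuples for one AP profile."""
    findings = []
    mode = cfg.get("dot1x", "disable")
    if mode not in ("disable", "supported", "required"):
        findings.append(("dot1x", f"unknown mode {mode!r}"))
    elif mode == "disable":
        findings.append(("dot1x", "no 802.1x: every associated client gets access"))
    elif mode == "supported":
        findings.append(("dot1x", "clients that never start 802.1x still get access"))

    # The refresh intervals only apply once 802.1x is enabled.
    for key in ("broadcast_key_refresh", "session_key_refresh"):
        value = cfg.get(key, 0)  # page default: 0 (disabled)
        if value not in RANGE_MINUTES:
            findings.append((key, f"{value!r} is outside 0-1440 minutes"))
        elif mode != "disable" and value == 0:
            findings.append((key, "0 leaves the refresh interval disabled"))

    mac = cfg.get("mac_auth", "local")  # page default: Local MAC
    if mac not in ("local", "radius", "disable"):
        findings.append(("mac_auth", f"unknown mode {mac!r}"))
    elif mac == "disable":
        findings.append(("mac_auth", "station MAC addresses are not checked"))
    elif mac == "radius" and not cfg.get("radius_server"):
        findings.append(("mac_auth", "RADIUS MAC selected, no RADIUS server set"))
    return findings


# Constructed sample profiles (not taken from any real device).
SAMPLE_WEAK = {"dot1x": "supported", "session_key_refresh": 0,
               "broadcast_key_refresh": 2000, "mac_auth": "radius"}
SAMPLE_STRICT = {"dot1x": "required", "session_key_refresh": 30,
                 "broadcast_key_refresh": 30, "mac_auth": "radius",
                 "radius_server": "radius.example.net"}

if __name__ == "__main__":
    for name, finding in audit_ap_security(SAMPLE_WEAK):
        print(f"{name}: {finding}")
```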