User guide

Odyssey Access Client User Guide
802.1X Authentication
When preconfigured WEP keys are used, it is the wireless client PC that is
authenticated to the network. With 802.1X, it is the user who is authenticated to the
network with the user credentials, which might be a password, a certificate, SIM
(Subscriber Identity Module) card, or a token card. Moreover, the keys used for data
encryption are generated dynamically. The authentication is not performed by the
access point, but rather by a central server. If this server uses the RADIUS protocol,
it is called a RADIUS server.
With 802.1X, a user can log in to the network from any PC and many access points
can share a single RADIUS server to perform the authentication. This makes it
much easier for the network administrator to control access to the network.
Extensible Authentication Protocol
802.1X uses the Extensible Authentication Protocol (EAP) to perform
authentication. EAP is not an authentication mechanism but rather a common
framework for transporting actual authentication protocols. The advantage of EAP is
that the basic EAP mechanism does not have to be altered as new authentication
protocols are developed.
OAC supports a number of EAP protocols, enabling a network administrator to
choose the protocols that work best for a particular network.
The newer EAP protocols have an additional advantage. They can dynamically
generate the WEP, TKIP, or AES keys that are used to encrypt data between the
client and the access point. Dynamically created keys have an advantage over
preconfigured keys because their lifetimes are much shorter. Known cryptographic
attacks against WEP can be thwarted by reducing the length of time that an
encryption key remains in use. Furthermore, encryption keys generated using EAP
protocols are generated on a per-user and per-session basis. The keys are not
shared among users, as they must be with preconfigured keys or preshared
passphrases.
OAC offers a number of EAP authentication methods, including the following:
EAP-TTLS (tunneled transport layer security)
EAP-PEAP (protected EAP)
EAP-TLS (transport layer security)
EAP-FAST (flexible authentication via secure tunneling)
EAP-JUAC (an inner EAP protocol for connecting to an Infranet Controller)
EAP-POTP (protected one-time password)
EAP-SIM and EAP-AKA (authentication and key agreement)
EAP-LEAP (lightweight EAP)
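As an added illustration of the EAP framing described above (example code written for this guide, not part of OAC or the Odyssey documentation): the fixed outer EAP header defined in RFC 3748 carries any inner method, the type numbers for the methods listed above are their IANA assignments, and the Response/Nak is how peer and server settle on a method without changing EAP itself. EAP-JUAC is omitted because its vendor-specific type code is not given on this page.

```python
# Minimal RFC 3748 EAP header encoder/decoder (added example, not OAC code).
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK = 1, 3          # type 254 (Expanded) carries vendor methods
METHOD_NAMES = {13: "EAP-TLS", 17: "EAP-LEAP", 18: "EAP-SIM", 21: "EAP-TTLS",
                23: "EAP-AKA", 25: "EAP-PEAP", 32: "EAP-POTP", 43: "EAP-FAST"}

def build_eap(code, identifier, method_type=None, data=b""):
    """Encode Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data]."""
    body = b"" if method_type is None else bytes([method_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap(packet):
    """Decode one EAP packet; the Length field is checked against the buffer
    before any method payload is touched, so a short or lying frame is rejected."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError(f"Length field {length} inconsistent with {len(packet)} bytes")
    result = {"code": code, "id": identifier}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response must carry a Type byte")
        result["type"] = packet[4]
        result["data"] = packet[5:length]            # method-specific payload
        result["method"] = METHOD_NAMES.get(packet[4], f"type {packet[4]}")
    return result

def is_well_formed(packet):
    try:
        parse_eap(packet)
        return True
    except ValueError:
        return False

def build_nak(identifier, preferred_types):
    """Peer side: a Response/Nak lists the method types the peer will accept."""
    return build_eap(EAP_RESPONSE, identifier, TYPE_NAK, bytes(preferred_types))

def choose_method(nak_packet, server_offers):
    """Server side: first method in the server's own priority order that the peer listed."""
    nak = parse_eap(nak_packet)
    if nak["code"] != EAP_RESPONSE or nak["type"] != TYPE_NAK:
        raise ValueError("not a Response/Nak")
    return next((t for t in server_offers if t in nak["data"]), None)
```

A server that first offers EAP-TLS (13) to a peer holding only a password would receive a Nak naming, say, EAP-TTLS and EAP-PEAP, and then pick whichever of those sits highest in its own policy list.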