DWS-1008 User’s Manual
D-Link Systems, Inc.
Managing Keys and Certicates
2. Inside the switch’s digital certificate is the switch’s public key, which the wireless client
uses to encrypt a pre-master secret.
3. The wireless client then sends the encrypted pre-master secret back to the switch. Only the
switch, which holds the private key matching the certificate, can decrypt it. Both the switch
and the client then derive session keys from the pre-master secret for secure authentication
and wireless session encryption.
Clients authenticated by PEAP need a certificate on the switch only when the switch performs
PEAP locally, not when EAP processing takes place on a RADIUS server.
About Keys and Certicates
Public-private key pairs, digital signatures, and digital certificates let the switch and its
clients establish session keys dynamically, so that data can be encrypted and delivered securely.
You can generate the key pairs and certificates on the switch itself, or install certificates on
the switch after enrolling with a certificate authority (CA). The switch can generate key pairs,
self-signed certificates, and Certificate Signing Requests (CSRs), and can install key pairs,
server certificates, and certificates issued by a CA.
When the switch needs to communicate with an 802.1X client, MSS requests a private key
from the switch’s certificate and key store:
• If no private key is in the certificate and key store, the switch does not respond to
the request from MSS. If a private key is present, MSS requests the certificate that
corresponds to that key.
• If the certificate in the store is self-signed, the switch responds to the request from
MSS. If the certificate is not self-signed, the switch looks for the certificate of the
CA that issued the server certificate and uses it to validate the server certificate.
• If the switch has no corresponding CA certificate, it does not respond to the request
from MSS. If it has the corresponding CA certificate and the server certificate
validates (its validity period has not expired and the CA’s signature verifies), the
switch responds.
If the switch does not respond to the request from MSS, authentication fails and the client
is denied access.
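The key-store contents described above (key pair, CSR, self-signed certificate, CA-issued certificate) and the response rules MSS applies to them, as an added example that is not part of this manual and not D-Link code. It builds a throwaway store with the openssl command line and walks each rule the way an operator could on a workstation before loading material onto the switch. The file names, the scratch directory in WORK, the example CA names and the `switch_responds` and `make_keystore` functions are all assumptions for illustration. Two checks go slightly beyond the manual's wording: the certificate's public key is compared with the private key (what "corresponding certificate" means in practice), and an optional evaluation time simulates the "date still valid" test against a certificate that has expired.

```shell
#!/bin/sh
# Added example, not from the DWS-1008 manual or D-Link: model the switch's certificate and
# key store with openssl files and apply the manual's "respond / do not respond" rules.
set -eu

# Scratch directory for the hypothetical key store (assumption: any writable temp dir).
WORK="${WORK:-$(mktemp -d)}"

# Build what the manual says the switch can generate or install: a key pair, a CSR,
# a self-signed certificate, a CA-issued certificate, plus an unrelated CA for the
# "no corresponding CA certificate" case. File names and subjects are made up.
make_keystore() {
  ( cd "$WORK"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out switch.key 2>/dev/null
    openssl req -new -key switch.key -subj "/CN=dws-1008.example.net" -out switch.csr
    openssl req -x509 -new -key switch.key -days 30 \
        -subj "/CN=dws-1008.example.net" -out selfsigned.crt
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
    openssl req -x509 -new -key ca.key -days 365 -subj "/CN=Example Enrollment CA" -out ca.crt
    openssl x509 -req -in switch.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -out casigned.crt 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key 2>/dev/null
    openssl req -x509 -new -key other.key -days 365 -subj "/CN=Unrelated CA" -out other-ca.crt
  )
}

# switch_responds KEY CERT CAFILE [EPOCH]
# Walks the manual's decision list. Exit 0 = the switch would answer MSS, 1 = it would not
# (authentication fails). EPOCH, if given, is the time at which validity is judged.
switch_responds() {
  key="$1"; cert="$2"; ca="${3:-}"; attime="${4:-}"
  # 1. No private key in the store: no response.
  [ -s "$key" ] || { echo "no private key in store: no response"; return 1; }
  # 2. Private key present: MSS asks for the *corresponding* certificate, i.e. one whose
  #    public key matches the private key.
  [ -s "$cert" ] || { echo "no certificate in store: no response"; return 1; }
  keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  certpub=$(openssl x509 -in "$cert" -noout -pubkey)
  [ "$keypub" = "$certpub" ] || { echo "certificate does not match private key: no response"; return 1; }
  # 3. Self-signed (issuer equals subject): respond without consulting any CA certificate.
  subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
  if [ "$subj" = "$iss" ]; then
    echo "self-signed certificate: respond"; return 0
  fi
  # 4. CA-issued: the issuing CA's certificate must be in the store ...
  [ -s "$ca" ] || { echo "CA-issued certificate but no CA certificate in store: no response"; return 1; }
  # ... and must validate the server certificate (validity period and signature).
  if [ -n "$attime" ]; then
    set -- -CAfile "$ca" -attime "$attime" "$cert"
  else
    set -- -CAfile "$ca" "$cert"
  fi
  if openssl verify "$@" >/dev/null 2>&1; then
    echo "server certificate validated against CA certificate: respond"; return 0
  fi
  echo "server certificate failed validation (expired or signature mismatch): no response"
  return 1
}

# Walk every case from the manual's list plus the two practical checks.
demo() {
  make_keystore
  later=$(( $(date +%s) + 60 * 86400 ))   # 60 days out: past the 30-day server certificates
  for case in \
      "selfsigned  switch.key  selfsigned.crt ca.crt" \
      "ca-issued   switch.key  casigned.crt   ca.crt" \
      "no-key      missing.key casigned.crt   ca.crt" \
      "no-ca-cert  switch.key  casigned.crt   missing-ca.crt" \
      "wrong-ca    switch.key  casigned.crt   other-ca.crt" \
      "wrong-key   ca.key      casigned.crt   ca.crt"; do
    set -- $case
    printf '%-12s ' "$1"
    switch_responds "$WORK/$2" "$WORK/$3" "$WORK/$4" || true
  done
  printf '%-12s ' "expired"
  switch_responds "$WORK/switch.key" "$WORK/casigned.crt" "$WORK/ca.crt" "$later" || true
}

demo
```

Run it with sh; each `switch_responds` line prints which rule fired and exits 0 where the switch would respond and 1 where it would stay silent. The same `openssl verify -CAfile` command, pointed at the CA certificate actually installed on the switch, is a quick way to confirm that a CA-issued server certificate will validate before you load it.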
For EAP (802.1X) users, the public-private key pairs and digital certificates can instead be
stored on a RADIUS server. In that case the switch operates as a pass-through authenticator
and does not need a certificate of its own.