Manualshelf

Concept Guide

ManualsBrandsDell ManualsAccess PlatformsW-Series 207 Access Points
151152153154155156157158159160
159 | Authentication and User Management Dell Networking W-Series Instant 6.4.3.1-4.2.0.0 | User Guide
Authentication Termination on W-IAP
W-IAPs support EAP termination for enterprise WLANSSIDs. The EAP termination can reduce the number of
exchange packets between the W-IAP and the authentication servers. Instant allows Extensible Authentication
Protocol (EAP) termination for Protected Extensible Authentication Protocol (PEAP)-Generic Token Card (PEAP-
GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Authentication Protocol version 2
(PEAP-MSCHAV2). PEAP-GTC termination allows authorization against an Lightweight Directory Access Protocol
(LDAP) server and external RADIUS server while PEAP-MSCHAV2 allows authorization against an external
RADIUS server.
This allows the users to run PEAP-GTC termination with their username and password to a local Microsoft
Active Directory server with LDAP authentication.
l EAP-Generic Token Card (GTC)— This EAP method permits the transfer of unencrypted usernames and
passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecureID and
the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user
credentials on the W-IAP to an external authentication server for user data backup.
l EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2) This EAP method is widely
supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.
Configuring Authentication Servers
This section describes the following procedures:
l Configuring an External Server for Authentication on page 164
l Enabling RADIUS Communication over TLS on page 169
l Configuring Dynamic RADIUSProxy Parameters on page 171
Supported Authentication Servers
Based on the security requirements, you can configure internal or external authenticationservers. This section
describes the types of servers that can be configured for client authentication:
l Internal RADIUS Server on page 159
l External RADIUS Server on page 160
l Dynamic Load Balancing between Two Authentication Servers on page 164
In 6.4.0.2-4.1 release, you can configure TACACS+ server for authenticating management users. For more
information, on management users and TACACS+ server based authentication, see Configuring Authentication
Parameters for Management Users .
Internal RADIUS Server
Each W-IAP has an instance of free RADIUS server operating locally. When you enable the internal RADIUS
server option for the network, the client on the W-IAP sends a RADIUS packet to the local IP address. The
internal RADIUS server listens and replies to the RADIUS packet. Instant serves as a RADIUS server for 802.1X
authentication. However, the internal RADIUS server can also be configured as a backup RADIUS server for an
external RADIUS server.