Concept Guide
146 | Authentication and User Management Dell Networking W-Series Instant 6.5.1.0-4.3.1.0 | User Guide
To use the W-IAP’s internal database for user authentication, add the usernames and passwords of the users to
be authenticated.
Dell does not recommend the use of LEAP authentication, because it does not provide any resistance to
network attacks.
Authentication Termination on W-IAP
W-IAPs support EAP termination for enterprise WLAN SSIDs. EAP termination can reduce the number of
packets exchanged between the W-IAP and the authentication servers. Instant allows Extensible Authentication
Protocol (EAP) termination for Protected Extensible Authentication Protocol-Generic Token Card (PEAP-GTC)
and Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol
version 2 (PEAP-MS-CHAPv2). PEAP-GTC termination allows authorization against a Lightweight Directory Access
Protocol (LDAP) server and an external RADIUS server, while PEAP-MS-CHAPv2 allows authorization against an
external RADIUS server.
This allows users to run PEAP-GTC termination with their username and password against a local Microsoft
Active Directory (MAD) server with LDAP authentication.
• EAP-Generic Token Card (GTC)—This EAP method permits the transfer of unencrypted usernames and
passwords from the client to the server. The main uses for EAP-GTC are one-time token cards
such as SecurID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching
of user credentials on the W-IAP to an external authentication server for user data backup.
• EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)—This EAP method is widely
supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.
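The following added example (not part of the Dell guide or the Instant software) audits the outer EAP method seen in captured EAP packets, flagging LEAP, which the guide advises against, and EAP-GTC seen without a PEAP wrapper, since GTC itself sends credentials unencrypted. The function names, finding texts and sample packets are assumptions made for illustration; methods running inside a PEAP tunnel are encrypted and are not visible to this check.

```python
import struct

# EAP method numbers from the IANA EAP registry (RFC 3748 and later).
EAP_METHODS = {1: "Identity", 3: "Nak", 6: "GTC", 13: "EAP-TLS",
               17: "LEAP", 25: "PEAP", 26: "MS-CHAPv2"}
# Findings tied to statements in the guide; the wording is this example's own.
FLAGGED = {"LEAP": "LEAP offered; the guide advises against LEAP",
           "GTC": "EAP-GTC outside a PEAP tunnel; credentials are unencrypted"}

def parse_eap(frame: bytes):
    """Return (code, identifier, method name or None) for one EAP packet."""
    if len(frame) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if not 4 <= length <= len(frame):
        raise ValueError("length field does not match the captured bytes")
    if code in (3, 4):                 # Success and Failure carry no Type byte
        return code, ident, None
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    return code, ident, EAP_METHODS.get(frame[4], f"type-{frame[4]}")

def audit(frames):
    """Return (frame index, finding) pairs for a list of outer EAP packets."""
    findings = []
    for i, frame in enumerate(frames):
        try:
            method = parse_eap(frame)[2]
        except ValueError as exc:
            findings.append((i, f"malformed: {exc}"))
            continue
        if method in FLAGGED:
            findings.append((i, FLAGGED[method]))
    return findings

def build(code, ident, method, data=b""):
    # Helper for the constructed samples: header, Type byte, then type data.
    return struct.pack("!BBHB", code, ident, 5 + len(data), method) + data

# Constructed sample packets, not taken from a real capture.
SAMPLE = [
    build(2, 1, 1, b"alice"),          # Response/Identity
    build(1, 2, 25, b"\x20"),          # Request/PEAP (start flag)
    build(1, 3, 17, b"\x01\x00\x08"),  # Request/LEAP
    build(2, 4, 6, b"example-otp"),    # Response/GTC with no PEAP wrapper
    b"\x01\x05\x00\x20\x19",           # header claims 32 bytes, 5 captured
    struct.pack("!BBH", 3, 6, 4),      # Success
]
if __name__ == "__main__":
    for index, finding in audit(SAMPLE):
        print(index, finding)
```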
Configuring Authentication Servers
This section describes the following procedures:
• Configuring an External Server for Authentication on page 151
• Enabling RADIUS Communication over TLS on page 156
• Configuring Dynamic RADIUS Proxy Parameters on page 158
Supported Authentication Servers
Based on the security requirements, you can configure internal or external authentication servers. This section
describes the types of servers that can be configured for client authentication:
• Internal RADIUS Server on page 146
• External RADIUS Server on page 147
• Dynamic Load Balancing between Two Authentication Servers on page 151
Starting with the Instant 6.4.0.2-4.1 release, you can configure a TACACS+ server for authenticating management
users. For more information on management users and TACACS+ server-based authentication, see Configuring
Authentication Parameters for Management Users.
Internal RADIUS Server
Each W-IAP has an instance of free RADIUS server operating locally. When you enable the internal RADIUS
server option for the network, the client on the W-IAP sends a RADIUS packet to the local IP address. The
internal RADIUS server listens and replies to the RADIUS packet. Instant serves as a RADIUS server for 802.1X
authentication. However, the internal RADIUS server can also be configured as a backup RADIUS server for an
external RADIUS server.