Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRBT-4102

111

112

113

114

115

116

117

118

119

120

Security

4-84 Advanced Configuration

The802.1xEAPpacketsarealsousedtopassdynamicunicastsessionkeysandstatic

broadcastkeystowirelessclients.Sessionkeysareuniquetoeachclientandareusedto

encryptandcorrelatetrafficpassingbetweenaspecificclientandtheaccesspoint.Youcan

alsoenablebroadcastkeyrotation,

sotheaccesspointprovidesadynamicbroadcastkeyand

changesitataspecifiedinterval.

Youcanenable802.1xasoptionallysupportedorasrequiredtoenhancethesecurityofthe

wirelessnetwork.

– Disableindicatesthattheaccesspointdoesnotsupport802.1xauthenticati onforany

wirelessclient.After

successfulwirelessassociationwiththeaccesspoint,eachclientis

allowedtoaccessthenetwork.

– Supportedindicatesthattheaccesspointsupports802.1xauthenticationonlyforclients

initiatingthe802.1xauthenticationprocess(thatis,theaccesspointdoesnotinitiate

802.1xauthenticati on).Forclientsinitiating802.1x,onlythosesuccessfullyauthenticated

are

allowedtoaccessthenetwork.Forthoseclientsnotinitia ting802.1x,accesstothe

networkisallowedaftersuccessfulwirelessassociationwiththeaccesspoint.

– Requiredindicatesthattheaccesspointenforces802.1xauthenticationforallassociated

wirelessclients.If802.1xauthenticationisnotinitiatedbyaclient,theaccess

pointwill

initiateauthentication.Onlythoseclientssuccessfullyauthenticatedwith802.1xare

allowedtoaccessthenetwork.

Whenyouenable802.1x,youcanalsoenablethebroadcastandsessionkeyrotationintervals.

– BroadcastKeyRefreshRatesetstheintervalatwhichthebroadcastkeysarerefreshedfor

stationsusing802.1xdynamic

keying.(Range:0‐1440minutes;Default:0meansdisabled)

– SessionKeyRefreshRatespecifiestheintervalatwhichtheaccesspointrefreshesunicast

sessionkeysforassociatedclients.(Range:0‐1440minutes;Default:0meansdisabled)

– 802.1xSessionTimeoutsetsthetimeperiodafterwhichaconnectedclientmustbere

‐

authenticated.Duringthere‐authenticationprocessofverifyingtheclient’scredentialson

theRADIUSserver,theclientremainsconnectedtothenetwork.Onlyifre‐authentication

failsisnetworkaccessblocked.Default:60minutes.

• MACAuthenticationconfigureshowtheaccesspointusesMACaddressestoauthorize

wirelessclientstoaccess

thenetwork.Thisauthenticationmethodprovidesabasiclevelof

authenticationforwirelessclientsattemptingtogainaccesstothenetwork.A databaseof

authorizedMACaddressescanbestoredlocal ly ontheRBT‐4102orremotelyonacentral

RADIUSserver.(Default:LocalMAC)

– LocalMACindicatesthattheMAC

addressoftheassociatingstationiscomparedagainst

thelocaldatabasestoredontheaccesspoint.LocalMACAuthenticationenablesthelocal

databasetobesetup.

– RADIUSMACspecifiesthattheMA Caddressoftheassociatingstationissenttoa

configuredRADIUSserverforauthentication. 

Tousea

RADIUSauthenticationserverforMACaddressauthentication,theaccesspoint

mustbeconfiguredtouseaRADIUSserver,seeRADIUS(page4‐11).

– Disablespecifiesthattheaccesspointdoesnotcheckanassociatingstation’sMACaddress.