User`s guide

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout 3000

Configuration

2-8 Planning and Managing Your Wireless Network

Foreachserviceyouwanttoprovide,youconfigurethefollowingitemsinaserviceprofile:

•TheSSIDname

•SSIDadvertisement(whethertheSSIDnameisbeaconed)

•WhethertheSSIDnameisencryptedorclear(notencrypted)

•Webpage(ifusingWebAAA)

•Multipleencryptionchoices(Dynamic/staticWEP,WPA,WEP+WPA,802.11i)

Theencryption

youusedependsonthetypeofservicesyouareoffering.Employeeaccessis

typicallyencrypted,guestaccessistypicallyclear(noencryption),andmulti‐hostor“multiple

virtualizedservices”servicecanbeencrypted,witheachSSIDbeingmatchedwithitsownservice

profile.Ifservicesarebeingusedfor

customercorporateentities(e.g.differentairlinesonan

airportwirelessnet),thentheywouldprobablyuse802.1Xandstrongencryptionwithwebguest

accessfortheirairportclubguests.Iftheservicesarebeingusedtoadvertisemultiplewireless

serviceproviders(WISP),suchasT‐Mobile

,Wayport®, andBoingoWireless

,thenthese

serviceswouldprobablybecompletelyopen.However,theywouldlikelybeassignedtotheir

owndedicatedsubnetcontainingtheirproxyserver/billinggateway.

AAA Security Configuration

Anadministratorcancontrolthewayinwhichusersaccessthenetwork.Foreachserviceyou

provide,youcanconfigureuniqueauthentication,authorization,andaccounting(AAA)security

features,creatinganentirelyvirtualizedwirelessservice.Foreachservice,youconfigurethe

followingitems:

•Multipleauthenticationchoices(802.1X,Web,AAA,MACauthentication,Bonded

Auth,

open)

•AAAmethods(uptofourRADIUSservergroups,oralocaldatabaseontheRoamAbout

switch)

Authentication

Authenticationisthemethodofdeterminingwhetherauserisallowedaccesstoyournetwork.

UserscanbeauthenticatedbyaRADIUSserver(pass‐through)orbytheRoamAboutswitchlocal

database(local).TheRoamAboutswi tch canalsoassisttheRADIUSserverbyperformingthe

ExtensibleAuthenticationProtocol(EAP)p rocessingfor

theserver(offload).

Toauthenticateusers,youwillneedtoconfigureuserseitherinthelocaldatabaseoronRADIUS

servers.Eachuserwillhaveausername,password,andRADIUSand/orvendor‐specificattributes

(VSAs).Youwillalsoneedtoconfigureauthenticationrules(802.1X,MAC,last‐resort,orweb

authentication).

Figure 2‐

4onpage 2‐9showsaflowchartrepresentingtheauthenticationprocess.Generally,

802.1Xauthenticationisattemptedfirst.Iftheuserfails,thenMACauthenticationisattempted.If

thisfails,thenlastresortandwebauthenticationisused.Foraserviceprofile,youspecifyeither

webauthentication,last‐resort,ornonein

theauth‐fall‐thrubox.Youcanonlyselectone.

Note: You also must configure AAA security configuration items for each service. For more

information, see “AAA Security Configuration” on page 2-8.