Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

331

332

333

334

335

336

337

338

339

340

About Keys and Certificates

16-2 Managing Keys and Certificates

Wireless Security through TLS

Inthecaseofwirelessorwiredauthentication802.1Xuserswhoseauthenticationisperformedby

theRoamAboutswitch,thefirststageofanyEAPtransactionisTr ansportLayerSecurity(TLS)

authenticationandencryption.RoamAboutSwitchManagerandWebViewalsorequireasession

totheRoamAboutswitchthatisauthenticatedand

encryptedbyTLS.OnceaTLSsessionis

authenticated,itisencrypted.

TLSallowstheclienttoauthenticatetheRoamAboutswitch(andoptionallyallowsthe

RoamAboutswitchtoauthenticatethe client)throughtheuseofdigitalsignatures.Digital

signaturesrequireapublic‐privatekeypair.Thesignatureiscreatedwitha

privatekeyand

verifiedwithapublic key.TLSenablessecurekeyexchange.

PEAP-MS-CHAP-V2 Security

PEAPperformsaTLSexchangeforserverauthenticationandallowsasecondarya uthenti cationto

beperformedinsidetheresultingsecurechannelforclientauthentication.Forexample,the

MicrosoftChallengeHandshakeAuthenticationProtocolversion 2(MS‐CHAP ‐V2)performs

mutualMS‐CHAP‐V2authenticationinsideanencryptedTLSchannelestablishedbyPEAP.

1. To

formtheencryptedTLSchannel,theRoamAboutswitchmusthaveadigitalcertificateand

mustsendthatcertificatetothewirelessclient.

2. InsidetheRoamAboutswitch’sdigitalcertificateistheRoamAboutswitch’spublickey,which

thewirelessclientusestoencryptapre‐mastersecretkey.

3. Thewirelessclientthensends

thekeybacktotheRoamAboutswitchsothatboththe

RoamAboutswitchandtheclientcanderiveakeyfromthispre‐mastersecretforsecure

authenticationandwirelesssessionencryption.

ClientsauthenticatedbyPEAPneedacertificateintheRoamAboutswitchonlywhentheswitch

performsPEAPlocally,

notwhenEAPprocessingtakesplaceonaRADIUSserver.(Fordetails

aboutauthenticationoptions,seeChapter 17,ConfiguringAAAforNetworkUsers.)

About Keys and Certificates

Public‐privatekeypairsanddigitalsignaturesandcertificatesallowkeystobegenerated

dynamicallysothatdatacan besecurelyencryptedanddelivered.Yougeneratethekeypairsand

certificatesontheRoamAboutswitchorinstallthemontheswitchafterenrollingwithacertificate

authority(CA).TheRoamAboutswitch

cangeneratekeypairs,self‐signedcertificates,and

CertificateSigningRequests(CSR s),andcaninstallkeypairs,servercertificates,andcertificates

generatedbyaCA.

WhentheRoamAboutswitchneedstocommunicatewithRoamAboutSwitchManager,Web

View,oran802.1XorWebAAAclient,MSSrequestsaprivat ekeyfromthe

switch’scertificateand

keystore:

•IfnoprivatekeyisavailableintheRoamAboutswitch’scertificateandkeystore,theswitch

doesnotrespondtotherequestfromMSS.Iftheswitchdoeshaveaprivatekeyinitskey

store,MSSrequestsacorrespondingcertificate.

Note: The RoamAbout switch uses separate server certificates for Admin, EAP (802.1X), and

Web AAA authentication. Where applicable, the manuals refer to these server certificates as Admin,

EAP (or 802.1X), or Web AAA certificates respectively.