User guide
WM Access Domain Services (WM-AD)
Summit WM Series WLAN Switch and Altitude Access Point Software Version 4.1 User Guide
● Extensible Authentication Protocol with Tunneled Transport Layer Security (EAP-TTLS) – Relies
on mutual authentication of client and server through an encrypted tunnel. Unlike EAP-TLS, it
requires only server-side certificates. The client uses PAP, CHAP, or MS-CHAPv2 for authentication.
● Protected Extensible Authentication Protocol (PEAP) – An authentication protocol similar to TTLS
in its use of server-side certificates for server authentication and privacy, and in its support for a
variety of user authentication mechanisms.
For 802.1x, the RADIUS server must support RADIUS extensions (RFC 2869).
Until the access-accept is received from the RADIUS server for a specific user, the user is kept in an
unauthenticated state. 802.1x rules dictate that no packets other than EAP are allowed to traverse
between the AP and the Summit WM series switch until authentication completes. Once authentication
is completed (access-accept is received), the user's client is allowed to proceed with IP services,
which typically means requesting an IP address via DHCP. Defining a specific filter ID is optional.
If a specific filter ID is not defined or returned by the access-accept operation, the Summit WM
series switch assigns the WM-AD's default filter for authenticated users.
NOTE
The Summit WM series switch assigns the device's IP address only after the client requests one.
Both Captive Portal and AAA (802.1x) authentication mechanisms in the Summit WM series switch, access
points, and WLAN switch software rely on a RADIUS server on the enterprise network. You can
identify and prioritize up to three RADIUS servers on the Summit WM series switch. In the event of a
failover of the active RADIUS server, the Summit WM series switch polls the other servers in the list
for a response. Once an alternate RADIUS server is found, it becomes the active RADIUS server until
either it also fails or the administrator redefines another.
Filtering for a WM-AD
The WM-AD capability provides a way to apply policy so that different groups of users receive
different network access. This is accomplished by packet filtering.
After setting authentication, define the filtering rules for the filters that apply to your network and the
WM-AD you are setting up. Several filter types are applied by the Summit WM series switch:
● Exception filter – Protects access to a system's own interfaces, including the WM-AD's own interface.
WM-AD exception filters are applied to user traffic intended for the Summit WM series switch's own
interface point on the WM-AD. These filters are applied after the user's specific WM-AD
state-assigned filters.
● Non-authenticated filter with filtering rules that apply before authentication – Controls network
access and directs users to a Captive Portal Web page for login.
● Group filters, by filter ID, for designated user groups – Control access to certain areas of the
network, with values that match the values defined for the RADIUS filter ID attribute.
● Default filter – Controls access if there is no matching filter ID for a user.
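
The filter selection described in the list above and in the 802.1x paragraph earlier can be modelled as follows. This is an added example, not code from the product or this guide; the filter names, the sample sessions, and the assumption that a filter ID must match a group filter name exactly (including case) are constructed for illustration. It also lists authenticated users who end up on the default filter, which is a useful check when RADIUS filter ID values and WM-AD group filters are maintained separately.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed filter names; a real WM-AD defines its own.
NON_AUTH, DEFAULT, EXCEPTION = "non-authenticated", "default", "exception"


@dataclass
class Session:
    user: str
    authenticated: bool = False       # True once access-accept is received
    filter_id: Optional[str] = None   # RADIUS filter ID from access-accept, if any


def state_filter(session, group_filters):
    """Pick the state-assigned filter for a session, as the text describes."""
    if not session.authenticated:
        return NON_AUTH
    if session.filter_id in group_filters:   # assumption: exact string match
        return session.filter_id
    # No filter ID defined or returned, or no matching group filter.
    return DEFAULT


def filter_chain(session, group_filters, to_switch_interface):
    """Filters in the order applied; the exception filter follows the state filter."""
    chain = [state_filter(session, group_filters)]
    if to_switch_interface:
        chain.append(EXCEPTION)
    return chain


def audit_fallbacks(sessions, group_filters):
    """Authenticated users who land on the default filter, with the reason."""
    report = {}
    for s in sessions:
        if s.authenticated and state_filter(s, group_filters) == DEFAULT:
            report[s.user] = ("no filter ID returned" if s.filter_id is None
                              else f"unknown filter ID {s.filter_id!r}")
    return report


# Constructed sample data: group filters on the WM-AD and RADIUS results.
GROUP_FILTERS = {"staff", "contractors"}
SESSIONS = [Session("alice", True, "staff"), Session("bob", True, "Staff"),
            Session("carol", True, None), Session("dave", False)]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s.user, filter_chain(s, GROUP_FILTERS, to_switch_interface=False))
    print(audit_fallbacks(SESSIONS, GROUP_FILTERS))
```

Because any authenticated user without a matching filter ID receives the default filter, the audit output shows which accounts depend on how restrictive that default is.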