Installation guide

Overview
1-24
802.1x EAP
802.1x EAP is the most secure authentication mechanism for wireless networks and includes EAP-TLS,
EAP-TTLS and PEAP. The switch acts as a proxy for Radius packets. An MU completes a full 802.11
authentication and association and begins transferring data frames. The switch recognizes that the MU still
needs to authenticate with a Radius server and denies any traffic that is not Radius related. Once Radius
completes its authentication process, the MU is allowed to send other data traffic. Use either the onboard
Radius server or an external Radius server for authentication purposes. For information on configuring EAP
for a target WLAN, see Configuring 802.1x EAP on page 4-33.
MAC ACL
The MAC ACL feature is essentially a dynamic MAC ACL: MUs are allowed or denied access to the network
based on their configuration on the Radius server. The switch allows 802.11 authentication and association,
then checks with the Radius server to see whether the MAC address is allowed on the network. The Radius
packet uses the MAC address of the MU as both the username and the password (the Radius server must be
configured to expect the same). MAC-Auth supports all encryption types, and (in the case of 802.11i) the
handshake is allowed to complete before the Radius lookup begins. For information on configuring MAC ACL
for a target WLAN, see Configuring MAC Authentication on page 4-43.
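The MAC-Auth exchange described above, as an added example that is not part of the original guide or the switch's own code: it builds the Radius Access-Request the switch would send (the MU's MAC as both User-Name and User-Password, with the password hidden as RFC 2865 requires) and shows the check a Radius server performs on it. The MAC string format and the Calling-Station-Id attribute are assumptions made for illustration; the exact format the switch sends and the server expects depends on their configuration.

```python
import hashlib
import os
import struct
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31   # RFC 2865 attribute types

def encode_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def decode_user_password(cipher, secret, authenticator):
    """Inverse of encode_user_password; the Radius server runs this before comparing."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")
def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value  # length includes the 2-byte header

def build_mac_auth_request(mac, secret, identifier=0, authenticator=None):
    """Access-Request as the switch sends it for MAC-Auth: MAC as User-Name and User-Password."""
    authenticator = authenticator or os.urandom(16)   # 16 random bytes; fixed only in tests
    ident = mac.encode()                               # constructed sample MAC string format
    attrs = (attr(USER_NAME, ident)
             + attr(USER_PASSWORD, encode_user_password(ident, secret, authenticator))
             + attr(CALLING_STATION_ID, ident))       # assumption: the switch also sends the MAC here
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Walk the TLV attribute list that follows the 20-byte Radius header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def server_accepts(packet, secret, allowed_macs):
    """Server-side check: decoded password must equal User-Name, and that MAC must be on the allow list."""
    a = parse_attributes(packet)
    pw = decode_user_password(a[USER_PASSWORD], secret, packet[4:20])
    return pw == a[USER_NAME] and pw.decode(errors="replace").upper() in allowed_macs
```

Because the "password" is the MU's own MAC address, which is transmitted in the clear in every 802.11 frame, MAC-Auth is an access filter rather than authentication in the 802.1x EAP sense; treat it as a supplement to encryption and EAP, not a replacement.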
1.2.5.3 Secure Beacon
All the devices in a wireless network use Service Set Identifiers (SSIDs) to communicate. An SSID is a text
string up to 32 bytes long. An AP in the network announces its status by using beacons. To prevent others
from accessing the network, the most basic security measure is to change the default SSID to one that is
not easily recognizable and to disable broadcasting of the SSID.
The SSID is a code attached to all packets on a wireless network to identify each packet as part of that
network. All wireless devices attempting to communicate with each other must share the same SSID. Apart
from identifying each packet, the SSID also serves to uniquely identify a group of wireless network devices
used in a given service set.
1.2.5.4 MU to MU Allow
MU to MU allow enables frames from one MU (where the destination MAC is that of another MU) to be
switched to the second MU. This feature can be disabled to restrict MUs from passing network credentials to
one another.
1.2.5.5 MU to MU Disallow
Use MU to MU Disallow to restrict MU to MU communication within a WLAN. The default is ‘no’, which
allows MUs to exchange packets with other MUs. It does not prevent MUs on other WLANs from sending
packets to this WLAN; to block that, enable MU to MU Disallow on the other WLAN as well.
1.2.5.6 Switch-to-Wired
MU frames are switched out to the wired network (out of the switch). Another upstream device decides
whether the frame should be sent back to the second MU; if so, it sends the frame back to the switch, where
it is switched out just like any other frame on the wire. This allows the drop/allow decision to be made by a
device other than the wireless switch.
1.2.5.7 802.1x Authentication
802.1x Authentication cannot be disabled (it is always enabled). A factory-delivered, out-of-the-box
AP300 supports 802.1x authentication using a default username and password. EAP-MD5 is used for 802.1x.