User Manual
Advanced Configuration
• EAP-Transport Layer Security (TLS): Certificate-based authentication (a certificate is required on the server and
each client); supports automatic key distribution
• EAP-Tunneled Transport Layer Security (TTLS): Certificate-based authentication (a certificate is required on the
server; a client’s username/password is tunneled to the server over a secure connection); supports automatic key
distribution
• PEAP - Protected EAP with MS-CHAP v2: Secure username/password-based authentication; supports automatic
key distribution
Different servers support different EAP types and each EAP type provides different features. Refer to the
documentation that came with your RADIUS server to determine which EAP types it supports.
NOTE
The AP-600 supports the following EAP types when 802.1x Security Mode is set to 802.1x: EAP-TLS, PEAP,
and EAP-TTLS. When 802.1x Security Mode is set to Mixed, the AP-600 supports the following EAP types:
EAP-TLS, PEAP, EAP-TTLS, and EAP-MD5 (MD5 does not support automatic key distribution; therefore, if
you choose this method you need to manually configure each client with the network’s encryption key).
Authentication Process
There are three main components in the authentication process. The standard refers to them as:
1. supplicant (client PC)
2. authenticator (Access Point)
3. authentication server (RADIUS server)
When using 802.1x Security Mode or Mixed mode (802.1x and WEP), you need to configure your RADIUS server for
authentication purposes.
Prior to successful authentication, an unauthenticated client PC cannot send any data traffic through the AP-600
device to other systems on the LAN. The AP-600 inhibits all data traffic from a particular client PC until the client PC is
authenticated. Regardless of its authentication status, a client PC can always exchange 802.1x messages in the clear
with the AP-600 (the client begins encrypting data after it has been authenticated).
Figure 4-17 RADIUS Authentication Illustrated
The AP-600 acts as a pass-through device to facilitate communications between the client PC and the RADIUS server.
The AP-600 and the client exchange 802.1x messages using the EAPOL (EAP Over LAN) protocol. Messages sent
from the client station are encapsulated by the AP-600 and transmitted to the RADIUS server using EAP extensions.
When the AP-600 receives a reply EAP packet from the RADIUS server, it typically translates the message back to
the EAPOL format and forwards it to the client. Negotiations take place between the client and the RADIUS server.
After the client has been successfully authenticated, the client receives an Encryption Key from the AP-600 (if the
EAP type supports automatic key distribution). The client uses this key to encrypt data after it has been authenticated.
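The pass-through step described above, as an added example (not code from the AP-600 manual or firmware): it unwraps an EAPOL frame from a client and re-encapsulates the EAP packet in a RADIUS Access-Request using the EAP-Message and Message-Authenticator attributes of RFC 3579, then shows the integrity check the server side performs. The function names, the sample frame, the identity "alice" and the shared secret are constructed for illustration; a real authenticator uses a random Request Authenticator.

```python
import hashlib, hmac, struct

EAPOL_EAP_PACKET = 0                  # EAPOL packet type that carries an EAP packet
EAP_RESPONSE, EAP_IDENTITY = 2, 1     # EAP code and EAP type values
ACCESS_REQUEST = 1                    # RADIUS packet code
USER_NAME, EAP_MESSAGE, MSG_AUTH = 1, 79, 80   # RADIUS attribute types

def eapol_to_eap(frame: bytes) -> bytes:
    """Strip the 4-byte EAPOL header and return the validated EAP packet."""
    if len(frame) < 8:
        raise ValueError("frame too short for EAPOL + EAP headers")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet")
    eap = frame[4:4 + length]         # ignores any link-layer padding after the body
    if length < 4 or len(eap) != length or struct.unpack("!H", eap[2:4])[0] != length:
        raise ValueError("EAPOL/EAP length fields disagree with frame")
    return eap

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def build_access_request(eap: bytes, secret: bytes, ident: int, req_auth: bytes) -> bytes:
    """Wrap an EAP packet in a RADIUS Access-Request (EAP extensions, RFC 3579)."""
    attrs = b""
    if eap[0] == EAP_RESPONSE and len(eap) > 5 and eap[4] == EAP_IDENTITY:
        attrs += _attr(USER_NAME, eap[5:258])    # identity is copied into User-Name
    for i in range(0, len(eap), 253):            # one attribute holds at most 253 bytes
        attrs += _attr(EAP_MESSAGE, eap[i:i + 253])
    total = 20 + len(attrs) + 18                 # header + attributes + Message-Authenticator
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, total) + req_auth
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed
    mac = hmac.new(secret, head + attrs + _attr(MSG_AUTH, bytes(16)), hashlib.md5).digest()
    return head + attrs + _attr(MSG_AUTH, mac)

def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Server-side check; assumes Message-Authenticator is the final attribute, as built above."""
    zeroed = packet[:-16] + bytes(16)
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[-16:])

# Constructed sample: EAP-Response/Identity for "alice" inside an EAPOL frame
SAMPLE_EAP = bytes([EAP_RESPONSE, 1, 0, 10, EAP_IDENTITY]) + b"alice"
SAMPLE_EAPOL = bytes([1, EAPOL_EAP_PACKET, 0, 10]) + SAMPLE_EAP
SAMPLE_SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    # Fixed Request Authenticator keeps the demo deterministic; use os.urandom(16) in practice
    pkt = build_access_request(eapol_to_eap(SAMPLE_EAPOL), SAMPLE_SECRET, 7, bytes(range(16)))
    print(pkt.hex(), message_authenticator_ok(pkt, SAMPLE_SECRET))
```

The Message-Authenticator ties every EAP-bearing packet on the AP-to-RADIUS leg to the shared secret, so a packet altered in transit or built with the wrong secret fails the check.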
For 802.11a clients that communicate with an AP-600a, each client receives its own unique encryption key; this is
known as Per User Per Session Encryption Keys. (This feature is only available when using 802.1x mode; it is not
available when in Mixed mode or using WEP encryption only).
[Figure 4-17 labels: PC Client, Access Point, RADIUS Server; links: EAP Over Wireless, EAP Over RADIUS]