User's Manual
Virtual Network Services
Authentication for a VNS
A31003-W1050-U100-2-7619, March 2008
HiPath Wireless Controller, Access Points and Convergence Software V5 R1, C20/C2400 User Guide
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)
• Windows-specific version of CHAP (MS CHAP)
• MS CHAP v2 (Windows-specific version of CHAP, version 2)
For Captive Portal authentication, the RADIUS server must support the
selected authentication type: PAP, CHAP (RFC2484), MS-CHAP (RFC2433),
or MS-CHAPv2 (RFC2759).
5.5.2 Authentication with AAA (802.1x) network assignment
If network assignment is AAA with 802.1x authentication, the wireless device user
requesting network access must first be authenticated. The wireless device's
client utility must support 802.1x. The user's request for network access along
with login identification or a user profile is forwarded by the HiPath Wireless
Controller to a RADIUS server. The HiPath Wireless Controller, Access Points
and Convergence Software system supports the following authentication types:
• Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) –
Relies on client-side and server-side certificates to perform
authentication. Can be used to dynamically generate a Pairwise Master Key
for encryption.
• Extensible Authentication Protocol with Tunneled Transport Layer
Security (EAP-TTLS) – Relies on mutual authentication of client and server
through an encrypted tunnel. Unlike EAP-TLS, it requires only server-side
certificates. The client uses PAP, CHAP, or MS-CHAPv2 for authentication.
• Protected Extensible Authentication Protocol (PEAP) – An
authentication protocol similar to TTLS in its use of server-side certificates for
server authentication and privacy, and in its support for a variety of user
authentication mechanisms.
For 802.1x, the RADIUS server must support RADIUS extensions (RFC2869).
Until the access-accept is received from the RADIUS server for a specific user,
the user is kept in an unauthenticated state. 802.1x rules dictate that no packets
other than EAP are allowed to traverse between the AP and the HiPath Wireless
Controller until authentication completes. Once authentication is completed
(access-accept is received), the user's client is then allowed to proceed with IP
services, which typically implies the request of an IP address via DHCP.
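
The gating rule described above, modelled as an added example (not code from this manual or from the HiPath product): a per-client session forwards only EAPOL frames until it sees a RADIUS Access-Accept whose Response Authenticator verifies against the shared secret. The class and function names, the shared secret and the frames are constructed for illustration, and the Message-Authenticator attribute check is omitted.

```python
import hashlib, hmac, struct

ETH_EAPOL = 0x888E                    # EtherType of EAP over LAN (IEEE 802.1X)
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RADIUS packet codes (RFC 2865)

def radius_reply(code, ident, req_auth, secret, attrs=b""):
    """Build a RADIUS reply signed with `secret` (constructed test data)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(hdr + req_auth + attrs + secret).digest()
    return hdr + auth + attrs

def reply_is_authentic(pkt, req_auth, secret):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

class Session:
    """Hypothetical per-client gate: unauthenticated until Access-Accept."""
    def __init__(self, secret):
        self.secret = secret
        self.authenticated = False

    def on_radius_reply(self, pkt, req_auth):
        if not reply_is_authentic(pkt, req_auth, self.secret):
            return                      # forged or corrupted reply: state unchanged
        if pkt[0] == ACCESS_ACCEPT:
            self.authenticated = True
        elif pkt[0] == ACCESS_REJECT:
            self.authenticated = False  # any other code leaves the state as it is

    def allow(self, frame):
        if len(frame) < 14:
            return False                # truncated Ethernet header
        ethertype = struct.unpack("!H", frame[12:14])[0]
        return self.authenticated or ethertype == ETH_EAPOL

def frame(ethertype):
    """Constructed untagged Ethernet II frame with zeroed addresses and payload."""
    return bytes(12) + struct.pack("!H", ethertype) + bytes(46)

def demo():
    secret, req_auth = b"constructed-secret", bytes(range(16))
    s = Session(secret)
    out = [s.allow(frame(ETH_EAPOL)), s.allow(frame(0x0800))]  # before any accept
    s.on_radius_reply(radius_reply(ACCESS_ACCEPT, 1, req_auth, b"wrong-secret"), req_auth)
    out.append(s.allow(frame(0x0800)))                          # forged accept ignored
    s.on_radius_reply(radius_reply(ACCESS_ACCEPT, 1, req_auth, secret), req_auth)
    out.append(s.allow(frame(0x0800)))                          # genuine accept opens IP
    return out
```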