Symbol Technologies Spectrum24 AP-4131 User Manual
Introduction
AP-4131 Access Point Product Reference Guide
• Authentication Service (AS) – Provides the authentication ticket containing information about the client and the session key used with the KDC.
• Ticket Granting Ticket Service (TGS) – Permits devices to communicate with a service (this could be any application or service such as the AP RF services).
The default expiration time of a ticket is 12 hours (for the AP) and is not user configurable. If the ticket lifetime in the KDC's security policy differs from the lifetime requested, the KDC selects the shorter of the two. Each time a ticket is generated, a new session key and a new WEP encryption key are generated.
The KDC resides on the Kerberos server (the Kerberos server can also be the DNS server). In addition to the KDC, a Kerberos Setup Service (KSS) is installed on the Kerberos server. The KSS runs as a client on the KDC server when initially launched. The KSS can be used to administer Spectrum24 devices authorized on the network. For example, if an AP on the Access Control List (ACL) is lost or stolen, the KSS marks the AP (using the MAC address of the AP) as not authorized and notifies the administrator if the missing AP appears elsewhere on the network attempting authentication.

All clients (MUs), the KDC and services (APs) participating in the Kerberos authentication system must have their internal clocks synchronized to within a specified maximum difference (known as clock skew). The KSS uses Network Time Protocol (NTP) or the system clock on the Kerberos server to provide clock synchronization (timestamps) between the KDC and APs as part of the authentication process. Clock synchronization is essential because an expiration time is associated with each ticket. If the clock skew is exceeded between any of the participating hosts, requests are rejected.
Additionally, the KSS provides a list of authorized APs and other security setup
information that the KDC uses to authenticate clients. When setting up KSS,
assign APs an ESSID as the User ID to authenticate with the KDC.
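The following is an added illustration, not code from Symbol or from this guide, of the three behaviours described above: the KDC issuing a ticket with the shorter of the requested (12 hour) and policy lifetimes and fresh session/WEP keys each time, rejecting a request whose timestamp exceeds the permitted clock skew, and the KSS keeping a MAC-keyed authorized-AP list that flags a lost or stolen AP if it reappears. The class and function names, the 5 minute skew limit, the key lengths, and the MAC address and ESSID are assumptions constructed for the example; the guide gives none of them.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

# The guide states a 12 h default ticket lifetime for the AP.
DEFAULT_AP_TICKET_LIFETIME = timedelta(hours=12)
# The guide names no skew value; 5 minutes is an assumed policy for this model.
MAX_CLOCK_SKEW = timedelta(minutes=5)


@dataclass
class Ticket:
    essid: str              # the AP's User ID (principal) as described in the guide
    issued_at: datetime
    expires_at: datetime
    session_key: bytes      # generated fresh for every ticket
    wep_key: bytes          # generated fresh alongside the session key

    def is_valid(self, now: datetime) -> bool:
        return self.issued_at <= now < self.expires_at


@dataclass
class AccessControlList:
    """Hypothetical model of the KSS authorized-AP list keyed by AP MAC address."""
    entries: dict = field(default_factory=dict)   # mac -> {"essid", "authorized"}
    alerts: list = field(default_factory=list)    # administrator notifications

    def add_ap(self, mac: str, essid: str) -> None:
        self.entries[mac.lower()] = {"essid": essid, "authorized": True}

    def mark_not_authorized(self, mac: str) -> None:
        # Lost/stolen AP: keep the entry so a reappearance can be recognised.
        self.entries[mac.lower()]["authorized"] = False

    def check(self, mac: str, essid: str) -> bool:
        entry = self.entries.get(mac.lower())
        if entry is None or entry["essid"] != essid:
            return False
        if not entry["authorized"]:
            # A revoked AP is trying to authenticate again: notify the administrator.
            self.alerts.append(f"revoked AP {mac} ({essid}) attempted authentication")
            return False
        return True


class Kdc:
    """Hypothetical KDC: skew check, ACL check, then lifetime = min(requested, policy)."""

    def __init__(self, acl: AccessControlList, policy_lifetime: timedelta):
        self.acl = acl
        self.policy_lifetime = policy_lifetime

    def issue_ticket(self, mac: str, essid: str, client_time: datetime,
                     kdc_time: datetime, requested=DEFAULT_AP_TICKET_LIFETIME):
        """Return (ticket, None) on success or (None, reason) on rejection."""
        if abs(client_time - kdc_time) > MAX_CLOCK_SKEW:
            return None, "clock skew exceeded"
        if not self.acl.check(mac, essid):
            return None, "AP not authorized"
        lifetime = min(requested, self.policy_lifetime)
        # 16-byte session key and 13-byte (104-bit) WEP key: constructed sizes.
        ticket = Ticket(essid, kdc_time, kdc_time + lifetime,
                        secrets.token_bytes(16), secrets.token_bytes(13))
        return ticket, None


def demo() -> dict:
    """Walk through the guide's scenarios on a fixed clock; returns results for checking."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed KDC time
    mac, essid = "02:00:00:00:00:01", "WAREHOUSE"             # constructed AP identity
    acl = AccessControlList()
    acl.add_ap(mac, essid)
    results = {}

    # 1. KDC policy (8 h) shorter than the 12 h request: the shorter lifetime wins.
    kdc = Kdc(acl, policy_lifetime=timedelta(hours=8))
    t1, _ = kdc.issue_ticket(mac, essid, t0, t0)
    results["lifetime_hours_policy8"] = (t1.expires_at - t1.issued_at) / timedelta(hours=1)
    results["valid_at_7h"] = t1.is_valid(t0 + timedelta(hours=7))
    results["valid_at_9h"] = t1.is_valid(t0 + timedelta(hours=9))

    # 2. Policy (24 h) longer than the request: the 12 h request wins; keys are fresh.
    t2, _ = Kdc(acl, policy_lifetime=timedelta(hours=24)).issue_ticket(mac, essid, t0, t0)
    results["lifetime_hours_policy24"] = (t2.expires_at - t2.issued_at) / timedelta(hours=1)
    results["fresh_keys"] = t1.session_key != t2.session_key and t1.wep_key != t2.wep_key

    # 3. AP clock 10 minutes off the KDC: rejected before the ACL is consulted.
    _, reason = kdc.issue_ticket(mac, essid, t0 + timedelta(minutes=10), t0)
    results["skew_reason"] = reason

    # 4. AP reported lost: KSS marks it not authorized and flags the next attempt.
    acl.mark_not_authorized(mac)
    _, reason = kdc.issue_ticket(mac, essid, t0, t0)
    results["revoked_reason"] = reason
    results["alert_count"] = len(acl.alerts)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The KDC performs the skew check before the ACL lookup, so a host with a drifted clock is rejected without touching the authorized-AP list; the revoked entry is retained rather than deleted, which is what lets the KSS recognise and report a missing AP that reappears.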