Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual
53-1003098-01
authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none]
Parameters
authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none]
Example
rfs7000-37FABE(config-wlan-test)#authentication-type eap
rfs7000-37FABE(config-wlan-test)#show context
wlan test
ssid test
bridging-mode tunnel
encryption-type none
authentication-type eap
authentication-type
Configures a WLAN’s authentication type
The authentication types are: EAP, EAP-MAC, EAP-PSK, Kerberos, MAC, and none.
eap
Configures EAP authentication (802.1X)
EAP is the de facto standard authentication method used to provide secure authenticated access to
controller-managed WLANs. EAP provides mutual authentication, secured credential exchange, dynamic keying and
strong encryption. 802.1X EAP can be deployed with WEP, WPA or WPA2 encryption schemes to further protect
user information forwarded over controller-managed WLANs.
The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an
authenticator (in this case, the authentication server). An access point passes EAP packets from the client to
an authentication server on the wired side of the access point. All other packet types are blocked until the
authentication server (typically, a RADIUS server) verifies the client’s identity.
eap-mac
Configures EAP or MAC authentication depending on client. (This setting is valid only with the None encryption
type.)
EAP-MAC is useful in a hotspot environment, as some clients support EAP and an administrator may
want to authenticate based on just the MAC address of the device.
eap-psk
Configures EAP authentication or pre-shared keys depending on client. (This setting is only valid with Temporal
Key Integrity Protocol (TKIP) or Counter Mode with Cipher Block Chaining Message Authentication Code
Protocol (CCMP) encryption types.)
When using PSK with EAP, the controller sends a packet requesting a secure link using a pre-shared key. The
controller and authenticating device must use the same authenticating algorithm and passcode during
authentication. EAP-PSK is useful when transitioning from a PSK network to one that supports EAP.
kerberos
Configures Kerberos authentication (encryption will change to WEP128 if it’s not already WEP128 or
Keyguard)
Kerberos (designed and developed by MIT) provides strong authentication for client/server applications using
secret-key cryptography. Using Kerberos, a client must prove its identity to a server (and vice versa) across an
insecure network connection.
Once a client and server use Kerberos to validate their identity, they encrypt all communications to assure
privacy and data integrity. Kerberos can only be used on the Access Point with Brocade 802.11b clients.
Kerberos uses Network Time Protocol (NTP) for synchronizing the clocks of its Key Distribution Center (KDC)
server(s).
mac
Configures MAC authentication (RADIUS lookup of MAC address)
MAC is a device level authentication method used to augment other security schemes when legacy devices
are deployed using static WEP.
MAC authentication can be used for device level authentication by permitting WLAN access based on device
MAC address. MAC authentication is typically used to augment WLAN security options that do not use
authentication (such as static WEP, WPA-PSK and WPA2-PSK). MAC authentication can also be used to assign
VLAN memberships, firewall policies and time and date restrictions.
MAC authentication can only identify devices, not users.
none
No authentication is used or the client uses pre-shared keys
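The encryption constraints listed above for eap-mac, eap-psk and kerberos can be checked against saved show context output before a WLAN goes live. The following Python script is an added example, not part of the Brocade guide or its software; the lowercase encryption keywords (tkip, ccmp, wep128, keyguard) are assumed spellings of the names used above, and every WLAN in the sample other than test is constructed.

```python
# Constraints stated on this page; lowercase encryption keywords are assumed spellings.
RULES = {
    "eap-mac": ({"none"}, "eap-mac is valid only with encryption type none"),
    "eap-psk": ({"tkip", "ccmp"}, "eap-psk is valid only with TKIP or CCMP"),
    "kerberos": ({"wep128", "keyguard"}, "kerberos changes encryption to WEP128"),
}

# Constructed sample: WLAN "test" is the page's example, the others are invented.
SAMPLE = """\
rfs7000-37FABE(config-wlan-test)#show context
wlan test
 encryption-type none
 authentication-type eap
wlan guest
 encryption-type ccmp
 authentication-type eap-mac
wlan migrate
 encryption-type ccmp
 authentication-type eap-psk
wlan scanners
 encryption-type wep128
 authentication-type mac
"""

def parse_wlans(text):
    """Return {wlan name: {keyword: value}} from 'show context' style output."""
    wlans, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key, _, value = line.partition(" ")
        if not key or "#" in key:  # blank line or CLI prompt line
            continue
        if key == "wlan":
            current = wlans.setdefault(value.strip(), {})
        elif current is not None:
            current[key] = value.strip()
    return wlans

def audit(text):
    """Return (wlan, finding, detail) tuples for settings this page cautions about."""
    findings = []
    for name, cfg in parse_wlans(text).items():
        auth, enc = cfg.get("authentication-type"), cfg.get("encryption-type")
        if auth in RULES and enc not in RULES[auth][0]:
            findings.append((name, "mismatch", RULES[auth][1]))
        elif auth == "eap" and enc == "none":
            findings.append((name, "no-encryption", "EAP without WEP, WPA or WPA2"))
        elif auth == "mac":
            findings.append((name, "device-only", "MAC identifies devices, not users"))
    return findings
```

Calling audit(SAMPLE) reports the page's own example (eap with encryption-type none) as running EAP with no encryption scheme, flags guest as an eap-mac mismatch, and notes that scanners authenticates devices only; migrate passes.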