
EAP authentication, WPA2-CCMP (802.11i) encryption, Firewall security – Brocade Mobility 7131N-FGR Access Point Product Reference Guide (Supporting software release 4.0.0.0-35GRN and later) User Manual


Brocade Mobility 7131N-FGR Product Reference Guide (53-1001947-01), page 10

1 Feature overview

EAP Authentication

The Extensible Authentication Protocol (EAP) feature provides access points and their associated
MUs an additional measure of security for data transmitted over the wireless network. Using EAP,
authentication between devices is achieved through the exchange and verification of certificates.

EAP is a mutual authentication method whereby both the MU and AP are required to prove their
identities. Using EAP, the user loses device authentication if the server cannot provide proof of
device identification.

Using EAP, a user requests connection to a WLAN through the access point. The access point then
requests the identity of the user and transmits that identity to an authentication server. The server
prompts the AP for proof of identity (supplied to the AP by the user) and then transmits the user data
back to the server to complete the authentication process.

An MU is not able to access the network if not authenticated. When configured for EAP support, the
access point displays the MU as an EAP station.

EAP is only supported on mobile devices running Windows XP, Windows 2000 (using Service Pack
#4) and Windows Mobile 2003. Refer to the system administrator for information on configuring a
RADIUS server for EAP (802.1x) support.

For detailed information on EAP configurations, see “Configuring 802.1x EAP settings” on page 165.

WPA2-CCMP (802.11i) encryption

WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi
Protected Access (WPA) and WEP. Counter-mode/CBC-MAC Protocol (CCMP) is the security
standard used by the Advanced Encryption Standard (AES). AES serves the same function TKIP
does for WPA-TKIP. CCMP computes a Message Integrity Check (MIC) using the proven Cipher
Block Chaining Message Authentication Code (CBC-MAC) technique. Changing just one bit in a
message produces a totally different result.

WPA2-CCMP is based on the concept of a Robust Security Network (RSN), which defines a
hierarchy of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator
provides are used to derive other keys. Messages are encrypted using a 256-bit secret key and a
256-bit block of data. The end result is an encryption scheme as secure as any the access point
provides.

For detailed information on WPA2-CCMP, see “Configuring WPA2-CCMP (802.11i)” on page 169.
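The integrity property described above (one flipped bit yields an entirely different MIC, so a tampered frame fails verification) can be seen with a small AES CBC-MAC. This is an added illustration, not code from the guide or from the access point firmware; it uses a zero IV, a leading length block and zero padding rather than the exact block formatting CCM specifies, and the key and payload are constructed demo values.

```go
package main
import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// cbcMAC is an illustrative AES CBC-MAC (zero IV, leading length block, zero padding); not the exact CCM block formatting.
func cbcMAC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	buf := make([]byte, bs) // length block keeps zero-padded messages distinct
	binary.BigEndian.PutUint64(buf[bs-8:], uint64(len(msg)))
	buf = append(buf, msg...)
	if rem := len(buf) % bs; rem != 0 {
		buf = append(buf, make([]byte, bs-rem)...)
	}
	mac := make([]byte, bs) // chaining value starts at the zero IV
	for i := 0; i < len(buf); i += bs {
		for j := 0; j < bs; j++ {
			mac[j] ^= buf[i+j] // XOR the plaintext block into the chain
		}
		block.Encrypt(mac, mac) // encrypt in place; the last output is the tag
	}
	return mac, nil
}

// verifyMAC recomputes the tag and compares it in constant time.
func verifyMAC(key, msg, tag []byte) bool {
	want, err := cbcMAC(key, msg)
	return err == nil && subtle.ConstantTimeCompare(want, tag) == 1
}

// flipBit returns a copy of msg with one bit toggled (simulated tampering).
func flipBit(msg []byte, bit int) []byte {
	out := append([]byte(nil), msg...)
	out[bit/8] ^= 1 << uint(bit%8)
	return out
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key, not a real PTK
	msg := []byte("frame payload protected by CCMP")
	tag, _ := cbcMAC(key, msg)
	fmt.Printf("MIC %x\ntampered frame verifies: %v\n", tag, verifyMAC(key, flipBit(msg, 3), tag))
}
```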

Firewall security

A firewall keeps personal data in and hackers out. The access point’s firewall prevents suspicious
Internet traffic from proliferating into the access point managed network. The access point performs
Network Address Translation (NAT) on packets passing to and from the WAN port. This combination
provides enhanced security by monitoring communication with the wired network.

For detailed information on configuring the access point’s firewall, see “Configuring firewall settings” on page 171.