EAP, EAP-PSK and EAP MAC Deployment Considerations – Brocade Mobility Access Point System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual
Brocade Mobility Access Point System Reference Guide
53-1003100-01
The EAP process begins when an unauthenticated supplicant (client device) tries to connect with
an authenticator (in this case, the authentication server). An access point passes EAP packets from
the client to an authentication server on the wired side of the access point. All other packet types
are blocked until the authentication server (typically, a RADIUS server) verifies the client’s identity.
802.1X EAP provides mutual authentication over the WLAN during authentication. The 802.1X EAP
process uses credential verification to apply specific policies and restrictions to WLAN users to
ensure access is only provided to specific wireless controller resources.
802.1X requires an 802.1X-capable RADIUS server to authenticate users and an 802.1X client
installed on each device accessing the EAP-supported WLAN. An 802.1X client is included with
most commercial operating systems, including Microsoft Windows, Linux and Apple OS X.
The RADIUS server authenticating 802.1X EAP users resides externally to the access point. User
account creation and maintenance can be provided centrally using RFMS or individually
maintained on each device. If an external RADIUS server is used, EAP authentication requests are
forwarded.
When using PSK with EAP, packets are sent requesting a secure link using a pre-shared key. The
access point and authenticating device must use the same authenticating algorithm and
passcode. EAP-PSK is useful when transitioning from a PSK network to one that supports EAP. The
only encryption types supported with this are TKIP, CCMP and TKIP-CCMP.
To configure EAP on a WLAN:
1. Select the Configuration tab from the Web UI.
Select Wireless.
Select Wireless LANs to display a high-level view of existing WLANs.
2. Select the Add button to create an additional WLAN, or select an existing WLAN and Edit to
modify its security properties.
3. Select Security.
4. Select EAP, EAP-PSK or EAP MAC as the Authentication Type.
Any of these authentication types enables the radio buttons for the encryption options that can be
used with EAP as an additional measure of security for the WLAN.
Either select an existing AAA Policy from the drop-down menu, select the Create icon to the right of
the AAA Policy parameter to create a new AAA policy, or select the Edit icon to modify the selected
AAA policy’s configuration.
Authentication, authorization, and accounting (AAA) is a framework for intelligently controlling
access to the network, enforcing user authorization policies and auditing and tracking usage.
These combined processes are central for securing wireless client resources and wireless network
data flows. For information on defining a new AAA policy, see AAA Policy on page 7-500.
5. Select the Reauthentication radio button to force EAP-supported clients to reauthenticate. Use
the spinner control to set the number of seconds (from 30 to 86,400) that, once exceeded, forces
the EAP-supported client to reauthenticate to use the resources supported by the WLAN.
6. Select OK to update the WLAN’s EAP configuration. Select Reset to revert back to the last
saved configuration.
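As an added example (not from the Brocade guide or firmware), this Python sketch models the behaviour described above: EAP frames are always relayed, all other traffic is dropped until the RADIUS server accepts the client, and the session lapses once the reauthentication interval from step 5 is exceeded. `PortGate`, its method names and the Ethernet II sample frames are assumptions made for illustration.

```python
import struct

# Added example; names are illustrative, not the access point's implementation.
ETH_P_EAPOL = 0x888E                  # EtherType for 802.1X (EAP over LAN)
REAUTH_MIN, REAUTH_MAX = 30, 86_400   # range given in step 5

class PortGate:
    """Per-client gate: only EAPOL passes until the RADIUS server accepts."""

    def __init__(self, reauth_seconds=None):
        if reauth_seconds is not None and not REAUTH_MIN <= reauth_seconds <= REAUTH_MAX:
            raise ValueError("reauthentication interval must be 30-86400 s")
        self.reauth_seconds = reauth_seconds
        self.authorized_at = None      # None = client not authenticated

    def on_radius_result(self, accepted: bool, now: float) -> None:
        """Record the RADIUS decision (accept opens the gate, reject closes it)."""
        self.authorized_at = now if accepted else None

    def is_authorized(self, now: float) -> bool:
        if self.authorized_at is None:
            return False
        if self.reauth_seconds is not None and now - self.authorized_at > self.reauth_seconds:
            self.authorized_at = None  # interval exceeded: force reauthentication
            return False
        return True

    def handle(self, frame: bytes, now: float) -> str:
        if len(frame) < 14:
            return "drop"              # truncated Ethernet header
        etype = struct.unpack("!H", frame[12:14])[0]
        if etype == ETH_P_EAPOL:
            return "to-auth-server"    # EAP is relayed in every state
        return "forward" if self.is_authorized(now) else "drop"

def make_frame(etype: int, payload: bytes = b"") -> bytes:
    """Constructed sample frame: dst MAC, src MAC, EtherType, payload."""
    macs = bytes.fromhex("02000000000a02000000000b")
    return macs + struct.pack("!H", etype) + payload

def demo():
    gate = PortGate(reauth_seconds=30)
    eapol = make_frame(ETH_P_EAPOL, b"\x01\x01\x00\x00")   # EAPOL-Start
    ipv4 = make_frame(0x0800)
    out = [gate.handle(ipv4, 0), gate.handle(eapol, 0)]    # before authentication
    gate.on_radius_result(True, now=1)
    out += [gate.handle(ipv4, 2), gate.handle(ipv4, 32), gate.handle(eapol, 32)]
    return out
```
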
EAP, EAP-PSK and EAP MAC Deployment Considerations