
Allied Telesis AT-WA7501 User Manual


Chapter 6: Configuring Security


Enabling Secure Communications Between Access Points

When you configure a radio to use 802.1x security, you automatically
enable spanning tree security, which can be used for both wired access
points and WAPs. A secure spanning tree has two functions:

1. To require authentication of any access point attempting to join the
spanning tree.

2. To provide encryption of critical Inter-Access Point Protocol (IAPP)
frames.

There are three authentication methods that you can use to secure the
spanning tree: SWAP, TTLS, or TLS.

When the Access Point Is the Supplicant

By default, TTLS is enabled. If you want to use TTLS, you must also enter
a user name and password. This login must match an entry in the
authentication server database. When the access point is acting as a
supplicant and the authentication server offers the TTLS protocol, the
access point sends its user name and password.

You can also enable TLS as the authentication method. You must install a
server certificate on each access point that will use this method to
authenticate to the network. When the access point is acting as a
supplicant and the authentication server offers the TLS protocol, the
access point sends its certificate credentials.

If you enable both TTLS and TLS, you must choose which protocol the
access point offers first, and the access point must have both a login
and a server certificate configured.

By default, Secure Wireless Authentication Protocol (SWAP) is also
enabled. The access point tells the authenticator that it can perform
SWAP. If the authenticator allows SWAP, SWAP is used. SWAP allows
access points to authenticate using an EAP-MD5 challenge. If either the
supplicant or the authenticator does not allow SWAP, the authentication
must happen at the authentication server using TTLS or TLS. Note that an
EAP-MD5 challenge is a one-way challenge/response on a shared secret: it
does not authenticate the authenticator to the supplicant and does not
derive keys, so it is weaker than TTLS or TLS and should be allowed only
where older access points require it.
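The EAP-MD5 challenge that SWAP relies on, as an added worked example (not code from the Allied Telesis manual or firmware): it frames an EAP-Request/Response of Type 4 as laid out in RFC 3748 section 5.4 and computes the response as MD5(Identifier || secret || challenge) per RFC 1994. The SWAP-specific framing is not on this page, so the packet layout is the generic EAP one; the peer names, the 16-byte constructed challenge and the shared secrets are assumptions. The last function shows the practitioner's caveat: anyone who captures both frames can test candidate secrets offline, which is why SWAP is only worth allowing for access points that cannot do TTLS or TLS.

```python
"""EAP-MD5-Challenge (EAP Type 4) exchange between an access point acting
as authenticator and a legacy access point acting as supplicant.
Added illustration: framing per RFC 3748 s5.4, response per RFC 1994 CHAP.
The SWAP-specific encapsulation is not shown on the manual page, so only
the generic EAP layout is modelled here."""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def md5_challenge_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # CHAP / EAP-MD5 response value: MD5(Identifier || secret || challenge)
    if not 0 <= identifier <= 255:
        raise ValueError("EAP Identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_eap_md5(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    # Code | Identifier | Length (incl. header) | Type=4 | Value-Size | Value | Name
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_md5(pkt: bytes):
    # Strict parse: reject bad lengths rather than reading past the buffer.
    if len(pkt) < 6:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length does not match frame size")
    if pkt[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge")
    vsize = pkt[5]
    value = pkt[6:6 + vsize]
    if len(value) != vsize:
        raise ValueError("truncated Value field")
    return code, identifier, value, pkt[6 + vsize:]


def authenticator_request(identifier: int, challenge: bytes, name: bytes = b"ap-authenticator") -> bytes:
    # Authenticator side: send its challenge (a real AP uses a random one).
    return build_eap_md5(EAP_REQUEST, identifier, challenge, name)


def supplicant_response(request: bytes, secret: bytes, name: bytes) -> bytes:
    # Supplicant side: answer the challenge with the shared secret.
    code, identifier, challenge, _ = parse_eap_md5(request)
    if code != EAP_REQUEST:
        raise ValueError("expected EAP-Request")
    return build_eap_md5(EAP_RESPONSE, identifier, md5_challenge_value(identifier, secret, challenge), name)


def authenticator_verify(challenge: bytes, identifier: int, response: bytes, secrets: dict) -> bool:
    # Authenticator side: look up the peer's secret by Name and compare in constant time.
    code, rid, value, name = parse_eap_md5(response)
    if code != EAP_RESPONSE or rid != identifier:
        return False
    secret = secrets.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(value, md5_challenge_value(identifier, secret, challenge))


def offline_guess(request: bytes, response: bytes, candidates):
    # Passive observer holding both frames needs no secret: each candidate is
    # checked offline. This is the weakness that makes SWAP a legacy-only option.
    _, identifier, challenge, _ = parse_eap_md5(request)
    _, _, value, _ = parse_eap_md5(response)
    for cand in candidates:
        if md5_challenge_value(identifier, cand, challenge) == value:
            return cand
    return None


def demo():
    # Constructed data: one legacy AP name, one shared secret, a fixed challenge.
    secrets = {b"ap-legacy-07": b"correct horse"}
    challenge = bytes(range(16))
    req = authenticator_request(0x2A, challenge)
    resp = supplicant_response(req, secrets[b"ap-legacy-07"], b"ap-legacy-07")
    ok = authenticator_verify(challenge, 0x2A, resp, secrets)
    guessed = offline_guess(req, resp, [b"password", b"ap", b"correct horse"])
    return ok, guessed


if __name__ == "__main__":
    print(demo())
```

Running the module prints `(True, b'correct horse')`: the exchange verifies, and a third party holding only the two frames recovers the secret from a short candidate list.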

When the Access Point Is the Authenticator

If the Allow SWAP check box is cleared, the access point that is acting as
the authenticator will not perform any authentications using SWAP.
Supplicants will need to authenticate with the authentication server using
TTLS or TLS.

However, older access points do not support these authentication
methods. If the Allow SWAP check box is checked, the access point that is
acting as the authenticator will authenticate any supplicants that offer
