
Allied Telesis AT-WA7500 User Manual

Page 168

6 - Configuring Security

• For help configuring an external RADIUS server, see the documentation that came with your server. You need to enter each authenticator's IP address and the shared secret key. In the database, you need to enter the information for each end device.

Enabling Secure Communications Between Access Points

When you configure a radio to use 802.1x security, you automatically
enable secure IAPP and secure wireless hops. Secure IAPP prevents
unauthorized AT-WA7500 access points from joining the spanning tree
and it encrypts IAPP frames. If you enable secure IAPP, when access
points communicate with each other through the radios, they will create
secure wireless hops using one of the authentication methods you have
chosen: SWAP, TTLS, TLS.

You usually use TTLS or TLS when you want to authenticate a WAP or
designated bridge to a wired access point. Use SWAP to authenticate
wired access points and older access points.

When the Access Point Is the Supplicant

By default, TTLS is enabled. If you want to use TTLS, you must also enter a
user name and password. This login must match an entry in the
authentication server database. When the access point is acting as a
supplicant and the authentication server offers the TTLS protocol, the
access point sends its user name and password.

You can also enable TLS as the authentication method. You must install
a client certificate on each access point that will use this method to
authenticate to the network. When the access point is acting as a
supplicant and the authentication server offers the TLS protocol, the
access point sends its certificate credentials.

If you choose to use both TTLS and TLS, you must choose which protocol
the access point offers first, and the access point must have both a
login and a client certificate configured.

By default, Secure Wireless Authentication Protocol (SWAP) is also
enabled. The access point tells the authenticator that it can perform
SWAP. If the authenticator allows SWAP, SWAP is used. SWAP allows
access points to authenticate using an EAP-MD5 challenge. If the
supplicant or the authenticator does not allow SWAP, the authentication
must happen at the authentication server using TTLS or TLS.
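As an added example (not code from the Allied Telesis manual), the following Python models the hop-method selection rules described above and the EAP-MD5 challenge/response that SWAP is said to use. It assumes SWAP's challenge is the standard EAP MD5-Challenge of RFC 3748 (MD5 over the EAP identifier octet, the shared secret and the challenge); the function names, secret and challenge bytes are constructed.

```python
import hashlib
import hmac

# Constructed sample value; not from the manual.
SHARED_SECRET = b"example-swap-secret"


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Supplicant side of an EAP MD5-Challenge (RFC 3748 sec. 5.4, assumed
    here to be what SWAP uses): MD5 over the EAP Identifier octet, the
    shared secret and the challenge the authenticator sent."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_eap_md5(identifier: int, secret: bytes, challenge: bytes,
                   response: bytes) -> bool:
    """Authenticator side: recompute the expected digest and compare it in
    constant time so a wrong response leaks nothing through timing."""
    expected = eap_md5_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def choose_hop_method(supplicant_swap: bool, authenticator_swap: bool,
                      ttls: bool, tls: bool, offer_first: str,
                      has_login: bool, has_cert: bool) -> str:
    """Model of the manual's rules for a secure wireless hop: SWAP is used
    only when both sides allow it; otherwise authentication happens at the
    authentication server with TTLS or TLS, and enabling both requires a
    login and a client certificate on the access point."""
    if supplicant_swap and authenticator_swap:
        return "SWAP"
    if ttls and tls:
        if not (has_login and has_cert):
            raise ValueError("TTLS+TLS needs both a login and a certificate")
        if offer_first not in ("TTLS", "TLS"):
            raise ValueError("offer_first must be TTLS or TLS")
        return offer_first
    if ttls:
        if not has_login:
            raise ValueError("TTLS needs a user name and password")
        return "TTLS"
    if tls:
        if not has_cert:
            raise ValueError("TLS needs an installed client certificate")
        return "TLS"
    raise ValueError("no secure hop method available")
```

EAP-MD5 authenticates only the supplicant and derives no keying material, whereas TTLS and TLS also authenticate the server.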