Client access authentication, Protocols and standards – H3C Technologies H3C MSR 50 User Manual
header. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly,
CCMP contains a dynamic key negotiation and management method, so that each wireless client
can dynamically negotiate a key suite, which can be updated periodically to further enhance the
security of the CCMP encryption mechanism. During the encryption process, CCMP uses a 48-bit
packet number (PN), and each encrypted packet is sent with a different PN, improving the
security to a certain extent.
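The PN handling described above, as an added example that is not from the H3C manual: it packs and parses the 8-byte CCMP header, builds the CCM nonce that makes PN uniqueness matter, and applies a receiver-side replay check. The header and nonce layouts follow IEEE 802.11i; the function names, the sample transmitter address and the PN values are constructed for illustration, and keeping one replay counter per transmitter (starting at 0) is a simplifying assumption.

```python
# Added example: CCMP packet number (PN) handling. Names and sample values are illustrative.

def build_ccmp_header(pn: int, key_id: int = 0) -> bytes:
    """Pack a 48-bit PN into the 8-byte CCMP header: PN0 PN1 Rsvd Flags PN2 PN3 PN4 PN5."""
    if not 0 <= pn < 1 << 48:
        raise ValueError("PN must fit in 48 bits")
    if not 0 <= key_id <= 3:
        raise ValueError("key ID is a 2-bit field")
    p = pn.to_bytes(6, "little")          # p[0] is PN0, the least significant octet
    flags = 0x20 | (key_id << 6)          # ExtIV bit is always set for CCMP
    return bytes([p[0], p[1], 0, flags, p[2], p[3], p[4], p[5]])

def parse_ccmp_header(hdr: bytes) -> tuple[int, int]:
    """Return (pn, key_id) from an 8-byte CCMP header."""
    if len(hdr) != 8:
        raise ValueError("CCMP header is 8 bytes")
    if not hdr[3] & 0x20:
        raise ValueError("ExtIV bit not set: not a CCMP header")
    pn = int.from_bytes(hdr[0:2] + hdr[4:8], "little")
    return pn, hdr[3] >> 6

def ccm_nonce(priority: int, transmitter: bytes, pn: int) -> bytes:
    """13-byte CCM nonce: priority octet, transmitter address (A2), PN with PN5 first."""
    if len(transmitter) != 6:
        raise ValueError("transmitter address is 6 bytes")
    return bytes([priority & 0x0F]) + transmitter + pn.to_bytes(6, "big")

class ReplayFilter:
    """Receiver side: a frame is fresh only if its PN exceeds the last accepted PN.

    Call accept() only after the frame's MIC has verified, so that a forged
    frame cannot advance the counter.
    """
    def __init__(self) -> None:
        self._last: dict[bytes, int] = {}

    def accept(self, transmitter: bytes, pn: int) -> bool:
        if pn <= self._last.get(transmitter, 0):
            return False                  # replayed or out-of-window frame
        self._last[transmitter] = pn
        return True

if __name__ == "__main__":
    sta = bytes.fromhex("02aabbccddee")   # constructed transmitter address
    rx = ReplayFilter()
    for sent_pn in (1, 2, 2, 1, 3):       # constructed sequence with two replays
        pn, key_id = parse_ccmp_header(build_ccmp_header(sent_pn))
        print(pn, ccm_nonce(0, sta, pn).hex(), "accepted" if rx.accept(sta, pn) else "dropped")
```

Because the nonce is derived from the PN, reusing a PN under the same temporal key would reuse an AES-CCM nonce, which is why the key is renegotiated before the 48-bit counter can wrap.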
Client access authentication
1. PSK authentication
To implement pre-shared key (PSK) authentication, the client and the authenticator must have the
same shared key configured. Otherwise, the client cannot pass the PSK authentication.
2. 802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls accessing devices at
the port level. A device that is connected to an 802.1X-enabled port of a WLAN access control
device can access the resources on the WLAN only after passing authentication.
3. MAC address authentication
MAC address authentication does not require any client software. The MAC address of a client is
compared against a predefined list of allowed MAC addresses. If a match is found, the client can
pass the authentication and access the WLAN. If no match is found, the authentication fails and
access is denied. The entire process does not require the user to enter a username or password.
This type of authentication is suited to small networks (such as families and small offices) with fixed
clients.
MAC address authentication can be done locally or through a RADIUS server.
• Local MAC address authentication—A list of usernames and passwords (the MAC addresses of
allowed clients) is created on the wireless access device and the clients are authenticated by the
wireless access device. Only clients whose MAC addresses are included in the list can pass the
authentication and access the WLAN.
• MAC address authentication through RADIUS server—The wireless access device serves as the
RADIUS client and sends the MAC address of each requesting client to the RADIUS server. If the
client passes the authentication on the RADIUS server, the client can access the WLAN within
the authorization assigned by the RADIUS server. In this authentication mode, if different
domains are defined, authentication information for different SSIDs is sent to different RADIUS
servers based on their domains.
For more information about access authentication, see Security Configuration Guide.
Protocols and standards
• IEEE Standard for Information technology—Telecommunications and information exchange
between systems—Local and metropolitan area networks—Specific requirements -2004
• WI-FI Protected Access—Enhanced Security Implementation Based On IEEE P802.11i Standard-Aug
2004
• Information technology—Telecommunications and information exchange between systems—Local
and metropolitan area networks—Specific requirements—802.11, 1999
• IEEE Standard for Local and metropolitan area networks "Port-Based Network Access Control"
802.1X™- 2004