Mu authentication, Secure beacon – Brocade Mobility RFS7000-GR Controller System Reference Guide (Supporting software release 4.1.0.0-040GR and later) User Manual

Brocade Mobility RFS7000-GR Controller System Reference Guide, 53-1001944-01, page 19

Chapter 1: Software overview

MU authentication

The switch uses the following authentication schemes for MU (mobile unit) association:

Kerberos

802.1x EAP

MAC ACL

Refer to “Editing the WLAN configuration” on page 100 for additional information.

Kerberos
Kerberos allows for mutual authentication and end-to-end encryption. All traffic is encrypted and
security keys are generated on a per-client basis. Keys are never shared or reused, and are
automatically distributed in a secure manner. For information on configuring Kerberos for a WLAN,
see “Configuring Kerberos” on page 106.

802.1x EAP
802.1x EAP is the strongest of the three authentication mechanisms the switch offers for wireless
networks and supports EAP-TLS, EAP-TTLS and PEAP. The switch acts as a proxy for RADIUS packets.
An MU completes 802.11 authentication and association and begins sending frames. The switch
recognizes that the MU still has to authenticate against a RADIUS server and drops all traffic
from that MU other than the EAP exchange (carried as EAPOL frames between the MU and the switch,
and relayed by the switch to the RADIUS server). Once the RADIUS server completes its
authentication process and returns an accept, the MU is allowed to send other data traffic. You
can use either an external RADIUS server or the switch's onboard RADIUS server for
authentication. For information on configuring 802.1x EAP for a WLAN, see “Configuring 802.1x
EAP” on page 105.
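The gating behaviour described above, as an added example that is not code from the Brocade guide: a minimal model of the controller's per-MU 802.1x gate. Until the RADIUS exchange the switch proxies returns an accept for an MU, only EAPOL frames (EtherType 0x888E) from that MU are passed toward the authenticator and every other frame is dropped. The MAC addresses, frame contents and RADIUS outcomes below are constructed so the block runs offline.

```python
# Added example (not the Brocade guide's code): per-MU 802.1x port gate.
# Assumptions: frames arrive as raw 802.3 (dst, src, EtherType, payload);
# the RADIUS result is fed in by the caller instead of a real RADIUS client.
import struct

ETHERTYPE_EAPOL = 0x888E  # IEEE 802.1X EAP over LAN
ETHERTYPE_IPV4 = 0x0800


class PortGate:
    """Forwarding decision for MUs on an 802.1x-protected WLAN."""

    def __init__(self):
        self.authorized = set()  # MACs for which RADIUS returned Access-Accept

    def radius_result(self, mac, accept):
        """Apply the outcome of the RADIUS exchange the switch proxied for this MU."""
        mac = mac.lower()
        if accept:
            self.authorized.add(mac)
        else:
            self.authorized.discard(mac)

    def decide(self, frame):
        """Return 'forward', 'to-authenticator' or 'drop' for one raw 802.3 frame."""
        if len(frame) < 14:
            return "drop"  # shorter than an Ethernet header: malformed
        _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
        mac = src.hex(":")
        if ethertype == ETHERTYPE_EAPOL:
            return "to-authenticator"  # EAPOL is relayed regardless of state
        if mac in self.authorized:
            return "forward"
        return "drop"  # unauthenticated MU: all non-EAP traffic is denied


def build_frame(src_mac, ethertype, payload=b""):
    """Constructed 802.3 frame; EAPOL goes to the PAE group address 01:80:c2:00:00:03."""
    if ethertype == ETHERTYPE_EAPOL:
        dst = bytes.fromhex("0180c2000003")
    else:
        dst = b"\xff" * 6
    src = bytes.fromhex(src_mac.replace(":", ""))
    return dst + src + struct.pack("!H", ethertype) + payload


def demo():
    """MU sends EAPOL-Start and an IPv4 frame before and after RADIUS accepts it."""
    gate = PortGate()
    mu = "00:a0:f8:12:34:56"  # constructed MU address
    eapol_start = build_frame(mu, ETHERTYPE_EAPOL, bytes([1, 1, 0, 0]))  # v1, EAPOL-Start
    ip_frame = build_frame(mu, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    before = (gate.decide(eapol_start), gate.decide(ip_frame))
    gate.radius_result(mu, accept=True)
    after = gate.decide(ip_frame)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that the gate keys on the EtherType, not on the MU's claimed state: an MU cannot talk itself past the gate, only a RADIUS accept (or a revocation via `radius_result(mac, False)`) changes what is forwarded.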

MAC ACL
The MAC ACL feature is a dynamic MAC ACL: MUs are allowed or denied access to the network based
on their configuration on the RADIUS server. The switch allows 802.11 authentication and
association, then checks with the RADIUS server to see whether the MAC address is allowed on the
network. The RADIUS Access-Request uses the MAC address of the MU as both the username and the
password (the RADIUS server must be configured with matching entries). MAC authentication
supports all encryption types, and in the case of 802.11i the handshake is completed before the
RADIUS lookup begins. Because a MAC address is transmitted in the clear over the air and is easily
changed on a client, this scheme identifies devices rather than strongly authenticating them;
treat it as a filter to combine with encryption, not as a substitute for 802.1x EAP. For
information on configuring MAC authentication for a WLAN, see “Configuring MAC authentication”
on page 116.
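The RADIUS lookup described above, as an added example that is not the Brocade guide's code: it builds the Access-Request the MAC-ACL scheme implies (User-Name and User-Password both set to the MU's MAC, password hidden per RFC 2865 section 5.2) and models the server side that decodes the password and compares it against an allowed list. The shared secret, the allowed-MAC list and the MAC text format (lowercase, colon-separated) are assumptions; the real format must match whatever the RADIUS server has been configured with.

```python
# Added example (not the Brocade guide's code): RADIUS Access-Request for
# MAC authentication, where username == password == MU MAC address.
# Assumptions: secret b"s3cret", MAC formatted "aa:bb:cc:dd:ee:ff" (lowercase).
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CALLING_STATION_ID = 31


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def attr(atype, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_mac_auth_request(mac, secret, identifier=0, authenticator=None):
    """Access-Request as the switch sends it for a MAC-ACL lookup."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    mac_b = mac.encode()
    attrs = (attr(ATTR_USER_NAME, mac_b)
             + attr(ATTR_USER_PASSWORD, hide_password(mac_b, secret, authenticator))
             + attr(ATTR_CALLING_STATION_ID, mac_b))
    length = 20 + len(attrs)  # Code(1) Identifier(1) Length(2) Authenticator(16)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_attrs(packet):
    """Return {type: value} for the attributes of a RADIUS packet, rejecting bad lengths."""
    attrs, pos = {}, 20
    length = struct.unpack("!H", packet[2:4])[0]
    if length > len(packet):
        raise ValueError("declared length exceeds packet")
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def server_decision(packet, secret, allowed_macs):
    """Model of the RADIUS server: accept only if name == password == an allowed MAC."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return False
    authenticator = packet[4:20]
    attrs = parse_attrs(packet)
    name = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    hidden = attrs.get(ATTR_USER_PASSWORD, b"")
    password = unhide_password(hidden, secret, authenticator).decode(errors="replace")
    return name == password and name.lower() in allowed_macs


if __name__ == "__main__":
    pkt = build_mac_auth_request("00:a0:f8:12:34:56", b"s3cret", identifier=7)
    print(server_decision(pkt, b"s3cret", {"00:a0:f8:12:34:56"}))
```

Note what the hiding protects and what it does not: the shared secret keeps the User-Password attribute from being read on the wired path between switch and RADIUS server, but the "password" is the MAC that any listener on the WLAN already sees, so the scheme's strength is exactly that of the allowed-MAC list.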

Secure beacon

Devices in a wireless network use Service Set Identifiers (SSIDs) to communicate. An SSID is a text
string up to 32 bytes long. An AP in the network announces its presence and capabilities by sending
beacons. The most basic measure adopted to keep others off the network is to change the default
SSID to one that is not easily recognizable and to disable broadcast of the SSID in beacons. Note
that this only removes the name from the beacon: the SSID is still sent in the clear in probe
responses and association requests whenever a legitimate client connects, so a hidden SSID is
obscurity rather than access control and must be paired with real authentication and encryption.

The SSID is carried in management frames (beacons, probe requests and responses, and association
requests) and identifies the network a frame belongs to. All wireless devices attempting to
communicate with each other must share the same SSID. Apart from identifying the network, the SSID
also serves to uniquely identify the group of wireless network devices that make up a given service
set.
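The SSID element described above, as an added example that is not code from the Brocade guide: a parser for the tagged information elements of an 802.11 beacon or probe-response body that extracts the SSID, enforces the 32-byte limit, and recognizes the hidden (zero-length or all-NUL) form an AP emits when SSID broadcast is disabled. The frame bodies are constructed by hand and the SSID "corp-wlan" is an assumption; running it shows the hidden name in the beacon and the real name in the probe response.

```python
# Added example (not the Brocade guide's code): SSID extraction from
# 802.11 management frame bodies. Assumptions: beacon/probe-response layout
# of timestamp(8) + beacon interval(2) + capability(2) followed by IEs.
import struct

IE_SSID = 0
IE_SUPPORTED_RATES = 1
SSID_MAX = 32  # bytes, per 802.11


def parse_ies(body):
    """Yield (element_id, data) from the tagged-parameter part of a mgmt frame body."""
    pos = 12  # skip the fixed fields
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + elen]
        if len(data) != elen:
            raise ValueError("truncated information element")
        yield eid, data
        pos += 2 + elen


def extract_ssid(body):
    """Return the SSID string, or None when the frame carries a hidden (wildcard) SSID.

    A hidden SSID appears as a zero-length element or as a run of NUL bytes.
    An element longer than 32 bytes violates the standard and is rejected.
    """
    for eid, data in parse_ies(body):
        if eid != IE_SSID:
            continue
        if len(data) > SSID_MAX:
            raise ValueError("SSID element longer than 32 bytes")
        if len(data) == 0 or data == b"\x00" * len(data):
            return None
        return data.decode("utf-8", errors="replace")
    return None


def build_body(ssid, hidden=False):
    """Constructed beacon/probe-response body: fixed fields, SSID IE, supported-rates IE."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, 100 TU, ESS+privacy+short slot
    if hidden:
        ssid_ie = bytes([IE_SSID, 0])  # AP with SSID broadcast disabled
    else:
        ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid
    rates_ie = bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mb/s
    return fixed + ssid_ie + rates_ie


def demo():
    """What a passive listener sees in the beacon versus in a probe response."""
    beacon = build_body(b"corp-wlan", hidden=True)      # broadcast by the AP
    probe_resp = build_body(b"corp-wlan", hidden=False)  # sent to any probing client
    return extract_ssid(beacon), extract_ssid(probe_resp)


if __name__ == "__main__":
    print(demo())
```

The usage point is the second return value: the hidden beacon yields no name, but the probe response the AP answers with reveals it, which is why the text above treats SSID hiding as a basic measure and not as a control on its own.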
