802.1x EAP, EAP-PSK and EAP MAC – Brocade Mobility RFS Controller System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual


Brocade Mobility RFS Controller System Reference Guide

53-1003099-01


802.1x EAP, EAP-PSK and EAP MAC

Configuring WLAN Security

The Extensible Authentication Protocol (EAP) is the de facto standard authentication method used
to provide secure authenticated access to WLANs. EAP provides mutual authentication, secured
credential exchange, dynamic keying and strong encryption. 802.1X EAP can be deployed with
WEP, WPA or WPA2 encryption schemes to further protect user information forwarded over WLANs.

The EAP process begins when an unauthenticated supplicant (client device) tries to connect with
an authenticator (in this case, the authentication server). An Access Point passes EAP packets from
the client to an authentication server on the wired side of the Access Point. All other packet types
are blocked until the authentication server (typically, a RADIUS server) verifies the client’s identity.
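
The gating behaviour described above, as an added example that is not taken from the Brocade guide or its software: a simplified per-client model in which only EAPOL frames are relayed until an EAP Success is returned. The names PortGate, eap_code, eapol_frame and demo are hypothetical, and the sample frames are constructed; the EAPOL EtherType (0x888E) and the EAP code values follow IEEE 802.1X and RFC 3748.

```python
import struct

ETHERTYPE_EAPOL = 0x888E   # IEEE 802.1X EAP over LAN
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748

def ethertype(frame: bytes) -> int:
    return struct.unpack_from("!H", frame, 12)[0] if len(frame) >= 14 else -1

def eap_code(frame: bytes):
    """EAP code name if the frame is a well-formed EAPOL EAP-Packet, else None."""
    if ethertype(frame) != ETHERTYPE_EAPOL or len(frame) < 22:
        return None
    _ver, eapol_type, body_len = struct.unpack_from("!BBH", frame, 14)
    code, _ident, eap_len = struct.unpack_from("!BBH", frame, 18)
    if eapol_type != 0 or eap_len < 4 or eap_len > body_len or 18 + body_len > len(frame):
        return None   # not an EAP-Packet, or the length fields are inconsistent
    return EAP_CODES.get(code)

class PortGate:
    """Hypothetical per-client gate: only EAPOL passes until the verdict is Success."""
    def __init__(self):
        self.authorized = False

    def from_client(self, frame: bytes) -> str:
        if ethertype(frame) == ETHERTYPE_EAPOL:
            return "relay-to-auth-server"
        return "forward" if self.authorized else "drop"

    def to_client(self, frame: bytes) -> None:
        # Simplification (assumption): the verdict is read from the EAP packet sent to the client.
        code = eap_code(frame)
        if code in ("Success", "Failure"):
            self.authorized = (code == "Success")

def eapol_frame(code: int, data: bytes = b"") -> bytes:
    """Constructed sample frame: Ethernet header + EAPOL v2 EAP-Packet + EAP header."""
    eap = struct.pack("!BBH", code, 1, 4 + len(data)) + data
    macs = bytes.fromhex("0180c2000003" "020000000001")   # constructed addresses
    return macs + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, 0, len(eap)) + eap

def demo():
    ipv4 = bytes.fromhex("020000000002" "020000000001" "0800") + b"\x45" + bytes(19)
    gate, log = PortGate(), []
    log.append(gate.from_client(ipv4))                         # before authentication
    log.append(gate.from_client(eapol_frame(2, b"\x01user")))  # EAP-Response/Identity
    gate.to_client(eapol_frame(3))                             # EAP-Success
    log.append(gate.from_client(ipv4))                         # after authentication
    return log

if __name__ == "__main__":
    print(demo())
```

Frames with inconsistent EAPOL or EAP length fields are treated as carrying no verdict, so a malformed Success does not change the gate's state.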

802.1X EAP provides mutual authentication over the WLAN during authentication. The 802.1X EAP
process uses credential verification to apply specific policies and restrictions to WLAN users to
ensure access is only provided to specific wireless controller resources.

802.1X requires an 802.1X-capable RADIUS server to authenticate users and an 802.1X client
installed on each device accessing the EAP-supported WLAN. An 802.1X client is included with
most commercial operating systems, including Microsoft Windows, Linux and Apple OS X.

The RADIUS server authenticating 802.1X EAP users can reside either internally or externally to a
controller, service platform or Access Point. User account creation and maintenance can be
provided centrally using ADSP or individually maintained on each device. If an external RADIUS
server is used, EAP authentication requests are forwarded.

When using PSK with EAP, the controller, service platform or Access Point sends a packet
requesting a secure link using a pre-shared key. The authenticating device must use the same
authenticating algorithm and passcode during authentication. EAP-PSK is useful when
transitioning from a PSK network to one that supports EAP. The only encryption types supported
with this are TKIP, CCMP and TKIP-CCMP.

To configure EAP on a WLAN:

1. Select Configuration > Wireless > Wireless LAN Policy to display available WLANs.

2. Select the Add button to create an additional WLAN, or select an existing WLAN and Edit to modify the security properties of an existing WLAN.

3. Select Security.

4. Select EAP, EAP-PSK or EAP-MAC as the authentication type.

Any of these options enables the radio buttons for various encryption mechanisms as an additional
measure of security with the WLAN.

FIGURE 5 EAP, EAP-PSK or EAP MAC Authentication screen
