Mac authentication – Brocade Mobility RFS Controller System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual



Brocade Mobility RFS Controller System Reference Guide, 53-1003099-01, chapter 6, page 259

5. Either select an existing AAA Policy from the drop-down menu or select the Create icon to the right of the AAA Policy parameter to display a screen where new AAA policies can be created. Select the Edit icon to modify the configuration of the selected AAA policy.

Authentication, authorization, and accounting (AAA) is a framework for intelligently controlling
access to the network, enforcing user authorization policies and auditing and tracking usage.
These combined processes are central for securing wireless client resources and wireless
network data flows.

6. Select the Reauthentication check box to force EAP supported clients to reauthenticate. Use the spinner control to set the number of seconds (from 30 - 86,400) that, once exceeded, forces the EAP supported client to reauthenticate to use the resources supported by the WLAN.

7. Select OK when completed to update the WLAN’s EAP configuration. Select Reset to revert back to the last saved configuration.

EAP, EAP-PSK and EAP MAC Deployment Considerations

802.1x EAP, EAP-PSK and EAP MAC

Before defining an 802.1x EAP, EAP-PSK or EAP MAC supported configuration on a WLAN, refer to
the following deployment guidelines to ensure the configuration is optimally effective:

Brocade recommends a valid certificate be issued and installed on devices providing 802.1X
EAP. The certificate should be issued from an Enterprise or public certificate authority to allow
802.1X clients to validate the identity of the authentication server prior to forwarding
credentials.

If using an external RADIUS server for EAP authentication, Brocade recommends the round trip
delay over the WAN does not exceed 150ms. Excessive delays over a WAN can cause
authentication and roaming issues and impact wireless client performance. If experiencing
excessive delays, consider using local RADIUS resources.

MAC Authentication


MAC is a device level authentication method used to augment other security schemes when legacy
devices are deployed using static WEP.

MAC authentication can be used for device level authentication by permitting WLAN access based
on device MAC address. MAC authentication is typically used to augment WLAN security options
that do not use authentication (such as static WEP, WPA-PSK and WPA2-PSK). MAC authentication
can also be used to assign VLAN memberships, Firewall policies and time and date restrictions.

MAC authentication can only identify devices, not users. MAC authentication only references a
client wireless interface card MAC address when authenticating the device; it does not distinguish
the device’s user credentials. MAC authentication is somewhat poor as a standalone data
protection technique, as MAC addresses can be easily spoofed by hackers who can provide a
device MAC address to mimic a trusted device within the network.

MAC authentication is enabled per WLAN profile, augmented with the use of a RADIUS server to
authenticate each device. A device’s MAC address can be authenticated against the local RADIUS
server built into the device or centrally (from a datacenter). For RADIUS server compatibility, the
MAC address can be forwarded to the RADIUS server in non-delimited and/or delimited formats:
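Because the controller can forward the MAC address in either a delimited or a non-delimited format, the RADIUS side only matches reliably if both the forwarded value and the stored device entries are compared in one canonical form. The following is an added example, not Brocade code and not part of this guide: it canonicalises a MAC address written in any common style, renders it in the style a given RADIUS server expects, and performs an allowlist lookup that is insensitive to delimiter and case. The style names (`none`, `colon`, `hyphen`, `dot`) and the sample allowlist are this example's own assumptions, not controller configuration values.

```python
import re

# Canonical internal form: 12 lowercase hex digits, no delimiters.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_DELIMS = re.compile(r"[:\-.]")


def canonical_mac(raw: str) -> str:
    """Normalise a MAC address in delimited (aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff,
    aabb.ccdd.eeff) or non-delimited (aabbccddeeff) style to 12 lowercase hex
    digits. Raises ValueError on malformed input so that a typo in a device
    entry fails loudly instead of silently never matching."""
    if not isinstance(raw, str):
        raise ValueError("MAC address must be a string")
    stripped = _DELIMS.sub("", raw.strip().lower())
    if not _HEX12.match(stripped):
        raise ValueError(f"not a valid MAC address: {raw!r}")
    return stripped


def format_mac(mac: str, style: str = "none", upper: bool = False) -> str:
    """Render a MAC address in the format a RADIUS server expects.
    Style names are assumptions of this example, not product settings."""
    canon = canonical_mac(mac)
    pairs = [canon[i:i + 2] for i in range(0, 12, 2)]
    if style == "none":
        out = canon                       # non-delimited: aabbccddeeff
    elif style == "colon":
        out = ":".join(pairs)             # aa:bb:cc:dd:ee:ff
    elif style == "hyphen":
        out = "-".join(pairs)             # aa-bb-cc-dd-ee-ff
    elif style == "dot":
        out = ".".join(canon[i:i + 4] for i in range(0, 12, 4))  # aabb.ccdd.eeff
    else:
        raise ValueError(f"unknown MAC format style: {style!r}")
    return out.upper() if upper else out


def build_allowlist(entries):
    """Canonicalise every configured device entry once, whatever style the
    administrator typed it in, so lookups do not depend on delimiter or case."""
    return {canonical_mac(entry) for entry in entries}


def mac_permitted(forwarded: str, allowlist) -> bool:
    """Decide whether a MAC forwarded by the controller is on the allowlist.
    Note the limitation the guide states: this identifies a device, not a user,
    and a spoofed address that matches an entry will also be permitted, so it
    should augment, not replace, a real authentication scheme."""
    try:
        return canonical_mac(forwarded) in allowlist
    except ValueError:
        return False                      # malformed input is never permitted


# Constructed sample allowlist, deliberately in mixed styles.
SAMPLE_ALLOWLIST = build_allowlist([
    "00:A0:F8:12:34:56",
    "00-a0-f8-ab-cd-ef",
    "00a0.f811.2233",
])

if __name__ == "__main__":
    for style in ("none", "colon", "hyphen", "dot"):
        print(style, format_mac("00:A0:F8:12:34:56", style))
    print(mac_permitted("00A0F8123456", SAMPLE_ALLOWLIST))
```

In practice the allowlist lives on the RADIUS server, and the canonicalisation step is what lets one set of device entries serve WLANs that forward the address in different formats.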

To configure MAC on a WLAN:
