Brocade Mobility 5181 Access Point Product Reference Guide (Supporting software release 4.4.0.0): Configuring 802.1x EAP authentication


Brocade Mobility 5181 Access Point Product Reference Guide

137

53-1002516-01

Chapter 6: Configuring 802.1x EAP authentication

6. Click the Apply button to return to the WLAN screen to save any changes made within the Kerberos Configuration field of the New Security Policy screen.

7. Click the Cancel button to undo any changes made within the Kerberos Configuration field and return to the WLAN screen. This reverts all settings for the Kerberos Configuration field to the last saved configuration.

Configuring 802.1x EAP authentication

The IEEE 802.1x standard ties the 802.1x EAP authentication protocol to both wired and wireless LAN applications.

The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an authenticator (in this case, the authentication server). The Mobility 5181 Access Point passes EAP packets from the client to an authentication server on the wired side of the Mobility 5181 Access Point. All other packet types are blocked until the authentication server (typically, a RADIUS server) verifies the client's identity.
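The port-access behaviour described above, written as a small added example that is not part of the Brocade manual: the access point relays EAP over LAN (EAPOL, EtherType 0x888E) frames to the authentication server for every supplicant, drops all other traffic from a supplicant the server has not yet accepted, and forwards normal traffic only after an Access-Accept. The frame layout, the verdict strings and the sample MAC address are constructed for this example.

```python
"""Minimal model of 802.1X port access on an access point (added example).

The access point keeps a set of supplicant MAC addresses that the
authentication server (RADIUS) has verified. EAPOL frames are always
relayed to the server; any other frame is dropped until the supplicant's
MAC is in the authorized set. Names and data here are constructed."""

from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X EAP over LAN
IPV4_ETHERTYPE = 0x0800


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: str = ""


@dataclass
class AccessPoint:
    # Supplicant MACs whose identity the authentication server has verified
    authorized: set = field(default_factory=set)
    # Record of (src_mac, ethertype, verdict) for inspection
    log: list = field(default_factory=list)

    def forward(self, frame: Frame) -> str:
        """Return 'to_auth_server', 'to_lan' or 'dropped' for one frame."""
        if frame.ethertype == EAPOL_ETHERTYPE:
            verdict = "to_auth_server"        # EAP is always relayed to RADIUS
        elif frame.src_mac in self.authorized:
            verdict = "to_lan"                # controlled port open for this client
        else:
            verdict = "dropped"               # everything else blocked until accepted
        self.log.append((frame.src_mac, frame.ethertype, verdict))
        return verdict

    def radius_result(self, src_mac: str, accepted: bool) -> None:
        """Apply the server's decision: Access-Accept opens, Access-Reject closes."""
        if accepted:
            self.authorized.add(src_mac)
        else:
            self.authorized.discard(src_mac)


def demo() -> list:
    """Walk one supplicant through the exchange and return the verdicts in order."""
    ap = AccessPoint()
    mac = "00:11:22:33:44:55"                 # constructed sample supplicant
    verdicts = [
        ap.forward(Frame(mac, IPV4_ETHERTYPE, "IPv4 before auth")),
        ap.forward(Frame(mac, EAPOL_ETHERTYPE, "EAP-Response/Identity")),
    ]
    ap.radius_result(mac, accepted=True)      # server verified the client
    verdicts.append(ap.forward(Frame(mac, IPV4_ETHERTYPE, "IPv4 after auth")))
    ap.radius_result(mac, accepted=False)     # later reject or EAPOL-Logoff
    verdicts.append(ap.forward(Frame(mac, IPV4_ETHERTYPE, "IPv4 after logoff")))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that authorization is per supplicant and revocable: a second client sending EAPOL still reaches the server, but its data traffic is dropped until the server accepts that client specifically.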

To configure 802.1x EAP authentication on the Mobility 5181 Access Point:

1. Select Network Configuration -> Wireless -> Security from the Mobility 5181 Access Point menu tree.

If security policies supporting 802.1x EAP exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting 802.1x EAP, continue to step 2.

2. Click the Create button to configure a new policy supporting 802.1x EAP.

The New Security Policy screen displays with no authentication or encryption options selected.

3. Select the 802.1x EAP radio button.

Realm Name
Specify a realm name that is case-sensitive, for example, BROCADE.COM. The realm name is the domain/realm name of the KDC server. A realm name functions similarly to a DNS domain name. In theory, the realm name is arbitrary. However, in practice a Kerberos realm is named by uppercasing the DNS domain name that is associated with hosts in the realm.

Primary KDC
Specify a numerical (non-DNS) IP address and port for the primary Key Distribution Center (KDC). The KDC implements an Authentication Service and a Ticket Granting Service, whereby an authorized user is granted a ticket encrypted with the user's password. The KDC has a copy of every user password.

Backup KDC
Optionally, specify a numerical (non-DNS) IP address and port for a backup KDC. Backup KDCs are referred to as slave servers. The slave server periodically synchronizes its database with the primary (or master) KDC.

Remote KDC
Optionally, specify a numerical (non-DNS) IP address and port for a remote KDC. Kerberos implementations can use an administration server allowing remote manipulation of the Kerberos database. This administration server usually runs on the KDC.

Port
Specify the ports on which the Primary, Backup and Remote KDCs reside. The default port number for Kerberos Key Distribution Centers is Port 88.
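A validator for the Kerberos fields listed above, added here as an example and not taken from the Brocade manual or the access point's software. It enforces what the field descriptions state: the realm is case-sensitive and conventionally the upper-cased DNS domain (a lower-case realm is accepted but flagged), the primary KDC is required while the backup and remote KDCs are optional, and each KDC is given as a numeric (non-DNS) IP address with a port that defaults to 88. The dictionary keys, the IPv4-only assumption and the sample addresses are this example's own choices.

```python
"""Validate a Kerberos security-policy entry before pushing it to an AP (added example).

Field names (realm, primary_kdc, backup_kdc, remote_kdc) and the
'ip' / 'ip:port' notation are assumptions of this example, not the
access point's own configuration format."""

import ipaddress

KERBEROS_DEFAULT_PORT = 88


def parse_kdc(value: str, default_port: int = KERBEROS_DEFAULT_PORT) -> tuple:
    """Parse 'ip' or 'ip:port' into (ip, port).

    Hostnames are rejected because the AP expects a numerical (non-DNS)
    address; an omitted port falls back to the Kerberos default of 88."""
    host, sep, port_text = value.strip().partition(":")
    try:
        ip = ipaddress.IPv4Address(host)      # raises for names such as kdc.example.com
    except ipaddress.AddressValueError:
        raise ValueError(f"KDC must be a numeric IPv4 address, got {host!r}")
    port = int(port_text) if sep else default_port
    if not 1 <= port <= 65535:
        raise ValueError(f"KDC port out of range: {port}")
    return str(ip), port


def validate_kerberos_policy(policy: dict) -> dict:
    """Return normalised settings plus a list of warnings for legal-but-unusual values.

    Raises ValueError for anything the AP could not accept (missing realm,
    missing primary KDC, non-numeric KDC address, bad port)."""
    realm = policy.get("realm", "").strip()
    if not realm:
        raise ValueError("Realm Name is required")
    warnings = []
    if realm != realm.upper():
        warnings.append(
            f"realm {realm!r} is not upper-case; realms are case-sensitive and "
            "conventionally the upper-cased DNS domain of the hosts in the realm"
        )
    if not policy.get("primary_kdc"):
        raise ValueError("Primary KDC is required")
    result = {"realm": realm, "primary_kdc": parse_kdc(policy["primary_kdc"])}
    for key in ("backup_kdc", "remote_kdc"):      # both optional
        if policy.get(key):
            result[key] = parse_kdc(policy[key])
    result["warnings"] = warnings
    return result


if __name__ == "__main__":
    # Constructed sample policy using documentation addresses (RFC 5737 range)
    sample = {
        "realm": "BROCADE.COM",
        "primary_kdc": "192.0.2.10",
        "backup_kdc": "192.0.2.11:88",
        "remote_kdc": "",
    }
    print(validate_kerberos_policy(sample))
```

Running the checks before the settings are applied catches the two mistakes the table warns against: entering a DNS name where the AP wants an IP, and a realm whose case does not match the KDC's, which would make every ticket request fail even though the form accepts the value.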
