Additional lan subnet, On-board radius server authentication, Hotspot support – Brocade Mobility 5181 Access Point Product Reference Guide (Supporting software release 4.4.0.0) User Manual


53-1002516-01

Feature overview


Additional LAN subnet

In a typical retail or small office environment (wherein a wireless network is available along with a
production WLAN) it is frequently necessary to segment a LAN into two subnets. Consequently, a
second LAN is necessary to “segregate” wireless traffic.

The access point has a second LAN subnet enabling administrators to segment the access point’s
LAN connection into two separate networks. The main access point LAN screen allows the user to
select either LAN1 or LAN2 as the active LAN over the access point’s Ethernet port. Both LANs can
still be active at any given time, but only one can transmit over the access point’s physical LAN
connection. Each LAN has a separate configuration screen (called LAN 1 and LAN 2 by default)
accessible under the main LAN screen. The user can rename each LAN as necessary. Additionally,
each LAN can have its own Ethernet Type Filter configuration, and subnet access (HTTP, SSH,
SNMP and telnet) configuration.

For detailed information on configuring the access point for additional LAN subnet support, see
“Configuring the LAN interface” on page 93.

On-board Radius server authentication

The access point has the ability to work as a Radius Server to provide user database information
and user authentication. Several new screens have been added to the access point’s menu tree to
configure Radius server authentication and configure the local user database and access policies.
A new Radius Server screen allows an administrator to define the data source, authentication type
and associate digital certificates with the authentication scheme. The LDAP screen allows the
administrator to configure an external LDAP Server for use with the access point. A new Access
Policy screen enables the administrator to set WLAN access based on user groups defined within
the User Database screen. Each user is authorized based on the access policies applicable to that
user. Access policies allow an administrator to control access for user groups based on the WLAN
configurations.

For detailed information on configuring the access point for AAA Radius Server support, see
“Configuring user authentication” on page 167.

Hotspot support

The access point allows hotspot operators to provide user authentication and accounting without a
special client application. The access point uses a traditional Internet browser as a secure
authentication device. Rather than rely on built-in 802.11 security features to control access point
association privileges, you can configure a WLAN with no WEP (an open network). The access point
issues an IP address to the user using a DHCP server, authenticates the user and grants the user
access to the Internet.

If a tourist visits a public hotspot and wants to browse a Web page, they boot their laptop and
associate with a local Wi-Fi network by entering a valid SSID. They start a browser, and the
hotspot’s access controller forces the un-authenticated user to a Welcome page (from the hotspot
operator) that allows the user to login with a username and password. In order to send a redirected
page (a login page), a TCP termination exists locally on the access point. Once the login page
displays, the user enters their credentials. The access point connects to the Radius server and
determines the identity of the connected wireless user, allowing the user to access the
Internet once successfully authenticated.
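The login flow described above, modelled as an added example (it is not Brocade's code and not part of the original guide). The class name, the Welcome-page URL, the in-memory user table standing in for the Radius server, and the rule that DHCP and DNS pass while other non-HTTP traffic is dropped before login are all assumptions of this sketch.

```python
import hashlib
import hmac

LOGIN_URL = "http://192.0.2.1/welcome"   # hypothetical Welcome page served by the access point
PRE_AUTH_ALLOWED = {"dhcp", "dns"}       # assumption: what a client needs before it can log in
SALT = b"constructed-salt"               # constructed value for this example only


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed user table standing in for the Radius server's user database.
USERS = {"guest1": _hash("s3cret-example")}


class HotspotGate:
    """Per-client gate for an open WLAN: nothing but the login path works until login."""

    def __init__(self):
        self.authenticated = set()       # MAC addresses that completed the login page

    def check_credentials(self, username: str, password: str) -> bool:
        expected = USERS.get(username, b"")
        # Unknown users still cost one hash, and the compare is constant-time.
        return hmac.compare_digest(_hash(password), expected)

    def login(self, mac: str, username: str, password: str) -> bool:
        """Called when the Welcome page form is submitted."""
        if self.check_credentials(username, password):
            self.authenticated.add(mac)
            return True
        return False                     # failed logins leave the client gated

    def handle(self, mac: str, proto: str):
        """Decide what to do with one client request, keyed on the client MAC."""
        if proto in PRE_AUTH_ALLOWED or mac in self.authenticated:
            return ("allow", None)
        if proto == "http":
            # The connection is terminated locally so a redirect can be returned.
            return ("redirect", LOGIN_URL)
        return ("drop", None)
```

Because authorization state is keyed on the client MAC over an open WLAN, the gate identifies a device, not a person, and provides no link-layer confidentiality for traffic after login.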
