9.15.3 Securing the WLAN, 9.16 SNMP Configuration – AASTRA SIP-DECT (Release 3.0) - OM System Manual - Installation, Administration and Maintenance EN User Manual


SIP–DECT OM System Manual Release 3.0

9 Configuration and Administration Aspects

Aastra

depl-1624/1.0

Page: 200 (241)

9.15.3 Securing the WLAN

To ensure that communication in the WLAN network is secure, several measures
need to be taken. Firstly, data packets transmitted via the openly visible radio interface must
be encrypted, and secondly, all WLAN components that provide services should be required
to authenticate themselves.

Different encryption methods are available, which you configure within the WLAN
profile (see chapter 7.8.1). However, only the recent Wi-Fi Protected Access (WPA)
encryption offers sufficient security against possible intruders. You should not use the (older)
WEP encryption for your company LAN.

Especially with larger WLAN installations, the single shared secret offered by WPA-Personal
may not be sufficient for your security requirements, because any person who connects to
the WLAN needs to know the same shared secret. For this reason, you should also set up
RADIUS authentication, which is supported by all RFP (L) 42 WLAN and RFP (L) 43 WLAN
devices.

A RADIUS (Remote Authentication Dial In User Service) server handles 802.1X
authentication and thus authorizes different WLAN clients to log in, each with an individual
username / password combination. We recommend using a RADIUS server with EAP-TLS (e.g.
FreeRADIUS or MS Windows 2003 IAS Server) and a Certificate Authority (CA).

The RADIUS authentication takes place between the RADIUS server and the RADIUS client,
with the WLAN RFP passing this communication through. Refer to the
documentation that comes with your RADIUS product for details on how to set up, maintain
and operate the RADIUS system.

9.16 SNMP Configuration

To manage a larger RFP network, an SNMP agent is provided for each RFP. It provides
alarm information and allows an SNMP management system (such as HP OpenView) to
manage this network. The SNMP agents can be configured in the SNMP menu of the OM
Web service, see chapter 7.4.5.

All SNMP agents are configured by the OMM. Additional parameters that are valid for the
individual RFP (e.g. “sysLocation” and “sysName”) are generated. The “sysLocation”
parameter corresponds to the location configured via the OMM web interface. The
“sysName” parameter is generated using the MAC address and the RFP device type (e.g.
RFP (L) 43 WLAN). The RFP uptime can be requested by reading the “sysUpTime”
parameter. This value indicates how long the RFP application software has been running. It
does not indicate the uptime of the operating system, which does not correspond to the
operational RFP state.

The SNMP agent responds to SNMPv1 and SNMPv2c read requests for the standard
MIB-II objects. The Management Information Base (MIB-II) contains 11 object groups. The
agent receives both SNMPv1 and SNMPv2c traps. It sends a “coldStart” trap when it first
starts up. It also sends an enterprise-specific trap “nsNotifyShutdown” when it stops. When
the SNMP agent receives an SNMP request using an unknown community name, it sends an
“authenticationFailure” trap. The SNMP agent also generates an enterprise-specific trap
“nsNotifyRestart” (rather than the standard “coldStart” or “warmStart” traps) after being
reconfigured.
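
The traps listed above can be triaged on the management station. The following Python code is an added example, not part of the Aastra manual or the OMM software; the log line format, the addresses, the thresholds and the finding names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO time> <RFP address> <trap name>", one trap per line.
# This line format is an assumption, not the output of a particular trap receiver.
SAMPLE = """\
2024-05-01T10:00:00 192.0.2.11 coldStart
2024-05-01T10:05:00 192.0.2.12 authenticationFailure
2024-05-01T10:05:20 192.0.2.12 authenticationFailure
2024-05-01T10:05:40 192.0.2.12 authenticationFailure
2024-05-01T10:30:00 192.0.2.11 nsNotifyRestart
2024-05-01T11:00:00 192.0.2.13 nsNotifyShutdown
2024-05-01T11:10:00 192.0.2.12 authenticationFailure
2024-05-01T11:20:00 192.0.2.14 nsNotifyShutdown
2024-05-01T11:21:00 192.0.2.14 coldStart
"""

def triage(log, burst=3, window=timedelta(minutes=5)):
    """Return sorted (rfp, finding) pairs for traps that need operator attention."""
    failures = defaultdict(list)   # rfp -> times of recent authenticationFailure traps
    last = {}                      # rfp -> last lifecycle trap seen
    findings = set()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue               # skip malformed lines instead of failing
        when, rfp, trap = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if trap == "authenticationFailure":
            # Sliding window: keep only failures no older than `window`.
            recent = [t for t in failures[rfp] if when - t <= window] + [when]
            failures[rfp] = recent
            if len(recent) >= burst:
                # Repeated requests with an unknown community name.
                findings.add((rfp, "unknown-community-burst"))
        elif trap == "nsNotifyRestart":
            findings.add((rfp, "agent-reconfigured"))
            last[rfp] = trap
        elif trap in ("coldStart", "nsNotifyShutdown"):
            last[rfp] = trap
    # An agent whose last lifecycle trap is a shutdown has not reported back.
    findings.update((r, "agent-stopped") for r, t in last.items()
                    if t == "nsNotifyShutdown")
    return sorted(findings)

if __name__ == "__main__":
    for rfp, finding in triage(SAMPLE):
        print(rfp, finding)
```

An "agent-reconfigured" finding is worth comparing against the OMM change record, since all agents are configured by the OMM.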
