Ieee 802.1x security mode, Authentication process, Ieee 802.1x security mode -23 – HP ProCurve 520wl Wireless Access Point User Manual

Other Security Configuration Settings

2-23

ieee 802.1x security mode

ieee 802.1x security mode

ieee 802.1x security mode

ieee 802.1x security mode

IEEE 802.1x is a standard that provides a means to authenticate and authorize network devices attached to a LAN port. A port

in the context of IEEE 802.1x is a point of attachment to the LAN, either a physical Ethernet connection or a wireless link to an

Access Point.
802.1x uses the Extensible Authentication Protocol (EAP) as a standards-based authentication framework, and supports

automatic key distribution for enhanced security. The EAP-based authentication framework can easily be upgraded to keep

pace with future EAP types.
Popular EAP types include:

Q

EAPoL (EAP over LAN): Transport protocol used to negotiate the WLAN user’s secure connection to the network. EAP

messages are encapsulated in 802.1X messages.

Q

EAP-Message Digest 5 (MD5): Username/Password-based authentication; does not support automatic key distribution

Q

EAP-Transport Layer Security (TLS): Certificate-based authentication (a certificate is required on the server and each client);

supports automatic key distribution

Q

EAP-Tunneled Transport Layer Security (TTLS): Certificate-based authentication (a certificate is required on the server; a

client’s username/password is tunneled to the server over a secure connection); supports automatic key distribution

Q

PEAP - Protected EAP with MS-CHAP v2: Secure username/password-based authentication; supports automatic key

distribution

Different servers support different EAP types and each EAP type provides different features. Refer to the documentation that

came with your RADIUS server to determine which EAP types it supports.

NOTE:

The WL520 supports the following EAP types when 802.1x Security Mode is set to 802.1x: EAP-TLS, PEAP, and EAP-

TTLS. When 802.1x Security Mode is set to Mixed, the WL520 supports the following EAP types: EAP-TLS, PEAP, EAP-

TLLS, and EAP-MD5 (MD5 does not support automatic key distribution; therefore, if you choose this method you need

to manually configure each client with the network’s encryption key).

authentication process

authentication process

authentication process

authentication process

There are three main components in the authentication process. The standard refers to them as:

1. supplicant (client PC)
2. authenticator (Access Point)
3. authentication server (RADIUS server)

When using 802.1x Security Mode or Mixed mode (802.1x and WEP), you need to configure your RADIUS server for

authentication purposes.
Prior to successful authentication, an unauthenticated client PC cannot send any data traffic through the WL520 device to other

systems on the LAN. The WL520 device inhibits all data traffic from a particular client PC until the client PC is authenticated.

Regardless of its authentication status, a client PC can always exchange 802.1x messages in the clear with the WL520 unit (the

client begins encrypting data after it has been authenticated).

Figure 2-22

Figure 2-22

Figure 2-22

Figure 2-22 RADIUS Authentication Illustrated

RADIUS Authentication Illustrated

RADIUS Authentication Illustrated

RADIUS Authentication Illustrated

The WL520 device acts as a pass-through device to facilitate communications between the client PC and the RADIUS server.

The WL520 unit and the client PC exchange 802.1x messages using an EAPOL (EAP Over LAN) protocol. Messages sent from

the client station are encapsulated by the WL520 device and transmitted to the RADIUS server using EAP extensions.