MAC address authentication to the network – Rockwell Automation 1783-WAPxxx Stratix 5100 Wireless Access Point User Manual

Page 354


Rockwell Automation Publication 1783-UM006A-EN-P - May 2014

Chapter 12

Configuring Authentication Types

The client uses a one-way encryption of the user-supplied password to generate a
response to the challenge and sends that response to the RADIUS server. By
using information from its user database, the RADIUS server creates its own
response and compares that to the response from the client. When the RADIUS
server authenticates the client, the process repeats in reverse, and the client
authenticates the RADIUS server.

When mutual authentication is complete, the RADIUS server and the client
determine a WEP key that is unique to the client and provides the client with the
appropriate level of network access, thereby approximating the level of security in
a wired switched segment to an individual desktop. The client loads this key and
prepares to use it for the logon session.

During the logon session, the RADIUS server encrypts and sends the WEP key,
called a session key, over the wired LAN to the access point. The access point
encrypts its broadcast key with the session key and sends the encrypted broadcast
key to the client, which uses the session key to decrypt it. The client and access
point activate WEP and use the session and broadcast WEP keys for all
communication during the remainder of the session.

There is more than one type of EAP authentication, but the access point behaves
the same way for each type: it relays authentication messages from the wireless
client device to the RADIUS server and from the RADIUS server to the wireless
client device.

See Assigning Authentication Types to an SSID on page 359 for instructions on
setting up EAP on the access point.

MAC Address Authentication to the Network

The access point relays the wireless client device’s MAC address to a RADIUS
server on your network, and the server checks the address against a list of allowed
MAC addresses. Intruders can create counterfeit MAC addresses, so MAC-based
authentication is less secure than EAP authentication.

However, MAC-based authentication provides an alternate authentication
method for client devices that don’t have EAP capability.

See Assigning Authentication Types to an SSID on page 359 for instructions
on enabling MAC-based authentication.

IMPORTANT

If you use EAP authentication, you can choose open or shared key
authentication, but you don’t have to. EAP authentication controls
authentication both to your access point and to your network.

TIP

If you don’t have a RADIUS server on your network, you can create a list of
allowed MAC addresses on the access point’s Advanced Security: MAC Address
Authentication page. Devices with MAC addresses not on the list are not
allowed to authenticate.
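The allow-list check described under MAC Address Authentication to the Network and in the TIP above can be sketched as follows. This is an added example, not code from the manual or from the access point firmware; the function names and the sample addresses (taken from the RFC 7042 documentation range) are assumptions. It also audits the list itself for entries that weaken it.

```python
import re

def normalize_mac(raw):
    """Reduce colon, hyphen, dotted or bare notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return digits

def address_flags(mac):
    """Flags read from the first octet of a normalized MAC."""
    first = int(mac[:2], 16)
    flags = []
    if first & 0x01:
        flags.append("group")                 # multicast/broadcast, never a client source
    if first & 0x02:
        flags.append("locally-administered")  # assigned in software, not burned in
    return flags

def audit_allow_list(entries):
    """Return (allowed_set, findings) for a raw allow list."""
    allowed, findings = set(), []
    for entry in entries:
        try:
            mac = normalize_mac(entry)
        except ValueError:
            findings.append((entry, "invalid"))
            continue
        if mac in allowed:
            findings.append((entry, "duplicate"))
        flags = address_flags(mac)
        findings.extend((entry, flag) for flag in flags)
        if "group" not in flags:              # group addresses are never admitted
            allowed.add(mac)
    return allowed, findings

def authenticate(client_mac, allowed):
    """Membership test only: a match shows that the client presented a listed
    address, not that it is the listed device (addresses can be counterfeited)."""
    try:
        return normalize_mac(client_mac) in allowed
    except ValueError:
        return False

# Constructed sample list, not taken from the manual.
SAMPLE_LIST = ["00:00:5E:00:53:01", "0000.5e00.5301", "02-00-5E-00-53-02",
               "00:00:5E:00:53", "01005e005303"]
ALLOWED, FINDINGS = audit_allow_list(SAMPLE_LIST)
```

Normalizing before comparison keeps one device from being listed twice in different notations, and the findings point at entries worth reviewing before the list is trusted.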
