Motorola Solutions AP-6511 Access Point System Reference Guide
6-8
Refer to Captive Portal on page 6-11 for information on assigning a captive portal policy to a WLAN. A captive
portal is a guest access configuration policy that can applied to a WLAN to provide strategic access to the
WLAN.
Encryption is central for WLAN security, as it provides data privacy for traffic forwarded over a WLAN. When
the 802.11 specification was introduced, Wired Equivalent Privacy (WEP) was the primary encryption
mechanism. WEP has since been interpreted as flawed in many ways, and is not considered an effective
standalone encryption scheme for securing a WLAN. WEP is typically used WLAN deployments designed to
support legacy clients. New device deployments should use either WPA or WPA2 encryption.
Encryption applies a specific algorithm to alter its appearance and prevent unauthorized hacking. Decryption
applies the algorithm in reverse, to restore the data to its original form. A sender and receiver must employ
the same encryption/decryption method to interoperate. When both TKIP and CCMP are both enabled a mix
of clients are allowed to associate with the WLAN. Some use TKIP, others use CCMP. Since broadcast traffic
needs to be understood by all clients, the broadcast encryption type in this scenario is TKIP.
Refer to the following to configure an encryption scheme for a WLAN:
• WPA/WPA2-TKIP
• WPA2-CCMP
• WEP 64
• WEP 128
6.1.2.1 802.1x EAP, EAP PSK and EAP MAC

Configuring WLAN Security
The Extensible Authentication Protocol (EAP) is the de-facto standard authentication method used to provide
secure authenticated access to WLANs. EAP provides mutual authentication, secured credential exchange,
dynamic keying and strong encryption. 802.1X EAP can be deployed with WEP, WPA or WPA2 encryption
schemes to further protect user information forwarded over wireless controller managed WLANs.
The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an
authenticator (in this case, the authentication server). An Access Point passes EAP packets from the client
to an authentication server on the wired side of the access point. All other packet types are blocked until the
authentication server (typically, a RADIUS server) verifies the client’s identity.
802.1X EAP provides mutual authentication over the WLAN during authentication. The 802.1X EAP process
uses credential verification to apply specific policies and restrictions to WLAN users to ensure access is only
provided to specific wireless controller resources.
802.1X requires a 802.1X capable RADIUS server to authenticate users and a 802.1X client installed on each
devices accessing the EAP supported WLAN. An 802.1X client is included with most commercial operating
systems, including Microsoft Windows, Linux and Apple OS X.
The RADIUS server authenticating 802.1X EAP users resides externally to the AP-6511. User account creation
and maintenance can be provided centrally using RFMS or individually maintained on each device. If an
external RADIUS server is used, EAP authentication requests are forwarded.
When using PSK with EAP, packets are sent requesting a secure link using a pre-shared key. The AP-6511
and authenticating device must use the same authenticating algorithm and passcode during authentication.
EAP-PSK is useful when transitioning from a PSK network to one that supports EAP. The only encryption types
supported with this are TKIP, CCMP and TKIP-CCMP. EAP-MAC is useful when in a hotspot environment, as
some clients support EAP and an administrator may want to authenticate based on just the MAC address of
the device. The only encryption type supported with this is None.
To Next Page
Loading...
Need help?
General
