
Product Documentation for Enterprise-Managed AP


 


Set up IEEE 802.1x Security and Test Client Logins

Standard Security Features (WEP, WPA-PSK)

Instant802 AP offers advanced WLAN security. Browse to the Advanced > Security tab to explore the WEP and WPA-PSK settings with which you are familiar.

Note

One of the value-adds of the Devicescape Enterprise-Managed AP firmware solution is that it ships with a menu of security choices that include the most powerful and up-to-date, standards-based wireless security available. In the next section, we'll explore how to use one of the advanced security options: IEEE 802.1x security mode.

Advanced Security Features (user/password local authentication)

The Devicescape Enterprise-Managed AP goes beyond the commonly found MAC address-based authentication to offer more secure and scalable user-based authentication. A local authentication server resides on the AP and supports PEAP/MSChapV2 password authentication operating over the standard IEEE 802.1x EAP protocol.

In order to evaluate this new feature, you will need to set up the following:

  1. Use the Microsoft Windows native client for out-of-box experience. Disable any third-party IEEE 802.1x client software. (You can test these later.)
  2. Navigate to Cluster > User Management on the AP Administration Web pages and add new user(s) to be recognized by the access point.

  3. On the Advanced > Security tab on the AP, set up the access point to use the built-in Authentication Server (RADIUS server) for user-based authentication.
  4. (Note that the guest network is hard-wired to "plaintext" augmented by guest portal infrastructure. The security settings we are configuring here are for the internal network.)



  5. Set up the Windows XP wireless client for IEEE 802.1x security mode with username/password challenge to match the security mode on the AP.
  6. If you configured the Devicescape Enterprise-Managed AP to use IEEE 802.1x security mode . . .

    . . . then configure IEEE 802.1x security with PEAP authentication on your client as shown below. (Refer to the picture sequence labeled 1-4 and the associated steps below.)





  7. Configure the following settings on the Association tab on the Network Properties dialog.
    Association Tab
    Network Authentication: Open
    Data Encryption: WEP
    Note: An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy check (CRC) of each IEEE 802.11 frame. This is the same encryption algorithm as is used for Static WEP; therefore, the data encryption method configured on the client for this mode is WEP.
    This key is provided for me automatically: Enable (click to check) this option.
  8. Configure this setting on the Authentication tab.
    Authentication Tab
    EAP Type: Choose "Protected EAP (PEAP)".
  9. Click Properties to bring up the Protected EAP Properties dialog and configure the following settings.
    Protected EAP Properties Dialog
    Validate Server Certificate: Disable this option (click to uncheck the box).
    Note: This example assumes you are using the Built-in Authentication server on the AP. If you are setting up EAP/PEAP on a client of an AP that is using an external RADIUS server, you might enable certificate validation and choose a certificate, depending on your infrastructure.
    Select Authentication Method: Choose "Secured password (EAP-MSCHAP v2)".
  10. Click Configure to bring up the EAP MSCHAP v2 Properties dialog.
  11. On this dialog, disable (click to uncheck) the option to "Automatically use my Windows login name . . . " etc.

    Click OK on all dialogs (starting with the EAP MSCHAP v2 Properties dialog) to close and save your changes.

Testing Wireless Client Login and Evaluating User-Based Local Authentication

IEEE 802.1x PEAP clients should now be able to associate with the access point. Client users will be prompted for a user name and password to authenticate with the network.

  1. Connect to the network.
  2. If you have not already done so, enable a wireless connection through the "Add a Network Connection" desktop option. Then bring up the Wireless Network Connection dialog: hover the cursor over the wireless network icon in the system tray, right-click to get the popup menu, and choose View Available Wireless Networks. You should see your network in the list of available networks. Select it and click Connect.

    At this point, your Windows XP wireless client will try to associate and authenticate to the Instant802 access point using the "Instant802 Networks (Internal)" as the network of interest.

    This is where the handshake between the wireless client and the access point begins. The access point challenges the client to present "credentials" (in this case, a username and password).

  3. Log on.
  4. On the taskbar, a pop-up window is displayed which asks for user credentials. Click on the popup to get the user/password dialog. Enter user/password and click OK. (Leave "Login domain" blank.)

    At this point the client submits its username/password "credentials" to the AP authentication server and waits for validation. If the credentials are deemed valid by the server (username/password are listed in User Management), then the client is authenticated and given access to the network.

    If you want to watch the authentication process in action, open the Network Connections window (for example, Start > My Network Places, then click on View Network Connections).

    At this point, your wireless client has successfully authenticated through the built-in authentication server and IEEE 802.1x. Your Internal network on the other side of the AP is now accessible to the client user for mail, Internal Web sites, and so forth.

  5. In the "Administrator" role, verify client connection on the AP Administration UI.
  6. You can log in to the AP ("network") Administration Web pages by using the IP address for the AP in a URL. (If you are using the static IP address, use http://192.168.10.1. For more about IP addresses, see Determine IP Address of AP and Access Administration Web Pages.)

    Click on the Cluster > Sessions Tab to see statistics on clients that are currently logged into the network. You should see your wireless client in the list by username.

Next Steps and Other Security-Related AP Features

If your evaluation focuses on areas other than security, you may want to consider using "plaintext" as your security policy for the "internal" company network. Otherwise, make sure you have configured the username/password on the AP and that your client machine is set up accordingly.

Other features related to Security are:

  • Guest Network
  • Neighboring AP Detection
  • MAC Address Filtering
  • User Management (for use with IEEE 802.1x and WPA with RADIUS security modes when built-in authentication server is used)

Where to Find Out More

  • For detailed information on setting up Security modes on the AP see Configuring Security in the Administrators Guide.
  • For more information on setting up security on wireless clients, see Appendix A. Configuring Security on Wireless Clients in the Administrators Guide.
  • Watch the viewlet demo on Security available from the Evaluation Kit home page. (The demo takes you through essentially the same process of setting up security on the AP, setting up a wireless client, and testing client login to the network.)