108 © 2001-2008 D-Link Corporation. All Rights Reserved.
D-Link Unified Access Point Administrator’s Guide
Using an External Authentication Server
The 802.1X and WPA Enterprise security modes require an external authentication server.
Network security configurations including Public Key Infrastructures (PKI), Remote
Authentication Dial-in User Server (RADIUS) servers, and Certificate Authority (CA) can
vary a great deal from one organization to the next in terms of how they provide
Authentication, Authorization, and Accounting (AAA). Ultimately, your network
infrastructure determines how clients should configure security to access the wireless network.
This appendix provides general guidelines about each type of client configuration supported
by the Unified Access Point and does not attempt to describe every network configuration or
scenario.
This appendix assumes that you know how to configure client security options appropriate to
your security infrastructure beyond the fundamental suggestions given here. Topics covered
here that particularly relate to client security configuration in a RADIUS - PKI environment
are:
• IEEE 802.1X Client Using EAP/TLS Certificate
• WPA/WPA2 Enterprise (RADIUS) Client Using EAP-TLS Certificate
• Configuring the RADIUS Server for Authentication
• Obtaining a TLS-EAP Certificate for a Client
This appendix does not describe how to configure an EAP-PEAP client with a RADIUS
server.
Configuring IEEE 802.1X Security on a Client
IEEE 802.1X is the standard defining port-based authentication and the infrastructure for
key management. Extensible Authentication Protocol (EAP) messages are sent over an IEEE
802.11 wireless network using a protocol called EAP Encapsulation Over LANs (EAPOL).
IEEE 802.1X provides dynamically generated keys that are periodically refreshed. An RC4
stream cipher is used to encrypt the frame body and the cyclic redundancy check (CRC) of
each 802.11 frame.
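The following decoder is an added example and is not code from the D-Link guide. It shows what the EAPOL encapsulation described above actually looks like on the wire: a 4-byte EAPOL header (version, packet type, body length) carrying an EAP packet (code, identifier, length, and for Request/Response the method type). Field layouts follow IEEE 802.1X and RFC 3748; the sample frames, the identity "alice" and the helper names are constructed for this example. Both length fields are checked against the bytes actually present, which is the check a capture tool or IDS parser needs so that a truncated or mis-lengthed frame is reported rather than silently misread.

```python
# Added example (not from the D-Link guide): a minimal decoder for EAPOL frames
# and the EAP packets they carry. Field layouts follow IEEE 802.1X and RFC 3748.
import struct

# EAPOL packet types (IEEE 802.1X); 0 means "an EAP packet follows".
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
# EAP codes and the method types mentioned in this guide (RFC 3748 / RFC 5216).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}


def parse_eap(pkt: bytes) -> dict:
    """Decode an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data].
    Raises ValueError when the Length field disagrees with the bytes present."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    # Length covers the whole EAP packet, header included, so it can never be < 4
    # and must fit inside the EAPOL body that carried it.
    if length < 4 or length > len(pkt):
        raise ValueError(f"EAP length {length} inconsistent with {len(pkt)} bytes present")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):  # Request/Response carry a Type byte and method-specific data
        if length < 5:
            raise ValueError("EAP Request/Response is missing the Type field")
        method = pkt[4]
        eap["method"] = EAP_METHODS.get(method, f"type {method}")
        eap["data"] = pkt[5:length]
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Decode the EAPOL header: Version(1) Type(1) Body-Length(2) Body.
    For EAP-Packet frames the body is handed to parse_eap()."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError(f"EAPOL body length {body_len} but only {len(body)} bytes present")
    result = {"version": version,
              "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
              "body_len": body_len}
    if ptype == 0:
        result["eap"] = parse_eap(body)
    return result


# Constructed sample exchange (hypothetical bytes, built for this example):
# the first four EAPOL messages of an EAP-TLS authentication.
SAMPLE_EXCHANGE = [
    ("client -> AP", b"\x01\x01\x00\x00"),                              # EAPOL-Start
    ("AP -> client", b"\x01\x00\x00\x05" b"\x01\x01\x00\x05\x01"),       # EAP-Request/Identity
    ("client -> AP", b"\x01\x00\x00\x0a" b"\x02\x01\x00\x0a\x01alice"),  # EAP-Response/Identity
    ("AP -> client", b"\x01\x00\x00\x06" b"\x01\x02\x00\x06\x0d\x20"),   # EAP-Request/EAP-TLS (Start flag)
]


def decode_exchange(exchange=SAMPLE_EXCHANGE) -> list:
    """Return one short description per frame, e.g. 'client -> AP: EAPOL-Start'."""
    lines = []
    for direction, frame in exchange:
        info = parse_eapol(frame)
        text = info["type"]
        if "eap" in info:
            eap = info["eap"]
            text += f" EAP-{eap['code']}"
            if "method" in eap:
                text += f"/{eap['method']}"
                if eap["method"] == "Identity" and eap["data"]:
                    text += f" ({eap['data'].decode('ascii', 'replace')})"
        lines.append(f"{direction}: {text}")
    return lines


if __name__ == "__main__":
    for line in decode_exchange():
        print(line)
```

Note that the decoder stops at the EAP method layer: the TLS records inside EAP-TLS packets are the client's and server's certificate exchange and would be handed to a TLS parser from here. Any frame whose EAPOL or EAP length field does not match the bytes present raises ValueError, which is the behaviour you want from a monitoring parser rather than a best-effort guess.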
IEEE 802.1X Client Using EAP/TLS Certificate
Extensible Authentication Protocol (EAP) Transport Layer Security (TLS), or EAP-TLS, is an
authentication protocol that supports the use of smart cards and certificates. You have the
option of using EAP-TLS with both WPA/WPA2 Enterprise (RADIUS) and IEEE 802.1X
modes if you have an external RADIUS server on the network to support it.
To use IEEE 802.1X mode with EAP-TLS certificates for authentication and authorization of
clients, you must have an external RADIUS server and a Public Key Infrastructure (PKI),
including a Certificate Authority (CA) server, configured on your network. It is beyond
the scope of this document to describe the configuration of the RADIUS server, PKI, and
CA server. Consult the documentation for those products.
For more information about Microsoft Windows PKI software, see the Microsoft Web site:
http://support.microsoft.com.