Privacy Settings for WPA2 Enterprise with RADIUS

WPA2 Enterprise w/ RADIUS — Supports 802.1X authentication with a RADIUS server, using AES encryption. This level of network security can be used in conjunction with client certificate-based authentication (EAP-TLS). All 802.1X protocols are supported.

Two-stage authentication is supported, offering a combination of MAC-Based (MBA) authentication and WPA2-Enterprise (802.1x/EAP). The wireless client is first authenticated using MBA and then, in stage 2, the client authenticates with WPA2-Enterprise (802.1x/EAP). Wireless devices must pass both MBA and WPA2-Enterprise before they are allowed access to the network. After passing two-stage authentication, the wireless client is fully authenticated and assigned a policy role as provisioned by the administrator. If either part of the two-stage authentication process fails, the client is disconnected from the network, and the client must attempt MBA authentication again.

Note

Captive Portal is not supported when using WPA2 Enterprise w/ RADIUS. An exception is Centralized Web Authentication (CWA). CWA captive portal supports WPA2 Enterprise w/ RADIUS.

Configure the following privacy settings:
  • TKIP-CCMP — Select this option to use Temporal Key Integrity Protocol (TKIP) and Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). Best Practice: TKIP encryption is considered to be a less secure means of communication. An industry best practice is to use a more secure option for network privacy.
  • Protected Management Frames — Management Frames are the signaling packets used in the 802.11 wireless standard to allow a device to negotiate with an AP. PMF adds an integrity check to control packets being sent between the client and the access point. Valid values are:
    • Enabled. Supports PMF format but does not require it.
    • Disabled. Does not address PMF format. Clients connect regardless of format.
    • Required. Requires all devices use PMF format. This could result in older devices not connecting.

    PMF is enabled by default.

  • Fast Transition — Provides faster roaming by authenticating the device before roaming occurs. This setting is enabled by default.
  • Mobility Domain ID — Used by 802.11r, this setting defines a network scope that supports 11r fast roaming. Master keys are shared within the Mobility Domain, allowing clients to support fast roaming.
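
To confirm that an access point advertises the settings chosen above, the RSN element in its beacons can be parsed and checked for TKIP, the PMF mode, and Fast Transition. The Python below is an added example, not code from this product or its documentation. It assumes the standard 802.11 RSN layout, in which Enabled means the MFPC capability bit is set and Required means MFPC and MFPR are both set; the function names and sample bytes are constructed for illustration.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")          # IEEE 802.11 suite selector OUI
CIPHERS = {2: "TKIP", 4: "CCMP"}
AKMS = {1: "802.1X", 3: "FT-802.1X", 5: "802.1X-SHA256"}

def _suites(buf, off, names):
    """Read a 2-byte count followed by that many 4-byte suite selectors."""
    if off + 2 > len(buf):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if off + 4 * count > len(buf):
        raise ValueError("truncated suite list")
    out = []
    for i in range(count):
        sel = buf[off + 4 * i: off + 4 * i + 4]
        out.append(names.get(sel[3], f"type-{sel[3]}") if sel[:3] == RSN_OUI else "vendor")
    return out, off + 4 * count

def audit_rsn(body):
    """Parse an RSN element body (bytes after element ID and length)."""
    if len(body) < 6 or struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("not an RSN version 1 element")
    group = CIPHERS.get(body[5], f"type-{body[5]}") if body[2:5] == RSN_OUI else "vendor"
    pairwise, off = _suites(body, 6, CIPHERS)
    akms, off = _suites(body, off, AKMS)
    if off + 2 > len(body):
        raise ValueError("truncated RSN capabilities")
    (caps,) = struct.unpack_from("<H", body, off)
    mfpr, mfpc = bool(caps & 0x0040), bool(caps & 0x0080)   # bits 6 and 7
    pmf = "Required" if mfpc and mfpr else "Enabled" if mfpc else "Disabled"
    return {"group": group, "pairwise": pairwise, "akm": akms, "pmf": pmf,
            "tkip": group == "TKIP" or "TKIP" in pairwise,
            "fast_transition": "FT-802.1X" in akms}

# Constructed sample: TKIP-CCMP mixed mode, 802.1X, PMF Disabled
MIXED = bytes.fromhex("0100" "000fac02" "0200" "000fac04" "000fac02"
                      "0100" "000fac01" "0000")
# Constructed sample: CCMP only, 802.1X plus FT over 802.1X, PMF Required
STRICT = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                       "0200" "000fac01" "000fac03" "c000")

if __name__ == "__main__":
    for name, ie in (("mixed", MIXED), ("strict", STRICT)):
        print(name, audit_rsn(ie))
```

A result with `tkip` set to true means the TKIP-CCMP option is active on that network, which is the case the best-practice note above advises against.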