802.1x EAP, EAP-PSK and EAP MAC

The EAP (Extensible Authentication Protocol) is the de facto standard authentication method used to provide secure authenticated access to WLANs. EAP provides mutual authentication, secured credential exchange, dynamic keying and strong encryption. 802.1X EAP can be deployed with WEP, WPA or WPA2 encryption schemes to further protect user information forwarded over WLANs.

The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an authenticator (in this case, the authentication server). An access point passes EAP packets from the client to an authentication server on the wired side of the access point. All other packet types are blocked until the authentication server (typically, a RADIUS server) verifies the client‘s identity.

802.1X EAP provides mutual authentication over the WLAN during authentication. The 802.1X EAP process uses credential verification to apply specific policies and restrictions to WLAN users to ensure access is only provided to specific wireless controller resources.

802.1X requires an 802.1X capable RADIUS server to authenticate users and a 802.1X client installed on each devices accessing the EAP supported WLAN. An 802.1X client is included with most commercial operating systems, including Microsoft Windows, Linux, and Apple OS X.

The RADIUS server authenticating 802.1X EAP users can reside either internally or externally to a controller, service platform or access point. User account creation and maintenance can be provided centrally using ADSP or individually maintained on each device. If an external RADIUS server is used, EAP authentication requests are forwarded.

When using PSK with EAP, the controller, service platform or access point sends a packet requesting a secure link using a pre-shared key. The authenticating device must use the same authenticating algorithm and passcode during authentication. EAP-PSK is useful when transitioning from a PSK network to one that supports EAP. The only encryption types supported with this are TKIP, CCMP and TKIP-CCMP.

To configure EAP on a WLAN:

  1. Select Configuration → Wireless → Wireless LANs to display available WLANs.
  2. Click Add to create an additional WLAN, or select an existing WLAN and click Edit to modify its security properties.
  3. Select Security.
  4. Select EAP, EAP-PSK or EAP-MAC as the Authentication Type.
    Each option enables the radio buttons for various encryption mechanisms as an additional measure of WLAN security.
    Click to expand in new window
    EAP, EAP-PSK or EAP MAC Authentication Screen
  5. Select an existing AAA Policy from the drop-down menu or select the Create icon to the right of the AAA Policy parameter to display a screen where new AAA policies can be created.
    Select the Edit icon to modify the configuration of the selected AAA policy.

    AAA (authentication, authorization, and accounting) is a framework for intelligently controlling access to the network, enforcing user authorization policies and auditing and tracking usage. These combined processes are central for securing wireless client resources and wireless network data flows.

    For information on defining a new AAA policy that can be applied to a WLAN supporting EAP, EAP PSK or EAP MAC, see AAA Policy.

  6. Select the Reauthentication option to force EAP supported clients to reauthenticate.
    Use the spinner control set the number of seconds (between 30 - 86,400) that, when exceeded, forces the EAP supported client to reauthenticate to use the WLAN.
  7. Select OK when completed to update the WLAN's EAP configuration.

    Select Reset to revert to the last saved configuration.

Before defining a 802.1x EAP, EAP-PSK or EAP MAC supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:

  • A valid certificate should be issued and installed on devices providing 802.1X EAP. The certificate should be issued from an Enterprise or public certificate authority to allow 802.1X clients to validate the identity of the authentication server prior to forwarding credentials.
  • If using an external RADIUS server for EAP authentication, the round trip delay over the WAN should not exceed 150ms. Excessive delays over a WAN can cause authentication and roaming issues and impact wireless client performance. If experiencing excessive delays, consider using local RADIUS resources.