3Com Corporation WL306 User Manual

3 ACCESS POINT SECURITY
The advanced security features of the Access Point 8000 address the two primary 
aspects of wireless networking security: network authentication and transmission 
encryption. The access point provides standardized methods for authentication 
and encryption, but also offers innovative technology from 3Com that extends the 
standards and makes wireless networking more secure.
The access point can provide a complete stand-alone security solution. 
Alternatively, it can be integrated into an enterprise-class security solution, 
interacting with a networked RADIUS server and 802.1x-enabled wireless clients.
Upper-Layer Authentication
The basic authentication schemes defined in the 802.11 standard are limited 
because they provide no way to keep authentication information on a 
central server. Upper-layer authentication solves this problem. Through the use of 
the Extensible Authentication Protocol (EAP), the access point supports a number 
of upper-layer authentication schemes, including EAP-MD5, EAP-TLS, and 3Com 
Serial Authentication.
EAP-MD5
EAP-MD5 provides a simple way to centralize client network authentication 
information in a RADIUS server. Under this scheme, the server does not require 
certificates or other security information installed on client machines. At login, the 
RADIUS server verifies the username and password provided by the user. Once the 
user is authenticated, the server informs the access point of successful 
authentication and data traffic from the client is allowed to pass to the wired 
network. EAP-MD5 provides authentication only. It is possible to configure the 
access point to use any of the 802.11 standard encryption mechanisms along with 
EAP-MD5 authentication. EAP-MD5 is a one-way authentication scheme: it 
authenticates the client to the server, but does not authenticate the server to the 
client.
EAP-MD5 is supported by the 3Com 802.1x agent (described below) and is built 
into the Windows XP operating system.
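The EAP-MD5 exchange described above, as an added example (not code from the 3Com manual or the access point firmware): the response is the CHAP-style MD5 digest of identifier, password and challenge from RFC 1994, which EAP-MD5 reuses. The user table, function names and sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample user table; a real RADIUS server keeps this in its own store.
USERS = {"alice": b"sample-password"}

def make_challenge(identifier: int) -> dict:
    """Server: EAP-Request/MD5-Challenge with a fresh 16-byte random value."""
    return {"id": identifier & 0xFF, "value": os.urandom(16)}

def client_response(challenge: dict, password: bytes) -> bytes:
    """Client: MD5(identifier || password || challenge value), per RFC 1994."""
    data = bytes([challenge["id"]]) + password + challenge["value"]
    return hashlib.md5(data).digest()

def server_verify(challenge: dict, response: bytes, password: bytes) -> bool:
    """Server: recompute the digest and compare in constant time."""
    return hmac.compare_digest(client_response(challenge, password), response)

def radius_decision(users: dict, username: str, challenge: dict, response: bytes) -> str:
    """What the server reports to the access point after the exchange."""
    password = users.get(username)
    if password is None or not server_verify(challenge, response, password):
        return "Access-Reject"
    # Only the client has proved anything. The client receives a bare
    # Success code it cannot check, and no session key is derived, so
    # encryption must be configured separately on the access point.
    return "Access-Accept"

if __name__ == "__main__":
    ch = make_challenge(1)
    resp = client_response(ch, USERS["alice"])
    print(radius_decision(USERS, "alice", ch, resp))                 # valid login
    print(radius_decision(USERS, "alice", make_challenge(2), resp))  # stale response
```

Because every challenge is fresh, a response captured from one login does not verify against the next challenge.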
EAP-TLS
EAP-TLS provides both authentication and dynamic session key distribution. This 
authentication scheme provides mutual authentication between the client and 
server. A unique X.509 certificate must be generated for each network user. In 
addition, the certificate must be installed on all client PCs that will be used to log 
onto the network. Both a client and a server certificate are exchanged as part of 
authentication.
Once authenticated, the server informs the access point and data traffic from the 
client is allowed to pass to the wired network. As part of authentication, the client 
and TLS server derive session-specific keys based on information shared between