Users Guide

149 | Authentication and User Management Dell Networking W-Series Instant 6.4.0.2-4.1 | User Guide
Controller (the client certificate must be signed by a known CA), before the username is verified on the
authentication server.
• EAP-TTLS (MSCHAPv2): The Extensible Authentication Protocol-Tunneled Transport Layer Security
(EAP-TTLS) method uses server-side certificates to set up authentication between clients and servers.
However, the actual authentication is performed using passwords.
• EAP-PEAP (MSCHAPv2): EAP-PEAP is an 802.1X authentication method that uses server-side public key
certificates to authenticate clients with the server. PEAP authentication creates an encrypted SSL/TLS
tunnel between the client and the authentication server. Information exchanged is encrypted and kept
inside the tunnel, ensuring the user credentials are kept secure.
• LEAP: Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys for authentication
between the client and authentication server.
To use the W-IAP’s internal database for user authentication, add the names and passwords of the users to be
authenticated.
Dell does not recommend the use of LEAP authentication, because it does not provide any resistance to network
attacks.
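One way to check which EAP methods are actually in use on a network is to read the Type byte of captured EAP packets and flag LEAP, or a password method appearing without a PEAP or TTLS tunnel around it. The following is an added example, not code from Dell or from this guide; the function names are hypothetical, the type numbers come from the IANA EAP registry, and the sample frames are constructed.

```python
import struct

# EAP method type numbers as assigned in the IANA EAP registry.
EAP_TYPES = {1: "Identity", 3: "Nak", 6: "EAP-GTC", 13: "EAP-TLS",
             17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
# Outer methods to flag, with the reason taken from the guide's descriptions.
FLAGGED = {
    "LEAP": "not recommended by the guide",
    "EAP-GTC": "unencrypted credentials unless carried inside PEAP",
    "EAP-MSCHAPv2": "password method seen outside a PEAP/TTLS tunnel",
}

def build_eap(code, ident, eap_type=None, data=b""):
    """Construct an EAP packet (used here only to make sample input)."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(frame):
    """Return (code, identifier, method name or None) for one EAP packet."""
    if len(frame) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise ValueError("length field does not match captured data")
    if code not in (1, 2):            # 3 = Success, 4 = Failure: no Type byte
        return code, ident, None
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    return code, ident, EAP_TYPES.get(frame[4], "type-%d" % frame[4])

def audit(frames):
    """Return (index, method, reason) for each frame that should be reviewed."""
    findings = []
    for i, frame in enumerate(frames):
        try:
            method = parse_eap(frame)[2]
        except ValueError as exc:
            findings.append((i, "malformed", str(exc)))
            continue
        if method in FLAGGED:
            findings.append((i, method, FLAGGED[method]))
    return findings

# Constructed sample capture: identity exchange, PEAP start, a LEAP request,
# an EAP-Success, and a truncated frame.
SAMPLE = [build_eap(1, 1, 1), build_eap(2, 1, 1, b"alice"),
          build_eap(1, 2, 25, b"\x20"), build_eap(1, 3, 17, b"\x01\x00\x08" + bytes(8)),
          build_eap(3, 4), b"\x01\x05\x00\x20\x11"]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Methods negotiated inside a PEAP or EAP-TTLS tunnel are encrypted on the wire, so only the outer method is visible to this check.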
Authentication Termination on W-IAP
W-IAPs support EAP termination for enterprise WLAN SSIDs. EAP termination can reduce the number of
packets exchanged between the W-IAP and the authentication servers. Instant allows Extensible
Authentication Protocol (EAP) termination for Protected Extensible Authentication Protocol (PEAP)-Generic
Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Authentication
Protocol version 2 (PEAP-MSCHAPv2). PEAP-GTC termination allows authorization against a Lightweight
Directory Access Protocol (LDAP) server and an external RADIUS server, while PEAP-MSCHAPv2 allows
authorization against an external RADIUS server.
This allows users to run PEAP-GTC termination with their username and password against a local Microsoft
Active Directory server with LDAP authentication.
• EAP-Generic Token Card (GTC): This EAP method permits the transfer of unencrypted usernames and
passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecurID and
the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user
credentials on the W-IAP to an external authentication server for user data backup.
• EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2): This EAP method is widely
supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.
Supported Authentication Servers
Based on the security requirements, you can configure internal or external authentication servers. This
section describes the types of servers that can be configured for client authentication:
• Internal RADIUS Server on page 150
• External RADIUS Server on page 150
• Dynamic Load Balancing between Two Authentication Servers on page 154
In the 6.4.0.2-4.1 release, you can configure a TACACS+ server for authenticating management users. For
more information on management users and TACACS+ server-based authentication, see Configuring
Authentication Parameters for Management Users.