D-Link DWS-1008 User Manual
Ways a Switch Can Use EAP
Network users with 802.1X support cannot access the network unless they are authenticated. You can
configure a DWS-1008 switch to authenticate users with EAP on a group of RADIUS servers and/or in
a local user database on the switch, or to offload some authentication tasks from the server group. The
list below details these three basic authentication approaches.
• Passthrough - An EAP session is established directly between the client and RADIUS
server, passing through the switch. User information resides on the server. All authentication
information and certificate exchanges pass through the switch or use client certificates
issued by a certificate authority (CA). In this case, the switch does not need a digital
certificate, although the client might.
• Local - The switch performs all authentication using information in a local user database
configured on the switch, or using a client-supplied certificate. No RADIUS servers are
required. In this case, the switch needs a digital certificate. If you plan to use the EAP
with Transport Layer Security (EAP-TLS) authentication protocol, the clients also need
certificates.
• Offload - The switch offloads all EAP processing from a RADIUS server by establishing
a TLS session between the switch and the client. In this case, the switch needs a digital
certificate. When you use offload, RADIUS can still be used for non-EAP authentication
and authorization. EAP-TLS cannot be used with offload.
Effects of Authentication Type on Encryption Method
Wireless users who are authenticated on an encrypted service set identifier (SSID) can have their data
traffic encrypted by the following methods:
• Wi-Fi Protected Access (WPA) encryption
• Non-WPA dynamic Wired Equivalent Privacy (WEP) encryption
• Non-WPA static WEP encryption
The authentication method you assign to a user determines the encryption available to the user. Users
configured for EAP authentication, MAC authentication, Web, or last-resort authentication can have
their traffic encrypted as follows:
EAP Authentication       MAC Authentication                        Last-Resort                               WebAAA
WPA encryption           Static WEP                                Static WEP                                Static WEP
Dynamic WEP encryption   No encryption (if SSID is unencrypted)    No encryption (if SSID is unencrypted)    No encryption (if SSID is unencrypted)
Wired users are not eligible for the encryption performed on the traffic of wireless users, but they can be
authenticated by an EAP method, a MAC address, or a Web login page served by the switch.
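The following added example (not part of the D-Link manual) checks a planned SSID setup against the rules stated above: the encryption available to each authentication type, and the certificate, RADIUS and EAP-TLS constraints of the passthrough, local and offload approaches. The Plan record, its field names and the sample plans are assumptions made for illustration and are not switch CLI syntax.

```python
from dataclasses import dataclass

# Encryption available per authentication type, as listed in the table above.
AVAILABLE = {
    "eap": {"wpa", "dynamic-wep"},
    "mac": {"static-wep", "none"},
    "last-resort": {"static-wep", "none"},
    "web": {"static-wep", "none"},
}

@dataclass
class Plan:  # hypothetical planning record, not a switch configuration format
    name: str
    auth: str                    # eap | mac | last-resort | web
    encryption: str              # wpa | dynamic-wep | static-wep | none
    approach: str = ""           # EAP only: passthrough | local | offload
    eap_method: str = ""         # sample values: "eap-tls", "peap"
    switch_cert: bool = False    # digital certificate installed on the switch
    client_certs: bool = False   # certificates issued to the clients
    radius_group: bool = False   # RADIUS server group configured

def check(p: Plan) -> list[str]:
    """Return the rules from this section that the plan violates (empty = consistent)."""
    problems = []
    if p.encryption not in AVAILABLE[p.auth]:
        problems.append(f"{p.encryption} is not available with {p.auth} authentication")
    if p.auth != "eap":
        return problems          # the three approaches apply to EAP only
    if p.approach == "passthrough" and not p.radius_group:
        problems.append("passthrough needs a RADIUS server group")
    if p.approach in ("local", "offload") and not p.switch_cert:
        problems.append(f"{p.approach} needs a digital certificate on the switch")
    if p.approach == "offload" and p.eap_method == "eap-tls":
        problems.append("EAP-TLS cannot be used with offload")
    if p.approach == "local" and p.eap_method == "eap-tls" and not p.client_certs:
        problems.append("EAP-TLS needs client certificates")
    return problems

# Constructed sample plans (not taken from a real deployment).
PLANS = [
    Plan("corp", "eap", "wpa", "passthrough", "peap", radius_group=True),
    Plan("branch", "eap", "wpa", "offload", "eap-tls", switch_cert=True),
    Plan("lab", "eap", "dynamic-wep", "local", "eap-tls", switch_cert=True),
    Plan("printers", "mac", "wpa"),
    Plan("guest", "web", "none"),
]

if __name__ == "__main__":
    for plan in PLANS:
        for msg in check(plan) or ["consistent"]:
            print(f"{plan.name}: {msg}")
```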