Home » Netgear Manuals » Wireless » Netgear WFS709TP » Manual Viewer

Netgear WFS709TP WFS709TP Setup Manual - Page 128

Configuring 802.1x Authentication, EAP-Generic Token Card GTC: Described in RFC 2284

UPC - 606449052336

Add to My Manuals
Save this manual to your list of manuals

Page 128 highlights

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual In this scenario, the supplicant must be configured for Protected EAP (PEAP), as the WFS709TP only supports PEAP. PEAP uses Transport Layer Security (TLS) to create an encrypted tunnel. Within the tunnel, one of the following EAP methods is used: • EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecureID and the use of an LDAP or RADIUS server as the user authentication server. You can also enable caching of user credentials on the WFS709TP as a backup to an external authentication server. • EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2): Described in RFC 2759, this EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the backend authentication server. Note: You must install a server certificate in the WFS709TP for AAA FastConnect, as described in "Installing a Server Certificate" on page 13-19. If you are using the WFS709TP's internal database for user authentication, you need to add the names and passwords of the users to be authenticated. If you are using an LDAP server for user authentication, you need to configure the LDAP server on the WFS709TP, and configure user IDs and passwords. If you are using a RADIUS server for user authentication, you need to configure the RADIUS server on the WFS709TP. Configuring 802.1x Authentication On the WFS709TP, use the following steps to configure a wireless network that uses 802.1x authentication: 1. Configure the 802.1x RADIUS authentication server. Note: If you are using EAP-GTC within a PEAP tunnel, you can configure either an LDAP or a RADIUS server as the authentication server. If you are using AAA FastConnect, you can use a non-802.1x server or the WFS709TP's internal database. See Chapter 6, "Configuring AAA Servers". 2. Configure 802.1x authentication. See "802.1x Authentication Page" on page 7-5. 3. Configure the VLANs to which the authenticated users will be assigned. See Chapter 3, "Configuring Network Parameters". 7-4 Configuring 802.1x Authentication v1.0, June 2007

Section	Page
WFS709TP ProSafe Smart Wireless Switch Software Administration Manual	1
Contents	7
About This Manual	13
Conventions, Formats, and Scope	13
How to Use This Manual	14
How to Print this Manual	14
Revision History	15
Chapter 1 Overview of the WFS709TP	17
WFS709TP System Components	17
NETGEAR ProSafe Access Points	17
WFS709TP ProSafe Switches	21
WFS709TP Software	23
Basic WLAN Configuration	24
Authentication	24
Encryption	26
VLAN	27
Wireless Client Access to the WLAN	29
Association	29
Authentication	30
Client Mobility and AP Association	31
Configuring and Managing the WFS709TP	32
Tools	34
Chapter 2 Deploying a Basic WFS709TP System	37
Configuration Overview	37
Deployment Scenario #1	37
Deployment Scenario #2	38
Deployment Scenario #3	40
Configuring the WFS709TP	41
Run the Initial Setup	42
Configure the Switch for the Access Points	44
Configure a VLAN for Network Connection	46
Connect the WFS709TP to the Network	48
Configure the Loopback for the WFS709TP	49
Deploying APs	50
Enable APs to Connect to the WFS709TP	51
Install APs	54
Provision APs	54
Additional Configuration	56
Chapter 3 Configuring Network Parameters	57
Configuring VLANs	57
Assigning a Static Address to a VLAN	58
Configuring a VLAN to Receive a Dynamic Address	59
Configuring Static Routes	61
Configuring the Loopback IP Address	62
Chapter 4 RF Plan	65
RF Plan Overview	65
Before You Begin	66
Task Overview	66
Planning Requirements	66
Using RF Plan	67
Building List Page	68
Building Specification Overview Page	68
Building Dimension Page	69
AP Modeling Parameters Page	71
AM Modeling Parameters Page	73
Planning Floors Page	74
AP Planning Page	81
AM Planning Page	83
Exporting and Importing Files	84
Locate	85
RF Plan Example	86
Sample Building	86
Create a Building	87
Model the Access Points	88
Model the Air Monitors	89
Add and Edit a Floor	89
Defining Areas	90
Running the AP Plan	93
Running the AM Plan	94
Chapter 5 Configuring WLANS	97
Before You Begin	97
Determine the Authentication Method	98
Determine the Default VLAN	100
Basic WLAN Configuration in the Browser Interface	100
Example Configuration	103
Advanced WLAN Configuration in the Browser Interface	105
Configuring Global Parameters	105
Configuring Location-Specific Parameters	106
Add or Modify SSIDs	106
Configure AP Information	108
Configuring Radio Settings	110
Example Configuration	113
IntelliFi RF Management	115
Channel Setting	115
Power Setting	115
Advantages of Using IRM	115
Configuring IRM	116
Chapter 6 Configuring AAA Servers	119
Configuring an External RADIUS Server	119
Adding Users to the Internal Database	121
Configuring Authentication Timers	122
Chapter 7 Configuring 802.1x Authentication	125
802.1x Authentication	125
Authentication with a RADIUS Server	126
Authentication Terminated on WFS709TP	127
Configuring 802.1x Authentication	128
802.1x Authentication Page	129
Advanced Configuration Options for 802.1x	130
Chapter 8 Configuring the Captive Portal	133
Overview of Captive Portal Functions	133
Configuring Captive Portal	134
Configuring Advanced Captive Portal Options	135
Configuring the AAA Server for Captive Portal	137
Changing the Protocol to HTTP	137
Personalizing the Captive Portal Page	138
Chapter 9 Configuring MAC-Based Authentication	141
Configuring the WFS709TP	141
Configuring Users	142
Chapter 10 Adding Local WFS709TPs	145
Moving to a Multi-Switch Environment	145
Configuring Local WFS709TPs	146
Configuring the Local WFS709TP	146
Configuring L2/L3 Settings	146
Configuring Trusted Ports	147
Configuring APs	147
Rebooting APs	148
Chapter 11 Configuring Redundancy	149
Virtual Router Redundancy Protocol	149
Redundancy Configuration	149
Configuring Local WFS709TP Redundancy	150
Master WFS709TP Redundancy	152
Master-Local WFS709TP Redundancy	153
Chapter 12 Configuring Wireless Intrusion Protection	157
Rogue/Interfering AP Detection	157
Enabling AP Learning	158
Classifying APs	158
Configuring Rogue AP Detection	160
Misconfigured AP Detection	161
Configuring Misconfigured AP Protection	161
Chapter 13 Configuring Management Utilities	163
Configuring Management Users	163
Configuring SNMP	164
SNMP for the WFS709TP	164
SNMP for Access Points	166
SNMP Traps	171
Configuring Logging	174
Creating Guest Accounts	176
Managing Files on the WFS709TP	178
Managing Image Files	179
Backing Up and Restoring the Flash File System	179
Copying Log Files	180
Copying Other Files	180
Installing a Server Certificate	181
Chapter 14 Configuring WFS709TP for Voice	183
Voice over IP Proxy ARP	183
Battery Boost	184
Limiting the Number of Active Voice Calls	185
WPA Fast Handover	186
Appendix A Configuring DHCP with Vendor-Specific Options	187
Overview	187
Windows-Based DHCP Servers	188
Configuring Option 60	188
Configuring Option 43	189
Linux DHCP Servers	190
Appendix B Windows Client Example Configuration for 802.1x	193
Window XP Wireless Client Example Configuration	193
Appendix C Internal Captive Portal	201
Creating a New Internal Web Page	201
Basic HTML Example	203
Installing a New Captive Portal Page	204
Displaying Authentication Error Message	204
Language Customization	206
Customizing the Welcome Page	212
Customizing the Pop-Up Box	214
Customizing the Logged Out Box	215
Appendix D Related Documents	217

Match case Limit results 1 per page

WFS709TP ProSafe Smart Wireless Switch Software Administration Manual

7-4

Configuring 802.1x Authentication

v1.0, June 2007

In this scenario, the supplicant must be configured for Protected EAP (PEAP), as the WFS709TP

only supports PEAP. PEAP uses Transport Layer Security (TLS) to create an encrypted tunnel.

Within the tunnel, one of the following EAP methods is used:

•

EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the

transfer of unencrypted usernames and passwords from client to server. The main uses for

EAP-GTC are one-time token cards such as SecureID and the use of an LDAP or RADIUS

server as the user authentication server. You can also enable caching of user credentials on the

WFS709TP as a backup to an external authentication server.

•

EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2): Described in

RFC 2759, this EAP method is widely supported by Microsoft clients. A RADIUS server must

be used as the backend authentication server.

If you are using the WFS709TP’s internal database for user authentication, you need to add the

names and passwords of the users to be authenticated. If you are using an LDAP server for user

authentication, you need to configure the LDAP server on the WFS709TP, and configure user IDs

and passwords. If you are using a RADIUS server for user authentication, you need to configure

the RADIUS server on the WFS709TP.

Configuring 802.1x Authentication

On the WFS709TP, use the following steps to configure a wireless network that uses 802.1x

authentication:

Configure the 802.1x RADIUS authentication server.

Configure 802.1x authentication. See

“802.1x Authentication Page” on page 7-5

Configure the VLANs to which the authenticated users will be assigned. See

Chapter 3,

“Configuring Network Parameters”

Note:

You must install a server certificate in the WFS709TP for AAA FastConnect,

as described in

“Installing a Server Certificate” on page 13-19

Note:

If you are using EAP-GTC within a PEAP tunnel, you can configure either an

LDAP or a RADIUS server as the authentication server. If you are using AAA

FastConnect, you can use a non-802.1x server or the WFS709TP’s internal

database. See

Chapter 6, “Configuring AAA Servers”