

WAP authentication methods


3 replies to this topic

#1 jamessimo


Posted 04 March 2010 - 03:13 AM

Hi All

Are the WAPs able to authenticate against 2 different methods, i.e. internal key and RADIUS?


Many thanks

#2 sirkozz


Posted 04 March 2010 - 09:25 AM

Exactly, that’s how WPA2/CCMP enterprise works: the AP verifies the PSK between the STA and the AP (encryption), and if they’re correct it then forwards the authentication frames to the authentication server. The AP acts as the authenticator for the authentication server, which forwards frames back and forth to the STA until authenticated and the port goes from a closed to an open state (802.1x). Depending on your budget, the only truly secure WLAN utilizes either WPA/WPA2 and a PKI to ensure that a STA can mutually authenticate each other, eliminating the possibility of a rogue AP. I know that TKIP is considered vulnerable; however, that is true only if the PSK is a dictionary word. If you are using an 8-character passphrase and only use uppercase, lowercase and numbers, the key has 218,340,105,584,896 different possibilities; expand that to 13 characters and it would have 200,028,539,268,669,788,905,472 combinations. Most WLANs can be very secure using WPA unless the government is after you! Some of my customers are so paranoid that they utilize separate physical networks, which usually terminate into a firewall or occasionally a router prior to allowing WLAN traffic on the LAN.
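
An added example, not part of the original post: the sketch below recomputes the 62-symbol keyspace figures quoted in post #2 and goes one step further by timing the WPA/WPA2-Personal passphrase-to-key mapping defined in IEEE 802.11i (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), so the counts can be read as search time. The SSID, the sample passphrases and the 1e6 guesses/second rate are assumptions chosen for illustration.

```python
import hashlib
import math
import string
import time

# Alphabet from the post: uppercase, lowercase and digits (62 symbols).
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits

def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct passphrases of exactly `length` symbols."""
    return alphabet_size ** length

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random passphrase, in bits."""
    return length * math.log2(alphabet_size)

def derive_pmk(passphrase, ssid):
    """Passphrase-to-PMK mapping from IEEE 802.11i:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def years_to_exhaust(length, guesses_per_second):
    """Worst-case time to try every passphrase at a given guess rate."""
    return keyspace(length) / guesses_per_second / (365 * 24 * 3600)

def measured_rate(samples=20):
    """Derivations per second on this machine (single core, unoptimised)."""
    start = time.perf_counter()
    for i in range(samples):
        # Constructed passphrases and SSID, used only to time the derivation.
        derive_pmk("Constructed%03d" % i, "example-ssid")
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    rate = measured_rate()
    for n in (8, 13):
        print(f"{n} chars: {keyspace(n):,} candidates, "
              f"{entropy_bits(n):.1f} bits, "
              f"{years_to_exhaust(n, rate):.3g} years at {rate:.0f}/s (this CPU), "
              f"{years_to_exhaust(n, 1e6):.3g} years at an assumed 1e6/s")
```

The figures only hold for passphrases drawn uniformly at random from the 62-symbol alphabet; a dictionary word, as the post notes, falls far short of them.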

#3 jamessimo


Posted 04 March 2010 - 06:40 PM

Can this be done without 802.1x? I am using a non-managed switch.

#4 sirkozz


Posted 04 March 2010 - 10:58 PM

The AP is acting as the authenticator, not the Ethernet switch. If you deployed 802.1x on the LAN and/or for APs to be connected to the LAN, then yes, you would need an 802.1x-compliant Ethernet switch. Not exactly sure what model of AP you intend on using, but most recent APs (think Cisco 1230s and up) support this, as well as most enterprise-class APs within the last 5 years; just look for 802.1x compliance and your chosen method of authentication on the spec sheet.




