About configuring 802.1x wireless access points on a LAN Enforcer appliance

Article:HOWTO81744  |  Created: 2012-10-25  |  Updated: 2014-09-21  |  Article URL http://www.symantec.com/docs/HOWTO81744
Article Type
How To



The LAN Enforcer appliance supports a number of wireless protocols, which include WEP 56, WEP 128, and WPA/WPA2 with 802.1x.

You can configure a LAN Enforcer to protect the wireless access point (AP) as much as it protects a switch if the following conditions are met:

  • The network includes a wireless LAN Enforcer appliance with 802.1x.

  • Wireless clients run a supplicant that supports one of these protocols.

  • The wireless AP supports one of these protocols.

For wireless connections, the authenticator is the logical LAN port on the wireless AP.

You configure a wireless AP for 802.1x in the same way that you configure a switch. You add wireless APs to the LAN Enforcer settings as part of a switch profile. Wherever an instruction or part of the user interface refers to a switch, use the comparable wireless AP terminology. For example, if you are instructed to select a switch model, select the wireless AP model. If the vendor of the wireless AP is listed, select it for the model. If the vendor is not listed, choose Others.

The configuration of a wireless AP for 802.1x differs from the configuration of a switch in the following ways:

  • Only basic configuration is supported.

    The transparent mode is not supported.

  • There can also be differences in support for VLANs, depending on the wireless AP.

    Some dynamic VLAN switches may require you to configure the AP with multiple service set identifiers (SSIDs). Each SSID is associated with a VLAN.

    See the documentation that comes with the dynamic VLAN switch.

Based on the wireless AP model that you use, you may want to use one of the following access control options instead of a VLAN:

Access control lists (ACLs)

Some wireless APs support ACLs that enable the network administrator to define policies for network traffic management. You can use the generic option on the LAN Enforcer by selecting the vendor name of the wireless AP. As an alternative, you can select Others for the 802.1x-aware switch model (if it is not listed).

The generic option sends a generic attribute tag that contains the VLAN ID or name to the access point. You can then customize the access point so that it reads the generic attribute tag for the VLAN ID and matches it with the WAP's ACL ID. You can use the Switch Action table as an ACL Action table.

Additional configuration on the wireless AP or AP controller may be required. For example, you may need to map the RADIUS tag that is sent to the wireless AP on the AP controller.

See the wireless AP documentation for details.
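
The lookup described above, as an added Python example that is not Symantec code or part of the original article. It assumes the tag arrives in a RADIUS Access-Accept as Tunnel-Private-Group-ID (attribute 81, RFC 2868), which the article does not name; the VLAN-to-ACL table and ACL names are hypothetical, and the sample packets are constructed. Response Authenticator verification is left out.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_PRIVATE_GROUP_ID = 81   # assumed carrier of the VLAN tag (RFC 2868)
# Hypothetical AP-side table: VLAN ID or name in the tag -> local ACL ID.
VLAN_TO_ACL = {"10": "acl-corp", "20": "acl-guest", "quarantine": "acl-remediate"}
DEFAULT_ACL = "acl-deny-all"   # fail closed on a missing or unknown tag

def parse_attributes(packet: bytes):
    """Return [(type, value)] from a RADIUS packet, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def acl_for_accept(packet: bytes) -> str:
    """Map the VLAN tag in an Access-Accept to an ACL ID (default deny)."""
    # A real AP verifies the Response Authenticator before trusting this.
    attrs = parse_attributes(packet)
    if packet[0] != ACCESS_ACCEPT:
        return DEFAULT_ACL
    tags = [v for t, v in attrs if t == TUNNEL_PRIVATE_GROUP_ID]
    if len(tags) != 1 or not tags[0]:
        return DEFAULT_ACL            # absent, empty or ambiguous tag
    value = tags[0]
    if value[0] <= 0x1F:              # optional RFC 2868 Tag octet
        value = value[1:]
    return VLAN_TO_ACL.get(value.decode("ascii", "replace"), DEFAULT_ACL)

def build_packet(code: int, attrs) -> bytes:
    """Constructed sample packet (zeroed authenticator), for the demo only."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    print(acl_for_accept(build_packet(2, [(81, b"\x0020")])))  # acl-guest
```

An unknown VLAN value, a missing tag, duplicate tags, or a packet that is not an Access-Accept all resolve to the deny-all ACL, so a mapping gap on the AP or AP controller does not grant access.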

MAC level 802.1x

You can plug the wireless AP into a switch that supports MAC level 802.1x. For this implementation, you must disable 802.1x on the wireless AP and use it only on the switch. The switch then authenticates the wireless clients by recognizing the new MAC addresses. After it authenticates a MAC address, it puts that MAC address, instead of the whole port, on the specified VLAN. Every new MAC address has to be authenticated. This option is not as secure; however, it enables you to use the VLAN switching capability.

See Changing LAN Enforcer configuration settings in Symantec Endpoint Protection Manager.
