Allied Telesis AT-WA7500 Network Card User Manual


 
AT-WA7500 and AT-WA7501 Installation and User’s Guide
Creating a Secure Spanning Tree
When you configure a radio to use 802.1x security, you automatically
enable spanning tree security, which can be used for both wired and
wireless access points (WAPs). However, if you configure a radio to use
another security solution, you may want to still create a secure spanning
tree. A secure spanning tree has two functions:
1. To require authentication of any access point attempting to join the
spanning tree.
2. To provide encryption of critical Inter-Access Point Protocol (IAPP)
frames.
There are three authentication methods that you can use to secure the
spanning tree: Simple Wireless Authentication Protocol (SWAP), TTLS, or
TLS.
SWAP is a proprietary protocol based on the EAP-MD5 challenge. Because it
requires less processing power and less memory, you can use it on all
access points. Also, SWAP does not require an authentication server, so it
is easier to configure. With these advantages, SWAP is sufficient for most
users. TTLS and TLS are industry-standard protocols; however, they require
more administrative support.
When spanning tree security is negotiated, the supplicant access point and
the authenticator agree on an authentication method that both support. If
the Allow SWAP check box is checked on both access points, SWAP is always
used. If the Allow SWAP check box is cleared on one or both of the access
points, either TTLS or TLS is used, depending on the setting of the
Preferred Protocol field of the supplicant access point.
Note these potential problems:

If you enable secure IAPP on a root access point that is running
software release 1.80 or later and other access points in your network
are running an earlier software release than 1.80, the access points
with the earlier software release will not attach to the root. The access
points with the earlier software release do not support secure IAPP. If
you want to use secure IAPP, upgrade all access points to software
release 1.80.

If you enable secure IAPP on a non-root access point and the root
access point has secure IAPP disabled, the access points will form
separate spanning trees with the same LAN ID. If you want to use
secure IAPP, enable secure IAPP on all access points.
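The following added example (not from the manual or Allied Telesis) models the negotiation rule and the two compatibility problems described above as a configuration audit over a constructed set of access points. It assumes the root access point acts as the authenticator for every non-root access point; the AccessPoint fields and all names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class AccessPoint:
    name: str
    is_root: bool
    software_release: float     # e.g. 1.80; secure IAPP needs 1.80 or later
    secure_iapp: bool           # secure IAPP (spanning tree security) enabled
    allow_swap: bool            # state of the Allow SWAP check box
    preferred_protocol: str     # "TTLS" or "TLS", used when SWAP is not negotiated

def negotiate(supplicant: AccessPoint, authenticator: AccessPoint) -> str:
    """Authentication method agreed between a joining (supplicant) AP and the
    AP that authenticates it, following the rule in this section."""
    if supplicant.allow_swap and authenticator.allow_swap:
        return "SWAP"
    # Allow SWAP cleared on one or both sides: the supplicant's Preferred
    # Protocol field decides between TTLS and TLS.
    return supplicant.preferred_protocol

def audit(aps: list[AccessPoint]) -> tuple[list[str], dict[str, str]]:
    """Return (problems, methods): problems lists configurations this section
    says will not form one secure spanning tree; methods maps each non-root
    AP to the method it would negotiate with the root.
    Assumption (hypothetical): the root is the authenticator for all others."""
    problems, methods = [], {}
    root = next(ap for ap in aps if ap.is_root)
    for ap in aps:
        if ap is root:
            continue
        if root.secure_iapp and ap.software_release < 1.80:
            problems.append(f"{ap.name}: release {ap.software_release:.2f} predates "
                            "1.80 and lacks secure IAPP; it will not attach to the root")
        elif ap.secure_iapp and not root.secure_iapp:
            problems.append(f"{ap.name}: secure IAPP enabled but root {root.name} has "
                            "it disabled; a separate spanning tree with the same LAN ID forms")
        elif ap.secure_iapp and root.secure_iapp:
            methods[ap.name] = negotiate(ap, root)
    return problems, methods

# Constructed sample fleet (not taken from the manual)
FLEET = [
    AccessPoint("root", True, 1.80, True, True, "TLS"),
    AccessPoint("ap1", False, 1.80, True, True, "TTLS"),   # both allow SWAP -> SWAP
    AccessPoint("ap2", False, 1.75, True, True, "TTLS"),   # too old for secure IAPP
    AccessPoint("ap3", False, 1.80, True, False, "TLS"),   # SWAP cleared -> Preferred Protocol
]

if __name__ == "__main__":
    problems, methods = audit(FLEET)
    print(problems, methods)
```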