WFS709TP ProSafe Smart Wireless Switch Software Administration Manual
1-14 Overview of the WFS709TP
v1.0, June 2007
The client determines which AP is best for connecting to the WLAN and attempts to associate with
it. During the association exchange, the client and WFS709TP negotiate the data rate,
authentication method, and other options.
Authentication
Authentication provides a way to identify a user and provide appropriate access to the network for
that user. One or more authentication methods may be used, ranging from secure authentication
methods such as 802.1x and captive portal to less secure methods such as MAC address
authentication.
802.1x Authentication
802.1x is an IEEE standard used for authenticating clients on any IEEE 802 network. It is an open
authentication framework, allowing multiple authentication protocols to operate within the
framework. 802.1x operates as a Layer 2 protocol. Successful 802.1x authentication must
complete before any higher-layer communication with the network, such as a DHCP exchange to
obtain an IP address, is allowed.
802.1x is key-generating, which means that the output of the authentication process can be used to
assign dynamic per-user encryption keys. While the configuration of 802.1x authentication on the
WFS709TP is fairly simple, 802.1x can require significant work in configuring an external
authentication server and wireless client devices.
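The following is an added example, not taken from the manual or from NETGEAR software, showing what "key-generating" means in practice: the per-user secret produced by a successful 802.1x/EAP exchange (the pairwise master key, PMK) is expanded into per-session encryption keys using the pairwise key derivation defined in IEEE 802.11i. All MAC addresses, nonces, and PMK values are constructed sample data, and the use of the CCMP key layout is an assumption for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < n_bytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Derive the 384-bit CCMP pairwise transient key and split it into KCK, KEK, TK."""
    if len(pmk) != 32 or len(aa) != 6 or len(spa) != 6:
        raise ValueError("PMK must be 32 bytes and MAC addresses 6 bytes")
    if len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("nonces must be 32 bytes")
    # Sorting the inputs lets authenticator and client build identical data.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}

# Constructed sample values. Real nonces are random per handshake, and a real
# PMK is the first 32 bytes of the key material exported by the EAP method.
AP_MAC = bytes.fromhex("020000000001")
ALICE_MAC = bytes.fromhex("0200000000a1")
BOB_MAC = bytes.fromhex("0200000000b2")
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE_1 = hashlib.sha256(b"constructed SNonce 1").digest()
SNONCE_2 = hashlib.sha256(b"constructed SNonce 2").digest()
PMK_ALICE = hashlib.sha256(b"constructed EAP output for alice").digest()
PMK_BOB = hashlib.sha256(b"constructed EAP output for bob").digest()

def demo() -> dict:
    """Two users on one AP, plus a second session for the first user."""
    return {
        "alice": derive_ptk(PMK_ALICE, AP_MAC, ALICE_MAC, ANONCE, SNONCE_1),
        "bob": derive_ptk(PMK_BOB, AP_MAC, BOB_MAC, ANONCE, SNONCE_1),
        "alice_again": derive_ptk(PMK_ALICE, AP_MAC, ALICE_MAC, ANONCE, SNONCE_2),
    }

if __name__ == "__main__":
    for who, keys in demo().items():
        print(who, "TK =", keys["tk"].hex())
```

Each user ends up with a different temporal key (TK), and the same user gets a fresh TK for each new session, which is the property that distinguishes 802.1x from a single key shared by every client.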
Captive Portal
Captive Portal allows a wireless client to authenticate using a web-based portal. Captive portals
are typically used in public access wireless hotspots or for hotel in-room Internet access. After a
user associates to the wireless network, their device is assigned an IP address. The user must start
a web browser and pass an authentication check before access to the network is granted.
Captive portal authentication is the simplest form of authentication to use and requires no software
installation or configuration on the client. The username/password exchange is encrypted using
standard SSL encryption. However, portal authentication does not provide any form of encryption

Note: Because an AP connected to a WFS709TP is a Thin AP, all wireless traffic it
receives is immediately sent through a GRE tunnel to the WFS709TP. The
WFS709TP responds to client requests and communicates with an authentication
server on behalf of the client. Therefore, the client authentication and association
processes occur between the wireless client and the WFS709TP.