Users Manual
Revision Information: WAS2K-MA-2008-ENG-0131
Version: Firmware version 1.2.17

Copyright: Copyright 2008 Elastic Networks, Inc. All rights reserved. Elastic Networks reserves the copyright of this documentation. No part of this documentation may be reproduced or transmitted in any form or by any means (such as electronically, mechanically or acoustically) without the prior written permission of Elastic Networks. Elastic Networks may make improvements or modifications in the device(s) and/or the program(s) described in this document at any time without obligation to provide notification of such revision or modification. This documentation may contain technical or editorial errors due to upgraded device(s); these will be corrected in a later version.

Trademarks: WAS-2000 WiMax Edition is a registered trademark of Elastic Networks, Inc. Windows XP/2000/NT4.0/98SE is a trademark of Microsoft Corp. All other company and device names may be trademarks of the respective companies with which they are associated. Please contact Elastic Networks regarding any questions about this guide.
Table of Contents

Table of Contents ... 5
Overview of WAS-2000 ... 8
  1 Key Features ... 9
  2 Authentication Server Specifications ... 9
  3 Network Configuration ... 9
    Network Configuration with a Single Authentication Server ... 10
    High Availability Configuration ... 10
WAS-2000 Configuration with WMU ... 13
  1 Login to Authentication Server ... 14
    1.1 System Summary ... 15
  2 User ... 17
    2.1 User Registration ... 17
    2.2 User Registration with CSV file ... 22
    2.3 User Information Modification ... 25
    2.4 User Information Deletion ... 25
  3 Authenticator ... 26
    3.1 Authenticator Registration ... 27
    3.2 Authenticator Registration (CSV file) ... 30
    3.3 Authenticator Modification ... 31
    3.4 Authenticator Deletion ... 32
  4 EACP (Enhanced Access Control Policy) ... 33
    4.1 EACP Registration ... 33
    4.2 EACP Modification ... 35
    4.3 EACP Deletion ... 35
  5 ENAP (Enhanced Network Authorization Policy) ... 37
    5.1 ENAP Registration/Modification ... 37
    5.2 ENAP Modification ... 40
    5.3 ENAP Deletion ... 40
  8 Accounting ... 45
    8.1 Accounting Server Registration ... 45
    8.2 Accounting Server Modification ... 47
    8.3 Accounting Server Deletion ... 47
    License Update ... 66
    Sys Account ... 67
    Administrator Account Management ... 68
    Authentication Method Identifier ... 68
    Accounting ... 69
  10.2 PKI ... 70
    Use Internal CA Server ... 70
      Root Certificate Issue ... 71
      Server Certificate Issue ... 73
      Server Certificate Issue (PKCS #12 Type) ... 74
      Client Certificate Issue ... 76
    Use External CA Server ... 78
  Dictionary ... 85
    RADIUS Attribute List ... 85
    Dictionary Policy List ... 86
  Statistics ... 87
    Event Log ... 87
    Statistics ... 89
  Reset ... 90
  Restart ... 92
  Log-off ... 93
WAS-2000 Specification ... 95
  Authentication Algorithms ... 95
  Physical Specifications ... 95
Glossary ... 97
Technical Support Contact ... 101
Overview of WAS-2000
This chapter gives an overview of the Elastic Wired/Wireless LAN Authentication Server, WAS-2000, its technical features and its configuration.

1 Key Features

The WAS-2000 of Elastic Networks, Inc., a full-featured wired/wireless LAN Authentication Server appliance, has the following features:

- Fully compliant IEEE 802.1X and WPA (WiFi Protected Access) authentication service
- Embedded RADIUS server on a security-hardened hardware platform
- Support for various authentication algorithms including EAP-MD5, EAP-TLS, EAP-TTLS, the Cisco version of PEAP (v1 and v2) and the Microsoft version of PEAP (v0), with future algorithm extension
- Easy-to-use user interfaces: WMU (Web-based Management Utility) and CLI (Command Line Interface)
- Support for RADIUS proxy and tunneled proxy functions
- Accounting server proxy functions
- Access to LDAP and Active Directory based back-end server databases
- Public key certificates supported by either the built-in or an external certificate registration authority
- Built-in secure database
- Support for a network failover port
2 Authentication Server Specifications

The WAS-2000 supports the following standard specifications:

- IEEE 802.1X
- IETF RFC 2865 Remote Authentication Dial-In User Service (RADIUS)
- IETF RFC 2869 RADIUS Extensions
- IETF RFC 2284 PPP Extensible Authentication Protocol (EAP)
- IETF RFC 2484 PPP LCP Internationalization Configuration Option
- IETF RFC 2716 PPP EAP TLS Authentication Protocol
- IETF Draft EAP Tunneled TLS Authentication Protocol
- IETF Draft Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE)
- EAP Tunneled TLS Authentication Protocol (EAP-TTLS) Draft 2 (November 2002)
- Protected EAP Protocol (PEAP) Draft 5 (September 2002)
3 Network Configuration
Network Configuration with a Single Authentication Server

The User Management feature of the WAS-2000 Authentication Server makes it possible to register the wired/wireless LAN users of a small to medium sized enterprise without a dedicated User Management Server. The Elastic Networks Authentication Server can import CA certificates when the EAP-TLS authentication method is used, and can also create its own certificates. With the EAP-TTLS or PEAP authentication method, the user is authorized with a User ID and Password only. Furthermore, by applying the Dynamic WEP Key on the server, data security is further tightened.

High Availability Configuration

Network authentication service by the WAS-2000 is one of the most fundamental services among enterprise networking services, so meeting the highest reliability is essential. It is recommended to configure WAS-2000 servers with HA (High Availability) enabled by duplicating servers as shown in Figure 2 below. If either one server or the network connected to that server goes down, the authentication service continues to operate without interruption.
1 Login to Authentication Server

Type the IP address of the Authentication Server in the address field of the web browser. The following Security Alert dialog box will be displayed.

This warning is displayed because the certificate authority that issued the TLS certificate used by the WAS-2000 is not registered as trusted in Windows. Click the button in the Security Alert dialog box to continue. The following Login page will then appear.
To log in as an administrator, type the User ID and Password. The default administrator ID and password are admin and adminme respectively. Click the button to log in.
1.1 System Summary

- Network Interface Configurations: the configuration of the two LAN ports embedded in the Authentication Server
- User & Authenticator Summary: the number of currently registered Users and Authenticators
- System Software Image: WAS-2000 firmware version and WMU version, free disk size and free memory size
2 User

This chapter explains the User List and Registration. Click User > List and the User List page appears. This page contains the currently registered user list, the Register, Delete and Search buttons, and a button to load several users at once with a CSV file.

The WAS-2000 has a capacity of up to 300 users registered in its embedded database. The network administrator must back up the registered user data files regularly. Even if a user is not registered in the WAS-2000, if an AAA server is connected to the domain (RADIUS or Tunnel), the WAS-2000 can delegate the authentication to the AAA server configured in the domain through the proxy function, or it can perform the authentication itself against an external DB (database) server that holds the user information. Please refer to chapters 7. Proxy and 9. External DBMS for details.

2.1 User Registration

In order for a PC or notebook to access the network through a Switch or an AP connected to the WAS-2000 Authentication Server, the user must be registered. To register a user, either click the Register button on the User List page or click User > Registration in the main menu.
In the User Registration page, refer to the following table to fill in each user field. The User Registration has three categories: Basic Information, Advanced Information and IP Address Configuration.
Basic Information
Field: Field Information (Default value)

User ID: User ID used to get authenticated. Since the same User ID is used in both WMU and 802.1X authentication, be careful not to use a duplicated ID.
Name: Name of the user.
Password (*): 6 or more characters, used to get authorized.
Confirm Password (*): Confirms the password.
Description: Description of the user.

Table 4. Basic Information

Advanced Information

Automatic Re-Authentication: Enable: enter ID and Password just once. Disable: enter ID and Password for every access.
Maximum Concurrent Sessions: Maximum number of sessions; maximum 2147483647 concurrent users. Default: 0 (infinite users).
Session Timeout: Time left until re-authentication (0 ~ 2147483647). After the timeout, re-authentication begins. Default: 900.
Idle Timeout: If the user is not active during the timeout period, the system automatically disconnects the user (at least 1). Default: 900.
User MAC Address: By default the MAC address is not checked. If a MAC address is set, it is checked during authentication. Default: 00-00-00-00-00-00.
ENAP: To use a Network Authorization Policy, choose from the registered ENAPs. Default: No Policy.
Authentication Method: Select one of the following. EAP: EAP-MD5, EAP-TLS. EAP-TTLS: EAP-TTLS (EAP-MD5), EAP-TTLS (EAP-ELASTIC-PAP). MSPEAP: MSPEAP (EAP-MS-CHAP-V2), MSPEAP (EAP-ELASTIC-PAP). PEAP: PEAP (EAP-MD5), PEAP (EAP-ELASTIC-PAP). EAP-ELASTIC: EAP-ELASTIC (EAP-MD5), EAP-ELASTIC (EAP-ELASTIC-PAP). PAP: PAP. Default: EAP_MD5.
EACP: Configures the group access by date or hours. (See ENAP configuration.) Default: None.
Change Password on Next login: Term in days after which the user must change the password. If Change Password on Next login is checked, the password change is required at the first login after the user registration. This feature is only available with MSPEAP (EAP-MSCHAPV2) and EAP-TTLS (EAP-ELASTIC-CHAP-V1).
Speed Limit: Sets limits on the user's transmitting rate and receiving rate in Mbps.
Flow control: Enables or disables the user's data flow control. Default: Disable.

Table 5. Advanced Information
IP Address Configuration
The user's IP address is assigned either with a Relay IP Address, which must be configured in ENIP > Registration, or as a static IP. Consult with the network administrator.

Click the register button; the IP Policy Configuration window then appears. Choose an IP POOL first from the combo box and type in a static IP within the selected IP POOL range. Click the save button and close the window. Note: In order to do the IP Address Configuration, the IP POOL must have been registered in the ENIP registration, and prior to registering the ENIP, the IP POOL Name must have been registered in the DHCP Registration.
Type in each field value correctly and click the save button; the newly registered User ID then appears in the User List page. The fields marked (*) are mandatory and the rest remain at their defaults. The User IDs are listed alphabetically. If a duplicated User ID is entered, the following message will appear.

Reminder

When EAP-MD5 is used, the dynamic WEP key is not supported, so its security is weak. When EAP-TLS is used, the root and client certificates are mandatory on the client PC. (For EAP-TTLS and EAP-PEAP, the certificates are optional.) The certificate can be obtained from or issued by the Authentication Server.
2.2 User Registration with CSV file

The previous section showed individual user registration, which is not efficient for a large number of users. For that, a CSV (comma separated value) file is used.
When the administrator selects Do Not Overwrite, if there is any duplicated User ID while the User CSV file is uploading, the system interrupts the upload and asks to go back to the previous page. The administrator must correct the User CSV file and then try the upload again. When Overwrite is selected, the new user data overwrites the existing user data. Unless specified, every undefined field is set to its default. The fields Confirm Password, Speed Limit, Flow Control and IP Address Configuration cannot be configured by User CSV Upload; they can be configured later, case by case, through User Modification. The fields registered while uploading the CSV file are the following.
Field: Field Information

User ID: User ID; no duplication is allowed.
User name: User's real name.
Password: User's password.
Description: Description of the user.
Automatic Re-Authentication: 0: Termination, 1: Automatic Re-authentication.
Maximum Concurrent Sessions: The maximum number of concurrent users accessing the Authentication Server.
Session Timeout: Number in seconds.
Idle Timeout: Number in seconds.
User MAC address: The MAC address of the user, entered in xx-xx-xx-xx-xx-xx form. Otherwise the default (00-00-00-00-00-00) is used.
Authentication Method: To configure the authentication method, type one of the following in the field of the CSV: eap-md5, eap-tls, eap-ttls:eap-md5, eap-ttlsp:eap-expap, eap-ttls:eap-exchap, mspeap:eap-mschapv2, mspeapp:eap-expap, peap:eap-md5, peapp:eap-expap, eap-Elastic:eap-md5, eap-exresp:eap-expap, pap.
ENAP Policy: Configures the group access policy by dates or hours. (See ENAP configuration.)
Change Password on Next Login: Term in days to change the user password. 0: check to change the password on next login, 1: check not to change the password on next login.

Table 6. User CSV File Information (For the details, see Table 5)
The following example shows User Registration using a CSV file. The upload filename is StaffList.csv. The default delimiter is , (you can use your own delimiter). The data starts from the 2nd line. The header is used and the headers are in the 1st line. If you check Overwrite, a duplicated User ID can be overwritten.
In the User CSV Upload (Up to 300 users) page, select the proper field values by clicking the arrow tab and click the save button to save the user list.
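Before uploading a large StaffList.csv it is useful to check it offline against the rules above. The following Python script is an added example, not Elastic Networks code and not part of the WMU: it re-implements the Table 6 field rules (the authentication method tokens, the xx-xx-xx-xx-xx-xx MAC form with the 00-00-00-00-00-00 fallback, the 0/1 flags, the 6-character minimum password from Table 4 and the 300-user capacity) together with the Overwrite / Do Not Overwrite handling of duplicated User IDs. The column names and the sample rows are constructed for the example; the WAS-2000's own header names may differ.

```python
"""Validate and merge a WAS-2000 user CSV before uploading it.

Added example, not Elastic Networks code: the WMU performs these checks
server-side; this re-implements the rules of Tables 4 to 6 so a large
StaffList.csv can be checked offline.  Column names follow Table 6 and the
sample rows are constructed for the demonstration."""
import csv
import re

# Authentication method tokens accepted in the CSV (Table 6), compared case-insensitively.
AUTH_METHODS = {
    "eap-md5", "eap-tls", "eap-ttls:eap-md5", "eap-ttlsp:eap-expap",
    "eap-ttls:eap-exchap", "mspeap:eap-mschapv2", "mspeapp:eap-expap",
    "peap:eap-md5", "peapp:eap-expap", "eap-elastic:eap-md5",
    "eap-exresp:eap-expap", "pap",
}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")
DEFAULT_MAC = "00-00-00-00-00-00"
MAX_USERS = 300
MAX_INT = 2147483647
# Defaults from Table 5 applied to empty fields.
DEFAULTS = {
    "Maximum Concurrent Sessions": "0",
    "Session Timeout": "900",
    "Idle Timeout": "900",
    "Authentication Method": "eap-md5",
}


def normalize(row):
    """Strip values, fill Table 5 defaults and apply the MAC fallback of Table 6."""
    user = {k: (v or "").strip() for k, v in row.items() if k}
    for field, default in DEFAULTS.items():
        if not user.get(field):
            user[field] = default
    mac = user.get("User MAC address", "")
    user["User MAC address"] = mac if MAC_RE.match(mac) else DEFAULT_MAC
    return user


def validate(user, lineno):
    """Return a list of rule violations for one normalized row."""
    errs = []
    if not user.get("User ID"):
        errs.append(f"line {lineno}: User ID is required")
    if len(user.get("Password", "")) < 6:
        errs.append(f"line {lineno}: Password must be 6 or more characters")
    if user["Authentication Method"].lower() not in AUTH_METHODS:
        errs.append(f"line {lineno}: unknown Authentication Method "
                    f"{user['Authentication Method']!r}")
    for field in ("Automatic Re-Authentication", "Change Password on Next Login"):
        value = user.get(field, "")
        if value and value not in ("0", "1"):
            errs.append(f"line {lineno}: {field} must be 0 or 1")
    for field, low in (("Maximum Concurrent Sessions", 0),
                       ("Session Timeout", 0), ("Idle Timeout", 1)):
        value = user[field]
        if not value.isdigit() or not low <= int(value) <= MAX_INT:
            errs.append(f"line {lineno}: {field} must be an integer in {low}..{MAX_INT}")
    return errs


def load_users(csv_text, existing=None, overwrite=False, delimiter=",", data_start=2):
    """Apply the upload rules: header in line 1, data from line `data_start`,
    duplicated User IDs abort the upload unless `overwrite` is set.  Returns
    (merged_users, errors); when errors is non-empty nothing is merged."""
    existing = dict(existing or {})
    lines = csv_text.splitlines()
    if not lines:
        return existing, ["empty upload"]
    header = next(csv.reader(lines[:1], delimiter=delimiter))
    reader = csv.DictReader(lines[data_start - 1:], fieldnames=header, delimiter=delimiter)
    incoming, errors = {}, []
    for lineno, row in enumerate(reader, start=data_start):
        user = normalize(row)
        errors.extend(validate(user, lineno))
        uid = user["User ID"]
        if not overwrite and (uid in incoming or uid in existing):
            errors.append(f"line {lineno}: duplicated User ID {uid!r}")
        incoming[uid] = user
    merged = {**existing, **incoming}
    if len(merged) > MAX_USERS:
        errors.append(f"{len(merged)} users exceed the {MAX_USERS} user capacity")
    return (existing, errors) if errors else (merged, [])


# Constructed sample: the second alice row overwrites the first; bob's empty
# fields take the defaults and his malformed MAC falls back to the default.
SAMPLE_CSV = """User ID,User name,Password,Description,Automatic Re-Authentication,Maximum Concurrent Sessions,Session Timeout,Idle Timeout,User MAC address,Authentication Method,Change Password on Next Login
alice,Alice Kim,S3cretPw,Engineering,1,2,3600,600,00-11-22-33-44-55,mspeap:eap-mschapv2,0
bob,Bob Lee,pass1234,Sales,0,,,,not-a-mac,eap-ttls:eap-md5,1
alice,Alice Kim,NewPassw0rd,Engineering (updated),1,1,900,900,,eap-tls,1
"""

if __name__ == "__main__":
    users, errors = load_users(SAMPLE_CSV, overwrite=False)
    print("Do Not Overwrite:", errors or f"{len(users)} users loaded")
    users, errors = load_users(SAMPLE_CSV, overwrite=True)
    print("Overwrite:", errors or f"{len(users)} users loaded")
```

With Do Not Overwrite the duplicated alice row stops the whole upload and the existing data is left untouched, which mirrors the WMU behaviour described above; with Overwrite the later row wins. Because the CSV carries passwords in clear text, the file should be handled and deleted with the same care as the server's backup files.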
2.3 User Information Modification

To modify the user information, click the User ID to be modified in the User List page; the User Registration page appears. Modify the field values of the user and click the save button. The modified user information is then saved.

2.4 User Information Deletion

To delete the user information, check the user in the User List page, click the Delete button and confirm the deletion.
Reminder
In the WAS-2000 Authentication Server, the default System Account names used as user IDs are the following. When the System Account is not modified, do not use these as user IDs, since the names are reserved for the authentication algorithms.
- eapttls, mspeap, peap, eapelastic, eapttlspap, mspeappap, peappap, eapalasticpap
3 Authenticator

The Authenticator List, Registration, Modification and Deletion are available under the Authenticator menu. For wired/wireless authentication and security, an Authenticator supporting the IEEE 802.1X standard must be deployed, and the Switch or Access Point must be configured with the Authenticator Registration feature.
3.1 Authenticator Registration

For the Authenticator Registration, click the Register button in the Authenticator List page or click Authenticator > Registration in the main menu. The following page will then appear.

The Authenticator Registration offers several options according to the kind of authentication method for the wired/wireless LAN users and the database used to store the user information. These options must be chosen carefully according to the environment and policies of the location or enterprise. The detailed descriptions of the Authenticator fields are the following.
Field: Field Information (Default)

IP Address: IP address of the Authenticator.
NAME/ESSID: The name of the wired/wireless network part of your network. It is case-sensitive.
MAC Address: MAC address of the Authenticator. If a MAC address is configured, it is checked; if the default is used, it is not checked. Default: 00-00-00-00-00-00.
Password (Shared Secret): The encryption key to share with the Authenticator. Same key as on the Authentication Server; it is case-sensitive.
Type: Access Point: AP; Ethernet Switch: Switch.
Vendor: Select among Cisco, Enterasys, Foundry, Other.
Encryption: Select between Dynamic WEP and No Encryption.
Validate ESSID By: Select Local Value or Supplied by the Authenticator.
Installed Location: Enter the location of the Authenticator.
Description: Description regarding the Authenticator.
Tunnel Tag: Set the Switch as 1 and the AP as 0. Default: 0.
RADIUS Proxy: Configures the RADIUS domain. RADIUS precedes the Tunnel domain. Default: None.
Tunneled Proxy: Configures the Tunnel domain. If a RADIUS domain is in use, this is ignored. Default: None.
External DBMS: Back-end database server configuration. Default: None.
External CA: Back-end certificate server configuration. Applies when TLS authentication is in use. This is activated when an External CA Server is selected in the external DB server registration. Default: None.
Accounting Server: When an Accounting Server is in use, select the proper Accounting Server. Default: None.
(Accounting) Password: The encryption key to share with the Accounting Server.

Table 7. Authenticator Registration Information

The MAC address of the Authenticator is set to 00-00-00-00-00-00 by default. If the MAC address value is changed, the Authentication Server starts checking the MAC address. When the Authenticator Registration page appears, you must type in the field values correctly.
Example values:

Authenticator IP: 192.168.2.20
ESSID: test_ap
Password: 123456 (displayed only as masked characters)
Type: AP
MAC Address: 00-00-00-00-00-00 (Default)
RADIUS Proxy: None (See Proxy)
Tunneled Proxy: Dept Group (See Proxy)
Accounting Password: acctest (displayed only as masked characters)
Accounting Server: TESTACC (See Accounting)
DB Server: None (Not in use)
Location: Technical Support
Description: Model. PROXIM MP.16

If the RADIUS Proxy configuration is not configured, it is set to None, which is the default. When the RADIUS Proxy is set to None, the RADIUS Proxy is not activated. Please refer to chapter 7. Proxy for details. Once all the field values are entered properly, click the save button; the following page then appears and the Authenticator Registration is completed.
Click Authenticator > Registration in the main menu and add the new Switch or AP in the same manner.

3.2 Authenticator Registration (CSV file)

To register several Switches or APs, the CSV file must be created before it is uploaded.

When the administrator selects Do Not Overwrite, if there is any duplicated Switch or AP while the Authenticator CSV file is uploading, the system interrupts the upload and asks to go back to the previous page. The administrator must correct the Authenticator CSV file and then try the upload again. When Overwrite is selected, the new Authenticator data overwrites the existing Authenticator data.

While the CSV file is uploading, the following field values are registered.
Field: Field Information

IP Address: IP address of the Authenticator in xxx.xxx.xxx.xxx format.
NAME/ESSID: The ID of the wireless LAN used in the wireless network. It is case-sensitive.
MAC Address: The Authenticator's MAC address in xx-xx-xx-xx-xx-xx format. If not altered, it is set to the default 00-00-00-00-00-00.
Password (Shared Key): The password to share with the Authenticator. Same as the Authenticator's; it is case-sensitive.
Type: Choose either WiMax BS (802.16 Base station), AP (Access Point) or Switch (Ethernet Switch).
Vendor: Type Other: 0, Cisco: 1, Enterasys: 2, Foundry: 3.
Encryption: Type Dynamic WEP: 0, Without Encryption: 1.
Confirm Name/ESSID: Use the registered value: 0, Supplied from the Authenticator: 1.
Installed Location: The description of the installed Authenticator's location, written in text.
Description: A special remark on the Authenticator, written in text.
Tunnel Tag: AP: 0, Switch: 1.
Radius Proxy: RADIUS Proxy configuration. RADIUS Proxy precedes the Tunnel Proxy.
Tunnel Proxy: Tunnel Proxy configuration. This is not activated if the RADIUS Proxy is configured. Enter the configured Proxy Name.
BE (Back-End) Server: External DB Server. Type the configured external DB Server Name.
BE Cert Server: External CA Server. Type the configured external CA Server Name.
Account Server: Type the Accounting Server.
Account password: The encryption key to share with the Accounting Server.

Table 8. Authenticator CSV file field Information

To locate the CSV file to upload, type in the filename or click the browse button to select the file. The next step is to set the delimiter to the default , or to use your own delimiter. Then configure the data starting line number, check Overwrite if wanted, and finally check the header as in use (the headers are usually held in the 1st line). Now click Upload and the Authenticator CSV Upload configuration page appears. In the CSV Upload configuration page, configure each field value and click the save button; the configuration is then stored.

3.3 Authenticator Modification

To modify the Authenticator information, click the IP address of the Authenticator to be modified in the Authenticator List page. The Authenticator Modification page appears. Modify the field information and click the save button to save it to disk.
In the Authenticator Modification page, the IP address cannot be modified.

3.4 Authenticator Deletion

To delete a registered Authenticator, check the Authenticator in the Authenticator List page, click the Delete button and confirm the deletion.
4 EACP (Enhanced Access Control Policy)

The configuration of the access policy makes it possible for the server to limit the access of a certain user or group by hours or dates. In other words, for each registered group, the server is able to limit the dates and the hours of the day. During that limited time, even a registered user cannot access the network. In order to access the network, the user must be registered properly by the administrator in the User Registration page.

4.1 EACP Registration

To set up an EACP for users, click EACP > Registration in the main menu, or click the Register button. The EACP Registration page appears.

The EACP Registration is set per allowed Authenticator by date or hours. Since this is done on a group basis, the administrator can easily maintain the server without registering the users one by one.
Allowed authenticators only: Limits the users who belong to a certain group to access only the allowed Authenticators. The available Authenticators display their IP addresses next to the checkboxes.
Allowed Access Time: Enable time constraints / Disable time constraints.
Selection legend:
  Allow All: Always allow access.
  Disallow All: Do not allow access at all.
  Allow by Hours Everyday: Allow certain hours every day.
  Allow by Days: Only allow access on certain days.
  Allow Individual Hour: Only allow access at certain hours.

Table 9. EACP configuration

An example of the EACP Registration page follows. The Policy Name is PartTime, and its users are only allowed to access the AP with the IP address 192.168.2.20 every day from 8am to 7pm (check Allow by Hours Everyday).
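The PartTime policy above can be expressed as a small decision function, which is useful for reasoning about what a policy actually permits before it is applied to a group. The following Python is an added example, not Elastic Networks code and not the server's own implementation: it models Table 9 (the set of allowed Authenticators plus one of the five time selections) and evaluates the decision for a request arriving through a given Authenticator at a given time. The policy field names, the treatment of 7pm as the exclusive end of the window, and the fail-closed handling of an Authenticator that is not checked are assumptions.

```python
"""Evaluate an EACP (Enhanced Access Control Policy) decision.

Added example; this is not Elastic Networks code and the WAS-2000 does not
expose its policy evaluation.  It models Table 9: a set of allowed
authenticators plus one of the five time-constraint selections, and decides
whether a user holding the policy may authenticate through a given
authenticator at a given time.  Policy field names are assumptions."""
from datetime import datetime

# Selection legend from Table 9.
ALLOW_ALL = "Allow All"
DISALLOW_ALL = "Disallow All"
ALLOW_BY_HOURS_EVERYDAY = "Allow by Hours Everyday"
ALLOW_BY_DAYS = "Allow by Days"
ALLOW_INDIVIDUAL_HOUR = "Allow Individual Hour"


def make_policy(name, authenticators, selection, hours=(), days=(), slots=(),
                time_constraints=True):
    """Build a policy dict.  `hours` are hours of the day (0-23), `days` are
    weekday numbers (Monday=0), `slots` are (weekday, hour) pairs used by the
    Allow Individual Hour selection."""
    return {
        "name": name,
        "authenticators": frozenset(authenticators),
        "time_constraints": time_constraints,
        "selection": selection,
        "hours": frozenset(hours),
        "days": frozenset(days),
        "slots": frozenset(slots),
    }


def access_allowed(policy, authenticator_ip, when):
    """Return True if the policy admits a request through `authenticator_ip`
    at datetime `when`.  Anything not explicitly allowed is refused."""
    # Authenticator restriction: only checked authenticators are allowed, so an
    # empty set admits nothing (fail closed; assumption about the WMU).
    if authenticator_ip not in policy["authenticators"]:
        return False
    # "Disable time constraints" leaves only the authenticator check.
    if not policy["time_constraints"]:
        return True
    selection = policy["selection"]
    if selection == ALLOW_ALL:
        return True
    if selection == DISALLOW_ALL:
        return False
    if selection == ALLOW_BY_HOURS_EVERYDAY:
        return when.hour in policy["hours"]
    if selection == ALLOW_BY_DAYS:
        return when.weekday() in policy["days"]
    if selection == ALLOW_INDIVIDUAL_HOUR:
        return (when.weekday(), when.hour) in policy["slots"]
    return False  # unrecognised selection: fail closed


def decide(policy, authenticator_ip, timestamp):
    """Convenience wrapper taking a 'YYYY-MM-DD HH:MM' timestamp string."""
    return access_allowed(policy, authenticator_ip,
                          datetime.strptime(timestamp, "%Y-%m-%d %H:%M"))


# The manual's PartTime example: only the AP at 192.168.2.20, every day from
# 8am to 7pm.  Hours 8..18 are allowed, so 18:59 passes and 19:00 is refused
# (the end of the window is treated as exclusive; an assumption).
PART_TIME = make_policy("PartTime", {"192.168.2.20"}, ALLOW_BY_HOURS_EVERYDAY,
                        hours=range(8, 19))

# Constructed second policy: weekdays only (Monday..Friday), any hour, same AP.
WEEKDAYS = make_policy("Weekdays", {"192.168.2.20"}, ALLOW_BY_DAYS,
                       days=range(0, 5))


if __name__ == "__main__":
    for ts in ("2008-03-05 09:30", "2008-03-05 19:00", "2008-03-08 09:30"):
        print(ts, "PartTime:", decide(PART_TIME, "192.168.2.20", ts),
              "Weekdays:", decide(WEEKDAYS, "192.168.2.20", ts))
```

Running the block prints the decisions for a Wednesday morning, a Wednesday at 7pm and a Saturday morning. Checking a policy this way before assigning it to a group avoids the two common mistakes with time windows: an off-by-one at the boundary hour and forgetting that the Authenticator checkbox list restricts access independently of the time selection.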
4.2 EACP Modification

To modify the EACP of a certain group, click the Policy ID in the EACP List page; the EACP Modification page appears. The field information of the group policy can be modified except the Policy ID. Click the save button to save the changes.

4.3 EACP Deletion

If the EACP to be deleted is shared by other users, the users' EACP must first be changed to another EACP or to None; only then can the EACP be deleted. If you attempt to delete an EACP shared by other users, the message "Deleting EACP has not been successful since it is shared by other users. Please deselect the users' EACP option and try again" is displayed.
5 ENAP (Enhanced Network Authorization Policy)

In the ENAP page, you can register a new ENAP, modify an existing ENAP and delete an ENAP. To register a new ENAP, you need to type in different field values according to the vendor. The ENAP List page is as follows.

5.1 ENAP Registration/Modification

Click ENAP > Registration in the main menu; the ENAP Registration page then appears as follows. In the ENAP Registration page (Figure 28), you can specify a Success or Failure Notification Message to be displayed when the authentication succeeds or fails. Otherwise, the Success/Failure Notification Messages defined in the System are displayed.
Figure 28. ENAP Registration/Modification Page The following table is the detailed explanations on the ENAP Registration. Basic Configuration
Field: Field Information (Default)
ENAP ID: Name a network authorization policy (default null)
Vendors: Choose your vendor, Cisco / Enterasys / Foundry / Other (default N/A)
Success Notification Message: Message to be displayed when the authentication succeeds (default null)
Failure Notification Message: Message to be displayed when the authentication fails (default null)
Secumetry Name: Select a Secumetry Server (default None)
Configuration Details
Field Information
- Configure an IP Address of a specific Authenticator
- Vendor name of the Authenticator
- ESSID of the Authenticator
- Same name as registered in the Authenticator
- Same ID as registered in the Authenticator
Table 10. ENAP Configuration
When the ENAP Registration page appears, select or type in each field precisely. For example:
Vendor: Cisco
ENAP ID: vlan10
VLAN name: br10 (as configured in the Authenticator)
VLAN ID: 10 (as configured in the Authenticator)
Secumetry: none
The VLAN Name and ID must be the same as defined in the Authenticator. After the Basic Configuration is typed in correctly, click the button for the Configuration Details. The following page is displayed. A static IP Address can be forced for a certain ENAP ID.
According to the Authenticator Vendor, the field requirements may vary.
5.2 ENAP Modification
To modify an ENAP, click the Policy ID in the ENAP List; the ENAP Modification page appears. After you modify the fields, click the button to apply the modifications. Modification of the ENAP Policy Group Name is not allowed.
5.3 ENAP Deletion
To delete an ENAP from the ENAP List, check the ENAP to be deleted and click the button. The window confirming the deletion appears; click the button to confirm. If the ENAP to be deleted is registered in the User List, the users' ENAP field value is changed to No Policy.
To view the Network IP Policy List, click NIP > List on the main menu. The NIP List page is displayed as follows.
Figure 31. IP Policy List page
6.1 IP Policy Registration
To register an IP Policy, the IP POOL Names must first be registered in the DHCP Registration. Registered IP POOL Names show up under Currently Available POOL Names. Check either Use All POOLS or one of the POOL Names to be used to create a Relay IP.
Proxy
This chapter explains how to configure the RADIUS Server's Proxy Servers for access to the Back-End AAA Server (see the Glossary) in a Distributed Authentication Server network environment.
If a RADIUS Proxy Server is registered, the authentication process for the user is done in the Back-End AAA Server. The RADIUS Proxy Server is chosen according to the enterprise's environment and policy. If a RADIUS Proxy Server is registered, its Server Name appears under RADIUS Proxy on the Authenticator Registration page. There are two kinds, RADIUS Proxy and Tunnel Proxy:
RADIUS Proxy: When the user is unknown to the local system, the user is allowed to access the Back-End AAA server by tunneling through the wired/wireless network, and the user is authenticated in the Back-End Server.
Tunnel Proxy: When the user is unknown to the local system, the user is only allowed to access the authenticator with tunneling, and user authentication is done in the Back-End AAA server by the MD5 authentication method.
7.1 RADIUS Proxy Server Registration
The Proxy Server must be registered so that the user is authorized by the Back-End Server via the authenticator the user is accessing. Both RADIUS Proxy and Tunnel Proxy are supported.
The above page is the RADIUS Proxy Server Registration page; its field information is as follows.
Field Information
Common: Proxy Server Name to be registered; choose between RADIUS proxy / Tunneled proxy
AAA Server: Port number (1812 suggested); the password to share with the Back-End AAA Server (16 characters or more are recommended)
The RADIUS Proxy Server configuration has a Primary and a Secondary Server; the Secondary Server is optional. After configuring the Proxy Servers, click the button to save.
7.2 RADIUS Proxy Server Modification
To modify the RADIUS Proxy Server information, click the Server Name in the RADIUS Proxy Server List; the RADIUS Proxy Server Modification page appears. In the RADIUS Proxy Server Modification page, all field values except the Server Name can be modified. Click the button to save the new information on the RADIUS Proxy Server.
To delete a registered RADIUS Proxy Server, check the server to be deleted, click the button, and confirm the deletion.
Accounting
By monitoring the status of each user and collecting the data of the users' access, the Accounting Server can bill the user according to the collected data and manage the user account. For Accounting Server management, from connection establishment to disconnection, the Accounting Server collects all the data related to the user and processes it. WAS-2000 collects all RADIUS-ACCOUNTING data from each authenticator and delivers it to the main accounting server; therefore, WAS-2000 acts as an Accounting Proxy Server. The registered Accounting Server shows up under Accounting Information during Authenticator Registration.
8.1 Accounting Server Registration
To register the Accounting Server, click Accounting > Registration in the main menu or click the button in the Accounting Server List page. The Accounting Server Registration page appears. In the Accounting Server Registration, you can configure two servers, Primary and Secondary; the Secondary Server is optional. After configuring the Accounting Servers, click the button to save.
Field Information
Accounting Server Name to register
IP Address of the Accounting Server
Port number (1813 suggested)
Shared Secret: The secret password to share with the Accounting Server (16 characters or more)
Confirm Secret
Reminder
- When an Accounting Server is registered, you are required to select the Authenticator's Accounting Server in the Authenticator List.
- The Authenticator can be configured to act as an Accounting Server.
Notes
The WAS-2000 Authentication Server can act as an Accounting Server. When the embedded Accounting functions are used, Accounting Server Registration in the Authentication Server is not required. Instead, in the AP configuration of the Authenticator Registration, the Accounting Password must be the same as the Accounting Shared Secret and the Accounting Server IP must be the same as the Authentication Server IP.
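The following is an added example, not code from this manual or from Elastic Networks, showing what the shared secret configured for a RADIUS Proxy Server (7.1) and an Accounting Server (8.1) is used for. Per RFC 2865, the Response Authenticator of an Access-Accept or Access-Reject returned by the Back-End AAA server, and per RFC 2866 the Request Authenticator of an Accounting-Request, are MD5 digests over the packet plus the secret, so a proxy or accounting server can reject replies and records that were not produced with the same secret. The packet bytes are constructed for the example, and the helper names are assumptions.

```python
"""Verify RADIUS packet authenticators with the configured shared secret.

Added example for sections 7.1 and 8.1; not code from the WAS-2000 manual
or from Elastic Networks.  All packets below are constructed here.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
HEADER_LEN = 20          # Code(1) Identifier(1) Length(2) Authenticator(16)
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_ACCT_STATUS, ATTR_ACCT_SESSION_ID = 1, 4, 40, 44
MIN_SECRET_LEN = 16      # the manual's "16 characters or more" recommendation


def secret_is_strong_enough(secret: bytes) -> bool:
    """Apply the manual's length guidance to a shared secret."""
    return len(secret) >= MIN_SECRET_LEN


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes)) + authenticator + attributes


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def accounting_request_authenticator(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """RFC 2866 section 3: the same digest with 16 zero octets in the authenticator field."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + bytes(16) + attributes + secret).digest()


def _split(packet: bytes):
    """Return (code, identifier, authenticator, attributes), or None if malformed."""
    if len(packet) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    return code, identifier, packet[4:20], packet[20:]


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Accept a Back-End AAA reply only if it matches our request and our secret."""
    parts = _split(reply)
    if parts is None or parts[0] not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    code, identifier, got, attributes = parts
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    return hmac.compare_digest(expected, got)     # constant-time comparison


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Accept an Accounting-Request from an authenticator only if it was made with our secret."""
    parts = _split(packet)
    if parts is None or parts[0] != ACCOUNTING_REQUEST:
        return False
    _, identifier, got, attributes = parts
    return hmac.compare_digest(accounting_request_authenticator(identifier, attributes, secret), got)


def make_access_request(identifier: int, user: str):
    """Constructed Access-Request; its authenticator is random (RFC 2865). Returns (packet, request_auth)."""
    request_auth = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, user.encode()) + attribute(ATTR_NAS_IP, bytes([192, 168, 2, 20]))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def make_reply(code: int, identifier: int, request_auth: bytes, secret: bytes, attributes: bytes = b"") -> bytes:
    """What the Back-End AAA server sends back: a reply stamped with the Response Authenticator."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return build_packet(code, identifier, auth, attributes)


def make_accounting_start(identifier: int, user: str, session_id: str, secret: bytes) -> bytes:
    """Constructed Accounting-Request (Acct-Status-Type = Start) as an authenticator would send it."""
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_ACCT_STATUS, struct.pack("!I", 1))
             + attribute(ATTR_ACCT_SESSION_ID, session_id.encode()))
    return build_packet(ACCOUNTING_REQUEST, identifier, accounting_request_authenticator(identifier, attrs, secret), attrs)
```

Because the digest covers the attributes, a reply whose attributes were altered in transit, a reply that answers a different request, or an accounting record produced with a mismatched secret (the case the Notes above warn about for the embedded Accounting Server) all fail verification.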
8.2 Accounting Server Modification
To modify registered Accounting Server information, click the Accounting Server Name in the Accounting Server List page; the Accounting Server Modification page appears. In the Accounting Server Modification page, all field values except the Server Name can be modified. Click the button to save the new information on the Accounting Server.
To delete an Accounting Server, check the server to be deleted and click the button. The window confirming the deletion appears; click the button to confirm.
External DB (Database Back-End) Management System
The Back-End Server Management System is configured when User Information needs to be retrieved not from the WAS-2000 Authentication Server but from an External DB. The WAS-2000 Authentication Server can work with various database servers such as an external CA Server (LDAP), an Active Directory Server and an NT Domain Server. This chapter describes how to configure support for these Database Servers.
After registration of the External DB Server, the way the External DB Server is accessed is set in the AP Registration of the Authenticator Registration. Where the users' data for User Authentication is retrieved from is set in the External DB Configuration. After registering the External DB Server, click the button to apply the new configuration.
9.1 External DB Server Registration
External DBMS> Registration in the main menu, and then the External DB Server Registration
To connect to the User Registration database, consult the Database Administrator to find out the IP Address of the External DB Server, the Port Number, Login Name, Password, Database Name and Database table. To register the External DB Server, first name the External DB Server and then configure the proper settings for it.
The User Template Configuration is very similar to the User Registration configuration (page 48); please refer to the configuration of the User Registration. The registered External DB Server must be applied by clicking the button.
9.1.1
This configuration authorizes the user by accessing the External CA Server for EAP-TLS Authentication.
Field: Field Information
IP Address: IP Address of the LDAP Server
Port: Port number of the LDAP Server
LDAP Login ID: Login ID of the LDAP Server
LDAP Password: Password of the LDAP Server
Directory Information: Directory information of the LDAP Server
Authentication Method: Set to EAP-TLS
ENAP: Choose when the Policy is in use
Table 13. External CA (LDAP) Server Registration
Since the External CA Server is used only with the EAP-TLS Authentication Method, the Authentication Method in the User Template configuration must be EAP-TLS.
9.1.2
This configuration authorizes users of the Active Directory by accessing the External Active Directory Server.
Active Directory/LDAP Server Registration only requires the IP Address of the Server.
Field Information
IP Address: The IP Address of the Active Directory Server
Authentication Method: Set to MSPEAP-ELASTIC-PAP or PEAP-ELASTIC-PAP
ENAP
9.1.3
This configuration authorizes users of the External NT Domain Server's database by accessing the External NT Domain.
In order to access the User Database of the NT Domain Server, you need to register the IP address of the NT Domain Server.
Field Information
NAP
Back-End Server Modification page appears. After the modification, click the button to change, then click the button to apply the modification.
To delete the Back-End Server, check the server to be deleted and click the button. The window confirming the deletion appears; click the button to confirm.
DHCP Server
Since the WAS-2000 Authentication Server has embedded DHCP (Dynamic Host Configuration Protocol) functions, it can allocate IP addresses automatically to the computers that access through the wired/wireless LAN environment. When DHCP Server is clicked, the DHCP Server menu is extended. From the extended menu, click DHCP Server > List; the DHCP Server List is displayed.
9.4 DHCP Server Configuration
To use the DHCP function, select Enable in the Local DHCP Server category and choose where to receive the users' MAC Addresses from. When using the DHCP IP Pool or the User Static IP, select Local Value from Use Mac Address From.
9.4.1 IP Pool Configuration
The DHCP Pool Configuration has Pool Name, Begin IP Address, End IP Address, Subnet Mask, Default Gateway, Primary DNS Server, and Secondary DNS Server. The first entry in the DHCP Pool List is applied initially. To use another DHCP Pool, check the box next to the new Pool Name and move it to the top of the list with the Up and Down buttons. When you click the Up or Down button, a dialogue box appears; click the confirm button. The new DHCP Pool is now applied.
9.4.2
- Blocked MAC Configuration allows any MAC Address to be blocked. Type the MAC Address in XX-XX-XX-XX-XX-XX format and click the button. The Blocked MAC Address information is listed in the User Specific IP Address list.
- Etc Configuration has the default IP Address lease time of 14400 seconds. It is modifiable.
- User-specific IP Address gives much more detailed information on the MAC Address.
- Leased IP Address displays the information according to the leased IP Address. Lease Begin / End times are displayed here.
9.4.3 DHCP Disable
To terminate the DHCP function, select Disable in the Local DHCP Server and click the button to apply the changes.
9.4.4 DHCP IP Pool Registration
First of all, enter the IP Pool Name. The next step is to configure the Begin IP Address, End IP Address, Subnet Mask, Default Gateway, Primary DNS Server, and the Secondary DNS Server.
If the IP Address of an existing network device lies in the DHCP IP Pool, you need to exclude that address as follows. Enter the IP Address to exclude in the left section and click the button to add it to the IP Address to exclude list.
If there are more IP Addresses to exclude, repeat the above steps. To remove an excluded IP Address, select the IP Address in the right section and click the button to remove it from the excluded list. Click the button to save the new configuration after the modification.
9.4.5 Leasing Order
Here you choose the Leasing Order in which IP Addresses are allocated, either Ascending or Descending.
9.4.6 Static IP Registration
Besides the DHCP functions, you can assign a specific IP Address to a specific networking device (including a PC). To set a Static IP Address, configure the MAC Address, Relay IP Address, IP Address, DHCP IP Pool, Gateway, Subnet Mask, Primary DNS Server and Secondary DNS Server. The DHCP IP Pool must be set to None; click the button to save the new configuration.
10 System
In the System Configuration, the Authentication Server hardware is configured. The hardware configuration of the Authentication Server should not be modified lightly. If you need to modify the System Configuration, consult the network administrator; once the modification is done, click the button to apply the new configuration.
10.1 System Configuration
In the left main menu, click the System > Configuration, then the following page appears.
In the System Configuration page, you can configure the Authentication Server related items: Network, System, Firmware, Sys Account, and Accounting. To configure each of them, click its tab in the System Configuration page.
10.1.1 Network
By clicking the Network tab, you can set up the two LAN Ports and the Gateway embedded in the WAS-2000 Authentication Server. For each LAN Port, configure the IP Address, Subnet Mask, and Gateway, and then click the button to save the configuration.
(icon): Enable port / (icon): Disable port
10.1.2 System
The following page configures the protocols by which the Authentication Server communicates with other servers, so that important administrative files are backed up in case of a system error. After configuring each category, click the button to apply the system configuration.
10.1.2.1
The System Proxy is configured by selecting the Enable radio button and typing the designated Proxy server name. The Country setting is selected from the combo box; the country name is required for Certificate issuing. After the selection, click the button to save the changes.
10.1.2.2
For User Registration using EAP-TTLS (EAP-ELASTIC-CHAP-V1), the Expiration Date Warning Configuration can be set in a number of days. This affects all users who use EAP-TTLS (EAP-ELASTIC-CHAP-V1). When the password has expired, a warning dialogue appears when the user attempts to log in.
10.1.2.3 Configurations
The Authentication Notification Message configured here becomes the default Success/Fail Authentication Message unless these messages are configured specifically for each Authenticator (see ENAP Registration). The Global User Attribute Configuration setting applies the same Session Timeout and Idle Timeout to all users.
The Session Timeout and Idle Timeout values are in seconds; click the button to apply the configuration. You can confirm the changes in the User List.
10.1.2.4
To access the internal DB of the system, the IP address of a device such as Secumetry must be configured here together with its shared password. The WAS-2000 Authentication Server generates SYSLOG data. The SYSLOG data can be sent to and stored on a SYSLOG Server other than the WAS-2000 Server.
After setting the IP Address of a SYSLOG Server supporting the protocol and setting it to Enable, all events of the Authentication Server can be saved. The WAS-2000 supports up to 5 servers. If SYSLOG is set to Disable, communication with the SYSLOG Server is terminated.
10.1.2.5 SNMP (Simple Network Management Protocol) Configuration
If you set SNMP to Enable, you can administer the operating condition of the WAS-2000 Authentication Server from a Network Management System (NMS).
Type in the field value of each category as shown above and then click the button to manage the network with the SNMP protocol.
10.1.2.6
This configuration authorizes a client user other than the Administrator to access the WMU. A user with access to the WMU is only allowed to modify the password used for authentication and cannot modify the configuration of the Authentication Server.
The following page appears when a client user logs in to the WMU; the user is only allowed to modify the password.
10.1.2.7
NTP Server
By default, NTP Server IP Address is set as 203.254.163.74. Please use any convenient NTP Server Address from your network.
After you set Use NTP to Enable and enter the NTP Server IP, click the button. The Current Date/Time is automatically synchronized with global time.
10.1.2.8 Backup Database
In the System Configuration page, the network administrator must download all the backup files in binary format and store them. In case of system failure, the network administrator must upload those backup files to restore operation. There are five files to back up, and they are in BIN file format.
User/Authenticator Data: Users and Authenticators which are registered in the Authentication Server
User Data: User Information which is registered in the Authentication Server
Authenticator Data: Authenticators which are registered in the Authentication Server
System Configuration: Authentication Server Hardware Configuration Information
System Certificate: Root Certificate and Server Certificate
10.1.2.8.1 Downloading
User/Authenticator Data
User Data
Authenticator Data
System Configuration
System Certificate
10.1.2.9
filename.
Since the firmware is the core software that operates the WAS-2000 Authentication Server, Elastic Networks offers patch files for better function and speed of the Authentication Server. The administrator must keep up with the most current update information regarding the Authentication Server.
To update the modules, specify the binary file path and name by clicking the button, followed by the button for the actual load.
To activate the newly loaded binary image, you must restart the system by clicking the button.
Reminder
The system should never be powered down while a binary image is being uploaded. Any interruption during the upload process may cause severe damage to the system.
10.1.3.2
License Update
The WAS-2000 server only operates properly when valid license information is registered on the server. The license information must be provided by Elastic Networks or its registered distributors or resellers. The License Update menu on this page is used to initiate or update a license.
You must enter a valid serial number and license code pair in the edit control box below and click the button.
If the license update process succeeds, the updated license information is shown at the top of this page.
Reminder
If the license of the WAS-2000 has expired, the authentication function does not work. It is therefore important to update the license before the expiration date. Please consult our sales representative for more information.
Reminder
The license information must be kept in a safe place in case you need to reset the WAS-2000 to its factory default state. After it is reset to the factory default state, you must re-enter the license code by CLI as described on page 16.
10.1.4 Sys Account
In the System Account Management, the administrator can manage the Administrator ID and the Authentication Method Identifiers of the Authentication Server. If a newly entered User ID is the same as one of the reserved identifiers in the Authentication Server, it is treated as a duplicate.
10.1.4.1
When the WAS-2000 Authentication Server is shipped, the administrator ID is preset as admin, but for security reasons it is recommended to change the Administrator ID and Password. After modifying the Administrator ID and Password, click the button to save.
There is no way to recover the Administrator ID and Password if they are lost, so be extremely careful when modifying them.
10.1.4.2 Authentication Method Identifier
The System Account Identifier, by which the algorithm for each Authentication Method is recognized, must be configured. The System Account Identifier can be modified, but in that case the System Account Identifier of the client's supplicant must be modified to match it.
EAP-TTLS (EAP Tunneled TLS): Using the EAP-TTLS method requires the Authentication ID for EAP-TTLS. The default value is eapttls, according to the TTLS standard. (Default value: eapttls)
MSPEAP (Microsoft Protected EAP): Using the MSPEAP method requires the Authentication ID for MSPEAP. (Default value: mspeap)
PEAP (Protected EAP): Using the PEAP method requires the Authentication ID for PEAP. (Default value: peap)
EAP-ELASTIC: Using the EAP-ELASTIC method requires the Authentication ID for EAP-ELASTIC. (Default value: eapElastic)
EAP TTLS-ELASTIC PAP: Using the EAP TTLS-ELASTIC PAP method requires the Authentication ID for EAP TTLS-ELASTIC PAP. (Default value: eapttlsp)
MSPEAP-ELASTIC PAP: Using the MSPEAP-ELASTIC PAP method requires the Authentication ID for MSPEAP-ELASTIC PAP. (Default value: mspeapp)
PEAP-ELASTIC PAP: Using the PEAP-ELASTIC PAP method requires the Authentication ID for PEAP-ELASTIC PAP. (Default value: peapp)
EAP ELASTIC-ELASTIC PAP: Using the EAP ELASTIC-ELASTIC PAP method requires the Authentication ID for EAP ELASTIC-ELASTIC PAP. (Default value: eapnetucubep)
10.1.5 Accounting
The Accounting Configuration concerns the Accounting Log file. You can configure the User Access Data Log file to be backed up on a day, week or month basis, and the file size can be configured in bytes. The Log file comes in several types; ADIF (Accounting Data Interchange Format) is one of them. Click the button to apply the new Accounting configuration.
Type
NONE : Accounting Log File is not created.
ADIF (Accounting Data Interchange Format)
ADIF-COMMA: The field values of the ADIF are separated by the comma ","
BINARY: The Log file is created as a binary file
Log Size: Size of the created Accounting Log file, in bytes; -1 means unlimited size
Date: The log file is created on a DAY, WEEK or MONTH basis. If the Log file grows bigger than the Log Size, a newly numbered file is created to store the data.
Reminder
After powering off or rebooting the system, all accounting data will be lost. Please use external Accounting Server for permanent storage of accounting information or back up each accounting data as a PC file.
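The following is an added example, not code from this manual or from Elastic Networks, of an accounting log writer that applies the settings listed above: Type NONE, ADIF-COMMA or BINARY, a Log Size in bytes with -1 meaning unlimited, a DAY/WEEK/MONTH date basis, and a newly numbered file once a log would exceed the Log Size. The manual does not list the ADIF fields or the binary layout, so the columns, the length-prefixed binary record, and the file names are the editor's assumptions.

```python
"""Accounting log writer following the 10.1.5 settings: Type, Log Size and Date basis.

Added example; not code from the WAS-2000 manual or from Elastic Networks.
The ADIF columns, the binary framing and the file naming are assumptions.
"""
import csv
import io
import os
import struct
import tempfile
from datetime import datetime
from typing import Dict, List, Optional

# Assumed ADIF columns, named after the usual RADIUS accounting attributes.
FIELDS = ("timestamp", "user_name", "nas_ip_address", "acct_status_type",
          "acct_session_id", "acct_input_octets", "acct_output_octets")
PERIOD_FORMAT = {"DAY": "%Y%m%d", "WEEK": "%Y-W%W", "MONTH": "%Y%m"}
UNLIMITED = -1


class AccountingLog:
    def __init__(self, directory: str, log_type: str = "ADIF-COMMA",
                 log_size: int = UNLIMITED, date_basis: str = "DAY"):
        if log_type not in ("NONE", "ADIF-COMMA", "BINARY"):
            raise ValueError(f"unknown Type {log_type!r}")
        if date_basis not in PERIOD_FORMAT:
            raise ValueError("Date must be DAY, WEEK or MONTH")
        if log_size != UNLIMITED and log_size <= 0:
            raise ValueError("Log Size must be positive or -1 for unlimited")
        self.directory, self.log_type = directory, log_type
        self.log_size, self.date_basis = log_size, date_basis
        self._period: Optional[str] = None
        self._seq = 0                        # number of the current file within the period
        os.makedirs(directory, exist_ok=True)

    def _encode(self, record: Dict[str, object]) -> bytes:
        if self.log_type == "ADIF-COMMA":
            buf = io.StringIO()
            csv.writer(buf, lineterminator="\n").writerow([record.get(f, "") for f in FIELDS])
            return buf.getvalue().encode()
        payload = "\x00".join(str(record.get(f, "")) for f in FIELDS).encode()
        return struct.pack("!H", len(payload)) + payload      # assumed BINARY framing

    def _path(self) -> str:
        ext = "adif" if self.log_type == "ADIF-COMMA" else "bin"
        return os.path.join(self.directory, f"acct_{self._period}_{self._seq:03d}.{ext}")

    def write(self, record: Dict[str, object], when_iso: str) -> Optional[str]:
        """Append one record stamped with the ISO time 'when_iso'; returns its file, or None for Type NONE."""
        if self.log_type == "NONE":
            return None
        when = datetime.fromisoformat(when_iso)
        period = when.strftime(PERIOD_FORMAT[self.date_basis])
        if period != self._period:                # a new DAY/WEEK/MONTH starts at file 001
            self._period, self._seq = period, 1
        data = self._encode(dict(record, timestamp=when.isoformat(timespec="seconds")))
        path = self._path()
        current = os.path.getsize(path) if os.path.exists(path) else 0
        if self.log_size != UNLIMITED and current and current + len(data) > self.log_size:
            self._seq += 1                        # rotate to a newly numbered file
            path = self._path()
        with open(path, "ab") as fh:
            fh.write(data)
        return path

    def files(self) -> List[str]:
        return sorted(os.listdir(self.directory))


def read_adif(path: str) -> List[Dict[str, str]]:
    """Parse an ADIF-COMMA file back into records, e.g. to check a backup copy."""
    with open(path, newline="") as fh:
        return [dict(zip(FIELDS, row)) for row in csv.reader(fh)]


def read_binary(path: str) -> List[Dict[str, str]]:
    """Parse the assumed BINARY framing: 2-byte big-endian length, then NUL-separated fields."""
    with open(path, "rb") as fh:
        data = fh.read()
    out, pos = [], 0
    while pos < len(data):
        (n,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        out.append(dict(zip(FIELDS, data[pos:pos + n].decode().split("\x00"))))
        pos += n
    return out


def new_log_dir() -> str:
    """A fresh temporary directory for the log files (used by the checks below)."""
    return tempfile.mkdtemp(prefix="acct_")
```

Rotation happens before a record is appended, so no file is allowed to pass the configured Log Size unless a single record is itself larger than the limit; in that case the record is still written rather than dropped, since losing accounting data is worse than an oversize file.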
10.2 PKI
To build a maximally secure network environment with the WAS-2000 Authentication Server, Certificate Management is very important. This chapter explains how to manage the Certificates.
10.2.1 Use Internal CA Server
When you click System PKI (Public Key Infrastructure) in the main menu, the following Certificate Management page appears. This page displays the configuration of the current modules of the Authorizing Certificates in the WAS-2000.
The above page is an example of using the Internal CA Server. In this case, the WAS-2000 Server is issuing the Root and Server Certificates. You can also use an External Certificate from another Certificate Authority; how to import certificates is explained later.
10.2.1.1 Root Certificate Issue
Click the Issue under Root Certificate in the Certificate Management page. Then the page of the Root Certificate Issue appears as follows.
The Root Certificate issued here is an X.509 certificate encoded in 64bit format.
Field: Field Information
User ID (CN): Certificate owner's name
Pass Phrase: A seed to produce the Secret Key of the Root Certificate
Private Key Encryption Password: The Secret Key to encrypt the Certificate
Valid For: Number in days; for example, a year would be 356
Location (L): Location of issuing, ex) SEOUL
Company (O): The company name, ex) ELASTIC
Department (OU): The department name, ex) ELASTIC QA TEAM
E-Mail Address: The e-mail of the Root Certificate Authority
Table 19. Fields for Certificate Issue
Type in all the field values (see Table 19) and click the button. If the Root Certificate Issue is successful, a dialogue box announces it; click the button in the dialogue box. The Certificate Management page then appears again, listing the new Root Certificate. Finally, click the button to update the current Certificates. Another dialogue box announces the successful change of the Certificates; click the button once again to confirm.
The Root Certificate can be viewed by clicking the certificate name ROOT in [Figure 72] under Current Certificate of the Certificate Management page.
The Root Certificate just issued can be downloaded by clicking the button in the Certificate category. Click the button (filename: cgicertroot.cer).
Reminder
Updating the Root Certificate requires updating every Server Certificate and Client Certificate.
10.2.1.2
Click the Issue under Server Certificate in the Certificate Management page. Then the
The Server Certificate issued here is an X.509 certificate encoded in 64bit format. Type in all the field values (see Table 19) and click the button. If the Server Certificate Issue is successful, the following dialogue box announces the successful issue of the Server Certificate. Click the button in the dialogue box. The Certificate Management page then appears again, listing the new Server Certificate. Finally, click the button to apply the new Server Certificate.
10.2.1.3
Click the Issue (PKCS #12 Type) under Server Certificate in the Certificate Management page. Then the page of the Server Certificate Issue appears as follows.
Type in all the field values (see Table 19) and click the button. If the issue is successful, the following dialogue box (see Figure 79) is displayed. Click the button in the dialogue box. The Certificate Management page then appears again, listing the new Server Certificate. Finally, click the button to apply the new Server Certificate. Another dialogue box appears; click the button once again to confirm.
Reminder
If the Root Certificate or Server Certificate is modified, apply the new Certificate by clicking the apply button.
10.2.1.4
When the client's Authentication Method is TLS, the Administrator must create and issue the CA (Certificate Authority) Certificate and a Client Certificate for each client. The CA Certificate is common to everybody, but a Client Certificate must be created and installed on the client's PC or notebook for each user.
10.2.1.4.1 PKCS #12 Client Certificate Issue
The PKCS #12 Client Certificate Issue is for Windows XP/2000/NT4.0/98SE users.
Type in the field values to create the PKCS #12 Client Certificate (see Table 19) and click the button. The following file download dialogue box appears; click the button.
The filename is cgicertedit.p12; we recommend changing the filename when you save it on your PC.
10.2.1.4.2 CER/PVK Client Certificate Issue
The CER/PVK Client Certificate Issue is for Windows CE 4.1 (CE .NET) users.
Type in all the field values to create the CER/PVK Client Certificate and click the button to save. The following file download dialogue box appears; click the button to save the Client Certificate on your computer.
The filename is cgicertedit.tar; we recommend changing the filename when you save it on your PC. The CER/PVK Client Certificate is saved as a tar archive containing the certificate (extension .cer) and the personal key (.pvk). WinZip can unpack the tar file.
Reminder
The Client Certificate is not stored in the server. It must be installed in User PC or Notebook.
10.2.2 Use External CA Server
The WAS-2000 requires access to the External Certificate Authority because the server imports the external Certificate and grants authorization to access on that basis.
A. Import Certificates
To import an External Certificate from the administrator's PC or notebook into the WAS-2000 Authentication Server, type in the filename to be uploaded or locate the file by clicking the button in the Certificate Management page. If the certificate is protected by a password, enter the password as well.
B. External Certificate List
Once the Root Certificate and the Server Certificate are created, every registered certificate is displayed under Current Certificates in the Certificate Manager page. For more information on the owner and the issuer of a Current Certificate, click its cert ID; the information page appears.
10.2.3 External Certificate Modification
A. Internal and External Certificates Modification
The WAS-2000 Authentication Server does not allow the Internal CA (Certificate Authority) and the External CA to be used simultaneously. Therefore, if there is any modification to either the internal or the external certificate configured on the server, the server gives the following warning dialog box.
You must be very careful when modifying the Root and Server Certificates. If you do so, every Client Certificate associated with the Root and Server Certificates must be issued anew. Therefore, we do not recommend modifying the Root and Server Certificates once they are configured.
Reminder
Be careful when modifying the Root and Server Certificates. Updating the Root Certificate and Server Certificate requires updating every Client Certificate.
10.3 Web Cert
The WMU Certificate is a self-signed certificate, so it does not require the Root Certificate. The fields of the WMU WEB Server Certificate are the same as in Table 19. The WMU WEB Server Certificate is in PEM format and is stored in the Authentication Server.
11 High Availability
The High Availability page provides the tool by which the WAS-2000 Authentication Server prepares for network instability.
11.1 High Availability Configuration
Two WAS-2000 servers can be coupled together through this set of interfaces to provide an Active-Standby high availability function. If two WAS-2000 servers are configured for high availability and the actively running server (or the network it is connected to) goes down, the other server wakes from the standby state into the active state to provide uninterrupted authentication service. To configure this function, the two WAS-2000 servers must be mutually connected so that they can communicate with each other over the IP network while providing authentication service. Follow the instructions below for configuring each server.
11.1.1 Primary Server Configuration
As shown in the figure below, the primary server is configured for higher priority mode operation and starts running in active mode.
Field Information
- Identification name of the local system
- Identification name of the remote system
- Virtual IP by which the two servers are recognized for Active-Standby service
- Physical port number used for Active-Standby failover
- Priority
  High: if the other server is set as Low priority, this server starts running in the Active state.
  Low: if the other server is set as High priority, this server starts running in the Standby state.
11.1.2 Secondary Server Configuration
As shown in the figure below, the secondary server is configured for lower priority mode operation, so that it starts running in standby mode.
The detailed description of each field is the same as in Table 20.
11.1.3 High Availability Status
When enabled, the High Availability status can be monitored in the High Availability Status menu as shown in Figure 89. This status shows the status of both the local and the remote server when both machines are operating normally. Note that only one server can be in the active state at a time.
The Virtual IP of the two servers must be the same, and the authenticator must be set up to refer to the authentication server's address by the Virtual IP. Therefore, although two servers physically exist, the authenticator uses a single server IP address. While the systems are starting up, the two servers check the status of the other server and set their own status accordingly. If the local server has the higher priority, it runs in active mode while the other server is in standby mode. When a problem occurs on the primary server, the secondary server automatically changes its status to active mode and continues to provide authentication service.
Reminder
The user and authenticator databases of the two servers must be identical. Use the data backup menu to save and restore the database.
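The startup election and failover behaviour described in 11.1.3, modelled as an added Python example (not code from the manual or from Elastic Networks). The server names, the health-check event format and the handling of a peer that is unreachable at startup are assumptions; the model also flags the one condition the text forbids, both servers reporting Active at once, which is what to watch for on the High Availability Status page if the link between the two servers fails while both hosts stay up.

```python
from dataclasses import dataclass

ACTIVE, STANDBY, DOWN = "Active", "Standby", "Down"

@dataclass
class HaServer:
    name: str       # Local System Name from the HA configuration page (assumed value)
    priority: str   # "High" or "Low", the Priority field of Table 20
    state: str = DOWN

    def start(self, peer_reachable: bool) -> str:
        # Startup check (11.1.3): the High priority server comes up Active and the
        # Low priority server comes up Standby. Assumption, not stated in the manual:
        # a server that cannot reach its peer at all takes the Active role.
        self.state = ACTIVE if self.priority == "High" or not peer_reachable else STANDBY
        return self.state

    def check_peer(self, peer_alive: bool) -> str:
        # Failover rule: a Standby server becomes Active when the Active peer, or
        # the network toward it, is down. The manual describes no automatic
        # fail-back, so an Active server stays Active here.
        if self.state == STANDBY and not peer_alive:
            self.state = ACTIVE
        return self.state

def simulate(primary: HaServer, secondary: HaServer, events):
    # events: one (primary_up, secondary_up, link_up) tuple per health-check interval.
    # A server sees its peer as alive only when the peer host and the link are both up;
    # a host that goes down stays Down (recovery is not modelled). Returns the
    # (primary, secondary) states after every step and whether both were ever Active
    # at once, a condition the Status page must never show.
    primary.start(True)
    secondary.start(True)
    history = [(primary.state, secondary.state)]
    for p_up, s_up, link_up in events:
        if p_up:
            primary.check_peer(s_up and link_up)
        else:
            primary.state = DOWN
        if s_up:
            secondary.check_peer(p_up and link_up)
        else:
            secondary.state = DOWN
        history.append((primary.state, secondary.state))
    both_active = any(p == ACTIVE and s == ACTIVE for p, s in history)
    return history, both_active
```

Two High-priority servers, or a failed link with both hosts up, both produce the double-Active result, so the same check catches a misconfigured Priority field and a failed heartbeat path.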
12 Dictionary
The Dictionary page provides the RADIUS attribute dictionary customization features of the WAS-2000 Authentication Server.
12.1 RADIUS Attribute List
The RADIUS Attribute List shows the attributes defined for use in Dictionary Policies. To create an attribute, click the button. Then the attribute registration page appears as shown below.
By filling in the information on this page, you create an attribute parameter. See Table 13.1 for more information on each field.
Field Information
Name: Name of this attribute
Description: Description of this attribute
Attribute type: Normal Attribute (normal attribute) or Vendor Specific Attribute (vendor specific attribute)
Attribute ID: Identification number of this attribute. 1~91 are defined in RFC2865, 2866, 2867, 2868 and 2869
Vendor ID (Optional)
Vendor Type: should be defined by each vendor
Data type:
  TEXT: Normal ASCII string
  STRING: Binary data in hex format (e.g. 01:22:ff:3e)
  ADDRESS: IP address (e.g. 0.0.0.0)
  INTEGER: Unsigned integer value
  TIME: Date and time information (e.g. 2005-10-10 01:20:30)
Data: Actual data
Table 21 Attribute Registration
After filling in the information for the attribute, click the button.
12.2 Dictionary Policy List
The Dictionary Policy List shows the list of policies. To create a new policy, click the button. Then the Policy registration page appears as shown in Figure 13.2.
Each Dictionary Policy can have one or more attributes, which must have been registered beforehand. Each attribute can be specified as ADD or DELETE. When an attribute is set as ADD for the policy, the specified attribute is transmitted when the RADIUS accept (Access-Accept) message is sent. If an attribute is set as DELETE for the policy, the RADIUS accept message is transmitted without the specified attribute. A policy defined on this page may be applied to a user and/or to an authenticator, in user-authenticator sequence.
13 Statistics
The Statistics page shows the statistics and the Event Log of the WAS-2000 Authentication Server.
13.1 Event Log
The most recent 30 event logs are recorded in the database of the WAS-2000 Authentication Server, and you can see the records by clicking Event Log in the main menu. If you click the button at the bottom or at the upper right corner of the page, you will be able
Enter the number of lines to be displayed on the Event Log page at one time and then click the button to reset the number.
In the Event Log page, Successful Login Only and Failed Login Only are the other options for displaying the Event Log data. Click the button to apply the new filter. If you want to see the entire Event Log, select No Filter in Apply View Filter.
Right-click the button and select Save target as; the Save As window will appear. Click the Save confirm button to save the file, and the Download complete window appears. Click the Close button to finish.
The default filename is as.log, and we recommend changing the filename when you save it on your PC. The saved log file can be viewed with Microsoft WordPad or Notepad.
13.2 Statistics
If you click Statistics under the Statistics menu, the statistics of the logged-in users appear. The statistical information for every User ID, such as the Authentication Method and the number of Authentication Requests, Successes and Rejects, is displayed on the Statistics page. You can update the Statistics page by clicking the button.
14 Reset
If you want to reset the WAS-2000 Authentication Server, click the Reset button at the top of the page.
If you click the Reset button, you will see the warning dialog box as follows.
Click the button.
Click the button.
After resetting the system, you must reboot the Authentication Server.
Reminder
The license information must be kept in a safe place in case you need to reset the WAS-2000 to the factory default state. After it is reset to the factory default state, you must re-enter the license code via the CLI as described on page 16.
15 Restart
To restart, click the Restart button located at the top of the page.
After resetting the system, you must reboot the Authentication Server.
If you click the button, a window will appear showing how long the restart has remaining, in seconds. It will take about 160 seconds. Do not select another menu while the restart process is running. When the restart is completed, the System Summary page is displayed.
16 Log-Off
Once every task, such as configuration, management and modification of the Authentication Server, has been completed, the user must log off properly. To do so, press the Log-off button at the top of the page. Then the administrator's login page is displayed.
WAS-2000 Specification
The WAS-2000 WiMax Edition supports the following standard specifications:
IEEE 802.1X: Port-Based Network Access Control
IEEE 802.16: Air Interface for Fixed Broadband Wireless Access Systems
IEEE 802.16e: Amendment for Combined Fixed and Mobile Operation
IETF RFC2865: Remote Authentication Dial-In User Service (RADIUS)
IETF RFC2869: RADIUS Extensions
IETF RFC2284: PPP Extensible Authentication Protocol (EAP)
IETF RFC2484: PPP LCP Internationalization Configuration Option
IETF Draft: EAP Tunneled TLS Authentication Protocol
IETF Draft: Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE)
Authentication Algorithms
WAS-2000 supports various authentication methods widely used in industry for wireless LAN systems, Ethernet-based LAN systems and WiMax systems. The following protocols are supported in WAS-2000: PKM, PKMv2, RADIUS-CHAP, RADIUS-PAP, EAP-MD5, EAP-TLS, EAP-TTLS, EAP-AKA, PEAPv0/1/2.
Physical Specifications
WAS-2000 is a compact appliance server designed to operate in even the industry's toughest conditions. The physical characteristics of the WAS-2000 appliance server are as follows.
Network Port: 10/100BT x 4EA
Console Port: RS232 x 1EA
Dimensions: 426(W) x 230(D) x 43(H) mm
Net Weight: 5.6 kg
Power Input: 100~240V, 4~2A, 50~60Hz
Power Supply Capacity: 150W
Operating Temperature: 0~50
Storage Temperature: -20~80
Relative Humidity: 10%~90% (non-condensing)
Regulatory: FCC Class A, CE Approval
GLOSSARY
AAA
Authentication, Authorization and Accounting.
AP
An AP (Access Point) is a wireless LAN data transceiver that connects a wired network with wireless stations. An AP is an independent device that can be run through either an Ethernet hub or a server.
Authentication
Issuing certificates to a user or access point that is required to enter the network with maximum security.
CA (Certificate Authority)
A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.
CLI
Abbreviation for command line interface. With commands and variable options, the user interfaces with the system. For example, all commands that display information about the system, configuration or hardware are grouped under the show command.
DES
Abbreviation for the Data Encryption Standard.
DHCP (Dynamic Host Configuration Protocol)
DHCP is an Internet protocol for automating the configuration of computers that use TCP/IP. DHCP can be used to automatically assign IP addresses, to deliver TCP/IP stack configuration parameters such as the subnet mask and default router, and to provide other configuration information such as the addresses of printer, time and news servers.
EAP (Extensible Authentication Protocol)
EAP is the protocol for the optional IEEE 802.1X wireless LAN security feature. An access point that supports 802.1X and EAP acts as the interface between a wireless client and an authentication server, such as a Remote Authentication Dial-In User Service (RADIUS) server, with which the access point communicates over the wired network.
EAP-MD5
EAP-MD5 is a simple challenge-response protocol, based on EAP, that uses the user's ID and password. MD5 is an abbreviation for the Message Digest Algorithm 5. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key.
EAP-TLS
EAP-TLS (Transport Layer Security), with support for fragmentation and reassembly, provides TLS mechanisms within EAP. TLS provides mutual authentication and key exchange between
EAP-TTLS
EAP-TTLS is an abbreviation for EAP-Tunneled TLS. It is an extension of EAP-TLS (RFC2716) and provides mutual authentication of client and server. The client is authenticated with a secure password and the server is authenticated using its certificate.
ESSID (Extended Service Set ID)
The ESSID is the identifying name of an 802.11b wireless network. Specifying the ESSID in your client setup is how you make sure that you connect to your wireless network instead of your neighbor's network by mistake.
Firmware
Software that is programmed on a memory chip and kept in a computer's semi-permanent memory.
IEEE802.1X
Also called 802.1X for 802.11. 802.1X is the new standard for wireless LAN security, as defined by the Institute of Electrical and Electronics Engineers (IEEE). An access point that supports 802.1X and its protocol, Extensible Authentication Protocol (EAP), acts as the interface between a wireless client and an authentication server such as a Remote Authentication Dial-In User Service (RADIUS) server, with which the access point communicates over the wired network.
IP address
An identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol route messages based on the IP address of the destination. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 1.160.10.240 could be an IP address.
MAC address
Abbreviation for Media Access Control address, a hardware address that uniquely identifies each node of a network. In IEEE 802 networks, the Data Link Control layer of the OSI Reference Model is divided into two sublayers: the Logical Link Control (LLC) layer and the Media Access Control (MAC) layer. The MAC layer interfaces directly with the network medium. Consequently, each different type of network medium requires a different MAC layer. The Media Access Control (MAC) address is a unique serial number assigned to a networking device by the manufacturer.
PEAP
Protected EAP (PEAP) is an 802.1X authentication type for WLANs. PEAP provides strong security, user database extensibility, and support for one-time token authentication and password change or aging.
RADIUS
RADIUS (Remote Authentication Dial-In User Service) is a server for remote user authentication and accounting. Its primary use is for Internet Service Providers, though it may also be used on any network that needs a centralized authentication and/or accounting service for its workstations.
SNMP (Simple Network Management Protocol)
SNMP is the most popular network management protocol, by which management information for a network element may be inspected or altered by logically remote users. SNMP provides a simple, workable architecture and system for managing TCP/IP-based internets and in particular the Internet.
TFTP
Trivial File Transfer Protocol (TFTP) is a simplified version of FTP that allows files to be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password).
WEP (Wired Equivalent Privacy)
An optional security mechanism defined within the 802.11 standard, designed to protect your data as it is transmitted through your wireless network by encrypting it with encryption keys.
Elastic Networks, Inc. Technical Support Team
#203 Samhwan Digital Venture Tower, 280-13, Seongsu-dong 2-ga, Seongdong-gu, Seoul, Korea 133-120
Tel: +82-2-2205-9132
Fax: +82-2-2205-9111
Support Email: jyheo@elastic.ne.kr
Thank You