- 4.1 Why Cannot Users Associate with APs When WPA-PSK Authentication Is Used?
- 4.2 Why Cannot STA Associate with an AP When WEP Authentication Is Used?
- 4.3 What Are Advantages and Disadvantages of WAPI Authentication?
- 4.4 What Is the Difference Between Portal Authentication and 802.1X Authentication?
- 4.5 What Authentication Protocols Are Supported During STA Login? Which One Is Recommended and Why?
- 4.6 Why the Administrator Cannot Log In to the Device After the Authentication Mode in the Default Authentication Scheme Is Set to Non-authentication in an Anonymous Login Scenario?
4.1 Why Cannot Users Associate with APs When WPA-PSK Authentication Is Used?
- The STA does not support WPA2-PSK. For example, a computer running an early version of Windows XP without patches installed may not support WPA2-PSK. In this case, install the patches on the computer.
4.2 Why Cannot STA Associate with an AP When WEP Authentication Is Used?
- No WEP SSID is added to the STA. Many STAs associate with WEP SSIDs by using encryption without authentication, whereas the AP uses both authentication and encryption, so the STA cannot associate with the SSID. Manually configure the SSID on the STA, and then set the encryption type to share mode.
- The key index configured on the AP is different from the key index on the STA. By default, the key index of an AP is 0 (ranging from 0 to 3), and the key index of a STA is 1 (ranging from 1 to 4). Key index 0 on the AP matches key index 1 on the STA.
4.3 What Are Advantages and Disadvantages of WAPI Authentication?
WLAN Authentication and Privacy Infrastructure (WAPI) has three independent elements, the STA, AP, and Authentication Service Unit (ASU), to ensure authentication security. Encryption keys are generated after negotiation. WAPI authentication uses the SMS4 algorithm and supports 802.1X authentication applicable to large-scale networks.
WAPI applies to scenarios requiring a high security level. In WAPI authentication, the ASU server must check certificates, which requires support from STAs. Currently, only a few STAs support WAPI. STA hardware needs to be upgraded to support WAPI. Software application is not widely used because of its low efficiency.
4.4 What Is the Difference Between Portal Authentication and 802.1X Authentication?
Portal authentication and 802.1X authentication differ on the network side. Portal authentication is simple but has poor information security. 802.1X authentication is complex to install and configure but ensures high information security. The two authentication modes are used based on service types. 802.1X authentication is recommended for scenarios requiring high security. The combination of portal authentication and 802.1X authentication is used to meet the requirements of different services on existing networks. The following table compares portal authentication and 802.1X authentication.
| Item | Portal | 802.1X |
|---|---|---|
| Client | Only requires a browser and does not require a client. | Requires a dedicated 802.1X client. |
| Server | Requires a portal server. | Requires a dedicated RADIUS server. |
| Installation and configuration | Requires no configuration and is easy to use. | Requires multiple configuration steps. |
| Encryption | Does not encrypt data. | Uses dynamic WEP encryption. |
| Security | Passwords entered on web pages are encrypted by SSL. Network traffic is not encrypted. No other security measures are required. | 802.1X authentication provides higher security than portal authentication. 802.1X encapsulates authentication packets in EAP format and supports multiple encryption algorithms. EAP-TLS, EAP-MD5, and EAP-SIM authentication modes are used based on the site requirements. Certificates are obtained to authenticate clients and servers. |
4.5 What Authentication Protocols Are Supported During STA Login? Which One Is Recommended and Why?
The following authentication modes are supported: 802.1X, MAC, Portal, MAC+Portal, EAP-TLS, EAP-PEAP, and EAP-PAP. The MAC+Portal mode is recommended. This mode is secure and easy to use. No client is required. Users do not need to enter passwords within a specified period.
4.6 Why the Administrator Cannot Log In to the Device After the Authentication Mode in the Default Authentication Scheme Is Set to Non-authentication in an Anonymous Login Scenario?
In an anonymous login scenario, the AAA authentication mode needs to be set to non-authentication.
If anonymous login users use the authentication scheme default, the authentication mode of the authentication scheme default needs to be set to non-authentication.
By default, the authentication scheme default is bound to the domain default_admin. If the administrator uses the default domain configuration and default authentication scheme, the AAA authentication mode is non-authentication when the administrator logs in.
When the administrator logs in to the device using Telnet, the administrator is authenticated in the VTY user interface by default and the default authentication mode is AAA (configured using the authentication-mode (user interface view) command in the user interface view). If the AAA authentication mode of the administrator is non-authentication, the administrator is not allowed to log in to the device.
NOTICE:
- Service types of the administrator: ftp, http, ssh, telnet, and terminal
- Service types of common users: 8021x and web
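The condition described in 4.6 can be checked offline against a saved configuration. The following is an added example, not code from the original page or the vendor: the function names, the scheme name admin_local, the sample configuration and its one-space-per-level indentation are assumptions made for illustration.

```python
import re

# Constructed sample in saved-configuration style (not taken from the page).
SAMPLE_CONFIG = """\
aaa
 authentication-scheme default
  authentication-mode none
 authentication-scheme admin_local
  authentication-mode local
 domain default_admin
  authentication-scheme default
user-interface vty 0 4
 authentication-mode aaa
"""

def parse_aaa(config):
    """Return (scheme -> mode, domain -> bound scheme, True if a VTY uses AAA)."""
    schemes, domains, vty_aaa = {}, {}, False
    ctx = None  # enclosing block as (kind, name, indent)
    for raw in config.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if ctx and indent <= ctx[2]:
            ctx = None  # indentation dropped back: the previous block has ended
        if m := re.fullmatch(r"authentication-scheme (\S+)", line):
            if ctx and ctx[0] == "domain":
                domains[ctx[1]] = m.group(1)  # scheme bound inside a domain
            else:
                ctx = ("scheme", m.group(1), indent)
                schemes.setdefault(m.group(1), None)
        elif m := re.fullmatch(r"domain (\S+)", line):
            ctx = ("domain", m.group(1), indent)
            domains.setdefault(m.group(1), "default")  # assumed default binding
        elif line.startswith("user-interface vty"):
            ctx = ("vty", line, indent)
        elif m := re.fullmatch(r"authentication-mode (.+)", line):
            if ctx and ctx[0] == "scheme":
                schemes[ctx[1]] = m.group(1)
            elif ctx and ctx[0] == "vty" and m.group(1) == "aaa":
                vty_aaa = True
    return schemes, domains, vty_aaa

def admin_lockout(config, admin_domain="default_admin"):
    """Return the scheme that locks administrators out of VTY login, or None."""
    schemes, domains, vty_aaa = parse_aaa(config)
    scheme = domains.get(admin_domain, "default")
    if vty_aaa and schemes.get(scheme) == "none":
        return scheme
    return None

if __name__ == "__main__":
    print("administrator lockout via scheme:", admin_lockout(SAMPLE_CONFIG))
```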