WPA2 Enterprise Security on cnPilot E400 and ePMP1000 Hotspot

The WLANs on the cnPilot E400 and ePMP 1000 Hotspot can also be configured for WPA2-Enterprise (EAP/802.1x Authentication with AES-CCM/CCMP Encryption).

Most recent enterprise grade WiFi client devices are capable of WPA2-Enterprise, and you also need a RADIUS server capable of EAP/802.1x (options range from the ones built into Windows Server, to freeRadius, to several commercial solutions). RADIUS authentication allows you to maintain the database of allowed users in a central location. It can also be used to assign policy parameters such as dynamic vlans and rate limits to a specific user on authentication.

Security is configured on a per-WLAN/SSID basis, and you can have 3 different WLANs, with open, pre-shared-keys and WPA2-Enterprise all simultaneously on the same radio serving different set of clients.

To enable WPA2-Enterprise first select WPA2-Enterprise in the pulldown for 'Security' in the WLAN:

Then configure one more RADIUS servers on the 'Radius Server' tab on the same page:

Servers can be specified by Hostname or IP address, and if multiple servers are defined, you can also choose whether requests to them are to be load balanced, or if they are to be used in an active-standby scenario.

Realm can be left blank, it is only used if you would like this server to be used for only certain usernames where the network domain is included (Eg: In user@att.net, or DS/username the realms are @att.net and DS/, and this server will be selected only if the username has the appropriate realm)

Note that the Secret you configure for each RADIUS server entry must match the secret configured on the RADIUS server for this access points IP address or subnet. RADIUS relies on a shared secret for authentication of all messages between the Access Point and the RADIUS server, and if the shared secret is not the same, the RADIUS server will drop authentication requests from the Access Point

3 Likes