Madge WLAN Enterprise Access Server

Madge WLAN Enterprise Access Server
Data Sheet
Part Number 95-02
Multi-Vendor WLAN
Policy-based Security
and Management
A Secure WLAN Management
The Madge WLAN Enterprise Access
Server delivers a secure, scalable,
standards compliant set of services
which dramatically simplifies the
security and integration challenges
unique to the implementation of a
wireless infrastructure.
The WLAN Enterprise Access Server
provides centralized management
for the wireless network, and
administers the security, the
wireless devices and interfaces
between the wireless and wired
You are able to take complete
control of your wireless network
from a single point, as the WLAN
Enterprise Access Server allows
you to establish a security policy
that can be automatically applied
to most standards-compliant SNMP
-manageable Enterprise Access
Enables easy WLAN
Combines Security and
Wireless Management
Integrates Wireless
and Wired LANs
Multi-Vendor Access
Point SNMP-based
Open and industry
standards compliance
Scalable to 1,000’s of
©2005 Madge Limited
In addition, the WLAN Enterprise
Access Server provides a range of
integrated functions that usually
require separate installation and
management, such as RADIUS
server, firewalls, wired and wireless
integration, Certificate Authority and
wireless network management.
Madge’s WLAN Enterprise Access
Server allows the business to
deploy simple, scalable, wireless
networking management protocols
from workgroup and branch,
through to multi-site corporate
Multi-Vendor WLAN ‘Loadable
Module’ Technology
A key function of the WLAN
Enterprise Access Server is the
ability to establish a Security Policy
that can be automatically applied to
Access Points on your network.
In addition to Madge Access
Points, via Madge Loadable Module
Technology, it can support many
SNMP manageable Access Points,
including devices from Cisco,
Proxim, Symbol, D-Link, 3Com,
Intel and Avaya.
Madge Loadable Module Technology
allows the integration of future
wireless technology and will ensure
investment protection with your
existing WLAN products.
Easy Set-Up And Zero
Single CD installation: the
Operating System and Enterprise
Access Server Application are
installed using a single CD. A fully
operational Access Server can
therefore be installed and setup in
Customers using the Madge WLAN
Access Point (95-10 and 96-10)
will benefit from the automatic
set up function when connecting
to the WLAN Enterprise Access
Server, which also establishes the
security policy you have specified.
This is zero-configuration at its
best, ensuring that your network
is safe from attacks through poorly
configured Access Points.
For additional protection from Rogue
Access Points and other wirelessbased attacks, consider deploying
the Madge WLAN Probe 2 (9703).
A Scalable WLAN Solution
The WLAN Enterprise Access Server
can scale easily to support large
wireless installations from dozens to
thousands of users. It operates on
industry standard server platforms,
running under the well-proven
Linux operating system. The multitechnology benefits of the WLAN
Enterprise Access server support
covers 802.11a, 802.11b, 802.11g
and Bluetooth devices.
Enterprise Class Security
The WLAN Enterprise Access Server
implements industry standard
security mechanisms that guard
the enterprise data from wireless
intrusion – for example it fully
supports 802.1x using EAP-TLS,
which, with its mutual certificate
authentication, is recognized as the
strongest authentication solution.
Put simply, once an Access Point is
under the control of the Enterprise
Access Server, and 802.1x policy is
applied, that Access Point will block
any non-authenticated wireless
client from connecting to your wired
Simple Set Up
By integrating both RADIUS
server and Certificate Authority
functionality into the Access Server,
the user can create certificates for
clients and choose overall policy
with a few mouse clicks. The
RADIUS server, which is used to
authenticate clients, is completely
transparent and requires no user
configuration, while the Certificate
Authority lets you generate
certificates for clients within seconds
of starting the server for the first
time – a real benefit compared to
other systems.
As part of your security regime, you
can also set up the following:
• MAC address Access Control Lists
allowing or denying specific clients
to connect to your Access Points.
Radius MAC is supported.
• The type of WEP encryption to
use for all clients. Note that under
802.1x you can rely on automatic
WEP key management, so there is
no more typing long key strings into
all your devices.
• Firewall Services to enable or deny
access to particular IP ports and
• Virtual Private Networking
(VPN) to allow IPSec clients
to communicate using highly
secure tunnels over the wireless
©2005 Madge Limited
The WLAN Enterprise Access
Server has two modes of
• In Gateway Mode the WLAN
Enterprise Access Server requires
two network interfaces, one for
connection to the wired network
and the other for connecting to
the wireless network (i.e. to the
Access Points). This is the most
secure installation method as the
wired network is separated from
the Wireless network using the
included Firewall functionality.
• In Controller Mode the
WLAN Enterprise Access Server
requires only a single network
interface for connecting to the
LAN. This mode provides greater
scalability than Gateway Mode
and is recommended for larger
Integrates Easily Into An
Existing Network
The WLAN Enterprise Access Server
can be integrated into existing
network management systems using
the SNMP interface. The Wireless
network can be closely monitored
and easily maintained using the
comprehensive statistics and event
logging, group management and
software upgrade features.
802.11 Access Point
New Loadable Modules, supporting
the control and monitoring of
additional 802.11a/b/g Access
Points from multiple vendors can be
added at any time without having
to re-load the entire software
application. Access Points from
Cisco, Proxim, Symbol, D-Link,
3Com, Intel, Avaya and Madge can
currently be managed.
Management Tools
Policy-Based Management
The administration of wireless
networks with multiple users,
wireless devices and Access Points
is simplified by using policy-based
management. This allows users,
wireless devices and Access Points
to have key features and platform
parameters set up for each group,
rather than having to set each
element individually.
Secure Web-Based Management
The wireless network can be
managed from a web browser using
its web management interface. This
can be run over a secure link using
HTTPS to prevent unauthorized
users attempting to change the
configuration of the wireless
Statistics and Event Logging
Events and alerts are automatically
logged and can be viewed from
the browser user interface. This
can be used for monitoring the
performance of the wireless network
and logging, for example, user
connections and disconnections.
Security Features
Certificate Management
Standard digital certificates are
used in order to provide the highest
levels of security using 802.1x. The
WLAN Enterprise Access Server
includes a Certificate Authority (CA)
for generating the certificates (for
both clients and servers) and it also
allows certificates to be imported
from external Certificate Authorities.
Security Wizard
A Security Wizard is included to
allow different security policies
to be rapidly implemented. Three
standard settings, ultra-secure,
normal and low are pre-configured,
but of course, the user can also
customize the settings. The Security
Wizard guides the Network Manager
through all the tasks required to
implement each level of security.
The WLAN Enterprise Access Server
provides central management of
the entire wireless network avoiding
the need to manage each access
point individually (except where
desirable; for example, setting up
an RF channel allocation plan to
avoid cross-AP interference).
Admin Security
As all management of the Access
Server is executed through a
standard Web Browser, Network
Managers must use a username and
password to gain access. HTTPS
can be specified to allow secure
management of the server.
Wireless clients are denied a
connection to the wireless network
until authorized. All wireless devices
are identified by a unique number
(i.e. MAC address of an 802.11
device) and the WLAN Enterprise
Access Server centrally manages
these addresses and configures the
Access Points accordingly, thereby
providing the protection at the
point of connection to the wireless
Mutual authentication ensures that
only certified clients access
certified servers. Clients are
authenticated using digital certificates as part of the 802.1x protocol
- using EAP-TLS, acknowledged to
be the strongest option in 802.1x.
Warnings are issued when digital
certificates are about to expire.
The reading of sensitive information passing over the wireless link is
prevented using per session encryption. A unique key (i.e., 128-bit
WEP) is generated every time the
user authenticates to encrypt the
data passing over the wireless link.
The key is regenerated at userdefined periods, forcing transparent
client re-authentication. The WLAN
Enterprise Access Server can also
manage static WEP keys where
certain wireless devices do not
support dynamic keys.
An IPSec VPN server is included
allowing wireless users to form a
secure connection (using IPSec
tunnels) from their wireless client
to the VPN Server incorporated in
the WLAN Enterprise Access Server.
This eliminates the need for an
additional and costly VPN server.
The highly secure and industry
standard 3DES encryption scheme
is used to protect data from eavesdropping. Digital certificates and
passwords (MD5) can be used to
authenticate the user and prevent
unauthorized users from accessing
the data.
Wireless Firewall
The wireless firewall is used to
prevent unauthorized access to
the wired network by filtering data
packets. The firewall can be turned
on or off and can also be set to
enable or disable common applications or protocols. Specific ports
can also be enabled to allow applications requiring special ports to
SNMP and HTTP Interface
All internal WLAN Enterprise Access
Server events and alerts can be
configured to generate SNMP traps
or HTTP posts to notify network
management systems, or other
RADIUS Server & Client
The WLAN Enterprise Access Server
contains a RADIUS Server to allow
©2005 Madge Limited
it to authenticate all Wireless users
attaching to the network using
DHCP Relay DHCP Relay
Allows Wireless clients to obtain
their IP address from an existing
DHCP server on the wired network,
when operating the WLAN Enterprise Access Server in Gateway
Allows the integration of other
applications to exploit the information in the Enterprise Access Server.
Information accessible across the
API allows other applications to
determine which devices are connected, for how long, which Access
Point they are connected to and
how much information they have
transmitted and received.
Standard Linux Server
The WLAN Enterprise Access Server
runs on a standard server platform running Linux (supplied in the
Media Pack).
The WLAN Enterprise Access Server
works with your wired LAN over the
following interfaces:
Office Locations
Worldwide Headquarters
Madge Limited
Madge House
Priors Way
Tel +44 (0) 1628 408000
Fax +44 (0) 1628 408010
United States of America
Madge Limited
39293 Plymouth Road
Suite 107H
Livonia, MI 48150
Tel (734) 432-7005
Fax (734) 432-7092
Madge Limited
Humboldtstr. 12
85609 Dornach
Tel +49 (0)89 944 90 260
Fax +49 (0)89 944 90 460
• 10/100 Ethernet
• 4/16/100 Token Ring
• Gigabit (Intel-based adapters)
For additional information on the
WLAN Enterprise Access Server and
Madge’s complete WLAN solutions
please visit:
Ordering Information
Part No
Madge WLAN Enterprise Access Server
WLAN Enterprise Access Server Media Pack
5 device license pack
10 device license pack
15 device license pack
50 device license pack
100 device license pack
1000 device license pack
WLAN Enterprise Access Server Evaluation Pack
(includes Media Pack and Evaluation CD)
Madge Wireless and Token Ring Networking
Madge Limited is a global supplier of advanced networking product solutions to enterprises, and
is the market leader in Token Ring networking. Madge is pioneering next generation networking solutions, which enable the painless and secure deployment of Wireless networks in enterprises while protecting customers’ investments in existing LAN and Token Ring. Madge’s principal
business centres are located in Maidenhead, United Kingdom; Munich, Germany; and the USA.
Information about Madge’s complete range of products and services can be accessed at www.
Madge reserves the right to change specifications without notice.
Madge, the Madge logo, and product names are trademarks and in some jurisdictions may be registered trademarks of Madge. Other trademarks appearing in this document are the property of their respective owners.