Madge WLAN Enterprise Access Server
Data Sheet
Part Number 95-02

Multi-Vendor WLAN Policy-based Security and Management

A Secure WLAN Management System

The Madge WLAN Enterprise Access Server delivers a secure, scalable, standards-compliant set of services which dramatically simplifies the security and integration challenges unique to the implementation of a wireless infrastructure.

The WLAN Enterprise Access Server provides centralized management for the wireless network, and administers the security, the wireless devices and interfaces between the wireless and wired network. You are able to take complete control of your wireless network from a single point, as the WLAN Enterprise Access Server allows you to establish a security policy that can be automatically applied to most standards-compliant SNMP-manageable Enterprise Access Points.

• Enables easy WLAN deployment
• Combines Security and Wireless Management
• Integrates Wireless and Wired LANs
• Multi-Vendor Access Point SNMP-based management
• Open and industry standards compliance
• Scalable to 1,000’s of users

©2005 Madge Limited

In addition, the WLAN Enterprise Access Server provides a range of integrated functions that usually require separate installation and management, such as RADIUS server, firewalls, wired and wireless integration, Certificate Authority and wireless network management.

Madge’s WLAN Enterprise Access Server allows the business to deploy simple, scalable, wireless networking management protocols from workgroup and branch, through to multi-site corporate locations.

Multi-Vendor WLAN ‘Loadable Module’ Technology

A key function of the WLAN Enterprise Access Server is the ability to establish a Security Policy that can be automatically applied to Access Points on your network. In addition to Madge Access Points, via Madge Loadable Module Technology, it can support many SNMP manageable Access Points, including devices from Cisco, Proxim, Symbol, D-Link, 3Com, Intel and Avaya.
Madge Loadable Module Technology allows the integration of future wireless technology and will ensure investment protection with your existing WLAN products.

Easy Set-Up And Zero Configuration

Single CD installation: the Operating System and Enterprise Access Server Application are installed using a single CD. A fully operational Access Server can therefore be installed and set up in minutes.

Customers using the Madge WLAN Access Point (95-10 and 96-10) will benefit from the automatic set up function when connecting to the WLAN Enterprise Access Server, which also establishes the security policy you have specified. This is zero-configuration at its best, ensuring that your network is safe from attacks through poorly configured Access Points. For additional protection from Rogue Access Points and other wireless-based attacks, consider deploying the Madge WLAN Probe 2 (9703).

A Scalable WLAN Solution

The WLAN Enterprise Access Server can scale easily to support large wireless installations from dozens to thousands of users. It operates on industry standard server platforms, running under the well-proven Linux operating system. The multi-technology support of the WLAN Enterprise Access Server covers 802.11a, 802.11b, 802.11g and Bluetooth devices.

Enterprise Class Security Management

The WLAN Enterprise Access Server implements industry standard security mechanisms that guard the enterprise data from wireless intrusion – for example it fully supports 802.1x using EAP-TLS, which, with its mutual certificate authentication, is recognized as the strongest authentication solution.

Put simply, once an Access Point is under the control of the Enterprise Access Server, and 802.1x policy is applied, that Access Point will block any non-authenticated wireless client from connecting to your wired network.
Simple Set Up

By integrating both RADIUS server and Certificate Authority functionality into the Access Server, the user can create certificates for clients and choose overall policy with a few mouse clicks. The RADIUS server, which is used to authenticate clients, is completely transparent and requires no user configuration, while the Certificate Authority lets you generate certificates for clients within seconds of starting the server for the first time – a real benefit compared to other systems.

As part of your security regime, you can also set up the following:

• MAC address Access Control Lists allowing or denying specific clients to connect to your Access Points. RADIUS MAC is supported.
• The type of WEP encryption to use for all clients. Note that under 802.1x you can rely on automatic WEP key management, so there is no more typing long key strings into all your devices.
• Firewall Services to enable or deny access to particular IP ports and services.
• Virtual Private Networking (VPN) to allow IPSec clients to communicate using highly secure tunnels over the wireless connection.

The WLAN Enterprise Access Server has two modes of operation:

• In Gateway Mode the WLAN Enterprise Access Server requires two network interfaces, one for connection to the wired network and the other for connecting to the wireless network (i.e. to the Access Points). This is the most secure installation method as the wired network is separated from the Wireless network using the included Firewall functionality.
• In Controller Mode the WLAN Enterprise Access Server requires only a single network interface for connecting to the LAN. This mode provides greater scalability than Gateway Mode and is recommended for larger installations.

Integrates Easily Into An Existing Network

The WLAN Enterprise Access Server can be integrated into existing network management systems using the SNMP interface.
The Wireless network can be closely monitored and easily maintained using the comprehensive statistics and event logging, group management and software upgrade features.

802.11 Access Point Management

New Loadable Modules, supporting the control and monitoring of additional 802.11a/b/g Access Points from multiple vendors, can be added at any time without having to re-load the entire software application. Access Points from Cisco, Proxim, Symbol, D-Link, 3Com, Intel, Avaya and Madge can currently be managed.

Management Tools

Policy-Based Management

The administration of wireless networks with multiple users, wireless devices and Access Points is simplified by using policy-based management. This allows users, wireless devices and Access Points to have key features and platform parameters set up for each group, rather than having to set each element individually.

Secure Web-Based Management

The wireless network can be managed from a web browser using its web management interface. This can be run over a secure link using HTTPS to prevent unauthorized users attempting to change the configuration of the wireless network.

Statistics and Event Logging

Events and alerts are automatically logged and can be viewed from the browser user interface. This can be used for monitoring the performance of the wireless network and logging, for example, user connections and disconnections.

Security Features

Certificate Management

Standard digital certificates are used in order to provide the highest levels of security using 802.1x. The WLAN Enterprise Access Server includes a Certificate Authority (CA) for generating the certificates (for both clients and servers) and it also allows certificates to be imported from external Certificate Authorities.

Security Wizard

A Security Wizard is included to allow different security policies to be rapidly implemented. Three standard settings, ultra-secure, normal and low are pre-configured, but of course, the user can also customize the settings.
The Security Wizard guides the Network Manager through all the tasks required to implement each level of security.

The WLAN Enterprise Access Server provides central management of the entire wireless network avoiding the need to manage each access point individually (except where desirable; for example, setting up an RF channel allocation plan to avoid cross-AP interference).

Admin Security

As all management of the Access Server is executed through a standard Web Browser, Network Managers must use a username and password to gain access. HTTPS can be specified to allow secure management of the server.

Device

Wireless clients are denied a connection to the wireless network until authorized. All wireless devices are identified by a unique number (i.e. MAC address of an 802.11 device) and the WLAN Enterprise Access Server centrally manages these addresses and configures the Access Points accordingly, thereby providing the protection at the point of connection to the wireless network.

User

Mutual authentication ensures that only certified clients access certified servers. Clients are authenticated using digital certificates as part of the 802.1x protocol, using EAP-TLS, acknowledged to be the strongest option in 802.1x. Warnings are issued when digital certificates are about to expire.

Link

The reading of sensitive information passing over the wireless link is prevented using per session encryption. A unique key (i.e., 128-bit WEP) is generated every time the user authenticates to encrypt the data passing over the wireless link. The key is regenerated at user-defined periods, forcing transparent client re-authentication. The WLAN Enterprise Access Server can also manage static WEP keys where certain wireless devices do not support dynamic keys.

VPN

An IPSec VPN server is included allowing wireless users to form a secure connection (using IPSec tunnels) from their wireless client to the VPN Server incorporated in the WLAN Enterprise Access Server.
This eliminates the need for an additional and costly VPN server. The highly secure and industry standard 3DES encryption scheme is used to protect data from eavesdropping. Digital certificates and passwords (MD5) can be used to authenticate the user and prevent unauthorized users from accessing the data.

Wireless Firewall

The wireless firewall is used to prevent unauthorized access to the wired network by filtering data packets. The firewall can be turned on or off and can also be set to enable or disable common applications or protocols. Specific ports can also be enabled to allow applications requiring special ports to run.

Interfaces

SNMP and HTTP Interface

All internal WLAN Enterprise Access Server events and alerts can be configured to generate SNMP traps or HTTP posts to notify network management systems, or other applications.

RADIUS Server & Client

The WLAN Enterprise Access Server contains a RADIUS Server to allow it to authenticate all Wireless users attaching to the network using 802.1x.

DHCP Relay

DHCP Relay allows Wireless clients to obtain their IP address from an existing DHCP server on the wired network, when operating the WLAN Enterprise Access Server in Gateway mode.

XML API

Allows the integration of other applications to exploit the information in the Enterprise Access Server. Information accessible across the API allows other applications to determine which devices are connected, for how long, which Access Point they are connected to and how much information they have transmitted and received.

Platform

Standard Linux Server

The WLAN Enterprise Access Server runs on a standard server platform running Linux (supplied in the Media Pack).
The WLAN Enterprise Access Server works with your wired LAN over the following interfaces:

• 10/100 Ethernet
• 4/16/100 Token Ring
• Gigabit (Intel-based adapters)

For additional information on the WLAN Enterprise Access Server and Madge’s complete WLAN solutions please visit: www.madge.com/wireless

Ordering Information

Part No   Madge WLAN Enterprise Access Server
95-02     WLAN Enterprise Access Server Media Pack
95-60     5 device license pack
95-61     10 device license pack
95-66     15 device license pack
95-62     50 device license pack
95-63     100 device license pack
95-67     1000 device license pack
95-03     WLAN Enterprise Access Server Evaluation Pack (includes Media Pack and Evaluation CD)

Madge Wireless and Token Ring Networking

Madge Limited is a global supplier of advanced networking product solutions to enterprises, and is the market leader in Token Ring networking. Madge is pioneering next generation networking solutions, which enable the painless and secure deployment of Wireless networks in enterprises while protecting customers’ investments in existing LAN and Token Ring. Madge’s principal business centres are located in Maidenhead, United Kingdom; Munich, Germany; and the USA. Information about Madge’s complete range of products and services can be accessed at www.madge.com.

Office Locations

Worldwide Headquarters
Madge Limited
Madge House
Priors Way
Maidenhead
UK SL6 2HP
Tel +44 (0) 1628 408000
Fax +44 (0) 1628 408010

United States of America
Madge Limited
39293 Plymouth Road
Suite 107H
Livonia, MI 48150
USA
Tel (734) 432-7005
Fax (734) 432-7092

Deutschland
Madge Limited
Humboldtstr. 12
85609 Dornach
Germany
Tel +49 (0)89 944 90 260
Fax +49 (0)89 944 90 460

Madge reserves the right to change specifications without notice. Madge, the Madge logo, and product names are trademarks and in some jurisdictions may be registered trademarks of Madge. Other trademarks appearing in this document are the property of their respective owners.