Authentication Between the Mobile Access Service and SafeLinx Clients
SafeLinx Clients must authenticate with the mobile access service before they can establish an encrypted connection.
Mobile access services use a modified Point-to-Point Protocol (PPP) called wireless optimized link protocol (WLP) to authenticate connections with SafeLinx Clients. A connection profile is configured and assigned to the HTTP or TCP MNC through which SafeLinx Clients connect.
- Single-party key distribution protocol
  - The SafeLinx Client is authenticated to the SafeLinx Server by using a password.
- Two-party key distribution protocol
  - The SafeLinx Server and the SafeLinx Clients authenticate the passwords for each other. The SafeLinx Client validates that the Connection Manager has the client password before it sends the password to the SafeLinx Server.
- Diffie-Hellman key agreement algorithm
  - Both the SafeLinx Server and the Mobility Client are given the means to compute the same key. Note: This choice does not complete authentication.
Some devices have serial numbers that are associated with their hardware and that can be used for identification. Users who connect by using a SafeLinx Client that is configured for Password key exchange can add an extra level of security by using device identifiers. Not all client operating systems and devices support device identification. If device identification is supported, from the SafeLinx Client, click to view the device identifier. If a user is configured to use device identification, the unique identifier is combined with the password during authentication. For more information about enabling device identification, see Using device identification with SafeLinx Clients.
For more information about SafeLinx Client key exchange, see Connection and transport profiles.
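The following added example (not SafeLinx or WLP code) illustrates why Diffie-Hellman key agreement alone does not complete authentication, and how a password combined with a device identifier can be proven on top of the agreed key. The toy group, the `password_proof` construction, the way the device identifier is mixed with the password, and all credential values are assumptions made for illustration; the page does not describe WLP's actual messages.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): real deployments use a
# standardized, much larger Diffie-Hellman group.
P = 2**255 - 19
G = 2

def dh_keypair():
    """Return (private, public) for one side of the exchange."""
    private = secrets.randbelow(P - 3) + 2  # value in 2..P-2
    return private, pow(G, private, P)

def dh_session_key(private, peer_public):
    """Derive the shared key; both sides obtain the same bytes."""
    if not 1 < peer_public < P - 1:
        raise ValueError("degenerate public value")
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def password_proof(session_key, role, password, device_id=b""):
    """Hypothetical proof that `role` knows the password and device ID."""
    secret = hashlib.sha256(password + b"\x00" + device_id).digest()
    return hmac.new(session_key, role + b"|" + secret, hashlib.sha256).digest()

def verify_proof(session_key, role, password, device_id, proof):
    expected = password_proof(session_key, role, password, device_id)
    return hmac.compare_digest(expected, proof)

def demo():
    """Run the exchange with constructed credentials; return the outcomes."""
    password, device_id = b"constructed-password", b"SN-0000-EXAMPLE"
    srv_priv, srv_pub = dh_keypair()
    cli_priv, cli_pub = dh_keypair()
    unk_priv, unk_pub = dh_keypair()  # a peer that holds no password
    cli_key = dh_session_key(cli_priv, srv_pub)
    unk_key = dh_session_key(unk_priv, srv_pub)
    return {
        # Key agreement succeeds for any peer, known or not.
        "client_key_matches": cli_key == dh_session_key(srv_priv, cli_pub),
        "unknown_key_matches": unk_key == dh_session_key(srv_priv, unk_pub),
        # Only the proof step ties the key to the password and device.
        "client_proof_ok": verify_proof(cli_key, b"client", password, device_id,
            password_proof(cli_key, b"client", password, device_id)),
        "unknown_proof_ok": verify_proof(unk_key, b"client", password, device_id,
            password_proof(unk_key, b"client", b"guess", device_id)),
        "wrong_device_ok": verify_proof(cli_key, b"client", password, device_id,
            password_proof(cli_key, b"client", password, b"SN-OTHER")),
    }
```

The unknown peer ends up with a valid shared key but cannot produce an accepted proof, and the correct password from a different device is rejected as well.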