Configuring Security
The following sections describe how to configure Security settings on the Devicescape Reference AP:
Understanding Security Issues on Wireless Networks
Wireless mediums are inherently less secure than wired mediums. For example, an Ethernet NIC transmits its packets over a physical medium such as coaxial cable or twisted pair. A wireless NIC broadcasts radio signals over the air allowing a wireless LAN to be easily tapped without physical access or sophisticated equipment. A hacker equipped with a laptop, a wireless NIC, and a bit of knowledge can easily attempt to compromise your wireless network. One does not even need to be within normal range of the access point. By using a sophisticated antenna on the client, a hacker may be able to connect to the network from many miles away.
The Devicescape Reference AP provides a number of authentication and encryption schemes to ensure that your wireless infrastructure is accessed only by the intended users. The details of each security mode are described in the sections below.
See also the related topic, Appendix A. Security Settings on Wireless Clients and RADIUS Server Setup.
How Do I Know Which Security Mode to Use?
In general, we recommend that on your Internal network you use the most robust security mode that is feasible in your environment. When configuring security on the access point, you first must choose the security mode, then in some modes an authentication algorithm, and whether to allow clients not using the specified security mode to associate.
Wi-Fi Protected Access (WPA) with Remote Authentication Dial-In User Service (RADIUS) using the CCMP (AES) encryption algorithm provides the best data protection available and is clearly the best choice if all client stations are equipped with WPA supplicants. However, backward compatibility or interoperability issues with clients or even with other access points may require that you configure WPA with RADIUS with a different encryption algorithm or choose one of the other security modes.
That said, however, security may not be as much of a priority on some types of networks. If you are simply providing internet and printer access, as on a guest network, setting the security mode to "None (Plain-text)" may be the appropriate choice. To prevent clients from accidentally discovering and connecting to your network, you can disable the broadcast SSID so that your network name is not advertised. If the network is sufficiently isolated from access to sensitive information, this may offer enough protection in some situations. This level of protection is the only one offered for guest networks, and also may be the right convenience trade-off for other scenarios where the priority is making it as easy as possible for clients to connect. (See Does Prohibiting the Broadcast SSID Enhance Security?)
Following is a brief discussion of what factors make one mode more secure than another, a description of each mode offered, and when to use each mode.
Comparison of Security Modes for Key Management, Authentication and Encryption Algorithms
Three major factors that determine the effectiveness of a security protocol are:
- How the protocol manages keys
- Presence or absence of integrated user authentication in the protocol
- Encryption algorithm or formula the protocol uses to encode/decode the data
Following is a list of the security modes available on the Devicescape Reference AP along with a description of the key management, authentication, and encryption algorithms used in each mode. We include some suggestions as to when one mode might be more appropriate than another.
When to Use Unencrypted (No Security)
Setting the security mode to "None (Plain-text)" by definition provides no security. In this mode, the data is not encrypted but rather sent as "plain-text" across the network. No key management, data encryption or user authentication is used.
Recommendations
Unencrypted mode, i.e. None (Plain-text), is not recommended for regular use on the Internal network because it is not secure. This is the only mode in which you can run the Guest network, which is by definition an insecure LAN, always virtually or physically separated from any sensitive information on the Internal LAN.
Therefore, only set the security mode to "None (Plain-text)" on the Guest network, and on the Internal network for initial setup, testing, or problem solving only.
See Also
For information on how to configure unencrypted security mode, see None (Plain-text) under Configuring Security Settings.
When to Use Static WEP
Static Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. All wireless stations and access points on the network are configured with a static 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit secret key + 24-bit IV) Shared Key for data encryption.
Key Management: Static WEP uses a fixed key that is provided by the administrator. WEP keys are indexed in different slots (up to four on the Devicescape Reference AP). The client stations must have the same key indexed in the same slot to access data on the access point.
Encryption Algorithm: An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each 802.11 frame.
User Authentication: If you set the Authentication Algorithm to Shared Key, this protocol provides a rudimentary form of user authentication. However, if the Authentication Algorithm is set to "Open System", no authentication is performed. If the algorithm is set to "Both", only WEP clients are authenticated.
Recommendations
Static WEP was designed to provide security equivalent to that of sending unencrypted data over an Ethernet connection; however, it has major flaws and does not provide even this intended level of security.
Therefore, Static WEP is not recommended as a secure mode. The only time to use Static WEP is when interoperability issues make it the only option available to you and you are not concerned with the potential of exposing the data on your network.
See Also
For information on how to configure Static WEP security mode, see Static WEP under Configuring Security Settings.
When to Use IEEE 802.1x
IEEE 802.1x is the standard for passing the Extensible Authentication Protocol (EAP) over an 802.11 wireless network using a protocol called EAP Encapsulation Over LANs (EAPOL). This is a newer, more secure standard than Static WEP.
Key Management: IEEE 802.1x provides dynamically-generated keys that are periodically refreshed. There are different Unicast keys for each station.
Encryption Algorithm: An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each 802.11 frame.
User Authentication: IEEE 802.1x mode supports a variety of authentication methods, like certificates, Kerberos, and public key authentication with a RADIUS server. You have a choice of using the Devicescape Reference AP embedded RADIUS server or an external RADIUS server. The embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.
Recommendations
IEEE 802.1x mode is a better choice than Static WEP because keys are dynamically generated and changed periodically. However, the encryption algorithm used is the same as that of Static WEP and is therefore not as reliable as the more advanced encryption methods such as TKIP and CCMP (AES) used in Wi-Fi Protected Access (WPA) or WPA2.
Additionally, compatibility issues may be cumbersome because of the variety of authentication methods supported and the lack of a standard implementation method.
Therefore, IEEE 802.1x mode is not as secure a solution as Wi-Fi Protected Access (WPA) or WPA2. If you cannot use WPA because some of your client stations do not have WPA, then a better solution than using IEEE 802.1x mode is to use WPA Enterprise mode.
See Also
For information on how to configure IEEE 802.1x security mode, see IEEE 802.1x under Configuring Security Settings.
When to Use WPA Personal
Wi-Fi Protected Access Personal Pre-Shared Key (PSK) is an implementation of the Wi-Fi Alliance IEEE 802.11i standard, which includes Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. This mode offers the same encryption algorithms as WPA2 with RADIUS but without the ability to integrate a RADIUS server for user authentication.
This security mode is backwards-compatible for wireless clients that support only the original WPA.
Key Management: WPA Personal provides dynamically-generated keys that are periodically refreshed. There are different Unicast keys for each station.
Encryption Algorithms:
- Temporal Key Integrity Protocol (TKIP)
- Counter mode/CBC-MAC Protocol (CCMP) Advanced Encryption Standard (AES)
User Authentication: The use of a Pre-Shared Key (PSK) provides user authentication similar to that of shared keys in WEP.
Recommendations
WPA Personal is not recommended for use with the Devicescape Reference AP when WPA Enterprise is an option.
We recommend that you use WPA Enterprise mode instead, unless you have interoperability issues that prevent you from using this mode.
For example, some devices on your network may not support WPA or WPA2 with EAP talking to a RADIUS server. Embedded printer servers or other small client devices with very limited space for implementation may not support RADIUS. For such cases, we recommend that you use WPA Personal.
See Also
For information on how to configure this security mode, see WPA Personal under Configuring Security Settings.
When to Use WPA Enterprise
Wi-Fi Protected Access Enterprise with Remote Authentication Dial-In User Service (RADIUS) is an implementation of the Wi-Fi Alliance IEEE 802.11i standard, which includes Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. This mode requires the use of a RADIUS server to authenticate users. WPA Enterprise provides the best security available for wireless networks.
This security mode also provides backwards-compatibility for wireless clients that support only the original WPA.
Key Management: WPA Enterprise mode provides dynamically-generated keys that are periodically refreshed. There are different Unicast keys for each station.
Encryption Algorithms:
- Temporal Key Integrity Protocol (TKIP)
- Counter mode/CBC-MAC Protocol (CCMP) Advanced Encryption Standard (AES)
User Authentication: Remote Authentication Dial-In User Service (RADIUS). You have a choice of using the Devicescape Reference AP embedded RADIUS server or an external RADIUS server. The embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.
Recommendations
WPA Enterprise mode is the recommended mode. The CCMP (AES) and TKIP encryption algorithms used with WPA modes are far superior to the RC4 algorithm used for Static WEP or IEEE 802.1x modes. Therefore, CCMP (AES) or TKIP should be used whenever possible. All WPA modes allow you to use these encryption schemes, so WPA security modes are recommended above the others when using WPA is an option.
Additionally, this mode incorporates a RADIUS server for user authentication which gives it an edge over WPA Personal mode.
Use the following guidelines for choosing options within the WPA Enterprise security mode:
- The best security you can have to date on a wireless network is WPA Enterprise mode using CCMP (AES) encryption algorithm. AES is a symmetric 128-bit block data encryption technique that works on multiple layers of the network. It is the most effective encryption system currently available for wireless networks. If all clients or other APs on the network are WPA/CCMP compatible, use this encryption algorithm. (If all clients are WPA2 compatible, choose to support only WPA2 clients.)
- The second best choice is WPA Enterprise with the encryption algorithm set to both TKIP and CCMP. This lets WPA client stations without CCMP associate, uses TKIP for encrypting Multicast and Broadcast frames, and allows clients to select whether to use CCMP or TKIP for Unicast (AP-to-single-station) frames. This WPA configuration allows more interoperability, at the expense of some security. Client stations that support CCMP can use it for their Unicast frames. If you encounter AP-to-station interoperability problems with the "Both" encryption algorithm setting, then you will need to select TKIP instead. (See [3])
- The third best choice is WPA Enterprise with the encryption algorithm set to TKIP. Some clients have interoperability issues with CCMP and TKIP enabled at the same time. If you encounter this problem, then choose TKIP as the encryption algorithm. This is the standard WPA mode and the most interoperable with the security features of client wireless software. TKIP is the only encryption algorithm that is being tested in Wi-Fi WPA certification.
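The three guidelines above, and the rule that a "Both" setting keeps TKIP for the group (multicast/broadcast) cipher while each station uses its strongest unicast cipher, written as a small decision procedure. This is an added example, not Devicescape code and not how the AP's firmware makes the choice: the names Client, recommend_ap_settings, negotiate and plan are chosen here, and the client capability sets are constructed for the demonstration.

```python
"""Choosing WPA Enterprise options from what the clients support (added example)."""
from dataclasses import dataclass

CIPHER_RANK = {"CCMP": 2, "TKIP": 1}     # higher is stronger
VERSION_RANK = {"WPA2": 2, "WPA": 1}


@dataclass(frozen=True)
class Client:
    """What one client station advertises: constructed capability sets."""
    name: str
    versions: frozenset    # e.g. {"WPA"} or {"WPA", "WPA2"}
    ciphers: frozenset     # e.g. {"TKIP"} or {"TKIP", "CCMP"}


def recommend_ap_settings(clients):
    """Strongest (WPA Versions, encryption algorithm) that still admits every client.

    Order follows the guidelines: WPA2 only when all clients speak WPA2, otherwise
    Both; CCMP only > TKIP and CCMP > TKIP only. Returns None when no single
    setting admits all clients (the case where another mode has to be considered).
    """
    if all("WPA2" in c.versions for c in clients):
        versions = frozenset({"WPA2"})
    else:
        versions = frozenset({"WPA", "WPA2"})
    if all("CCMP" in c.ciphers for c in clients):
        ciphers = frozenset({"CCMP"})
    elif any("CCMP" in c.ciphers for c in clients):
        ciphers = frozenset({"TKIP", "CCMP"})
    else:
        ciphers = frozenset({"TKIP"})
    if not all(c.versions & versions and c.ciphers & ciphers for c in clients):
        return None
    return versions, ciphers


def negotiate(ap_versions, ap_ciphers, client):
    """Outcome for one client: (version, pairwise cipher, group cipher) or None.

    The group cipher is the weakest cipher the AP has enabled, because every
    associated station must be able to decrypt broadcast and multicast frames;
    the pairwise (unicast) cipher is the strongest one the client and AP share.
    """
    versions = ap_versions & client.versions
    ciphers = ap_ciphers & client.ciphers
    if not versions or not ciphers:
        return None                          # client cannot associate with this AP setting
    version = max(versions, key=VERSION_RANK.get)
    pairwise = max(ciphers, key=CIPHER_RANK.get)
    group = min(ap_ciphers, key=CIPHER_RANK.get)
    return version, pairwise, group


def plan(clients):
    """Recommended AP setting applied to each client; None if no setting fits all."""
    settings = recommend_ap_settings(clients)
    if settings is None:
        return None
    versions, ciphers = settings
    return {c.name: negotiate(versions, ciphers, c) for c in clients}


if __name__ == "__main__":
    laptop = Client("laptop", frozenset({"WPA", "WPA2"}), frozenset({"TKIP", "CCMP"}))
    printer = Client("printer", frozenset({"WPA"}), frozenset({"TKIP"}))
    print(recommend_ap_settings([laptop, printer]))
    print(plan([laptop, printer]))
```

With one legacy TKIP-only client on the network the recommendation drops from WPA2/CCMP to Both/TKIP+CCMP, and the output makes the cost visible: the modern client still gets CCMP for unicast, but every station's broadcast traffic is now protected only by TKIP.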
See Also
For information on how to configure this security mode, see WPA Enterprise under Configuring Security Settings.
Does Prohibiting the Broadcast SSID Enhance Security?
By default, the access point broadcasts its Service Set Identifier (SSID) in its beacon frames. You can suppress (prohibit) this broadcast to discourage stations from automatically discovering your access point. When the AP's broadcast SSID is suppressed, the network name will not be displayed in the List of Available Networks on a client station. Instead, the client must have the exact network name configured in the supplicant before it will be able to connect.
Disabling the broadcast SSID is sufficient to prevent clients from accidentally connecting to your network, but it will not prevent even the simplest of attempts by a hacker to connect, or monitor unencrypted traffic.
This offers a very minimal level of protection on an otherwise exposed network (such as a guest network) where the priority is making it easy for clients to get a connection and where no sensitive information is available.
(See also Guest Network.)
How Does Station Isolation Protect the Network?
When Station Isolation is enabled, the access point blocks communication between wireless clients. The access point still allows data traffic between its wireless clients and wired devices on the network, but not among wireless clients.
The traffic blocking extends to wireless clients connected to the network via WDS links; these clients cannot communicate with each other when Station Isolation is on. See Configuring the Wireless Distribution System (WDS) for more information about WDS.
Navigating to Security Settings
To set the security mode, navigate to the Security tab, and update the fields as described below.
Configuring Security Settings
The following configuration information explains how to configure security modes on the access point. Keep in mind that each wireless client that wants to exchange data with the access point must be configured with the same security mode and encryption key settings consistent with access point security.
On a two-radio AP, these Security Settings apply to both radios.
Note: Security modes other than Plain-text apply only to configuration of the "Internal" network. On the "Guest" network, you can use only Plain-text mode. (For more information about guest networks, see Setting up Guest Access.)
Broadcast SSID, Station Isolation, and Security Mode
To configure security on the access point, select a security mode and fill in the related fields as described in the following table. (Note you can also allow or prohibit the Broadcast SSID and enable/disable Station Isolation as extra precautions as mentioned below.)
Broadcast SSID
To enable the Broadcast SSID, select the checkbox directly beside it.
By default, the access point broadcasts (allows) the Service Set Identifier (SSID) in its beacon frames.
You can suppress (prohibit) this broadcast to discourage stations from automatically discovering your access point. When the AP's broadcast SSID is suppressed, the network name will not be displayed in the List of Available Networks on a client station. Instead, the client must have the exact network name configured in the supplicant before it will be able to connect.
Station Isolation
To enable station isolation, select the checkbox directly beside it.
- When Station Isolation is disabled, wireless clients can communicate with one another normally by sending traffic through the access point.
- When Station Isolation is enabled, the access point blocks communication between wireless clients. The access point still allows data traffic between its wireless clients and wired devices on the network, but not among wireless clients. The traffic blocking extends to wireless clients connected to the network via WDS links; these clients cannot communicate with each other when Station Isolation is on. See Configuring the Wireless Distribution System (WDS) for more information about WDS.
Security Mode
Select one of the security modes described in the sections that follow.
For a Guest network, the only security mode that can be applied is "None (Plain-text)". (For more information, see Setting up Guest Access.)
Security modes other than "None (Plain-text)" apply only to configuration of the "Internal" network.
None (Plain-text)
None (or Plain-text security) means any data transferred to and from the Devicescape Reference AP is not encrypted.
If you select "None (Plain-text)" as your security mode, no further options are configurable on the AP. This security mode can be useful during initial network configuration or for problem solving, but it is not recommended for regular use on the Internal network because it is not secure.
Guest Network
Setting security to "None (Plain-text)" is the only mode in which you can run the Guest network, which is by definition an easily accessible, insecure LAN always virtually or physically separated from any sensitive information on the Internal LAN. For example, the guest network might simply provide internet and printer access for day visitors.
The absence of security on the Guest AP is designed to make it as easy as possible for guests to get a connection without having to program any security settings in their clients.
For a minimum level of protection on a guest network, you can choose to suppress (prohibit) the broadcast of the SSID (network name) to discourage client stations from automatically discovering your access point. (See also Does Prohibiting the Broadcast SSID Enhance Security?).
For more about the Guest network, see Setting up Guest Access.
Static WEP
Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. All wireless stations and access points on the network are configured with a static 64-bit (40-bit secret key + 24-bit initialization vector (IV)), 128-bit (104-bit secret key + 24-bit IV), or 152-bit (128-bit secret key + 24-bit IV) Shared Key for data encryption.
You cannot mix 64-bit, 128-bit, and 152-bit WEP keys between the access point and its client stations.
Static WEP is not the most secure mode available, but it offers more protection than setting the security mode to "None (Plain-text)" as it does prevent an outsider from easily sniffing out unencrypted wireless traffic. (For more secure modes, see the sections on IEEE 802.1x, WPA Enterprise, or WPA Personal.)
WEP encrypts data moving across the wireless network based on a static key. (The encryption algorithm is a "stream" cipher called RC4.)
The access point uses a key to transmit data to the client stations. Each client station must use that same key to decrypt data it receives from the access point.
Client stations can use different keys to transmit data to the access point. (Or they can all use the same key, but this is less secure because it means one station can decrypt the data being sent by another.)
If you selected "Static WEP" Security Mode, provide the following in the access point settings:
Transfer Key Index
Select a key index from the drop-down menu. Key indexes 1 through 4 are available. The default is 1.
The Transfer Key Index indicates which WEP key the access point will use to encrypt the data it transmits.
Key Length
Specify the length of the key by clicking one of the radio buttons:
- 64 bits
- 128 bits
- 152 bits
Key Type
Select the key type by clicking one of the radio buttons:
- ASCII
- HEX
WEP Keys
You can specify up to four WEP keys. In each text box, enter a string of characters for each key.
If you selected "ASCII", enter any combination of ASCII characters. If you selected "HEX", enter hexadecimal digits (any combination of 0-9 and a-f or A-F).
Use the same number of characters for each key as specified in the "Characters Required" field. These are the RC4 WEP keys shared with the stations using the access point.
Each client station must be configured to use one of these same WEP keys in the same slot as specified here on the AP. (See Rules to Remember for Static WEP.)
The "Characters Required" field (for example, "Characters Required: 26") indicates the number of characters required in each WEP key. The number of characters required updates automatically based on how you set Key Length and Key Type.
Authentication
The authentication algorithm defines the method used to determine whether a client station is allowed to associate with an access point when static WEP is the security mode.
Specify the authentication algorithm you want to use by choosing one of the following options:
Note: You can also select both the Open System and Shared Key checkboxes.
Open System authentication allows any client station to associate with the access point whether that client station has the correct WEP key or not. This algorithm is also used in plaintext, IEEE 802.1x, and WPA modes. When the authentication algorithm is set to "Open System", any client can associate with the access point.
Note that just because a client station is allowed to associate does not ensure it can exchange traffic with an access point. A station must have the correct WEP key to be able to successfully access and decrypt data from an access point, and to transmit readable data to the access point.
Shared Key authentication requires the client station to have the correct WEP key in order to associate with the access point. When the authentication algorithm is set to "Shared Key", a station with an incorrect WEP key will not be able to associate with the access point.
Both Open System and Shared Key. When you select both authentication algorithms:
- Client stations configured to use WEP in shared key mode must have a valid WEP key in order to associate with the access point.
- Client stations configured to use WEP as an open system (shared key mode not enabled) will be able to associate with the access point even if they do not have the correct WEP key.
Rules to Remember for Static WEP
- All client stations must have the Wireless LAN (WLAN) security set to WEP and all clients must have one of the WEP keys specified on the AP in order to de-code AP-to-station data transmissions.
- The AP must have all keys used by clients for station-to-AP transmit so that it can de-code the station transmissions.
- The same key must occupy the same slot on all nodes (AP and clients). For example, if the AP defines abc123 as WEP key 3, then the client stations must define that same string as WEP key 3.
- On some wireless client software (like Funk Odyssey), you can configure multiple WEP keys and define a client station "transfer key index", and then set the stations to encrypt the data they transmit using different keys. This ensures that neighboring APs cannot decode each other's transmissions.
Example of Using Static WEP
For a simple example, suppose you configure three WEP keys on the access point. In our example, the Transfer Key Index for the AP is set to "3". This means that the WEP key in slot "3" is the key the access point will use to encrypt the data it sends.
You must then set all client stations to use WEP and provide each client with one of the slot/key combinations you defined on the AP.
For this example, we'll set WEP key 1 on a Windows client.
Figure 1 Providing a Wireless Client with a WEP Key
If you have a second client station, that station also needs to have one of the WEP keys defined on the AP. You could give it the same WEP key you gave to the first station. Or for a more secure solution, you could give the second station a different WEP key (key 2, for example) so that the two stations cannot decrypt each other's transmissions.
Static WEP with Transfer Key Indexes on Client Stations
Some Wireless client software (like Funk Odyssey) lets you configure multiple WEP keys and set a transfer index on the client station, then you can specify different keys to be used for station-to-AP transmissions. (The standard Windows wireless client software does not allow you to do this.)
To build on our example, using Funk Odyssey client software you could give each of the clients WEP key 3 so that they can decode the AP transmissions with that key and also give client 1 WEP key 1 and set this as its transfer key. You could then give client 2 WEP key 2 and set this as its transfer key index.
The following figure illustrates the dynamics of the AP and two client stations using multiple WEP keys and a transfer key index.
Figure 2 Example of Using Multiple WEP Keys and Transfer Key Index on Client Stations
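The slot rules and the two-client example above, worked through in code. This is an added example, not Devicescape code and not the AP's implementation: the Station class, parse_wep_key, page_example and the sample keys are constructed here for illustration, and the frame layout is a simplified static WEP frame (3-byte IV, key-id byte carrying the slot number, RC4 keyed with IV || key over body || CRC-32). parse_wep_key applies the Characters Required rule from the WEP Keys field; page_example() shows both clients decoding the AP's slot-3 transmissions while client 2, which holds nothing in slot 1, cannot decode what client 1 sends.

```python
"""Static WEP key slots and the Transfer Key Index, modelled in code (added example)."""
import os
import struct
import zlib

# (Key Length, Key Type) -> value the "Characters Required" field shows
CHARS_REQUIRED = {(64, "ASCII"): 5, (64, "HEX"): 10,
                  (128, "ASCII"): 13, (128, "HEX"): 26,
                  (152, "ASCII"): 16, (152, "HEX"): 32}


def parse_wep_key(text, key_length, key_type):
    """Check a key as typed into a WEP Keys box and return the secret key bytes."""
    need = CHARS_REQUIRED[(key_length, key_type)]
    if len(text) != need:
        raise ValueError(f"{key_length}-bit {key_type} key needs {need} characters")
    if key_type == "HEX":
        if any(c not in "0123456789abcdefABCDEF" for c in text):
            raise ValueError("HEX key may contain only 0-9, a-f, A-F")
        return bytes.fromhex(text)
    return text.encode("ascii")


def rc4(key, data):
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


class Station:
    """An AP or client: keys maps slot number (1-4) to key bytes."""

    def __init__(self, name, keys, transfer_key_index):
        self.name, self.keys, self.transfer_key_index = name, keys, transfer_key_index

    def encrypt(self, body):
        slot = self.transfer_key_index                     # the station's transfer key
        iv = os.urandom(3)
        payload = body + struct.pack("<I", zlib.crc32(body))   # body || ICV
        return iv + bytes([(slot - 1) << 6]) + rc4(iv + self.keys[slot], payload)

    def decrypt(self, frame):
        """Body if this station holds the right key in the sender's slot, else None."""
        iv, slot = frame[:3], (frame[3] >> 6) + 1
        key = self.keys.get(slot)
        if key is None:
            return None                                    # that slot is empty here
        plain = rc4(iv + key, frame[4:])
        body, icv = plain[:-4], plain[-4:]
        if struct.pack("<I", zlib.crc32(body)) != icv:
            return None                                    # wrong key in that slot
        return body


def page_example():
    """AP transmits with slot 3; client 1 with slot 1; client 2 with slot 2 (constructed keys)."""
    k1 = parse_wep_key("abcd1234ef", 64, "HEX")
    k2 = parse_wep_key("K2key", 64, "ASCII")
    k3 = parse_wep_key("0123456789", 64, "HEX")
    ap = Station("AP", {1: k1, 2: k2, 3: k3}, transfer_key_index=3)
    client1 = Station("client1", {1: k1, 3: k3}, transfer_key_index=1)
    client2 = Station("client2", {2: k2, 3: k3}, transfer_key_index=2)
    from_ap, from_c1 = ap.encrypt(b"AP to all"), client1.encrypt(b"client 1 to AP")
    return {"client1 reads AP": client1.decrypt(from_ap),
            "client2 reads AP": client2.decrypt(from_ap),
            "AP reads client1": ap.decrypt(from_c1),
            "client2 reads client1": client2.decrypt(from_c1)}   # None: slot 1 empty
```

The ICV check is what turns a wrong key in the right slot into an undecodable frame; note that it is a plain CRC-32, not a cryptographic integrity check, which is one of the design weaknesses the text refers to when it says WEP does not deliver its intended level of security.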
IEEE 802.1x
IEEE 802.1x is the standard defining port-based authentication and the infrastructure for doing key management. Extensible Authentication Protocol (EAP) messages are sent over an IEEE 802.11 wireless network using a protocol called EAP Encapsulation Over LANs (EAPOL). IEEE 802.1x provides dynamically-generated keys that are periodically refreshed. An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each 802.11 frame.
This mode requires the use of a RADIUS server to authenticate users. If the option for the internal RADIUS server is enabled, configure user accounts on the AP via the Cluster > User Management tab. Otherwise configure user accounts on the external RADIUS server.
The access point requires a RADIUS server capable of EAP, such as the Microsoft Internet Authentication Server or the Devicescape Reference AP internal authentication server. To work with Windows clients, the authentication server must support Protected EAP (PEAP) and MSCHAP V2.
When configuring IEEE 802.1x mode, you have a choice of whether to use the embedded RADIUS server or an external RADIUS server that you provide. The Devicescape Reference AP embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.
If you use your own RADIUS server, you have the option of using any of a variety of authentication methods that the IEEE 802.1x mode supports, including certificates, Kerberos, and public key authentication. Keep in mind, however, that the client stations must be configured to use the same authentication method being used by the access point.
If you selected "IEEE 802.1x" Security Mode, provide the following:

Use internal radius server
You can choose whether to use the built-in authentication server provided with the Devicescape Reference AP, or you can use an external radius server.
- To use the authentication server provided with the Devicescape Reference AP, ensure the checkbox beside the Use internal radius server field is selected. If this option is selected, you do not have to provide the Radius IP and Radius Key; they are automatically provided. If the option for the internal RADIUS server is enabled, configure user accounts on the AP via the Cluster > User Management tab. For more information, see Managing User Accounts.
- To use an external authentication server, ensure the checkbox beside the Use internal radius server field is deselected. If you deselect this checkbox you must supply a Radius IP and Radius Key of the server you want to use.
Note: The RADIUS server is identified by its IP address and UDP port numbers for the different services it provides. On the current release of the Devicescape Reference AP, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are not configurable. (The Devicescape Reference AP is hard-coded to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.)
Radius IP
Enter the Radius IP in the text box.
The Radius IP is the IP address of the RADIUS server.
(The Devicescape Reference AP internal authentication server is 127.0.0.1.)
For information on setting up user accounts, see Managing User Accounts.
Radius Key
Enter the Radius Key in the text box.
The Radius Key is the shared secret key for the RADIUS server. The text you enter will be displayed as "*" characters to prevent others from seeing the RADIUS key as you type.
(The Devicescape Reference AP internal authentication server key is secret.)
This value is never sent over the network.
Enable radius accounting
Click the checkbox beside "Enable radius accounting" if you want to track and measure the resources a particular user has consumed, such as system time, amount of data transmitted and received, and so on.
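Why the Radius Key is never sent over the network, as an added example (not Devicescape code and not the AP's own RADIUS client): in RADIUS the shared secret is only ever folded into an MD5 over the packet, per RFC 2865 and RFC 2866, so the AP can check that an Access-Accept really came from a server holding the same secret, and the server can check an Accounting-Request the same way. The attribute numbers used (1 User-Name, 5 NAS-Port, 18 Reply-Message, 40 Acct-Status-Type) and the ports 1812/1813 are the standard ones; the secret and the packets are constructed in-process, nothing is sent.

```python
"""RADIUS authenticator arithmetic (RFC 2865 / RFC 2866), added example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
AUTH_PORT, ACCT_PORT = 1812, 1813       # the UDP ports the AP is hard-coded to use


def encode_attrs(attrs):
    """attrs is a list of (type, value bytes); returns the RFC 2865 section 5 TLVs."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for one TLV")
        out += struct.pack("!BB", atype, 2 + len(value)) + value
    return out


def build_packet(code, identifier, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def access_request(identifier, attrs):
    """AP side: each Access-Request carries a fresh random 16-octet Request Authenticator."""
    return build_packet(ACCESS_REQUEST, identifier, os.urandom(16), attrs)


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def server_reply(code, request_packet, attrs, secret):
    """Server side: answer request_packet, binding the reply to it with the secret."""
    identifier, request_auth = request_packet[1], request_packet[4:20]
    auth = response_authenticator(code, identifier, request_auth, attrs, secret)
    return build_packet(code, identifier, auth, attrs)


def verify_reply(reply, request_packet, secret):
    """AP side: recompute the Response Authenticator with our secret and compare."""
    if reply[1] != request_packet[1]:
        return False                                  # not the answer to this request
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False                                  # length field must match the datagram
    expected = hashlib.md5(reply[:4] + request_packet[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def accounting_request(identifier, attrs, secret):
    """RFC 2866 section 3: authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_accounting_request(packet, secret):
    """Accounting server side: the same computation with the authenticator field zeroed."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"             # constructed, not a real key
    req = access_request(7, [(1, b"alice"), (5, struct.pack("!I", 1))])
    rep = server_reply(ACCESS_ACCEPT, req, [(18, b"welcome")], secret)
    print("reply accepted:", verify_reply(rep, req, secret))
    print("reply with wrong secret accepted:", verify_reply(rep, req, b"other"))
```

A mismatched Radius Key therefore does not leak the key; it shows up as replies that fail verify_reply (and, on the server, accounting packets that fail verify_accounting_request), which is the symptom to look for when the AP and server disagree on the secret.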
WPA Personal
Wi-Fi Protected Access Personal is a Wi-Fi Alliance IEEE 802.11i standard, which includes Counter mode/CBC-MAC Protocol with the Advanced Encryption Standard (CCMP-AES) and Temporal Key Integrity Protocol (TKIP) mechanisms. The Personal version of WPA employs a pre-shared key (instead of using IEEE 802.1x and EAP as is used in the Enterprise WPA security mode). The PSK is used for an initial check of credentials only.
This security mode is backwards-compatible for wireless clients that support the original WPA.
If you selected "WPA Personal" Security Mode, provide the following:

|
Field
|
Description
|
|
WPA Versions
|
Select the types of client stations you want to support:
WPA. If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA.
WPA2. If all client stations on the network support WPA2, we suggest using WPA2 which provides the best security per the IEEE 802.11i standard.
Both. If you have a mix of clients, some of which support WPA2 and others which support only the original WPA, select "Both". This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients who support it. This WPA configuration allows more interoperability, at the expense of some security.
|
|
Cipher Suites
|
Select the cipher suite you want to use:
Temporal Key Integrity Protocol ( TKIP) is the default.
TKIP provides a more secure encryption solution than WEP keys. The TKIP process more frequently changes the encryption key used and better ensures that the same key will not be re-used to encrypt data (a weakness of WEP). TKIP uses a 128-bit "temporal key" shared by clients and access points. The temporal key is combined with the client's MAC address and a 16-octet initialization vector to produce the key that will encrypt the data. This ensures that each client station uses a different key to encrypt data. TKIP uses RC4 to perform the encryption, which is the same as WEP. But TKIP changes temporal keys every 10,000 packets and distributes them, thereby greatly improving the security of the network.
Counter mode/CBC-MAC Protocol ( CCMP) is an encryption method for IEEE 802.11i that uses the Advanced Encryption Algorithm ( AES). It uses a CCM combined with Cipher Block Chaining Counter mode (CBC-CTR) and Cipher Block Chaining Message Authentication Code (CBC-MAC) for encryption and message integrity.
If you select both TKIP and CCMP (AES), the pairwise cipher is AES and the groupwise cipher is TKIP. The pairwise cipher is used for unicast traffic and the groupwise cipher for multicast/broadcast traffic. Both TKIP and AES clients can associate with the access point. WPA clients must have one of the following to be able to associate with the AP:
- A valid TKIP key
- A valid CCMP (AES) key
Clients not configured to use WPA Personal will not be able to associate with the AP.

Key
The Pre-shared Key is the shared secret key for WPA Personal. Enter a string of at least 8 and at most 63 characters.
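An added example (not code from the Devicescape documentation) of what the access point does with this Key: it checks the 8 to 63 character rule and expands the passphrase together with the SSID into the 256-bit Pairwise Master Key that WPA Personal actually uses for the handshake. The sample passphrase and SSID in the demo are the published IEEE 802.11i test vector.

```python
import hashlib


def validate_passphrase(passphrase: str) -> bool:
    """Apply the Key field's rule: 8 to 63 characters, each printable ASCII (0x20..0x7e)."""
    if not 8 <= len(passphrase) <= 63:
        return False
    return all(32 <= ord(ch) <= 126 for ch in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Expand the passphrase into the 32-byte Pairwise Master Key that AP and client share.

    WPA/WPA2-Personal use PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations
    (IEEE 802.11i Annex H.4). Because the SSID is public, the passphrase is the only
    secret in this derivation; the AP works with the resulting PMK, not the passphrase.
    """
    if not validate_passphrase(passphrase):
        raise ValueError("WPA Personal key must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    # Constructed inputs: this passphrase/SSID pair is the IEEE 802.11i Annex H.4 test vector.
    print(derive_pmk("password", "IEEE").hex())
```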
WPA Enterprise
Wi-Fi Protected Access Enterprise with Remote Authentication Dial-In User Service (RADIUS) is an implementation of the Wi-Fi Alliance IEEE 802.11i standard, which includes Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. The Enterprise mode requires the use of a RADIUS server to authenticate users, and configuration of user accounts via the Cluster > User Management tab.
This security mode is backwards-compatible with wireless clients that support the original WPA.
When configuring WPA Enterprise mode, you have a choice of whether to use the built-in RADIUS server or an external RADIUS server that you provide. The Devicescape Reference AP built-in RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.
If you selected "WPA Enterprise" Security Mode, provide the following fields (each field name is followed by its description):

WPA Versions
Select the types of client stations you want to support:
WPA. If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA.
WPA2. If all client stations on the network support WPA2, we suggest using WPA2 which provides the best security per the IEEE 802.11i standard.
Both. If you have a mix of clients, some of which support WPA2 and others which support only the original WPA, select both WPA and WPA2. This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients who support it. This WPA configuration allows more interoperability, at the expense of some security.

Enable pre-authentication
If for WPA Versions you select only WPA2 or both WPA and WPA2, you can enable pre-authentication for WPA2 clients.
Click Enable pre-authentication if you want WPA2 wireless clients to send pre-authentication packets. The pre-authentication information is relayed from the access point the client is currently using to the target access point. Enabling this feature can speed up authentication for roaming clients that connect to multiple access points.
This option does not apply if you selected "WPA" for WPA Versions because the original WPA does not support this feature.

Cipher Suites
Select the cipher suite you want to use:
Temporal Key Integrity Protocol (TKIP) is the default.
TKIP provides a more secure encryption solution than WEP keys. TKIP changes the encryption key more frequently and better ensures that the same key will not be reused to encrypt data (a weakness of WEP). TKIP uses a 128-bit "temporal key" shared by clients and access points. The temporal key is combined with the client's MAC address and a 16-octet initialization vector to produce the key that encrypts the data, so each client station uses a different key. TKIP uses RC4 to perform the encryption, as WEP does, but TKIP changes temporal keys every 10,000 packets and distributes them, thereby greatly improving the security of the network.
Counter mode/CBC-MAC Protocol (CCMP) is an encryption method for IEEE 802.11i that uses the Advanced Encryption Standard (AES). It uses CCM, which combines Counter mode (CTR) encryption with the Cipher Block Chaining Message Authentication Code (CBC-MAC), for encryption and message integrity.
By default both TKIP and CCMP are selected. When both are selected, both TKIP and AES clients can associate with the access point. Client stations configured to use WPA with RADIUS must have one of the following to be able to associate with the AP:
- A valid TKIP RADIUS IP address and RADIUS Key
- A valid CCMP (AES) IP address and RADIUS Key
Clients not configured to use WPA with RADIUS will not be able to associate with the AP.

Use internal radius server
You can choose whether to use the built-in authentication server provided with the Devicescape Reference AP, or an external RADIUS server.
- To use the authentication server provided with the Devicescape Reference AP, ensure the checkbox beside the Use internal radius server field is selected. If this option is selected, you do not have to provide the Radius IP and Radius Key; they are supplied automatically. If the internal RADIUS server is enabled, configure user accounts on the AP via the Cluster > User Management tab. For more information, see Managing User Accounts.
- To use an external authentication server, ensure the checkbox beside the Use internal radius server field is deselected. If you deselect this checkbox you must supply the Radius IP and Radius Key of the server you want to use.
Note: The RADIUS server is identified by its IP address and by the UDP port numbers for the different services it provides. On the current release of the Devicescape Reference AP, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are not configurable. (The Devicescape Reference AP is hard-coded to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.)

Radius IP
Enter the Radius IP in the text box.
The Radius IP is the IP address of the RADIUS server.
(The Devicescape Reference AP internal authentication server is 127.0.0.1.)
For information on setting up user accounts, see Managing User Accounts.

Radius Key
Enter the Radius Key in the text box.
The Radius Key is the shared secret key for the RADIUS server. The text you enter will be displayed as "*" characters to prevent others from seeing the RADIUS key as you type.
(The Devicescape Reference AP internal authentication server key is secret.)
This value is never sent over the network.
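The Radius Key stays off the wire because both ends use it only as keying material for per-packet MD5 digests. The following added example (not from the Devicescape documentation) shows the AP side of that exchange: an Access-Request carrying an EAP-Message, as a PEAP exchange does, with a Message-Authenticator keyed with the shared secret (RFC 2869), and verification of the server's Response Authenticator (RFC 2865). The secret, user name and EAP payload are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, user: bytes, eap: bytes) -> bytes:
    """AP side: Access-Request with an EAP-Message and a keyed Message-Authenticator."""
    request_auth = os.urandom(16)  # random Request Authenticator, sent in the clear
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_EAP_MESSAGE, eap)
    # Message-Authenticator = HMAC-MD5(secret, whole packet with this value zeroed)
    # (RFC 2869 section 5.14); the secret itself never appears in the packet.
    zeroed = attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + len(zeroed))
    mac = hmac.new(secret, header + request_auth + attrs + zeroed, hashlib.md5).digest()
    return header + request_auth + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def build_access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + response_auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """AP side: a reply is trusted only if it was built with the same Radius Key."""
    if len(response) < 20 or int.from_bytes(response[2:4], "big") != len(response):
        return False
    if response[1] != request[1]:  # identifier must match the outstanding request
        return False
    head, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


if __name__ == "__main__":
    secret = b"example-secret"  # constructed; the real value is the configured Radius Key
    req = build_access_request(1, secret, b"alice", b"\x02\x01\x00\x0a\x01alice")
    print(verify_response(req, build_access_accept(req, secret), secret))  # True
```

A server that holds a different key produces a digest the AP rejects, which is why a mismatched Radius Key shows up as failed authentication rather than as a leaked secret.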

Enable RADIUS Accounting
Click "Enable RADIUS Accounting" if you want to enforce authentication for WPA client stations with user names and passwords for each station.
Updating Settings
To update Security settings:
- Navigate to the Security tab page.
- Configure the security settings as required.
- Click the Update button to apply the changes.