beautypg.com

Authentication protocol hierarchy – Proxim AP-4000 User Manual

Page 118

background image

Advanced Configuration

AP-4000 Series User Guide

SSID/VLAN/Security

118

WPA is a replacement for Wired Equivalent Privacy (WEP), the encryption technique specified by the original 802.11
standard. WEP has several vulnerabilities that have been widely publicized. WPA addresses these weaknesses and
provides a stronger security system to protect wireless networks.

WPA provides the following new security measures not available with WEP:

• Improved packet encryption using the Temporal Key Integrity Protocol (TKIP) and the Michael Message Integrity

Check (MIC).

• Per-user, per-session dynamic encryption keys:

Each client uses a different key to encrypt and decrypt unicast packets exchanged with the AP

A client's key is different for every session; it changes each time the client associates with an AP

The AP uses a single global key to encrypt broadcast packets that are sent to all clients simultaneously

Encryption keys change periodically based on the Re-keying Interval parameter

WPA uses 128-bit encryption keys

• Dynamic Key distribution

The AP generates and maintains the keys for its clients

The AP securely delivers the appropriate keys to its clients

• Client/server mutual authentication

802.1x

Pre-shared key (for networks that do not have an 802.1x solution implemented)

The AP supports the following WPA security modes:

WPA: The AP uses 802.1x to authenticate clients and TKIP for encryption. You should only use an EAP that supports

mutual authentication and session key generation, such as EAP-TLS, EAP-TTLS, and PEAP. See

802.1x

Authentication

for details.

WPA-PSK (Pre-Shared Key): For networks that do not have 802.1x implemented, you can configure the AP to

authenticate clients based on a Pre-Shared Key. This is a shared secret that is manually configured on the AP and
each of its clients. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits or 32
alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the TKIP
Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).

802.11i (also known as WPA2): The AP provides security to clients according to the 802.11i draft standard, using

802.1x authentication, a CCMP cipher based on AES, and re-keying.

802.11i-PSK (also known as WPA2 PSK): The AP uses a CCMP cipher based on AES, and encrypts frames to clients

based on a Pre-Shared Key. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits or 32
alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared
Key (so a user can enter an easy-to-remember phrase rather than a string of characters).

NOTE: For more information on WPA, see the Wi-Fi Alliance Web site at

http://www.wi-fi.org

.

Authentication Protocol Hierarchy

There is a hierarchy of authentication protocols defined for the AP.

The hierarchy is as follows, from Highest to lowest:

• 802.1x authentication
• MAC Access Control via RADIUS Authentication
• MAC Access Control through individual APs' MAC Access Control Lists

If you have both 802.1x and MAC authentication enabled, the 802.1x results will take effect. This is required in order
to propagate the WEP keys to the clients in such cases. Once you disable 802.1x on the AP, you will see the effects of
MAC authentication.