ZyXEL Communications G-360 User Manual

ZyXEL G-360 User’s Guide

2-6

Wireless LAN Network

with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server
perform authentication.
The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports
IEEE802.1x. The ZyXEL G-360 supports EAP-TLS, EAP-TTLS and EAP-PEAP. Refer to the Types of
EAP Authentication appendix for descriptions.
For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the
certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to
authenticate users and a CA issues certificates and guarantees the identity of each certificate owner.

2.2.3 WPA

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft. Key differences
between WPA and WEP are user authentication and improved data encryption.
User Authentication
WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients
using an external RADIUS database.
Therefore, if you don’t have an external RADIUS server, you should use WPA-PSK (WPA -Pre-Shared
Key) that only requires a single (identical) password entered into each access point, wireless gateway and
wireless client. As long as the passwords match, a client will be granted access to a WLAN.
Encryption
WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity
Check (MIC) and IEEE 802.1x.
Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and distributed
by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check
(MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying
mechanism.
TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used
twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key
hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption
keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.
This all happens in the background automatically.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering
them and resending them. The MIC provides a strong mathematical function in which the receiver and the
transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has
been tampered with and the packet is dropped.
By generating unique data encryption keys for every data packet and by creating an integrity checking
mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi network than WEP,
making it difficult for an intruder to break into the network.