Advanced configuration, Configuring security settings – HP ProCurve 520wl Wireless Access Point User Manual
Advanced Configuration
WPA provides the following new security measures not available with WEP:
• Improved packet encryption using the Temporal Key Integrity Protocol (TKIP) and the Michael Message Integrity
Check (MIC).
• Per-user, per-session dynamic encryption keys:
  – Each client uses a different key to encrypt and decrypt unicast packets exchanged with the AP
  – A client's key is different for every session; it changes each time the client associates with an AP
  – The AP uses a single global key to encrypt broadcast packets that are sent to all clients simultaneously
  – Encryption keys change periodically based on the Re-keying Interval parameter
  – WPA uses 128-bit encryption keys
• Dynamic Key distribution
  – The AP generates and maintains the keys for its clients
  – The AP securely delivers the appropriate keys to its clients
• Client/server mutual authentication
  – 802.1x
  – Pre-shared key (for networks that do not have an 802.1x solution implemented)
NOTE
.
The AP supports two WPA authentication modes:
• WPA: The AP uses 802.1x to authenticate clients. You should only use an EAP that supports mutual
authentication and session key generation, such as EAP-TLS, EAP-TTLS, and PEAP. See
for details.
• WPA-PSK (Pre-Shared Key): For networks that do not have 802.1x implemented, you can configure the AP to
authenticate clients based on a Pre-Shared Key. This is a shared secret that is manually configured on the AP and
each of its clients. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits. The AP also
supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared Key (so a user can enter an
easy-to-remember phrase rather than a string of characters).
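The two ways of entering the Pre-Shared Key described above can be reproduced offline to confirm that the AP and every client end up with the same 256-bit value. This is an added example, not code from the manual or from HP; it assumes the PSK Pass Phrase option follows the standard IEEE 802.11i mapping (PBKDF2-HMAC-SHA1 salted with the SSID, 4096 iterations), which this page does not state, and `resolve_psk` is a hypothetical helper name.

```python
import hashlib
import string

PSK_BYTES = 32        # 256-bit Pre-Shared Key, as the manual requires
PBKDF2_ROUNDS = 4096  # iteration count fixed by IEEE 802.11i (assumed to apply to this AP)


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK from a pass phrase, using the SSID as salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pass phrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("pass phrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PBKDF2_ROUNDS, PSK_BYTES
    )


def parse_hex_psk(text: str) -> bytes:
    """Accept a raw PSK entered as exactly 64 hexadecimal digits."""
    if len(text) != 64 or any(c not in string.hexdigits for c in text):
        raise ValueError("raw PSK must be exactly 64 hexadecimal digits")
    return bytes.fromhex(text)


def resolve_psk(secret: str, ssid: str) -> bytes:
    """Return the 32-byte key for either input form (hypothetical helper)."""
    # A pass phrase can be at most 63 characters, so 64 characters means raw hex.
    if len(secret) == 64:
        return parse_hex_psk(secret)
    return psk_from_passphrase(secret, ssid)


if __name__ == "__main__":
    # Constructed sample values: the pass phrase and SSIDs are illustrative only.
    key_a = resolve_psk("password", "IEEE")
    key_b = resolve_psk("password", "IEEE-guest")
    print("SSID IEEE       :", key_a.hex())
    print("SSID IEEE-guest :", key_b.hex())
    # The same phrase yields a different key on a different SSID because the
    # SSID is the salt; a client configured with the hex form must be updated
    # whenever the SSID changes.
    print("keys differ     :", key_a != key_b)
```

Because the SSID is part of the derivation, a pass phrase copied to a client with a mistyped SSID produces a different key and authentication fails even though the phrase is correct.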
Configuring Security Settings
You can configure each wireless interface to operate in one of the following Security modes:
1. No Security: This is the default setting for an AP.
2. : The AP and clients use the same static WEP keys to encrypt data.
3. : The AP uses the 802.1x standard to communicate with a RADIUS server and authenticate
clients. The AP generates and distributes dynamic, per-user WEP Keys to each client following successful
authentication.
4. Enable Mixed Mode (802.1x and WEP Encryption): The AP uses 802.1x Mode for clients that support 802.1x (and
have an 802.1x supplicant application installed). The AP uses static WEP Encryption for clients that do not use
802.1x.
5. : The AP uses 802.1x to communicate with a RADIUS server and authenticate clients. The AP
generates and distributes dynamic, per-user encryption keys (based on the Temporal Key Integrity Protocol (TKIP))
to each client following successful authentication. WPA mode provides message integrity checking to guard
against replay-type attacks. This mode is not available for all radio types.
6. : The AP uses a Pre-shared Key (manually configured on both the AP and the clients) to
authenticate clients. The AP generates and distributes dynamic, per-user encryption keys (based on TKIP) to each
client following successful authentication. This mode is for customers who want to use WPA but do not have a
RADIUS server installed on their network. This mode is not available for all radio types.
You configure the AP to use a particular Security mode by setting the Authentication Mode parameter. The following
table summarizes the Authentication Mode options available in the HTTP Interface's Configure > Security >
Authentication screen and describes how each of these options corresponds to the six Security Modes listed above: