Advanced configuration, Configuring security settings – HP ProCurve 520wl Wireless Access Point User Manual

Advanced Configuration

WPA provides the following new security measures not available with WEP:
• Improved packet encryption using the Temporal Key Integrity Protocol (TKIP) and the Michael Message Integrity Check (MIC).
• Per-user, per-session dynamic encryption keys:
  - Each client uses a different key to encrypt and decrypt unicast packets exchanged with the AP
  - A client's key is different for every session; it changes each time the client associates with an AP
  - The AP uses a single global key to encrypt broadcast packets that are sent to all clients simultaneously
  - Encryption keys change periodically based on the Re-keying Interval parameter
  - WPA uses 128-bit encryption keys
• Dynamic Key distribution
  - The AP generates and maintains the keys for its clients
  - The AP securely delivers the appropriate keys to its clients
• Client/server mutual authentication
  - 802.1x
  - Pre-shared key (for networks that do not have an 802.1x solution implemented)

NOTE

For more information on WPA, see the Wi-Fi Alliance Web site at http://www.wi-fi.org.

The AP supports two WPA authentication modes:
• WPA: The AP uses 802.1x to authenticate clients. You should only use an EAP that supports mutual authentication and session key generation, such as EAP-TLS, EAP-TTLS, and PEAP. See 802.1x Authentication for details.
• WPA-PSK (Pre-Shared Key): For networks that do not have 802.1x implemented, you can configure the AP to authenticate clients based on a Pre-Shared Key. This is a shared secret that is manually configured on the AP and each of its clients. The Pre-Shared Key must be 256 bits long, which is 64 hexadecimal digits. The AP also supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).
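
The pass-phrase-to-key step described above, as an added example that is not part of the HP manual. It assumes the AP follows the standard WPA mapping from IEEE 802.11i (PBKDF2-HMAC-SHA1 over the pass phrase, with the SSID as salt and 4096 iterations), which the manual does not spell out; the function names are hypothetical, and the sample values are the published 802.11i test vector.

```python
import hashlib
import hmac
import string

HEX_PSK_LEN = 64  # 256 bits written as hexadecimal digits, per the manual


def normalize_hex_psk(psk_hex: str) -> bytes:
    """Validate a manually entered Pre-Shared Key and return its 32 raw bytes."""
    psk_hex = psk_hex.strip()
    if len(psk_hex) != HEX_PSK_LEN:
        raise ValueError(f"PSK must be {HEX_PSK_LEN} hex digits, got {len(psk_hex)}")
    if not all(c in string.hexdigits for c in psk_hex):
        raise ValueError("PSK contains non-hexadecimal characters")
    return bytes.fromhex(psk_hex)


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Assumed mapping (IEEE 802.11i): PBKDF2-HMAC-SHA1, SSID salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pass phrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("pass phrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def ap_and_client_agree(ap_psk_hex: str, client_passphrase: str, ssid: str) -> bool:
    """True when a hex PSK set on the AP equals the key a client derives
    from its pass phrase; the SSID matters because it is the salt."""
    ap_key = normalize_hex_psk(ap_psk_hex)
    client_key = psk_from_passphrase(client_passphrase, ssid)
    return hmac.compare_digest(ap_key, client_key)


if __name__ == "__main__":
    # Sample values: IEEE 802.11i test vector (pass phrase "password", SSID "IEEE")
    key = psk_from_passphrase("password", "IEEE")
    print("derived PSK:", key.hex())
    print("AP and client agree:", ap_and_client_agree(key.hex(), "password", "IEEE"))
    print("after SSID change:", ap_and_client_agree(key.hex(), "password", "IEEE-2"))
```

Because the SSID is the salt, a hex key entered on the AP stops matching pass-phrase clients as soon as the network name changes.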

Configuring Security Settings

You can configure each wireless interface to operate in one of the following Security modes:
1. No Security: This is the default setting for an AP.
2. Enable WEP Encryption: The AP and clients use the same static WEP keys to encrypt data.
3. Enable 802.1x Security: The AP uses the 802.1x standard to communicate with a RADIUS server and authenticate clients. The AP generates and distributes dynamic, per user WEP Keys to each client following successful authentication.
4. Enable Mixed Mode (802.1x and WEP Encryption): The AP uses 802.1x Mode for clients that support 802.1x (and have an 802.1x supplicant application installed). The AP uses static WEP Encryption for clients that do not use 802.1x.
5. Enable WPA Mode: The AP uses 802.1x to communicate with a RADIUS server and authenticate clients. The AP generates and distributes dynamic, per user encryption keys (based on the Temporal Key Integrity Protocol (TKIP)) to each client following successful authentication. WPA mode provides message integrity checking to guard against replay type attacks. This mode is not available for all radio types.
6. Enable WPA-PSK Mode: The AP uses a Pre-shared Key (manually configured on both the AP and the clients) to authenticate clients. The AP generates and distributes dynamic, per user encryption keys (based on TKIP) to each client following successful authentication. This mode is for customers who want to use WPA but do not have a RADIUS server installed on their network. This mode is not available for all radio types.

You configure the AP to use a particular Security mode by setting the Authentication Mode parameter. The following table summarizes the Authentication Mode options available in the HTTP Interface's Configure > Security > Authentication screen and describes how each of these options corresponds to the six Security Modes listed above:
