Client access authentication – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
• Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP
replaces a single static key with a base key generated by an authentication server. TKIP
dynamic keys cannot be easily deciphered.
• Third, TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the
MIC, the data may have been tampered with, and the system may be under attack. If two packets
fail the MIC within a certain period, the AP automatically takes countermeasures: it stops
providing service for a certain period to prevent further attacks.
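The MIC countermeasure described above is simple bookkeeping on the AP side: remember the times of recent MIC failures and, on the second failure inside the window, refuse service for a hold-down period. The following is an added illustration of that logic, not H3C's code; the manual only says "a certain period", so the 60-second failure window and the 60-second hold-down below are assumed values chosen for the example.

```python
"""Added example: TKIP MIC-failure countermeasure bookkeeping as an AP might
keep it.  Not H3C code.  The 60 s failure window and 60 s hold-down are
assumptions for illustration (the manual only says 'a certain period')."""
from collections import deque

MIC_FAILURE_WINDOW = 60.0   # seconds; assumed window in which two failures count
COUNTERMEASURE_HOLD = 60.0  # seconds; assumed length of the service suspension


class TkipCountermeasures:
    """Tracks MIC failures for one BSS and suspends service after two failures
    inside MIC_FAILURE_WINDOW."""

    def __init__(self, window=MIC_FAILURE_WINDOW, hold=COUNTERMEASURE_HOLD):
        self.window = window
        self.hold = hold
        self.failures = deque()      # timestamps of recent MIC failures
        self.suspended_until = 0.0   # time until which service is refused

    def in_countermeasure(self, now):
        return now < self.suspended_until

    def report_packet(self, now, mic_ok):
        """Process one received frame at time `now` (seconds).
        Returns 'accept', 'drop' or 'countermeasure'."""
        if self.in_countermeasure(now):
            return "drop"            # service suspended: nothing is processed
        if mic_ok:
            return "accept"
        # Forget failures that fell out of the window before counting this one.
        while self.failures and now - self.failures[0] > self.window:
            self.failures.popleft()
        self.failures.append(now)
        if len(self.failures) >= 2:
            self.suspended_until = now + self.hold
            self.failures.clear()
            return "countermeasure"  # second failure in the window: stop service
        return "drop"                # single failure: discard the frame only
```

A single MIC failure only discards the frame; the suspension is triggered by the second failure within the window, and frames arriving during the suspension are dropped regardless of their MIC result.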
4. CCMP encryption
CTR with CBC-MAC protocol (CCMP) is based on the CCM of the AES encryption algorithm. CCM
combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the
integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The
AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP
contains a dynamic key negotiation and management method, so that each wireless client can
dynamically negotiate a key suite, which can be updated periodically to further enhance the
security of the CCMP encryption mechanism. During the encryption process, CCMP uses a 48-bit
packet number (PN) to make sure each encrypted packet uses a different PN, improving the
security to a certain extent.
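The 48-bit packet number (PN) mentioned above is what lets a receiver reject replayed CCMP frames: the PN of each accepted frame must be strictly greater than the last one accepted from the same transmitter under the same key. The following added example shows that receiver-side check; it is not H3C code. The 8-byte CCMP header layout it parses (PN0, PN1, reserved, KeyID/ExtIV, PN2..PN5) is the IEEE 802.11 layout rather than something the manual spells out, and the frames it checks are constructed inline.

```python
"""Added example: receiver-side CCMP replay check on the 48-bit PN.
Not H3C code.  Header layout assumed from IEEE 802.11; sample frames are
constructed by build_ccmp_header()."""

PN_MAX = (1 << 48) - 1


def parse_ccmp_header(hdr):
    """Extract (pn, key_id) from an 8-byte CCMP header; raise on malformed input."""
    if len(hdr) != 8:
        raise ValueError("CCMP header must be 8 bytes")
    if not hdr[3] & 0x20:                      # ExtIV bit must be set for CCMP
        raise ValueError("ExtIV bit not set")
    pn = (hdr[7] << 40 | hdr[6] << 32 | hdr[5] << 24 |
          hdr[4] << 16 | hdr[1] << 8 | hdr[0])   # PN5..PN2 then PN1, PN0
    key_id = hdr[3] >> 6
    return pn, key_id


class CcmpReplayCounter:
    """One replay counter per (transmitter, key ID).  A frame is accepted only
    if its PN is strictly greater than the last accepted PN for that pair."""

    def __init__(self):
        self.last_pn = {}                      # (ta, key_id) -> last accepted PN

    def check(self, ta, hdr):
        """Return True if the frame passes the replay check and record its PN."""
        pn, key_id = parse_ccmp_header(hdr)
        k = (ta, key_id)
        if pn <= self.last_pn.get(k, -1):
            return False                       # replayed or reordered: discard
        self.last_pn[k] = pn
        return True


def build_ccmp_header(pn, key_id=0):
    """Constructed helper: pack a PN and key ID into the 8-byte CCMP header."""
    if not 0 <= pn <= PN_MAX:
        raise ValueError("PN out of range")
    b = pn.to_bytes(6, "little")               # b[0] = PN0 ... b[5] = PN5
    return bytes([b[0], b[1], 0x00, 0x20 | (key_id << 6), b[2], b[3], b[4], b[5]])
```

Because the PN space is 48 bits, a key would have to protect roughly 2.8 x 10^14 frames before the counter could wrap, which is why the periodic key update the text mentions keeps the mechanism sound in practice.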
Client access authentication
1. PSK authentication
To implement pre-shared key (PSK) authentication, the client and the authenticator must have the
same shared key configured. Otherwise, the client cannot pass PSK authentication.
2. 802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls accessing devices at
the port level. A device connected to an 802.1X-enabled port of a WLAN access control device
can access the resources on the WLAN only after passing authentication.
3. MAC authentication
MAC address authentication does not require any client software. The MAC address of a client is
compared against a predefined list of allowed MAC addresses. If a match is found, the client
passes the authentication and can access the WLAN; if not, the authentication fails and access is denied.
The entire process does not require the user to enter a username or password. This type of
authentication is suited to small networks (such as homes and small offices) with a fixed set of clients.
MAC address authentication can be done locally or through a RADIUS server.
• Local MAC address authentication—A list of usernames and passwords (the MAC addresses of
allowed clients) is created on the wireless access device to authenticate the clients. Only clients
whose MAC addresses are included in the list can pass the authentication and access the
WLAN.
• MAC address authentication through RADIUS server—The wireless access device serves as the
RADIUS client and sends the MAC address of each requesting client to the RADIUS server. If the
client passes the authentication on the RADIUS server, the client can access the WLAN within
the authorization assigned by the RADIUS server. In this authentication mode, if different
domains are defined, the authentication information of different SSIDs is sent to different RADIUS
servers according to their domains.
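The two MAC-authentication modes just described, as an added simulation rather than H3C code: in local mode the allowed MAC addresses themselves act as the username/password list on the access device; in RADIUS mode the device forwards the MAC to whichever server the SSID's domain maps to and applies the authorization the server returns. The MAC addresses, SSIDs, domain names and the in-memory "RADIUS servers" below are all constructed for the example, and the real RADIUS exchange is replaced by a dictionary lookup.

```python
"""Added example: local and RADIUS-based MAC authentication as a simulation.
Not H3C code.  All MACs, SSIDs, domains and server contents are constructed;
SimulatedRadiusServer stands in for a real RADIUS server."""
import re

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonical lower-case 12-hex-digit form so that '00-1A-2B-3C-4D-5E',
    '00:1a:2b:3c:4d:5e' and '001a2b3c4d5e' compare equal."""
    m = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_RE.match(m):
        raise ValueError("invalid MAC address: %r" % (mac,))
    return m


class LocalMacAuth:
    """Local mode: the list of allowed MAC addresses is the credential list."""

    def __init__(self, allowed):
        self.allowed = {normalize_mac(m) for m in allowed}

    def authenticate(self, mac):
        """True if the client's MAC is on the local list, else False."""
        return normalize_mac(mac) in self.allowed


class SimulatedRadiusServer:
    """Stand-in for a RADIUS server: maps MAC 'users' to an authorization
    (here a dict such as {'vlan': 10}) returned on Access-Accept."""

    def __init__(self, users):
        self.users = {normalize_mac(m): auth for m, auth in users.items()}

    def access_request(self, mac):
        """Return the authorization on Access-Accept, None on Access-Reject."""
        return self.users.get(normalize_mac(mac))


class RadiusMacAuth:
    """RADIUS mode on the access device: each SSID is bound to a domain and
    each domain to the RADIUS server that authenticates it."""

    def __init__(self, ssid_to_domain, domain_to_server):
        self.ssid_to_domain = ssid_to_domain
        self.domain_to_server = domain_to_server

    def authenticate(self, ssid, mac):
        """Forward the MAC to the server for the SSID's domain.
        Returns the server's authorization, or None if rejected or unroutable."""
        domain = self.ssid_to_domain.get(ssid)
        server = self.domain_to_server.get(domain)
        if server is None:
            return None          # SSID has no domain or domain has no server
        return server.access_request(mac)
```

The normalization step matters in practice: MAC lists are often entered in mixed separators and case, and a comparison done on raw strings would silently deny legitimate clients.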