
Client access authentication – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has the following advantages over WEP and protects the WLAN more securely:

TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP encryption uses the 128-bit RC4 encryption algorithm and increases the length of IVs from 24 bits to 48 bits.

TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.

TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data might have been tampered with, and the system might be under attack. If two packets fail the MIC within a specific period, the AP automatically takes countermeasures: while the countermeasures are in effect, it stops providing service in order to prevent attacks.

AES-CCMP encryption

Counter mode with CBC-MAC Protocol (CCMP) is based on the CCM mode of the AES encryption algorithm. CCM combines CTR mode for confidentiality with CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Like TKIP, CCMP includes a dynamic key negotiation and management method, so that each wireless client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP encryption mechanism. During encryption, CCMP uses a 48-bit packet number (PN) to make sure each encrypted packet uses a different PN, which improves security.

Client access authentication

PSK authentication
To implement PSK authentication, the client and the authenticator must have the same shared key
configured. Otherwise, the client cannot pass pre-shared key (PSK) authentication.

802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls access devices at the port level. A device connected to an 802.1X-enabled port of a WLAN access control device can access the resources on the WLAN only after it passes authentication.
The administrators of access devices can choose RADIUS or local authentication to work with 802.1X for authenticating users. For more information about remote/local 802.1X authentication, see "Configuring 802.1X."

MAC authentication
MAC authentication provides a method to authenticate users based on ports and MAC addresses. You can configure permitted MAC address lists to filter the MAC addresses of clients. However, efficiency drops as the number of clients increases, so MAC authentication is suitable for environments without high security requirements, for example, SOHO and small offices.
MAC authentication includes the following modes:

Local MAC authentication—When this authentication mode is used, you must configure a permitted MAC address list on the device. If the MAC address of a client is not in the list, its access request is denied.