Client access authentication – H3C Technologies H3C WA3600 Series Access Points User Manual
CTR with CBC-MAC protocol (CCMP) is based on the CCM of the AES encryption algorithm. CCM
combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the
integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES
block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP contains a
dynamic key negotiation and management method, so that each wireless client can dynamically
negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP
encryption mechanism. During the encryption process, CCMP uses a 48-bit packet number (PN) to
ensure that each encrypted packet uses a different PN, thus improving the security to a certain extent.
Client access authentication
When a wireless client sets up a wireless link with an AP, the wireless client is considered to have
accessed the wireless network. However, for the security and management of the wireless network, the
wireless client can actually access network resources only after passing the subsequent access
authentication. Among the authentication mechanisms, preshared key (PSK) and 802.1X authentication
accompany the dynamic key negotiation and management of the wireless link, and therefore they are
closely related to wireless link negotiation. However, they are not themselves part of the wireless link.
1. PSK authentication
Both WPA wireless access and WPA2 wireless access support PSK authentication. To implement PSK
authentication, the client and the authenticator must have the same shared key configured.
The 4-way handshake exchanges four 802.1X key packets to negotiate the private keys of the wireless
link on the wireless client side and the AP side, with the preshared key used as the seed key for the
negotiation. During the negotiation, both parties use the seed key to verify each other. The key
negotiation succeeds only when both sides hold the same key; in that case the wireless client passes
PSK access authentication. Otherwise, the wireless client fails PSK access authentication and its
wireless link is torn down.
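The seed-key verification described above, worked through as an added example (this is not code from the H3C manual): the standard WPA2-PSK derivation PMK = PBKDF2(passphrase, SSID), PTK = PRF(PMK, addresses, nonces), and the EAPOL-Key MIC the AP checks in message 2 of the 4-way handshake. The MAC addresses and the EAPOL frame bytes are constructed sample values.

```python
import hashlib
import hmac
import os


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-X: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min/Max(AA,SPA) || Min/Max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)  # KCK(16) | KEK(16) | TK(16) for CCMP


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for WPA2-PSK: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), 16 bytes kept."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def handshake_succeeds(ap_psk: str, client_psk: str, ssid: str) -> bool:
    """Simulate message 2 of the 4-way handshake: the AP recomputes the client's MIC from its own PSK.

    Only when both sides derived the same PMK (same preshared key) do the MICs agree; a mismatch
    is exactly the "key setting differs" failure that makes the AP tear down the link.
    """
    aa = bytes.fromhex("0a1b2c3d4e5f")   # constructed AP MAC address
    spa = bytes.fromhex("1a2b3c4d5e6f")  # constructed client MAC address
    anonce, snonce = os.urandom(32), os.urandom(32)  # nonces from messages 1 and 2
    # Constructed EAPOL-Key message 2 body with the 16-byte Key MIC field zeroed out.
    msg2 = b"\x02\x03\x00\x5f\x02\x01\x0a" + b"\x00" * 8 + snonce + b"\x00" * 48
    client_kck = derive_ptk(wpa2_pmk(client_psk, ssid), aa, spa, anonce, snonce)[:16]
    ap_kck = derive_ptk(wpa2_pmk(ap_psk, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(client_kck, msg2), eapol_mic(ap_kck, msg2))
```

The PMK derivation can be checked against the IEEE 802.11i Annex test vector (passphrase "password", SSID "IEEE").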
2. 802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls accessing devices at the port
level. A device connected to an 802.1X-enabled port of a WLAN access control device can access the
resources on the WLAN only after passing authentication.
3. MAC authentication
MAC authentication provides a way to authenticate users based on ports and MAC addresses. For
this authentication, the user does not need to install any client software. When the device first detects the
MAC address of a user, it starts authentication for that user. During the authentication process, the user
does not need to manually enter a username or password. In WLAN applications, MAC authentication
requires the MAC addresses of the clients that will access the wireless network to be known in advance.
Therefore, MAC authentication is applicable to small-scale networks with relatively fixed users, for
example, SOHO and small offices.
MAC authentication falls into two modes:
• Local MAC authentication: When this authentication mode is adopted, you must configure local
usernames and passwords on the device, and the authentication is performed directly on the device.
Usually, you use the MAC address as the username, so you must know the MAC addresses of
wireless access clients in advance and configure those MAC addresses as usernames. When clients
access the wireless network, only the clients whose MAC addresses exist on the device can pass the
authentication.