D-Link DWS-1008 User Manual page 185

DWS-1008 User's Manual
Note: For a MAC client that authenticates using a PSK, the RADIUS servers or local database
still must contain an authentication rule for the client, to assign the client to a VLAN.
WPA Information Element
A WPA information element (IE) is a set of extra fields in a wireless frame that contain WPA
information for the access point or client. To enable WPA support in a service profile, you
must enable the WPA IE. The following types of wireless frames can contain a WPA IE:
• Beacon (sent by a DWL-8200AP access point) - The WPA IE in a beacon frame
advertises the cipher suites and authentication methods that a DWL-8200AP radio
supports for the encrypted SSID. The WPA IE also lists the cipher suites that the radio
uses to encrypt broadcast and multicast frames. A DWL-8200AP radio always uses the
least secure of the cipher suites to encrypt broadcast and multicast frames to ensure
that all clients associated with the SSID can decrypt the frames. A DWL-8200AP radio
uses the most secure cipher suite supported by both the radio and a client to encrypt
unicast traffic to that client.
• Probe response (sent by a DWL-8200AP radio) - The WPA IE in a probe response
frame lists the same WPA information that is contained in the beacon frame.
• Association request or reassociation (sent by a client) - The WPA IE in an association
request lists the authentication method and cipher suite the client wants to use.
Client Support
To use the TKIP or CCMP cipher suite for encryption, a client must support WPA. However,
a DWL-8200AP radio configured for WPA can support non-WPA clients who use dynamic
WEP or static WEP. If the WPA IE is enabled in the service profile used by an SSID supported
by the radio, and the 40-bit WEP or 104-bit WEP cipher suite also is enabled in the service
profile, MSS allows a non-WPA client to authenticate using WEP under the following
circumstances:
• If a client wants to authenticate using dynamic WEP, MSS uses 802.1X to authenticate
the client if either the WEP40 or WEP104 cipher suite is enabled for WPA.
• If a client wants to authenticate using static WEP, the radio checks for the static WEP
key presented by the client. If the keys match, MSS authenticates the client. Because
the WEP key is static, MSS does not use 802.1X to authenticate the client.
To allow a non-WPA client that uses dynamic WEP to be authenticated by a radio on which
WPA IE is enabled, enable the WEP40 or WEP104 cipher suite in the service profile for the
SSID the client will access. To prevent non-WPA clients that use dynamic WEP from being
authenticated, do not enable the WEP40 or WEP104 cipher suite in the service profile.
To allow a client that uses static WEP to be authenticated, configure the same WEP keys on
the client and the service profile.
D-Link Systems, Inc. D-Link Systems, Inc.
Configuring User Encryption
180 180