ZyXEL Communications WAP3205 User Manual page 140

Hide thumbs Also See for WAP3205:

User manual (260 pages)

Quick start manual (88 pages)

Brochure (2 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

Table of Contents

However, MD5 authentication has some weaknesses. Since the authentication server needs to get the

plaintext passwords, the passwords must be stored. Thus someone other than the authentication server

may access the password file. In addition, it is possible to impersonate an authentication server as MD5

authentication method does not perform mutual authentication. Finally, MD5 authentication method

does not support data encryption with dynamic session key. You must configure WEP encryption keys for

data encryption.

EAP- T L S (T ra nspo rt L a ye r Se c urity)

With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual

authentication. The server presents a certificate to the client. After validating the identity of the server,

the client sends a different certificate to the server. The exchange of certificates is done in the open

before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital

certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAP-

TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management

overhead.

EAP- T T L S (T unne le d T ra nspo rt L a ye r Se rvic e )

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side

authentications to establish a secure connection. Client authentication is then done by sending

username and password through the secure connection, thus client identity is protected. For client

authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP,

MS-CHAP and MS-CHAP v2.

PEAP (Pro te c te d EAP)

Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use

simple username and password methods through the secured connection to authenticate the clients,

thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2

and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by

Cisco.

L EAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.

Dyna m ic WEP Ke y Exc ha ng e

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless

connection times out, disconnects or re-authentication times out. A new WEP key is generated each

time re-authentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security

configuration screen. You may still configure and store keys, but they will not be used while dynamic

WEP is enabled.

Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for

data encryption. They are often deployed in corporate environments, but for public deployment, a

Appendix D Wireless LANs

WAP3205 v3 User's Guide

140

Table of Contents

ZyXEL Communications WAP3205 User Manual page 140

Related Manuals for ZyXEL Communications WAP3205

Related Products for ZyXEL Communications WAP3205

Table of Contents