SMC Networks EliteConnect SMC2555W-AG2 User Manual page 130

Universal 802.11a/g 2.4 GHz/5 GHz wireless access point

the access point and all wireless clients. The PSK mode uses the same TKIP packet
encryption and key management as WPA in the enterprise, providing a robust and
manageable alternative for small networks.
Mixed WPA and WEP Client Support: WPA enables the access point to indicate its
supported encryption and authentication mechanisms to clients using its beacon
signal. WPA-compatible clients can likewise respond to indicate their WPA support.
This enables the access point to determine which clients are using WPA security
and which are using legacy WEP. The access point uses TKIP unicast data
encryption keys for WPA clients and WEP unicast keys for WEP clients. Because the
global encryption key for multicast and broadcast traffic must be the same for all
clients, it is restricted to a WEP key.
When access is opened to both WPA and WEP clients, no authentication is provided
for the WEP clients through shared keys. To support authentication for WEP clients
in this mixed mode configuration, you can use either MAC authentication or 802.1X
authentication.
WPA2 – WPA was introduced as an interim solution for the vulnerability of WEP
pending the ratification of the IEEE 802.11i wireless security standard. In effect, the
WPA security features are a subset of the 802.11i standard. WPA2 includes the now
ratified 802.11i standard, but also offers backward compatibility with WPA.
Therefore, WPA2 includes the same 802.1X and PSK modes of operation and
support for TKIP encryption. The main differences and enhancements in WPA2 can
be summarized as follows:
• Advanced Encryption Standard (AES): WPA2 uses AES Counter-Mode
encryption with Cipher Block Chaining Message Authentication Code (CBC-MAC)
for message integrity. The AES Counter-Mode/CBC-MAC Protocol (AES-CCMP)
provides extremely robust data confidentiality using a 128-bit key. The AES-CCMP
encryption cipher is specified as a standard requirement for WPA2. However, the
computationally intensive operations of AES-CCMP require hardware support on
client devices. Therefore, to implement WPA2 in the network, wireless clients must
be upgraded to WPA2-compliant hardware.
• WPA2 Mixed-Mode: WPA2 defines a transitional mode of operation for networks
moving from WPA security to WPA2. WPA2 Mixed Mode allows both WPA and
WPA2 clients to associate to a common SSID interface. In mixed mode, the unicast
encryption cipher (TKIP or AES-CCMP) is negotiated for each client. The access
point advertises its supported encryption ciphers in beacon frames and probe
responses. WPA and WPA2 clients select the cipher they support and return the
choice in the association request to the access point. For mixed-mode operation,
the cipher used for broadcast frames is always TKIP. WEP encryption is not
allowed.
• Key Caching: WPA2 provides fast roaming for authenticated clients by retaining
keys and other security information in a cache, so that if a client roams away from
an access point and then returns, re-authentication is not required. When a WPA2
client is first authenticated, it receives a Pairwise Master Key (PMK) that is used to
generate other keys for unicast data encryption. This key and other client
Radio Interface
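
The cipher advertisement described above for both mixed modes can be checked from a captured beacon. The following is an added example, not part of the SMC manual: it parses the WPA and RSN information elements and reports when the broadcast cipher is weaker than the unicast cipher. The function names and sample bytes are constructed for illustration; element IDs and suite selector values follow IEEE 802.11i and the WPA specification.

```python
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
RSN_OUI = bytes.fromhex("000fac")  # suite selectors in the RSN (WPA2) element, ID 48
WPA_OUI = bytes.fromhex("0050f2")  # suite selectors in the WPA vendor element, ID 221

def iter_elements(blob):
    """Yield (element_id, body) per tagged element; stop at a truncated one."""
    pos = 0
    while pos + 2 <= len(blob):
        eid, length = blob[pos], blob[pos + 1]
        body = blob[pos + 2:pos + 2 + length]
        if len(body) < length:
            return
        yield eid, body
        pos += 2 + length

def parse_suites(body, oui):
    """Return (group_cipher, [pairwise_ciphers]) or None if malformed."""
    if len(body) < 8 or body[:2] != b"\x01\x00" or body[2:5] != oui:
        return None
    count = int.from_bytes(body[6:8], "little")
    if len(body) < 8 + 4 * count:
        return None
    name = lambda sel: CIPHERS.get(sel[3], "unknown") if sel[:3] == oui else "unknown"
    return name(body[2:6]), [name(body[8 + 4 * i:12 + 4 * i]) for i in range(count)]

def audit_beacon(blob):
    """Report advertised ciphers and flag a broadcast cipher weaker than CCMP."""
    report = {"protocols": {}, "findings": []}
    for eid, body in iter_elements(blob):
        if eid == 48:
            parsed, proto = parse_suites(body, RSN_OUI), "WPA2"
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":
            parsed, proto = parse_suites(body[4:], WPA_OUI), "WPA"
        else:
            continue
        if parsed:
            report["protocols"][proto] = parsed
    for proto, (group, pairwise) in report["protocols"].items():
        if group.startswith("WEP"):
            report["findings"].append(f"{proto}: group cipher {group}, mixed WPA/WEP mode")
        elif group == "TKIP" and "CCMP" in pairwise:
            report["findings"].append(f"{proto}: CCMP unicast, TKIP broadcast (WPA2 mixed mode)")
    return report

# Constructed sample: SSID "test", then WPA and RSN elements of a WPA2 mixed-mode AP.
SAMPLE = bytes.fromhex("000474657374"
    "dd160050f20101000050f20201000050f20201000050f202"
    "30180100000fac020200000fac04000fac020100000fac020000")
```

Calling `audit_beacon(SAMPLE)` returns the group and pairwise ciphers per protocol plus a list of findings; an empty findings list means no element advertised a WEP or TKIP group cipher alongside stronger unicast ciphers.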