Creating SSIDs; BSAP Authentication Options - ADTRAN BlueSecure Controller Setup and Administration Manual

Software release version: 6.5

Chapter 12: BlueSecure Access Points
Note: Only one SSID is supported on the BSAP-1700's 11a radio.

Creating SSIDs

As part of the BSAP configuration, you can create a pool of Service Set Identifiers (SSIDs)
that you can assign to BSAPs (maximum of 8 per radio). By assigning multiple SSIDs to a
particular radio, the radio is virtualized and each SSID can have a unique security profile
and also be mapped to a unique VLAN.
As part of the SSID configuration, you must define how wireless clients connecting to the
BSAP are to be authenticated and how data transmitted from the BSAP is to be encrypted.
See "BSAP Authentication Options" on page 12-20.
See "BSAP Data Encryption Options" on page 12-21.
See "SSID Configuration Procedure" on page 12-22.

BSAP Authentication Options

Possible BSAP authentication options are:
Open System
SSIDs are configured by default as "open system." In this mode, no 802.11
authentication is performed before a client connects to the AP. Also, if no cipher is
selected, all packets from an open system SSID are transmitted as clear text. If WEP is
selected, the client's traffic is encrypted using WEP.
Shared Key
Sets the BSAP to use WEP shared keys, meaning that before a client connects to the AP,
the client must authenticate by properly deciphering a challenge text from the AP using
the shared static WEP key. If this option is selected, you must configure at least one WEP
key on the BSAP and all clients.
WPA
Wi-Fi Protected Access (WPA) provides improved data encryption that was largely
missing in WEP. WPA uses the following security mechanisms.
Temporal Key Integrity Protocol (TKIP). TKIP provides data encryption enhancements
including per-packet key hashing (i.e., changing the encryption key on each packet),
a message integrity check, an extended initialization vector with sequencing rules,
and a re-keying mechanism.
Enterprise-level User Authentication via 802.1x and EAP - To strengthen user
authentication, WPA uses 802.1x and the Extensible Authentication Protocol (EAP).
Used together, these protocols provide strong user authentication via a central
RADIUS authentication server that authenticates each user on the network before they
join it. WPA also employs "mutual authentication" to prevent a wireless client from
accidentally joining a rogue network.
Clients are authenticated using 802.1x via a RADIUS server. Each client has to be WPA-
enabled or support 802.1x client software. A RADIUS server must also be configured and
be available in the wired network.
Keys are generated for each wireless client associating with the BSAP. These keys are
regenerated periodically, and also each time the wireless client is re-authenticated.
WPA-PSK
For enterprise deployment, WPA requires a RADIUS authentication server to be
configured on the wired network. However, for small office networks that may not have
the resources to configure and maintain a RADIUS server, WPA provides a simple
operating mode that uses just a pre-shared password for network access. The Pre-Shared
Key mode uses a common password for user authentication that is manually entered on
12-20
Only Use Selected SSIDs - The BSAP will use only those SSIDs selected in the
Select SSID picklist.
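
The limits and prerequisites stated above (8 SSIDs per radio, one SSID on the BSAP-1700's 11a radio, a WEP key for Shared Key, a RADIUS server for WPA) can be checked against a planned SSID layout before it is entered on the controller. The Python below is an added example, not part of the ADTRAN manual or the BSC software; the record fields (`ap`, `model`, `radio`, `auth`, `cipher`, `wep_keys`, `radius`), the `11bg` radio label and the sample plan are assumptions constructed for illustration.

```python
from collections import Counter

MAX_SSIDS_PER_RADIO = 8  # manual: maximum of 8 SSIDs per radio

def audit_ssid_plan(plan):
    """Return sorted (ap, radio, ssid, finding) tuples for a planned SSID layout."""
    findings = []
    # Count SSIDs per physical radio; the BSAP-1700 11a radio supports only one.
    per_radio = Counter((e["ap"], e["model"], e["radio"]) for e in plan)
    for (ap, model, radio), count in per_radio.items():
        limit = 1 if (model == "BSAP-1700" and radio == "11a") else MAX_SSIDS_PER_RADIO
        if count > limit:
            findings.append((ap, radio, "*", f"{count} SSIDs assigned, limit is {limit}"))
    for e in plan:
        auth, cipher, issue = e["auth"], e.get("cipher"), None
        if auth == "open" and cipher is None:
            issue = "open system with no cipher: traffic is sent as clear text"
        elif auth == "shared-key" and e.get("wep_keys", 0) < 1:
            issue = "Shared Key selected but no WEP key is configured"
        elif auth == "wpa" and not e.get("radius"):
            issue = "WPA (802.1x) selected but no RADIUS server is configured"
        elif cipher == "wep":
            issue = "static WEP key in use; WPA provides improved encryption"
        if issue:
            findings.append((e["ap"], e["radio"], e["ssid"], issue))
    return sorted(findings)

# Constructed sample plan (hypothetical field names, not a BSC export format).
SAMPLE_PLAN = [
    {"ap": "ap-lobby", "model": "BSAP-1700", "radio": "11a", "ssid": "corp",
     "auth": "wpa", "cipher": "tkip", "radius": "radius.example.internal"},
    {"ap": "ap-lobby", "model": "BSAP-1700", "radio": "11a", "ssid": "guest",
     "auth": "open", "cipher": None},
    {"ap": "ap-lobby", "model": "BSAP-1700", "radio": "11bg", "ssid": "scanners",
     "auth": "shared-key", "cipher": "wep", "wep_keys": 0},
    {"ap": "ap-lobby", "model": "BSAP-1700", "radio": "11bg", "ssid": "lab",
     "auth": "wpa", "cipher": "tkip", "radius": None},
]

if __name__ == "__main__":
    for row in audit_ssid_plan(SAMPLE_PLAN):
        print(" | ".join(row))
```

A row whose SSID column is `*` refers to the radio as a whole rather than to one SSID.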
