Authentication Protocol Hierarchy; Vlans And Security Profiles - ORiNOCO AP-600 User Manual

Performing Advanced Configuration
Each client uses a different key to encrypt and decrypt unicast packets exchanged with the AP
A client's key is different for every session; it changes each time the client associates with an AP
The AP uses a single global key to encrypt broadcast packets that are sent to all clients simultaneously
Encryption keys change periodically based on the Re-keying Interval parameter
WPA uses 128-bit encryption keys
Dynamic Key distribution:
  The AP generates and maintains the keys for its clients
  The AP securely delivers the appropriate keys to its clients
Client/server mutual authentication:
  802.1x
  Pre-shared key (for networks that do not have an 802.1x solution implemented)
NOTE
For more information on WPA, see the Wi-Fi Alliance Web site at http://www.wi-fi.org.
The AP supports the following WPA authentication modes:
WPA: The AP uses 802.1x to authenticate clients. You should only use an EAP that supports mutual authentication
and session key generation, such as EAP-TLS, EAP-TTLS, and PEAP. See 802.1x Authentication for details.
WPA-PSK (Pre-Shared Key): For networks that do not have 802.1x implemented, you can configure the AP to
authenticate clients based on a Pre-Shared Key. This is a shared secret that is manually configured on the AP and
each of its clients. The Pre-Shared Key must be 256 bits long, which is 64 hexadecimal digits. The AP also
supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared Key (so a user can enter an
easy-to-remember phrase rather than a string of characters).
802.11i (also known as WPA2): The AP authenticates clients according to the 802.11i draft standard, using 802.1x
authentication, an AES cipher, and re-keying.
802.11i-PSK (also known as WPA2 PSK): The AP uses an AES cipher, and authenticates clients based on a
Pre-Shared Key. The Pre-Shared Key must be 256 bits long, which is 64 hexadecimal digits. The AP also
supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared Key (so a user can enter an
easy-to-remember phrase rather than a string of characters).
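
The manual does not say how the PSK Pass Phrase option produces the 256-bit key. The added example below (not code from the manual or the AP firmware) uses the standard IEEE 802.11i pass-phrase mapping and assumes the AP follows it; it also checks the 64-hexadecimal-digit form. The function names and the "Guest" Network Name are this example's own.

```python
import hashlib
import string

PSK_BYTES = 32  # 256 bits, i.e. 64 hexadecimal digits, as the manual requires


def parse_hex_psk(text: str) -> bytes:
    """Accept a raw Pre-Shared Key only if it is exactly 64 hex digits."""
    if len(text) != 2 * PSK_BYTES or any(c not in string.hexdigits for c in text):
        raise ValueError("Pre-Shared Key must be exactly 64 hexadecimal digits")
    return bytes.fromhex(text)


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pass phrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("pass phrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, 4096, PSK_BYTES
    )


if __name__ == "__main__":
    # Constructed sample values: "password"/"IEEE" is the published
    # IEEE 802.11i test case; "Guest" is a made-up second Network Name.
    psk = passphrase_to_psk("password", "IEEE")
    print("IEEE :", psk.hex())
    # The SSID is the salt, so the same phrase on another Network Name
    # yields a different key; a renamed SSID needs the key re-derived.
    print("Guest:", passphrase_to_psk("password", "Guest").hex())
    # A derived key is valid input for the 64-hex-digit field.
    print("round trip ok:", parse_hex_psk(psk.hex()) == psk)
```

Because the Network Name is the salt, a key entered as 64 hexadecimal digits stays valid if the SSID changes, while a key entered as a pass phrase has to be derived again on the AP and on every client.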

Authentication Protocol Hierarchy

There is a hierarchy of authentication protocols defined for the AP.
The hierarchy is as follows, from highest to lowest:
802.1x authentication
MAC Access Control via RADIUS Authentication
MAC Access Control through individual APs' MAC Access Control Lists
If you have both 802.1x and MAC authentication enabled, the 802.1x results will take effect. This is required in
order to propagate the WEP keys to the clients in such cases. Once you disable 802.1x on the AP, you will see
the effects of MAC authentication.

VLANs and Security Profiles

The AP-600 allows you to segment wireless networks into multiple sub-networks based on Network Name (SSID) and
VLAN membership. A Network Name (SSID) identifies a wireless network. Clients associate with Access Points that
share an SSID. During installation, the Setup Wizard prompts you to configure a Primary Network Name for each
wireless interface.
After initial setup and once VLAN is enabled, the AP can be configured to support up to 16 SSIDs per wireless
interface to segment wireless networks based on VLAN membership.
Each VLAN can be associated with a Security Profile and RADIUS Server Profiles. A Security Profile defines the allowed
wireless clients, and authentication and encryption types. Refer to VLANs and Security Profiles for configuration
details.
The ability to configure up to 16 VLAN/SSID pairs and to configure a security profile per SSID is available only
for AP-600a/b/g and AP-600b/g.
