Configuring Wired Equivalent Privacy - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual


Configuring ScreenOS Devices Guide

Configuring Wired Equivalent Privacy

The Wi-Fi Protected Access (WPA) method patches many of the security vulnerabilities
found in WEP, greatly enhancing payload integrity checks and the key exchange process.
You can use WPA in one of the following modes:

WPA Mode—In this mode, also known as Enterprise Mode, the device uses the Extensible
Authentication Protocol (EAP) for authentication through an 802.1X-compliant RADIUS
server (such as the OAC RADIUS server and the Microsoft IAS RADIUS server). When
handling wireless traffic, the device forwards authentication requests and replies
between the wireless clients and the RADIUS server; after successfully authenticating
a client, the RADIUS server sends an encryption key to both the client and to the device.
The device itself manages the encryption process using Temporal Key Integrity Protocol
(TKIP) or Advanced Encryption Standard (AES).

WPA-PSK—In this mode, also known as Personal Mode, the device uses preshared
keys (PSKs) or a passphrase for authentication and encryption. Keys are stored on the
device and on all wireless clients; you do not need to configure a separate authentication
server.

NOTE: For details about TKIP, see the IEEE standard 802.11. For details about
AES, see RFC 3268, "Advanced Encryption Standard (AES) Ciphersuites for
Transport Layer Security (TLS)."

For details on configuring WPA, see "Using Wi-Fi Protected Access" on page 395.
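
The following is an added illustration, not part of the Juniper guide: in WPA-PSK mode a passphrase is not used as the key directly; IEEE 802.11i derives the 256-bit PSK from it with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations. The function names are hypothetical, and the second SSID is a constructed sample value.

```python
import hashlib
import string


def derive_wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA pre-shared key from a passphrase (IEEE 802.11i).

    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def resolve_psk(value: str, ssid: str) -> bytes:
    """Treat 64 hex digits as a raw PSK; anything else as a passphrase."""
    if len(value) == 64 and all(ch in string.hexdigits for ch in value):
        return bytes.fromhex(value)
    return derive_wpa_psk(value, ssid)


if __name__ == "__main__":
    # Test values published in IEEE 802.11i (passphrase "password", SSID "IEEE").
    print(derive_wpa_psk("password", "IEEE").hex())
    # Same passphrase on a different (constructed) SSID yields an unrelated key.
    print(derive_wpa_psk("password", "branch-office-wlan").hex())
```

Because the SSID is the salt, changing the SSID changes the derived key even when the passphrase stays the same.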

Although you can configure WEP for all the basic service sets (BSSs), the NetScreen-5GT
Wireless device intentionally restricts its use to only one BSS at a time.

Auto—When selected, the device automatically negotiates with wireless clients whether
or not the client authenticates itself with a WEP shared key (the device accepts either
open or shared-key authentication). Use this option to improve compatibility
between the WAP and wireless devices using various operating systems that support
different implementations of WEP.

Open—When selected, a wireless client must provide the SSID to the device before
the device authenticates the client. For encryption, select one of the following:

    None—When selected, no encryption is performed.

    WEP—When enabled, an authenticated wireless client must provide a WEP key to
    the device before the client can encrypt and decrypt communication over the WLAN.

Because the Open option is insecure (especially if the device is configured to
broadcast the SSID), we recommend that you also enable WEP encryption.

When using WEP encryption, you must also select a key source, which specifies the
location of the WEP key:

None or Local—The key is stored on the security device. This is the default key source
when None is selected. When enabled, you must configure a default WEP key on the
security device.

Copyright © 2010, Juniper Networks, Inc.
