
MU Authentication - Extreme Networks Summit WM3000 Series Reference Manual

Summit wm3000 series controller system software version 4.0


WEP
Wired Equivalent Privacy (WEP) is an encryption scheme used to secure wireless networks. WEP was
intended to provide comparable confidentiality to a traditional wired network, hence the name. WEP
had many serious weaknesses and hence was superseded by Wi-Fi Protected Access (WPA). Regardless,
WEP still provides a level of security that can deter casual snooping. For more information on
configuring WEP for a target WLAN, see "Configuring WEP 64" on page 140 or "Configuring WEP 128" on
page 142.
WEP uses passwords entered manually at both ends (pre-shared keys). Using the RC4 encryption
algorithm, WEP originally specified a 40-bit key, which was later extended to 104 bits. Combined with
a 24-bit initialization vector, WEP is often touted as having a 128-bit key.
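The seed construction described above, as an added example that is not part of the Extreme Networks manual: it builds the per-frame RC4 seed from the 24-bit IV and the shared key, shows how many of the advertised bits are secret, and estimates how soon a randomly chosen IV repeats. The function names are hypothetical and the key and IV are constructed sample values.

```python
import math

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Return the first n bytes of RC4 keystream for the given seed."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_seed(iv: bytes, key: bytes) -> bytes:
    """Per-frame RC4 seed: the 24-bit IV followed by the 40- or 104-bit shared key."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 3 bytes; key must be 5 or 13 bytes")
    return iv + key

def secret_bits(key: bytes) -> int:
    """Bits of the seed that are secret; the IV is sent in the clear with each frame."""
    return len(key) * 8

def frames_until_iv_repeat(probability: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday estimate of random IVs drawn before a repeat is this likely."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - probability))))

if __name__ == "__main__":
    key = bytes.fromhex("0102030405060708090a0b0c0d")   # constructed 104-bit key
    iv_a, iv_b = bytes.fromhex("a1b2c3"), bytes.fromhex("a1b2c4")  # constructed IVs
    seed = wep_seed(iv_a, key)
    print(len(seed) * 8, "bit seed, of which", secret_bits(key), "bits are secret")
    # Two frames sent under the same IV are encrypted with the same keystream.
    print("IV reuse repeats keystream:",
          rc4_keystream(seed, 16) == rc4_keystream(wep_seed(iv_a, key), 16))
    print("different IV changes keystream:",
          rc4_keystream(seed, 16) != rc4_keystream(wep_seed(iv_b, key), 16))
    print("frames for a 50% chance of IV repeat:", frames_until_iv_repeat())
```

The small IV space is why WEP keystreams repeat on a busy WLAN regardless of whether the 40-bit or 104-bit key is configured.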
WPA
WPA is designed for use with an 802.1X authentication server, which distributes different keys to each
user. However, it can also be used in a less secure pre-shared key (PSK) mode, where every user is given
the same passphrase.
WPA uses Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used.
When combined with the much larger Initialization Vector, it defeats well-known key recovery attacks
on WEP. For information on configuring WPA for a WLAN, see "Configuring WPA/WPA2 using TKIP
and CCMP" on page 143.
WPA2
WPA2 uses a sophisticated key hierarchy that generates new encryption keys each time an MU associates
with an Access Point. Protocols including 802.1X, EAP and Radius are used for strong authentication.
WPA2 also supports the TKIP and the AES-Counter Mode CBC-MAC Protocol (AES-CCMP) encryption
protocols. For information on configuring WPA for a WLAN, see "Configuring WPA/WPA2 using
TKIP and CCMP" on page 143.

MU Authentication

The controller uses the following authentication schemes for MU association:
802.1x EAP
MAC ACL
Refer to "Editing the WLAN Configuration" on page 113 for additional information.
802.1x EAP
802.1x EAP is the most secure authentication mechanism for wireless networks and includes
EAP-TLS, EAP-TTLS and PEAP. The controller is a proxy for Radius packets. An MU does a full 802.11
authentication and association and begins transferring data frames. The controller realizes the MU
needs to authenticate with a Radius server and denies any traffic not Radius related. Once Radius
completes its authentication process, the MU is allowed to send other data traffic. You can use either an
internal or an external Radius server for authentication. For information on configuring
802.1x EAP for a WLAN, see "Configuring 802.1x EAP" on page 119.
MAC ACL
The MAC ACL feature is basically a dynamic MAC ACL where MUs are allowed/denied access to the
network based on their configuration on the Radius server. The controller allows 802.11 authentication
and association, then checks with the Radius server to see if the MAC address is allowed on the
network. The Radius packet uses the MAC address of the MU as both the username and password (this
Summit WM3000 Series Controller System Reference Guide


This manual is also suitable for:

Summit wm3600, Summit wm3700