Access Point Features
Configuring the Device
WPA provides the following new security measures not available with WEP:
• Improved packet encryption using the Temporal Key Integrity Protocol (TKIP) and the Michael Message Integrity Check (MIC).
• Per-user, per-session dynamic encryption keys:
  – Each client uses a different key to encrypt and decrypt unicast packets exchanged with the AP
  – A client's key is different for every session; it changes each time the client associates with an AP
  – The AP uses a single global key to encrypt broadcast packets that are sent to all clients simultaneously
  – Encryption keys change periodically based on the Re-keying Interval parameter
  – WPA uses 128-bit encryption keys
• Dynamic key distribution
  – The AP generates and maintains the keys for its clients
  – The AP securely delivers the appropriate keys to its clients
• Client/server mutual authentication
  – 802.1x
  – Pre-shared key (for networks that do not have an 802.1x solution implemented)
The AP supports the following WPA security modes:
• WPA: The AP uses 802.1x to authenticate clients and TKIP for encryption. You should only use an EAP that supports mutual authentication and session key generation, such as EAP-TLS, EAP-TTLS, and PEAP. See Authentication for details.
• WPA-PSK (Pre-Shared Key): For networks that do not have 802.1x implemented, you can configure the AP to authenticate clients based on a Pre-Shared Key. This is a shared secret that is manually configured on the AP and each of its clients. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits or 32 alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the TKIP Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).
• 802.11i (also known as WPA2): The AP provides security to clients according to the 802.11i standard, using 802.1x authentication, a CCMP cipher based on AES, and re-keying.
• 802.11i-PSK (also known as WPA2 PSK): The AP uses a CCMP cipher based on AES, and encrypts frames to clients based on a Pre-Shared Key. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits or 32 alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).

NOTE: For more information on WPA, see the Wi-Fi Alliance Web site at http://www.wi-fi.org.

Recommended Security Profiles
Proxim recommends configuring the following combinations of security profiles:
• MAC-ACL + WEP/WPA-PSK
  If you have enabled MAC-ACL as Local MAC Authentication, ensure that it is combined with a WEP/WPA-PSK security profile. Once MAC-ACL authentication is enabled, clients are connected based on the MAC-ACL policy.
• Radius-MAC + WEP/WPA-PSK
  If you have enabled RADIUS-MAC as RADIUS-MAC Authentication, ensure that it is combined with a WEP/WPA-PSK security profile. If you enable RADIUS-MAC, ensure that a RADIUS Authentication server is configured.
• WPA2/WPA

CAUTION: Proxim recommends not enabling both Local MAC Authentication and RADIUS-MAC Authentication. Also ensure that RADIUS MAC Authentication and Access Control are not enabled together.
AP-8000 User Guide