Proxim ORiNOCO AP-8000 User Manual page 38

Access Point Features
Configuring the Device
WPA provides the following new security measures not available with WEP:
• Improved packet encryption using the Temporal Key Integrity Protocol (TKIP) and the Michael Message Integrity
Check (MIC).
• Per-user, per-session dynamic encryption keys:
– Each client uses a different key to encrypt and decrypt unicast packets exchanged with the AP
– A client's key is different for every session; it changes each time the client associates with an AP
– The AP uses a single global key to encrypt broadcast packets that are sent to all clients simultaneously
– Encryption keys change periodically based on the Re-keying Interval parameter
– WPA uses 128-bit encryption keys
• Dynamic Key distribution
– The AP generates and maintains the keys for its clients
– The AP securely delivers the appropriate keys to its clients
• Client/server mutual authentication
– 802.1x
– Pre-shared key (for networks that do not have an 802.1x solution implemented)
The AP supports the following WPA security modes:
• WPA: The AP uses 802.1x to authenticate clients and TKIP for encryption. You should only use an EAP that supports
mutual authentication and session key generation, such as EAP-TLS, EAP-TTLS, and PEAP. See
Authentication for details.
• WPA-PSK (Pre-Shared Key): For networks that do not have 802.1x implemented, you can configure the AP to
authenticate clients based on a Pre-Shared Key. This is a shared secret that is manually configured on the AP and
each of its clients. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits or 32
alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the TKIP
Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).
• 802.11i (also known as WPA2): The AP provides security to clients according to the 802.11i standard, using 802.1x
authentication, a CCMP cipher based on AES, and re-keying.
• 802.11i-PSK (also known as WPA2 PSK): The AP uses a CCMP cipher based on AES, and encrypts frames to
clients based on a Pre-Shared Key. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits
or 32 alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the
Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).
NOTE: For more information on WPA, see the Wi-Fi Alliance Web site at http://www.wi-fi.org.
Recommended Security Profiles
Proxim recommends to configure following combination of the security profiles:
• MAC-ACL + WEP/WPA-PSK
If you have enabled the MAC-ACL as Local MAC Authentication, then you need to ensure that you have the combination
of WEP/WPA-PSK security profile. Once you enable the MAC-ACL authentication then based on the MAC-ACL policy the
client will get connected.
• Radius-MAC + WEP/WPA-PSK
If you have enabled RADIUS-MAC as RADIUS-MAC Authentication, then you need to ensure that you have the
combination of WEP/WPA-PSK security profile. If you enable RADIUS-MAC, then ensure that RADIUS Authentication
server is configured.
• WPA2/WPA
CAUTION: Proxim recommends not to enable both Local MAC Authentication and RADIUS-MAC Authentication. You
also need to ensure that RADIUS MAC Authentication and Access Control is not enabled together.
AP-8000 User Guide
802.1x
38