HP ProCurve 420 Management And Configuration Manual page 127

network by requiring an 802.1X client application to submit user credentials
for authentication. The 802.1X standard uses the Extensible Authentication
Protocol (EAP) to pass user credentials (either digital certificates, usernames
and passwords, or other) from the client to the RADIUS server. Client
authentication is then verified on the RADIUS server before the access point
grants client access to the network.

The 802.1X EAP packets are also used to pass dynamic unicast session keys
and static broadcast keys to wireless clients. Session keys are unique to each
client and are used to encrypt and correlate traffic passing between a specific
client and the access point. You can also enable broadcast key rotation, so the
access point provides a dynamic broadcast key and changes it at a specified
interval.

MAC Address Filtering. Using MAC address filtering, you can configure
the access point with a list of the MAC addresses of wireless clients that are
authorized to access the network. This provides a basic level of authentication
for wireless clients attempting to gain access to the network. A database of
authorized MAC addresses can be stored locally on the access point or
remotely on a central RADIUS server.

Wi-Fi Protected Access (WPA). WPA employs a combination of several
technologies to provide an enhanced security solution for 802.11 wireless
networks. The access point supports the following WPA components and
features:

IEEE 802.1X (802.1X) and the Extensible Authentication Protocol
(EAP): WPA employs 802.1X as its basic framework for user authentication
and dynamic key management. The 802.1X client and RADIUS server
should use an appropriate EAP type—such as EAP-TLS (Transport Layer
Security), EAP-TTLS (Tunneled TLS), or PEAP (Protected EAP)—for
strongest authentication. Working together, these protocols provide
"mutual authentication" between a client, the access point, and a RADIUS
server that prevents users from accidentally joining a rogue network. Only
when a RADIUS server has authenticated a user's credentials will encryption
keys be sent to the access point and client.

Note: Implementing WPA on wireless clients requires a WPA-enabled network card
driver and 802.1X client software that supports the EAP authentication type
that you want to use. Windows XP provides native WPA support; other systems
require additional software.

Temporal Key Integrity Protocol (TKIP): WPA specifies TKIP as the
data encryption method to replace WEP. TKIP avoids the problems of
WEP static keys by dynamically changing data encryption keys. TKIP

Access Point Configuration
Configuring Wireless Security
5-69
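
An added example, not from the HP manual: the mutual authentication described above only keeps a client off a rogue network if the 802.1X client software actually verifies the RADIUS server's certificate. Assuming the client runs wpa_supplicant (not named in the manual), this Python script audits a constructed configuration for the EAP types the manual lists and for server-certificate validation; all SSIDs, identities and paths are made up.

```python
import re
# EAP types the manual names for strongest authentication.
LISTED_EAP = {"TLS", "TTLS", "PEAP"}
# wpa_supplicant options (assumed client software) that pin the RADIUS server name.
NAME_CHECKS = {"domain_suffix_match", "domain_match", "subject_match", "altsubject_match"}

# Constructed sample config: SSIDs, identity and paths are made up.
SAMPLE_CONF = '''
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
}
network={
    ssid="corp-hardened"
    key_mgmt=WPA-EAP
    pairwise=TKIP
    eap=TTLS
    identity="alice"
    ca_cert="/etc/ssl/certs/radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
'''

def parse_networks(text):
    """Return one {option: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (ln.split("=", 1) for ln in body.splitlines()
                 if "=" in ln and not ln.lstrip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(text):
    """Map each 802.1X SSID to its findings; an empty list means it passes."""
    report = {}
    for net in parse_networks(text):
        if "WPA-EAP" not in net.get("key_mgmt", "").split():
            continue  # not an 802.1X network, e.g. pre-shared key
        issues = []
        methods = set(net.get("eap", "").upper().split())
        if not methods or methods - LISTED_EAP:
            issues.append("eap-type-not-listed")
        if "ca_cert" not in net:
            issues.append("no-ca-cert")  # server certificate goes unverified
        if not net.keys() & NAME_CHECKS:
            issues.append("no-server-name-check")
        report[net.get("ssid", "?")] = issues
    return report
```

Calling `audit(SAMPLE_CONF)` flags `corp-weak` for the missing CA certificate and server-name check, while `corp-hardened` returns no findings.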
