Encryption And Authentication; Mu Authentication - Motorola RFS7000 Series System Reference Manual


1.2.5.1 Encryption and Authentication

WEP
Wired Equivalent Privacy (WEP) is an encryption scheme used to secure wireless networks. WEP was intended to provide confidentiality comparable to that of a traditional wired network, hence the name. WEP had many serious weaknesses and was therefore superseded by Wi-Fi Protected Access (WPA). Regardless, WEP still provides a level of security that can deter casual snooping. For information on configuring WEP for a target WLAN, see Configuring WEP 64 on page 4-50 or Configuring WEP 128 / KeyGuard on page 4-51.
WEP uses passwords entered manually at both ends (pre-shared keys). Using the RC4 encryption algorithm, WEP originally specified a 40-bit key, which was later increased to 104 bits. Combined with a 24-bit initialization vector, WEP is often touted as having a 128-bit key.
WPA
WPA is designed for use with an 802.1X authentication server, which distributes different keys to each user. However, it can also be used in a less secure pre-shared key (PSK) mode, where every user is given the same passphrase.
WPA uses Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used. When combined with the much larger initialization vector, it defeats well-known key recovery attacks on WEP. For information on configuring WPA for a WLAN, see Configuring WPA/WPA2 using TKIP and CCMP on page 4-52.
WPA2
WPA2 uses a sophisticated key hierarchy that generates new encryption keys each time an MU associates with an access point. Protocols including 802.1X, EAP and RADIUS are used for strong authentication. WPA2 also supports the TKIP and AES-CCMP encryption protocols. For information on configuring WPA2 for a target WLAN, see Configuring WPA/WPA2 using TKIP and CCMP on page 4-52.
KeyGuard-WEP
KeyGuard is a proprietary dynamic WEP solution. Motorola (upon hearing of the vulnerabilities of WEP) developed a non-standard method of rotating keys to prevent compromises. Basically, KeyGuard is TKIP without the message integrity check (MIC). KeyGuard is proprietary to Motorola MUs only. For information on configuring KeyGuard for a target WLAN, see Configuring WEP 128 / KeyGuard on page 4-51.

1.2.5.2 MU Authentication

The switch uses the following 802.11 authentication schemes for MU association:
Kerberos
802.1x EAP
MAC ACL
Refer to Editing the WLAN Configuration on page 4-27 to WLAN MU authentication.
Kerberos
Kerberos allows for mutual authentication and end-to-end encryption. All traffic is encrypted and security keys are generated on a per-client basis. Keys are never shared or reused, and are automatically distributed in a secure manner. For information on configuring Kerberos for a WLAN, see Configuring Kerberos on page 4-34.
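
The WEP key-size arithmetic from section 1.2.5.1, worked through as an added example that is not part of the manual or of any Motorola code. It builds a WEP frame body to show that the 24-bit IV travels in the clear, so a "128-bit" key holds 104 secret bits, and estimates how soon a 24-bit IV repeats. The function names, key and payload are constructed for illustration, and the repeat estimate assumes randomly chosen IVs.

```python
import math
import struct
import zlib

IV_BITS = 24  # sent in clear with every frame, so not part of the secret

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Return the first n bytes of RC4 keystream for seed."""
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encapsulate(key: bytes, iv: bytes, payload: bytes, key_id: int = 0) -> bytes:
    """Frame body: IV (clear) | key-ID byte | RC4(payload + CRC-32 ICV)."""
    if len(key) not in (5, 13) or len(iv) * 8 != IV_BITS:
        raise ValueError("WEP takes a 40- or 104-bit key and a 24-bit IV")
    data = payload + struct.pack("<I", zlib.crc32(payload))
    keystream = rc4_keystream(iv + key, len(data))  # per-frame seed = IV || key
    return iv + bytes([key_id << 6]) + bytes(a ^ b for a, b in zip(data, keystream))

def advertised_and_secret_bits(key: bytes) -> tuple:
    """(marketed key size, bits an eavesdropper does not already see)."""
    return len(key) * 8 + IV_BITS, len(key) * 8

def iv_repeat_probability(frames: int) -> float:
    """Chance that at least two of `frames` frames share an IV.
    Assumes IVs are picked uniformly at random (birthday approximation)."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** IV_BITS))

if __name__ == "__main__":
    key = bytes.fromhex("0102030405060708090a0b0c0d")  # constructed 104-bit key
    frame = wep_encapsulate(key, b"\x00\x00\x01", b"constructed payload")
    print("IV visible in frame:", frame[:3].hex())
    print("advertised/secret bits:", advertised_and_secret_bits(key))
    print("P(IV repeat) after 5000 frames: %.2f" % iv_repeat_probability(5000))
```

Two frames that share an IV are encrypted with the same RC4 keystream, which is why the much larger IV used with TKIP matters.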
