Motorola AP-6511 Reference Manual page 150

Motorola Solutions AP-6511 Access Point System Reference Guide
Unicast messages are addressed to a single device on the network. Broadcast messages are addressed
to multiple devices. When using WPA2-CCMP, a wireless client can use 2 keys: one unicast key, for its
own traffic to and from an AP, and one broadcast key, the common key for all the clients in that subnet.
Motorola recommends rotating these keys so a potential hacker would not have enough data using a
single key to attack the deployed encryption scheme.
Unicast Rotation
Interval
Broadcast Rotation
Interval
7. Define the
Using 802.11i can speed up the roaming process from one AP to another. Instead of doing a complete
802.1x authentication each time a client roams between APs, 802.11i allows a client to re-use previous
PMK authentication credentials and perform a four-way handshake. This speeds up the roaming process.
In addition to reusing PMKs on previously visited APs, Opportunistic Key Caching allows multiple APs to
share PMKs amongst themselves. This allows a client to roam to an AP it has not previously visited and
reuse a PMK from another AP to skip 802.1x authentication.
Pre-Authentication
8. Set the following
TKIP
Countermeasure
Hold Time
Exclude WPA2-TKIP
6-16
Define an interval for unicast key transmission in seconds (30 -86,400).
Some clients have issues using unicast key rotation, so ensure you know
which king of clients are impacted before using unicast keys. This value is
disabled by default.
When enabled, the key indices used for encrypting/decrypting broadcast
traffic will be alternatively rotated based on the defined interval Define an
interval for broadcast key transmission in seconds (30-86,400). Key
rotation enhances the broadcast traffic security on the WLAN. This value
is disabled by default.
Fast Roaming configuration used with the WPA2-CCMP policy.
Selecting the Pre-Authentication option enables an associated client to
carry out an 802.1x authentication with another wireless controller (or
device) before it roams to it. This enables the roaming client to send and
receive data sooner by not having to conduct an 802.1x authentication
after roaming. With pre authentication, a wireless client can perform an
802.1X authentication with other detected access points while still
connected to its current access point. When a device roams to a
neighboring AP, the device is already authenticated on the access point
providing faster re-association. This feature is enabled by default.
Advanced for the WPA2-CCMP encryption scheme.
The TKIP countermeasure hold-time is the time during which the use of the
WLAN is disabled if TKIP countermeasures have been invoked on the
WLAN. Use the drop-down menu to define a value in either Hours (0-18),
Minutes (0-1,092) or Seconds (0-65,535). The default setting is 60 seconds.
Select this option for an Access Point to advertise and enable support for
only WPA-TKIP. Select this option if certain older clients are not compatible
with the newer WPA2-TKIP information elements. Enabling this option
allows backwards compatibility for clients that support WPA-TKIP and
WPA2-TKIP but do not support WPA2-CCMP.
enabling this feature if WPA-TKIP or WPA2-TKIP supported clients operate
in a WLAN populated by WPA2-CCMP enabled clients. This feature is
disabled by default.
recommends
Motorola