data encryption enhancements by including a message integrity check for each packet and a re-keying mechanism, which periodically changes the master key.
• WPA Pre-Shared Key (PSK) Mode: For enterprise deployment, WPA requires a RADIUS authentication server to be configured on the wired network. However, for small office networks that may not have the resources to configure and maintain a RADIUS server, WPA provides a simple operating mode that uses just a pre-shared password for network access. The Pre-Shared Key mode uses a common password for user authentication that is manually entered on the access point and all wireless clients. The PSK mode uses the same TKIP packet encryption and key management as WPA in the enterprise, providing a robust and manageable alternative for small networks.
WPA2 – WPA was introduced as an interim solution for the vulnerability of WEP pending the
ratification of the IEEE 802.11i wireless security standard. In effect, the WPA security features are a
subset of the 802.11i standard. WPA2 includes the now ratified 802.11i standard, but also offers
backward compatibility with WPA. Therefore, WPA2 includes the same 802.1X and PSK modes of
operation and support for TKIP encryption. The main differences and enhancements in WPA2 can
be summarized as follows:
• Advanced Encryption Standard (AES): WPA2 uses AES Counter-Mode encryption with Cipher Block Chaining Message Authentication Code (CBC-MAC) for message integrity. The AES Counter-Mode/CBC-MAC Protocol (AES-CCMP) provides extremely robust data confidentiality using a 128-bit key. The AES-CCMP encryption cipher is specified as a standard requirement for WPA2. However, the computationally intensive operations of AES-CCMP require hardware support on client devices. Therefore, to implement WPA2 in the network, wireless clients must be upgraded to WPA2-compliant hardware.
• WPA2 Mixed-Mode: WPA2 defines a transitional mode of operation for networks moving from WPA security to WPA2. WPA2 Mixed Mode allows both WPA and WPA2 clients to associate to a common SSID interface. In mixed mode, the unicast encryption cipher (TKIP or AES-CCMP) is negotiated for each client. The access point advertises its supported encryption ciphers in beacon frames and probe responses. WPA and WPA2 clients select the cipher they support and return the choice in the association request to the access point. For mixed-mode operation, the cipher used for broadcast frames is always TKIP. WEP encryption is not allowed.
• Key Caching: WPA2 provides fast roaming for authenticated clients by retaining keys and other security information in a cache, so that if a client roams away from an access point and then returns, reauthentication is not required. When a WPA2 client is first authenticated, it receives a Pairwise Master Key (PMK) that is used to generate other keys for unicast data encryption. This key and other client information form a Security Association that the access point names and holds in a cache.
• Preauthentication: Each time a client roams to another access point, it has to be fully re-authenticated. This authentication process is time consuming and can disrupt applications running over the network. WPA2 includes a mechanism, known as preauthentication, that allows clients to roam to a new access point and be quickly associated. The first time a client is authenticated to a wireless network, it has to be fully authenticated. When the client is about to roam to another access point in the network, the access point sends preauthentication messages to the new access point that include the client's security association information. Then, when the client sends an association request to the new access point, the client is known to be already authenticated, so it proceeds directly to key exchange and association.
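The following Python is an added illustration of the key caching and preauthentication points above; it is not Foundry code and does not describe the IronPoint implementation. It derives the name that IEEE 802.11i gives a cached security association, the PMKID (HMAC-SHA1-128 over the string "PMK Name", the access point MAC and the client MAC), and shows a returning client either hitting the cache and skipping full authentication or missing it once the entry has expired. The PMK and MAC addresses are constructed values.

```python
import hmac
import hashlib

# Constructed values (not from the manual): a 256-bit PMK and two MAC addresses.
PMK = bytes(range(32))
AP_MAC = bytes.fromhex("001122334455")      # authenticator address (AA)
CLIENT_MAC = bytes.fromhex("66778899aabb")  # supplicant address (SPA)


def pmkid(pmk: bytes, ap_mac: bytes, client_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), per IEEE 802.11i."""
    if len(pmk) != 32 or len(ap_mac) != 6 or len(client_mac) != 6:
        raise ValueError("PMK must be 32 bytes and MAC addresses 6 bytes")
    digest = hmac.new(pmk, b"PMK Name" + ap_mac + client_mac, hashlib.sha1).digest()
    return digest[:16]  # "-128": keep the first 128 bits of the 160-bit HMAC


class PMKSACache:
    # Per-access-point cache of PMK security associations, keyed by PMKID.
    def __init__(self, ap_mac: bytes, lifetime_s: int = 12 * 3600):
        self.ap_mac = ap_mac
        self.lifetime_s = lifetime_s  # cached PMKSAs expire, like real ones
        self._entries = {}            # PMKID -> (PMK, client MAC, expiry time)

    def add(self, pmk: bytes, client_mac: bytes, now: float) -> bytes:
        """Store the PMKSA after a full 802.1X/PSK authentication completes
        (or when preauthentication places it here ahead of the roam)."""
        pid = pmkid(pmk, self.ap_mac, client_mac)
        self._entries[pid] = (pmk, client_mac, now + self.lifetime_s)
        return pid

    def lookup(self, offered_pmkid: bytes, client_mac: bytes, now: float):
        """Return the PMK if the PMKID offered in a (re)association request names
        a live entry for this client (skip to key exchange); None = full auth."""
        entry = self._entries.get(offered_pmkid)
        if entry is None:
            return None
        pmk, owner, expires_at = entry
        if now >= expires_at:
            del self._entries[offered_pmkid]  # stale: force reauthentication
            return None
        if owner != client_mac:
            return None  # PMKID names another client's association
        return pmk


def roam_away_and_back(return_after_s: float) -> bool:
    """True if a client returning after return_after_s seconds is served from cache."""
    cache = PMKSACache(AP_MAC, lifetime_s=3600)
    pid = cache.add(PMK, CLIENT_MAC, now=0.0)  # first visit: full authentication
    return cache.lookup(pid, CLIENT_MAC, now=return_after_s) == PMK
```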
December 2006
© 2006 Foundry Networks, Inc.
Wireless Security Configuration
21-5