Proxim ORiNOCO AP-4000 User Manual page 139

Advanced Configuration
SSID/VLAN/Security
– Each client uses a different key to encrypt and decrypt unicast packets exchanged with the AP
– A client's key is different for every session; it changes each time the client associates with an AP
– The AP uses a single global key to encrypt broadcast packets that are sent to all clients simultaneously
– Encryption keys change periodically based on the Re-keying Interval parameter
– WPA uses 128-bit encryption keys
• Dynamic Key distribution
– The AP generates and maintains the keys for its clients
– The AP securely delivers the appropriate keys to its clients
• Client/server mutual authentication
– 802.1x
– Pre-shared key (for networks that do not have an 802.1x solution implemented)
The AP supports the following WPA security modes:
• WPA: The AP uses 802.1x to authenticate clients and TKIP for encryption. You should only use an EAP that supports
mutual authentication and session key generation, such as EAP-TLS, EAP-TTLS, and PEAP. See
Authentication for details.
• WPA-PSK (Pre-Shared Key): For networks that do not have 802.1x implemented, you can configure the AP to
authenticate clients based on a Pre-Shared Key. This is a shared secret that is manually configured on the AP and
each of its clients. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits or 32
alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the TKIP
Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).
• 802.11i (also known as WPA2): The AP provides security to clients according to the 802.11i draft standard, using
802.1x authentication, a CCMP cipher based on AES, and re-keying.
• 802.11i-PSK (also known as WPA2 PSK): The AP uses a CCMP cipher based on AES, and encrypts frames to clients
based on a Pre-Shared Key. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits or 32
alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared
Key (so a user can enter an easy-to-remember phrase rather than a string of characters).
NOTE: For more information on WPA, see the Wi-Fi Alliance Web site at http://www.wi-fi.org.
Authentication Protocol Hierarchy
There is a hierarchy of authentication protocols defined for the AP. The hierarchy is as follows, from highest to lowest:
• 802.1x authentication (including 802.1x, WPA, WPA-PSK, 802.11i, 802.11i-PSK)
• MAC Access Control via RADIUS Authentication
• MAC Access Control through individual APs' MAC Access Control Lists
If you have both 802.1x and MAC Access Control authentication enabled, the 802.1x authentication takes precedence
because it is higher in the authentication protocol hierarchy. This is required in order to propagate the WEP/TKIP/AES
keys to the clients in such cases. If you disable 802.1x on the AP, you will see the effects of MAC authentication.
In addition, setting MAC Access Control status to Strict will cause both MAC ACL settings and 802.1x settings to be
applied.
For example, assume that the MAC Access Control List contains MAC addresses to block, and that WPA-PSK is
configured to allow access to clients with the appropriate PSK Passphrase.
• If the MAC ACL status is set to Enable, WPA-PSK will take precedence, and clients in the MAC ACL with the correct
PSK passphrase will be allowed. Only the WPA-PSK setting is taken into consideration.
• If the MAC ACL status is set to Strict, then clients in the MAC ACL will be blocked even if they have the correct PSK
passphrase. Clients will only be allowed if they have the correct passphrase and are NOT listed in the MAC ACL. In
this way, both MAC and WPA-PSK settings are taken into consideration.
AP-4000/4000M/4900M User Guide
802.1x
139