Table of Contents
Advertisement
WPA
WPA is designed for use with an 802.1X authentication server, which distributes different keys to each user. However, it
can also be used in a less secure pre-shared key (PSK) mode, where every user is given the same passphrase.
WPA uses Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used. When combined
with the much larger Initialization Vector, it defeats well-known key recovery attacks on WEP. For information on
configuring WPA for a WLAN, see
WPA2
WPA2 uses a sophisticated key hierarchy that generates new encryption keys each time a MU associates with an Access
Point. Protocols including 802.1X, EAP and Radius are used for strong authentication. WPA2 also supports the TKIP and
AES-CCMP encryption protocols. For information on configuring WPA for a WLAN, see
and CCMP on page
Keyguard-WEP
KeyGuard is Motorola Solutions' proprietary dynamic WEP solution. Motorola Solutions (upon hearing of the
vulnerabilities of WEP) developed a non standard method of rotating keys to prevent compromises. Basically, KeyGuard is
TKIP without the message integrity check. KeyGuard is proprietary to Motorola Solutions MUs only. For information on
configuring KeyGuard for a WLAN, see
1.2.5.2 MU Authentication
The switch uses the following authentication schemes for MU association:
•
Kerberos
•
802.1x EAP
•
MAC ACL
Refer to
Editing the WLAN Configuration on page 4-27
Kerberos
Kerberos allows for mutual authentication and end-to-end encryption. All traffic is encrypted and security keys are
generated on a per-client basis. Keys are never shared or reused, and are automatically distributed in a secure manner. For
information on configuring Kerberos for a WLAN, see
Configuring Kerberos on page
802.1x EAP
802.1x EAP is the most secure authentication mechanism for wireless networks and includes
EAP-TLS, EAP-TTLS and PEAP. The switch is a proxy for Radius packets. An MU does a full 802.11 authentication and
association and begins transferring data frames. The switch realizes the MU needs to authenticate with a Radius server
and denies any traffic not Radius related. Once Radius completes its authentication process, the MU is allowed to send
other data traffic. You can use either an onboard Radius server or internal Radius Server for authentication. For information
on configuring 802.1x EAP for a WLAN, see
MAC ACL
The MAC ACL feature is basically a dynamic MAC ACL where MUs are allowed/denied access to the network based on
their configuration on the Radius server. The switch allows 802.11 authentication and association, then checks with the
Radius server to see if the MAC address is allowed on the network. The Radius packet uses the MAC address of the MU
as both the username and password (this configuration is also expected on the Radius server). MAC-Auth supports all
encryption types, and (in case of 802.11i) the handshake is completed before the Radius lookup begins. For information on
configuring 802.1x EAP for a WLAN, see
Configuring WPA/WPA2 using TKIP and CCMP on page
4-56.
Configuring WEP 128 / KeyGuard on page
4-35.
Configuring 802.1x EAP on page
Configuring MAC Authentication on page
4-54.
for additional information.
4-34.
4-46.
Overview 1 - 19
4-56.
Configuring WPA/WPA2 using TKIP
Advertisement
Table of Contents
Troubleshooting
