Motorola WS5100 Series Reference Manual page 31

WPA
WPA is designed for use with an 802.1X authentication server, which distributes different keys to each user.
However, it can also be used in a less secure pre-shared key (PSK) mode, where every user is given the same
passphrase.
WPA uses Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used.
When combined with the much larger Initialization Vector, it defeats well-known key recovery attacks on
WEP. For information on configuring WPA for a WLAN, see
on page 4-51.
WPA2
WPA2 uses a sophisticated key hierarchy that generates new encryption keys each time a MU associates
with an access point. Protocols including 802.1X, EAP and Radius are used for strong authentication. WPA2
also supports the TKIP and AES-CCMP encryption protocols. For information on configuring WPA for a WLAN,
see Configuring WPA/WPA2 using TKIP and CCMP on page
Keyguard-WEP
KeyGuard is Motorola's proprietary dynamic WEP solution. Motorola (upon hearing of the vulnerabilities of
WEP) developed a non standard method of rotating keys to prevent compromises. Basically, KeyGuard is TKIP
without the message integrity check. KeyGuard is proprietary to Motorola MUs only. For information on
configuring KeyGuard for a WLAN, see
1.2.5.2 MU Authentication
The switch uses the following authentication schemes for MU association:
• Kerberos
• 802.1x EAP
• MAC ACL
Refer to Editing the WLAN Configuration on page 4-24
Kerberos
Kerberos allows for mutual authentication and end-to-end encryption. All traffic is encrypted and security
keys are generated on a per-client basis. Keys are never shared or reused, and are automatically distributed
in a secure manner. For information on configuring Kerberos for a WLAN, see
Configuring Kerboros on page
802.1x EAP
802.1x EAP is the most secure authentication mechanism for wireless networks and includes
EAP-TLS, EAP-TTLS and PEAP. The switch is a proxy for Radius packets. An MU does a full 802.11
authentication and association and begins transferring data frames. The switch realizes the MU needs to
authenticate with a Radius server and denies any traffic not Radius related. Once Radius completes its
authentication process, the MU is allowed to send other data traffic. You can use either an onboard Radius
server or internal Radius Server for authentication. For information on configuring 802.1x EAP for a WLAN,
see Configuring 802.1x EAP on page
MAC ACL
The MAC ACL feature is basically a dynamic MAC ACL where MUs are allowed/denied access to the network
based on their configuration on the Radius server. The switch allows 802.11 authentication and association,
then checks with the Radius server to see if the MAC address is allowed on the network. The Radius packet
Configuring WEP 128 / KeyGuard on page
for additional information.
4-31.
4-30.
Configuring WPA/WPA2 using TKIP and CCMP
4-51.
4-49.
1-21
Overview