Wireless Security Modes



None (unencrypted or plain text mode)

None (or “plain text” security) means any data transferred to and from the access point is sent unencrypted and can be read by anyone within radio range.

If you select “None” for the security mode, no further security-related options are configurable on the AP.

Guest Network

Plain text mode is the only mode in which you can run the Guest network, which is by definition an easily accessible, unsecured LAN that is always virtually or physically separated from any sensitive information on the Internal LAN. For example, the guest network might simply provide internet and printer access for day visitors.

The absence of security on the Guest AP is designed to make it as easy as possible for guests to get a connection without having to program any security settings in their clients.

For a minimum level of protection on a guest network, you can choose to suppress (prohibit) the broadcast of the SSID (network name) to discourage client stations from automatically discovering your access point. Treat this as a convenience setting rather than a security control: the SSID is still sent in the clear in probe and association frames whenever a client connects, so anyone running a wireless sniffer can recover it, and guest traffic itself remains unencrypted.

Static WEP

Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. All wireless stations and access points on the network are configured with a static 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit secret key + 24-bit IV) shared key for data encryption. WEP's RC4 keying with a 24-bit IV is cryptographically broken and has been deprecated by the IEEE since 802.11i-2004: the key can be recovered from captured traffic, so use this mode only for legacy stations that cannot run WPA2, and keep them off any segment carrying sensitive data.

You cannot mix 64-bit and 128-bit WEP keys between the access point and its client stations.

If you selected “Static WEP” Security Mode, provide the following on the access point settings:

Transfer Key Index
Select a key index from the drop-down menu. Key indexes 1 through 4 are available. The default is 1.
The Transfer Key Index indicates which WEP key the access point will use to encrypt the data it transmits.
Key Length
Specify the length of the key by clicking one of the radio buttons:
  • 64 bits
  • 128 bits
Key Type
Select the key type by clicking one of the radio buttons:
  • ASCII
  • Hex
Characters Required
Indicates the number of characters required in the WEP key.
The number of characters required updates automatically based on how you set Key Length and Key Type.
WEP Keys
You can specify up to four WEP keys. In each text box, enter a string of characters for each key.
If you selected “ASCII”, enter any combination of the digits and letters 0-9, a-z, and A-Z. If you selected “Hex”, enter hexadecimal digits (any combination of 0-9 and a-f or A-F).
Use the same number of characters for each key as specified in the “Characters Required” field. These are the WEP keys shared with the stations using the access point.
Each client station must be configured to use one of these same WEP keys in the same slot as specified here on the AP.
Authentication Algorithm
The authentication algorithm defines the method used to determine whether a client station is allowed to associate with an access point when static WEP is the security mode.
Specify the authentication algorithm you want to use by choosing one of the following from the drop-down menu:
  • Open System
  • Shared Key
  • Both
Open System authentication allows any client station to associate with the access point whether or not that client station has the correct WEP key. This algorithm is also used in plain text, IEEE 802.1x, and WPA modes.
Note that being allowed to associate does not mean a client can exchange traffic with the access point. A station must have the correct WEP key to decrypt data from the access point and to transmit data the access point can read.
Shared Key authentication requires the client station to prove it has the correct WEP key in order to associate: the access point sends a challenge in the clear and the station returns it WEP-encrypted. A station with an incorrect WEP key will not be able to associate. This is not a security gain over Open System: an eavesdropper who captures the challenge and its encrypted response obtains a keystream sample for that IV without knowing the key, which is exactly what WEP key-recovery attacks feed on. If you must run WEP, Open System authentication with a correct key is the less harmful choice.
Both is the default. When the authentication algorithm is set to “Both”:
  • Client stations configured to use WEP in shared key mode must have a valid WEP key in order to associate with the access point.
  • Client stations configured to use WEP as an open system (shared key mode not enabled) will be able to associate with the access point even if they do not have the correct WEP key.

Rules to Remember for Static WEP

  • All client stations must have the Wireless LAN (WLAN) security set to WEP, and all clients must hold the WEP key the AP transmits with (its transfer key) in order to decode AP-to-station data transmissions.
  • The AP must have all keys used by clients for station-to-AP transmit so that it can decode the station transmissions.
  • The same key must occupy the same slot on all nodes (AP and clients). For example, if the AP defines the key abc123 as WEP key 3, then the client stations must define that same string as WEP key 3.
  • On some wireless client software (such as Funk Odyssey), you can configure multiple WEP keys, define a client station “transfer key index”, and set the stations to encrypt the data they transmit using different keys. This ensures that neighboring APs cannot decode each other’s transmissions.
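The key-format rules from the table (Characters Required follows from Key Length and Key Type) and the slot rules above can be turned into a configuration check that is run before a station is deployed. The following is an added example written for this page; it is not part of the access point's firmware or documentation, and the key strings and slot assignments in it are constructed test data.

```python
import re

# 64-bit WEP = 40-bit secret + 24-bit IV; 128-bit WEP = 104-bit secret + 24-bit IV.
SECRET_BITS = {64: 40, 128: 104}
ASCII_KEY = re.compile(r"[0-9A-Za-z]+")
HEX_KEY = re.compile(r"[0-9A-Fa-f]+")


def chars_required(key_length: int, key_type: str) -> int:
    """Number the 'Characters Required' field shows for a Key Length / Key Type pair."""
    bits = SECRET_BITS[key_length]            # KeyError for anything other than 64 or 128
    if key_type == "ASCII":
        return bits // 8                      # 5 or 13 characters, one byte each
    if key_type == "Hex":
        return bits // 4                      # 10 or 26 digits, four bits each
    raise ValueError("key_type must be 'ASCII' or 'Hex'")


def normalize_key(key: str, key_length: int, key_type: str) -> bytes:
    """Check a key string the way the AP's form does and return the raw secret bytes,
    so an ASCII entry and a Hex entry of the same secret compare equal."""
    need = chars_required(key_length, key_type)
    if len(key) != need:
        raise ValueError(f"{key_type} key for {key_length}-bit WEP needs {need} characters, got {len(key)}")
    if key_type == "ASCII":
        if not ASCII_KEY.fullmatch(key):
            raise ValueError("ASCII keys may contain only 0-9, a-z and A-Z")
        return key.encode("ascii")
    if not HEX_KEY.fullmatch(key):
        raise ValueError("Hex keys may contain only 0-9, a-f and A-F")
    return bytes.fromhex(key)


def check_station(ap_keys: dict, ap_tx: int, sta_keys: dict, sta_tx: int) -> list:
    """Apply the 'Rules to Remember'. Keys are {slot: bytes} for slots 1-4; *_tx is the
    transfer key index each side encrypts with. Returns problems; [] means traffic flows both ways."""
    problems = []
    if sta_keys.get(ap_tx) != ap_keys.get(ap_tx):
        problems.append(f"station cannot decode AP traffic: slot {ap_tx} does not match the AP's transfer key")
    if ap_keys.get(sta_tx) != sta_keys.get(sta_tx):
        problems.append(f"AP cannot decode station traffic: slot {sta_tx} is missing or different on the AP")
    if len({len(k) for k in (*ap_keys.values(), *sta_keys.values())}) > 1:
        problems.append("64-bit and 128-bit keys are mixed; every node must use one key length")
    return problems


if __name__ == "__main__":
    # Constructed configuration: the AP transmits with slot 1, this station with slot 3.
    ap = {1: normalize_key("abc12", 64, "ASCII"), 3: normalize_key("6162633132", 64, "Hex")}
    station = {1: normalize_key("abc12", 64, "ASCII"), 3: normalize_key("abc12", 64, "ASCII")}
    print(check_station(ap, 1, station, 3))   # [] because 6162633132 is "abc12" in hex
```

Normalizing to bytes matters in practice: an AP configured with a Hex key and a client configured with the equivalent ASCII string are compatible, and the check above says so instead of flagging a false mismatch.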

WPA/WPA2 Personal (PSK)

Wi-Fi Protected Access 2 (WPA2) with Pre-Shared Key (PSK) is the Wi-Fi Alliance certification of the IEEE 802.11i standard, which specifies the Advanced Encryption Standard (AES) in Counter mode with CBC-MAC Protocol (CCMP) and the Temporal Key Integrity Protocol (TKIP). The Personal version of WPA2 employs a pre-shared key (instead of IEEE 802.1X and EAP as used in the Enterprise WPA2 security mode). The PSK is not used to encrypt traffic directly: it serves as the pairwise master key from which the AP and each station derive fresh per-session keys in the four-way handshake. Because anyone who captures that handshake can test passphrase guesses offline, choose a long, random passphrase.

This security mode is backwards-compatible for wireless clients that support the original WPA.

If you selected “WPA/WPA2 Personal (PSK)” Security Mode, provide the following:

WPA Versions
Select the types of client stations you want to support:
  • WPA
  • WPA2
  • Both
WPA. If all client stations on the network support the original WPA but none support the newer WPA2, select WPA.
WPA2. If all client stations on the network support WPA2, we suggest using WPA2, which provides the best security per the IEEE 802.11i standard.
Both. If you have a mix of clients, some of which support WPA2 and others only the original WPA, select “Both”. This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients that support it. This configuration allows more interoperability at the expense of some security, since the WPA-only clients still use the weaker suite on the same network.
Cipher Suites
Select the cipher you want to use from the drop-down menu:
  • TKIP
  • CCMP (AES)
  • Both
Temporal Key Integrity Protocol (TKIP) is the default.
TKIP was designed as a replacement for WEP that runs on the same RC4-capable hardware, and it closes WEP's key-reuse weakness: a 128-bit “temporal key” shared by clients and access points is mixed with the transmitter's MAC address and a 48-bit per-packet sequence counter (the TKIP sequence counter, which also lets the receiver reject replayed frames) to derive a different RC4 key for every frame, and a Michael message integrity code protects each frame against tampering. Because the transmitter address enters the mix, each client station encrypts with different keys. This AP additionally rekeys the temporal keys every 10,000 packets and distributes the new keys, further limiting what an attacker can collect under one key.
Counter mode with CBC-MAC Protocol (CCMP) is the IEEE 802.11i encryption method built on the Advanced Encryption Standard (AES). CCM combines Counter (CTR) mode for confidentiality with a Cipher Block Chaining Message Authentication Code (CBC-MAC) for integrity under a single 128-bit key. CCMP is the stronger suite; TKIP has since been deprecated by the Wi-Fi Alliance, so select CCMP (AES) whenever all clients support it and accept the TKIP default only for legacy WPA-only devices.
When the cipher suite is set to “Both”, both TKIP and CCMP (AES) clients can associate with the access point; each client negotiates one of the two pairwise ciphers at association, while the group cipher used for broadcast traffic must be one every client supports and is therefore TKIP. Clients not configured for WPA-PSK, or configured with a different pre-shared key, will not complete the four-way handshake and cannot join the network.
Key
The Pre-shared Key is the shared secret key for WPA-PSK. Enter a string of at least 8 characters to a maximum of 63 characters.
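How the string entered in the Key field becomes a 256-bit pairwise master key, and how that key is then turned into per-session keys, is defined by IEEE 802.11i rather than by this AP: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), and PTK = PRF-512(PMK, "Pairwise key expansion", addresses and nonces from the four-way handshake). The following added example (written for this page, not vendor code) enforces the field's 8-to-63-character rule, derives the PMK, and shows that the AP and the station arrive at the same PTK from the same inputs. The MAC addresses and nonces are constructed; the passphrase/SSID pair "password"/"IEEE" is the first test vector published in the 802.11i standard.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LEN = 32               # 256-bit pairwise master key
PTK_LEN = 64               # TKIP needs 512 bits (KCK, KEK, TK, Michael keys); CCMP uses the first 384


def validate_passphrase(passphrase: str) -> None:
    """The Key field's rules: 8 to 63 characters, printable ASCII (0x20-0x7E) only."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits) per IEEE 802.11i.
    The SSID is the salt: the same passphrase gives a different PMK on each network."""
    validate_passphrase(passphrase)
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes,
                               PBKDF2_ITERATIONS, PMK_LEN)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key from the four-way handshake inputs. Addresses and nonces are
    sorted so the AP (AA, ANonce) and the station (SPA, SNonce) compute the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, PTK_LEN)


def split_ptk(ptk: bytes) -> dict:
    """KCK authenticates handshake messages, KEK wraps the group key, TK encrypts data frames."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


if __name__ == "__main__":
    # Constructed addresses and nonces (real nonces are 32 random bytes per handshake).
    ap_addr, sta_addr = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes([0x11]) * 32, bytes([0x22]) * 32
    pmk = derive_pmk("password", "IEEE")        # inputs of the 802.11i Annex H test vector
    ptk_ap = derive_ptk(pmk, ap_addr, sta_addr, anonce, snonce)
    ptk_sta = derive_ptk(pmk, sta_addr, ap_addr, snonce, anonce)
    print(pmk.hex(), ptk_ap == ptk_sta, split_ptk(ptk_ap)["TK"].hex())
```

The 4096 PBKDF2 iterations are the only brake on offline guessing once a handshake has been captured, and the nonces change on every handshake while the PMK does not; this is why the passphrase itself, not the rekeying, determines how safe a WPA-Personal network is.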
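The cipher-suite description above (the same text appears again in the Enterprise table below) says that TKIP and CCMP avoid the key reuse that breaks WEP. The following added example, written for this page and not taken from the AP, shows the two mechanics behind that claim for CCMP: the 13-byte nonce is built from the transmitter address and a 48-bit packet number, so no two frames under one temporal key share a nonce and two stations holding the same group key still produce distinct nonces; and the receiver accepts a frame only if its packet number is strictly greater than the last one seen from that transmitter. For contrast, a helper gives the birthday estimate of how many frames a WEP station choosing random 24-bit IVs sends before an IV, and hence an RC4 keystream, repeats. The MAC addresses and the frame sequence are constructed test data.

```python
import math

PN_MAX = (1 << 48) - 1          # CCMP packet number is 48 bits
WEP_IV_BITS = 24                # WEP IV is 24 bits and shared by every station on the key


def ccmp_nonce(priority: int, a2: bytes, pn: int) -> bytes:
    """13-byte CCMP nonce: flags/priority octet || transmitter address A2 || PN (big-endian).
    Uniqueness comes from the pair (A2, PN): no two frames under one temporal key repeat it."""
    if len(a2) != 6:
        raise ValueError("A2 must be a 6-byte MAC address")
    if not 0 <= pn <= PN_MAX:
        raise ValueError("PN out of range; the key must be replaced before PN wraps")
    return bytes([priority & 0x0F]) + a2 + pn.to_bytes(6, "big")


class ReplayCheck:
    """Receiver-side replay detection: one counter per transmitter; a frame is accepted only
    if its PN is strictly greater than the last accepted PN from that transmitter."""

    def __init__(self):
        self.last_pn = {}

    def accept(self, a2: bytes, pn: int) -> bool:
        if pn <= self.last_pn.get(a2, -1):
            return False                       # replayed or reordered frame: drop it
        self.last_pn[a2] = pn
        return True


def run_receiver(frames) -> list:
    """frames: list of (a2, pn) as seen on the air. Returns one accept/reject decision per frame."""
    rx = ReplayCheck()
    return [rx.accept(a2, pn) for a2, pn in frames]


def expected_frames_until_iv_repeat(iv_bits: int = WEP_IV_BITS) -> float:
    """Birthday estimate sqrt(pi * 2**bits / 2): frames a WEP station choosing IVs at random
    sends before a repeated IV (and so a reused RC4 keystream) is expected."""
    return math.sqrt(math.pi * (1 << iv_bits) / 2)


if __name__ == "__main__":
    # Constructed transmitter addresses and a constructed capture with one replayed frame.
    a = bytes.fromhex("001122334455")
    b = bytes.fromhex("66778899aabb")
    print(ccmp_nonce(0, a, 1).hex())
    print(run_receiver([(a, 1), (a, 2), (a, 2), (b, 1), (a, 3)]))
    print(f"WEP: IV repeat expected after about {expected_frames_until_iv_repeat():.0f} frames")
```

The per-transmitter counter is why the text can say each station's traffic is keyed differently even when the group key is shared, and why a CCMP receiver drops a captured-and-resent frame that a WEP receiver would happily decrypt.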

WPA/WPA2 Enterprise (RADIUS)

Wi-Fi Protected Access 2 (WPA2) with Remote Authentication Dial-In User Service (RADIUS) is the Wi-Fi Alliance certification of the IEEE 802.11i standard, which specifies the Advanced Encryption Standard (AES) in Counter mode with CBC-MAC Protocol (CCMP) and the Temporal Key Integrity Protocol (TKIP). The Enterprise mode authenticates each user with IEEE 802.1X and EAP against a RADIUS server, so every station receives session keys derived from its own authentication rather than from a passphrase shared by everyone; user accounts are configured via the Cluster > User Management tab.

This security mode is backwards-compatible with wireless clients that support the original WPA.

When configuring WPA2 Enterprise (RADIUS) mode, you have a choice of whether to use the built-in RADIUS server or an external RADIUS server that you provide.

If you selected “WPA/WPA2 Enterprise (RADIUS)” Security Mode, provide the following:

WPA Versions
Select the types of client stations you want to support:
  • WPA
  • WPA2
  • Both
WPA. If all client stations on the network support the original WPA but none support the newer WPA2, select WPA.
WPA2. If all client stations on the network support WPA2, we suggest using WPA2, which provides the best security per the IEEE 802.11i standard.
Both. If you have a mix of clients, some of which support WPA2 and others only the original WPA, select “Both”. This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients that support it. This configuration allows more interoperability at the expense of some security, since the WPA-only clients still use the weaker suite on the same network.
Enable pre-authentication
If you select “WPA2” or “Both” for WPA Versions, you can enable pre-authentication for WPA2 clients.
Click “Enable pre-authentication” if you want WPA2 wireless clients to send pre-authentication packets. The pre-authentication information is relayed from the access point the client is currently using to the target access point, so the client can complete its 802.1X authentication with the target AP before it roams there. Enabling this feature can speed up authentication for roaming clients that connect to multiple access points.
This option does not apply if you selected “WPA” for WPA Versions, because the original WPA does not support this feature.
Cipher Suites
Select the cipher you want to use from the drop-down menu:
  • TKIP
  • CCMP (AES)
  • Both
Temporal Key Integrity Protocol (TKIP) is the default.
TKIP was designed as a replacement for WEP that runs on the same RC4-capable hardware, and it closes WEP's key-reuse weakness: a 128-bit “temporal key” shared by clients and access points is mixed with the transmitter's MAC address and a 48-bit per-packet sequence counter (the TKIP sequence counter, which also lets the receiver reject replayed frames) to derive a different RC4 key for every frame, and a Michael message integrity code protects each frame against tampering. Because the transmitter address enters the mix, each client station encrypts with different keys. This AP additionally rekeys the temporal keys every 10,000 packets and distributes the new keys, further limiting what an attacker can collect under one key.
Counter mode with CBC-MAC Protocol (CCMP) is the IEEE 802.11i encryption method built on the Advanced Encryption Standard (AES). CCM combines Counter (CTR) mode for confidentiality with a Cipher Block Chaining Message Authentication Code (CBC-MAC) for integrity under a single 128-bit key. CCMP is the stronger suite; TKIP has since been deprecated by the Wi-Fi Alliance, so select CCMP (AES) whenever all clients support it and accept the TKIP default only for legacy WPA-only devices.
When the cipher suite is set to “Both”, both TKIP and CCMP (AES) clients can associate with the access point; each client negotiates one of the two pairwise ciphers at association. In this mode every client station must be configured for WPA or WPA2 with IEEE 802.1X (EAP) authentication and must hold credentials the RADIUS server accepts. The Radius IP and Radius Key below identify that server to the AP; clients never see them. Clients not configured for WPA/WPA2 Enterprise will not be able to join the network.
Authentication Server
Select one of the following from the drop-down menu:
  • Built-in – To use the authentication server provided. If you choose this option, you do not have to provide the Radius IP and Radius Key; they are automatically provided.
  • External – To use an external authentication server. If you choose this option you must supply a Radius IP and Radius Key of the server you want to use.
Note: The RADIUS server is identified by its IP address and the UDP port numbers for the different services it provides (by convention 1812 for authentication and 1813 for accounting).
Radius IP
Enter the Radius IP in the text box.
The Radius IP is the IP address of the RADIUS server.
Radius Key
Enter the Radius Key in the text box.
The Radius Key is the shared secret for the RADIUS server; it must match the secret the server has configured for this AP. The text you enter is displayed as “*” characters to prevent others from seeing the RADIUS key as you type.
This value is never sent over the network. It is used to authenticate the RADIUS exchange between the AP and the server (the Response Authenticator and Message-Authenticator fields are MD5 and HMAC-MD5 values keyed with it) and to protect the key material the server returns after a successful authentication. Because those constructions are only as strong as the secret, use a long, random string rather than a word.
Enable RADIUS Accounting
Click “Enable RADIUS Accounting” if you want the AP to send RADIUS accounting records (session start, stop and interim updates with per-station traffic counters) to the server for each authenticated station. Accounting does not itself enforce authentication, which the 802.1X exchange performs in this mode regardless of this setting; its value is an audit trail of which user was on the wireless network, from which station, and when.
Allow non-WPA Clients
Click the “Allow non-WPA clients” checkbox if you want to let non-WPA (legacy 802.11), unauthenticated client stations use this access point. Leave this unchecked unless you have a specific need: enabling it lets a station join with no authentication and no encryption on the same SSID your authenticated users share, which removes the protection this mode is meant to provide.
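The Radius Key described above is never transmitted; it keys the integrity values on every RADIUS packet exchanged between the AP and the server. The following added example (written for this page, not the AP's code or any RADIUS server's) builds the Access-Request an AP sends for an 802.1X client, carrying an EAP-Message and the HMAC-MD5 Message-Authenticator attribute that RFC 3579 requires with EAP, builds the server's Access-Challenge with its Response Authenticator (RFC 2865) and Message-Authenticator, and shows the AP-side verification rejecting a tampered reply, a reply signed with a different secret, and a reply to some other request. The secret, Request Authenticator, user identity, EAP payloads and NAS address are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS codes (RFC 2865) and attribute types used here (RFC 2865, RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER_LEN = 20


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(payload: bytes) -> list:
    """Return [(type, value), ...]; rejects truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return attrs


def _signed_attrs(secret: bytes, header: bytes, request_auth: bytes, attrs: list) -> bytes:
    """Encode attrs and append Message-Authenticator = HMAC-MD5(secret, header || request_auth ||
    attrs with the Message-Authenticator value zeroed). The secret itself is never placed in the packet."""
    body = b"".join(attr(t, v) for t, v in attrs)
    zeroed = header + request_auth + body + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return body + attr(MESSAGE_AUTHENTICATOR, mac)


def build_access_request(secret: bytes, identifier: int, request_auth: bytes, attrs: list) -> bytes:
    """AP -> server. request_auth is the 16-byte Request Authenticator (random per request)."""
    length = HEADER_LEN + sum(len(v) + 2 for _, v in attrs) + 18     # +18 for Message-Authenticator
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length)
    return header + request_auth + _signed_attrs(secret, header, request_auth, attrs)


def build_reply(secret: bytes, code: int, identifier: int, request_auth: bytes, attrs: list) -> bytes:
    """Server -> AP. Message-Authenticator is computed with the *Request* Authenticator in the
    authenticator field (RFC 3579 s3.2); the Response Authenticator is then
    MD5(Code || ID || Length || RequestAuth || Attributes || Secret) (RFC 2865 s3)."""
    length = HEADER_LEN + sum(len(v) + 2 for _, v in attrs) + 18
    header = struct.pack("!BBH", code, identifier, length)
    body = _signed_attrs(secret, header, request_auth, attrs)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_reply(secret: bytes, reply: bytes, request_auth: bytes) -> tuple:
    """AP-side checks on a server reply: length, Response Authenticator, Message-Authenticator.
    Returns (ok, reason)."""
    if len(reply) < HEADER_LEN:
        return False, "short packet"
    header, response_auth, body = reply[:4], reply[4:HEADER_LEN], reply[HEADER_LEN:]
    if struct.unpack("!BBH", header)[2] != len(reply):
        return False, "length mismatch"
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return False, "bad Response Authenticator"
    try:
        attrs = parse_attributes(body)
    except ValueError:
        return False, "malformed attributes"
    offset, found = 0, None
    for t, v in attrs:
        if t == MESSAGE_AUTHENTICATOR:
            if len(v) != 16:
                return False, "bad Message-Authenticator length"
            found = (offset, v)
        offset += len(v) + 2
    if found is None:
        return False, "Message-Authenticator missing"
    start, mac = found
    zeroed = header + request_auth + body[:start + 2] + bytes(16) + body[start + 18:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac):
        return False, "bad Message-Authenticator"
    return True, "ok"


if __name__ == "__main__":
    # Constructed values: the Radius Key configured on the AP, a Request Authenticator (random in
    # practice), the station's EAP-Response/Identity, and the AP's own address as NAS-IP-Address.
    secret = b"constructed-radius-key-change-me"
    request_auth = bytes(range(16))
    eap_identity = bytes([2, 1, 0, 10, 1]) + b"alice"         # EAP Response, id 1, len 10, type 1 Identity
    request = build_access_request(secret, 7, request_auth, [
        (USER_NAME, b"alice"), (NAS_IP_ADDRESS, bytes([192, 168, 1, 10])), (EAP_MESSAGE, eap_identity)])
    eap_challenge = bytes([1, 2, 0, 6, 25, 0x20])             # EAP Request, id 2, type 25, start flag set
    reply = build_reply(secret, ACCESS_CHALLENGE, 7, request_auth, [(EAP_MESSAGE, eap_challenge)])
    print(len(request), verify_reply(secret, reply, request_auth))
    print(verify_reply(b"wrong-secret", reply, request_auth))
```

Both integrity values are MD5-based, and an attacker who sniffs the AP-to-server path can mount an offline guess against the secret using any captured packet; that is the concrete reason the Radius Key should be long and random, and why the path between the AP and an external RADIUS server belongs on a management network rather than the user LAN.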
