User's Manual
Installation and User Guide: Airgo Access Point
User Security
Acceptable and effective solutions for user authentication depend upon the network size,
complexity, and existing authentication infrastructure.
Current user authentication standards are based on the IEEE 802.1x specification, which identifies
users and permits connectivity based upon policies established in a central server. Many
authentication servers use the Remote Authentication Dial-In User Service (RADIUS) protocol,
which enables remote access servers to communicate with the central server to authenticate users
and authorize service or system access. Within the RADIUS context, the most effective
authentication methods use versions of the Extensible Authentication Protocol (EAP) for the
end-to-end authentication of the client by the authentication server.
The Airgo AP can meet all the user authentication needs for the full range of wireless networks.
(See Chapter 2, “Planning Your Installation.”) Several modes of authentication are supported, as
listed in Table 13. WPA-PSK uses pre-shared keys (PSK) configured directly by the administrator
into the AP and network clients. Based on the network-wide key, the clients and AP receive unique
session keys for each client session. This approach can be effective for small businesses for which
strong encryption is desired but a centralized authentication infrastructure is not available.
EAP-TLS (EAP with Transport Layer Security) is a certificate-based authentication method based
on the TLS protocol. The RADIUS security services within the Airgo AP provide EAP-TLS for user
authentication. Integration is also supported with RADIUS servers that support EAP-TLS or
EAP-PEAP.
In addition to the EAP-based authentication methods, WEP-based encryption is available for
legacy clients. The option of no user authentication is also available.
Data Encryption
Table 14 lists the available options for data encryption, in order of decreasing protection. The
current standard for data encryption is WPA-AES, which provides financial-grade protection. The
WEP encryption options use 64-bit or 128-bit encryption keys, assigned manually or dynamically,
as dictated by the capabilities of the client. These offer some protection against casual interlopers;
however, the WEP algorithms are vulnerable to compromise and can be difficult to maintain.
WPA-TKIP closes the major WEP loopholes and can be an acceptable alternative to standard WEP.
Table 13: Authentication Options

Type                      Description
EAP-TLS                   Certificate-based authentication, used by the security portal and
                          many external RADIUS servers
EAP-PEAP                  EAP-PEAP RADIUS-based authentication
WPA-PSK                   Authentication acceptable for small to mid-size installations, in
                          which manual distribution of keys is convenient and centralized
                          management is not required
Dynamic WEP with 802.1x   Not recommended due to limitations of the WEP algorithms. If it is
                          necessary to use this option to support legacy equipment, make sure
                          a RADIUS server is configured for the SSID. The RADIUS server should
                          be configured to support EAP-TLS or EAP-PEAP. Note that the Airgo
                          Wireless LAN Client Adapter does not support dynamic WEP.
None                      No user authentication