User's Manual
Installation and Configuration Guide: Airgo Access Point 137
Current user authentication standards are based on the IEEE 802.1x specification, which identifies
users and permits connectivity based upon policies established in a central server. Many
authentication servers use the Remote Authentication Dial-In User Service (RADIUS) protocol,
which enables remote access servers to communicate with the central server to authenticate users
and authorize service or system access. Within the RADIUS context, the most effective
authentication methods use versions of the Extensible Authentication Protocol (EAP) for the
end-to-end authentication of the client by the authentication server.
The Airgo AP can meet all the user authentication needs for the full range of wireless networks.
(See Chapter 2, “Planning Your Installation.”) Airgo supports several modes of authentication, as
listed in Table 11. WPA-PSK uses pre-shared keys (PSK) that are configured directly by the
administrator into the AP and network clients. Based on the network-wide key, the clients and AP
receive unique session keys for each client session. This approach can be effective for small
businesses for whom strong encryption is desired but a centralized authentication infrastructure is
not available. EAP-TLS (EAP with Transport Layer Security) is a certificate-based authentication
method based on the TLS protocol. The RADIUS security services within the Airgo AP provide
EAP-TLS for user authentication. Airgo also supports integration with RADIUS servers that
support EAP-TLS or EAP-PEAP.
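To show how one network-wide key yields a different session key for each client session, here is an added example (not from the Airgo manual and not Airgo's code) of the standard IEEE 802.11i WPA-PSK derivation. The SSID, passphrase, MAC addresses and nonces are constructed sample values, and the 48-byte session key length assumed here is the one used with AES.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Network-wide key: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce, nbytes=48):
    """Per-session key: both sides sort the MACs and nonces so they agree."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbytes)

def split_ptk(ptk: bytes) -> dict:
    """First 16 bytes: KCK (handshake MIC); next 16: KEK; remainder: temporal key."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}

# Constructed sample values (not from the manual).
SSID = "example-ssid"
PASSPHRASE = "constructed sample passphrase"
AP_MAC = bytes.fromhex("020000000001")
CLIENT_A = bytes.fromhex("020000000a01")
CLIENT_B = bytes.fromhex("020000000b02")

def demo():
    pmk = derive_pmk(PASSPHRASE, SSID)
    # Nonces are random per handshake in practice; fixed here for repeatability.
    a1 = derive_ptk(pmk, AP_MAC, CLIENT_A, b"\x11" * 32, b"\x22" * 32)
    a2 = derive_ptk(pmk, AP_MAC, CLIENT_A, b"\x33" * 32, b"\x44" * 32)
    b1 = derive_ptk(pmk, AP_MAC, CLIENT_B, b"\x11" * 32, b"\x22" * 32)
    return pmk, a1, a2, b1

if __name__ == "__main__":
    pmk, a1, a2, b1 = demo()
    print("PMK       ", pmk.hex())
    for name, ptk in (("A, first ", a1), ("A, second", a2), ("B, first ", b1)):
        print(name, split_ptk(ptk)["tk"].hex())
```

Everything fed into the session key other than the network-wide key is exchanged in the clear during the handshake, so the protection rests on the pre-shared key itself, which is why it should be long and random.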
In addition to the EAP-based authentication methods, Airgo supports WEP-based encryption for
legacy clients. Airgo also supports the option of no user authentication.
Data Encryption
Table 12 lists the available options for data encryption, in order of decreasing protection. The
current standard for data encryption is WPA-AES, which provides financial-grade protection. The
WEP encryption options use 64-bit or 128-bit encryption keys, assigned manually or dynamically,
as dictated by the capabilities of the client. These offer some protection against casual interlopers;
however, the WEP algorithms are vulnerable to compromise and can be difficult to maintain.
WPA-TKIP closes the major WEP loopholes and can be an acceptable alternative to standard WEP. Open
Table 11: Authentication Options

Type                      Description
------------------------  ----------------------------------------------------------------
EAP-TLS                   Certificate-based authentication, used by the Airgo security
                          services portal and many external RADIUS servers
EAP-PEAP                  EAP-PEAP RADIUS-based authentication
WPA-PSK                   Authentication acceptable for small to mid-size installations,
                          in which manual distribution of keys is convenient and
                          centralized management is not required
Dynamic WEP with 802.1x   Not recommended due to limitations of the WEP algorithms. If it
                          is necessary to use this option to support legacy equipment,
                          make sure that a RADIUS server is configured for the SSID. The
                          RADIUS server should be configured to support EAP-TLS or
                          EAP-PEAP. Note that the Airgo Wireless LAN Client Adapter does
                          not support dynamic WEP.
None                      No user authentication