Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

221

222

223

224

225

226

227

228

229

230

Configuring WPA

10-6 Configuring User Encryption

•AclientthatreceivesanotherframewithaninvalidMICdisassociatesfromitsaccess

pointanddoesnotsendoracceptanyframesencryptedwithTKIPorWEP.

TheAPorclientrefusestosendorreceivetrafficencryptedwithTKIPorWEPforthe

durationofthecountermeasurestimer,which

is60,000milliseconds(60seconds)by

default.Whenthecountermeasurestimerexpires,theaccesspointallowsassociationsand

reassociationsandgeneratesnewsessionkeysforthem.Youcansetthecountermeasures

timerforAPradiostoavaluefrom0to60,000milliseconds(ms).Ifyouspecify0ms,the

radios

donotusecountermeasuresbutinsteadcontinuetoacceptandforwardencrypted

trafficfollowingasecondMICfailure.However,MSSstillgeneratesanSNMPtrapto

informyouoftheMICfailure.

TheMICusedbyCCMP,CBC‐MAC,isevenstrongerthanMichaelanddoesnotrequireor

provide

countermeasures.WEPdoesnotuseaMIC.Instead,WEPperformsacyclicredundancy

check(CRC)ontheframeandgeneratesanintegritycheckvalue(ICV).

WPA Authentication Methods

YoucanconfigureanSSIDtosupportoneorbothofthefollowingauthenticationmethodsfor

WPAclients:

• 802.1X—TheAPandclientuseanExtensibleAuthenticationProtocol(EAP)methodto

authenticateoneanother,thenusethe resultingkeyinahandshaketoderiveauniquekeyfor

thesession.The802.1X

authenticationmethod requiresuserinformationtobeconfiguredon

AAAserversorintheRoamAboutSwitch’s localdatabase.Thisisthe defaultWPA

authenticationmethod.

•Presharedkey(PSK)—AnAPradioandaclientauthenticateoneanotherbasedonakeythat

isstaticallyconfiguredonbothdevices.Thedevicesthenuse

thekeyinahandshaketoderive

auniquekeyforthesession.Foragivenserviceprofile,youcangloballyconfigureaPSKfor

usewithallclients.YoucanconfigurethekeybyenteringanASCIIpassphraseorbyentering

thekeyitselfinraw(hexadecimal)form.

WPA Information Element

AWPAinformationelement(IE)isasetofextrafieldsinawirelessframethatcontainWPA

informationfortheaccesspointorclient.ToenableWPAsupportinaserviceprofile,youmust

enabletheWPAIE.ThefollowingtypesofwirelessframescancontainaWPAIE:

•Beacon

(sentbyanAP)—TheWPAIEinabeaconframeadvertisestheciphersuitesand

authenticationmethodsthatanAPradiosupportsfortheencryptedSSID.TheWPAIEalso

liststheciphersuitesthattheradiousestoencryptbroadcastandmulticastframes.AnAP

radioalwaysusestheleast

secureoftheciphersuitestoencryptbroadcastandmulticast

framestoensurethatallclientsassociatedwiththeSSIDcandecrypttheframes.AnAPradio

usesthemostsecureciphersuitesupportedbyboththeradioandaclienttoencryptunicast

traffictothatclient.

•Proberesponse

(sentbyanAPradio)—TheWPAIEinaproberesponseframeliststhesame

WPAinformationthatiscontainedinthebeaconframe.

• Associationrequestorreassociation(sentbyaclient)—TheWPAIEinanassociationrequest

liststheauthenticationmethodandciphersuitetheclientwantstouse.

Notes: For a MAC client that authenticates using a PSK, the RADIUS servers or local database still

must contain an authentication rule for the client, to assign the client to a VLAN.