Installation guide
D-127
D.9.1 Applications
802.11i with AES should be considered for new WLAN applications, as it represents the strongest encryption
scheme available today for data privacy. 802.11i with AES encryption is supported by all new WLAN client
devices including workstations, handhelds and voice handsets.
For legacy deployments, which include devices that cannot support AES, Motorola recommends that TKIP with
802.1x or pre-shared keys be utilized. TKIP is supported by most (but not all) legacy devices via a software
update provided by the device manufacturer.
For legacy devices that cannot support AES or TKIP, dynamic WEP or VPN should be considered. Static WEP
should only be considered when no other encryption options are available and should be augmented with
firewalls to reduce the attack footprint.
D.9.2 Restrictions
WPA/802.11i provides support for pre-shared-keys as an alternative to 802.1x. A pre-shared-key is typically
entered as an 8 - 63 character passphrase on the WLAN infrastructure. The client must know the pre-shared
key before being permitted access to the WLAN.
WPA and 802.11i pre-shared-key implementations are potentially susceptible to dictionary attacks when short
or weak passphrases are used. This vulnerability is not the fault of WPA/802.11i, and can be thwarted by
implementing strong passphrases utilizing 20 or more random alphanumerical and special characters.
Random passphrase generators are available on the Web and can generate strong random passphrases of
varying complexity.
Attacks can also be thwarted by implementing MU intrusion detection on the RF Switch, which alerts
administrators to excessive authentication failures and provides automatic mitigation against attacking
devices.
Finally, as a general best practice, it is also recommended to refresh passphrases frequently. The frequency
of the refresh should depend on each specific environment, as passphrases will also need to be updated on
the client devices.
D.9.3 Configuring 802.11i Support
The following sections outline the steps required to configure 802.11i with 802.1X and pre-shared keys on an
RF Switch:
• 802.11i with 802.1x Authentication
• 802.11i with Pre-Shared Key Authentication
To review the running configuration deployed on the RF Switch used to create this tutorial, see RF Switch
Running Configuration on page D-135.
D.9.3.1 Requirements
The following requirements must be met prior to attempting this configuration:
• One (or more) RF Switches are installed and operational on the network
• One (or more) Access Ports are configured and adopted by the RF Switch
• A Windows XP workstation is available with Microsoft Internet Explorer or Mozilla Firefox to perform the
Web UI configuration
• One (or more) wireless workstations are available to verify 802.11i 802.1X and PSK operation