System information
Wireless Security Configuration
Wireless Security Overview
■ WPA2 Mixed-Mode: WPA2 defines a transitional mode of operation for networks moving from WPA security to WPA2. WPA2 Mixed Mode allows both WPA and WPA2 clients to associate to a common SSID interface. In mixed mode, the unicast encryption cipher (TKIP or AES-CCMP) is negotiated for each client. The access point advertises its supported encryption ciphers in beacon frames and probe responses. WPA and WPA2 clients select the cipher they support and return the choice in the association request to the access point. For mixed-mode operation, the cipher used for broadcast frames is always TKIP. WEP encryption is not allowed.
■ Key Caching: WPA2 provides fast roaming for authenticated clients by retaining keys and other security information in a cache, so that if a client roams away from an access point and then returns, reauthentication is not required. When a WPA2 client is first authenticated, it receives a Pairwise Master Key (PMK) that is used to generate other keys for unicast data encryption. This key and other client information form a Security Association that the access point names and holds in a cache.
■ Preauthentication: Each time a client roams to another access point it has to be fully re-authenticated. This authentication process is time consuming and can disrupt applications running over the network. WPA2 includes a mechanism, known as preauthentication, that allows clients to roam to a new access point and be quickly associated. The first time a client is authenticated to a wireless network it has to be fully authenticated. When the client is about to roam to another access point in the network, the access point sends preauthentication messages to the new access point that include the client's security association information. Then, when the client sends an association request to the new access point, the client is known to be already authenticated, so it proceeds directly to key exchange and association.
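The three items above all come down to fields of the RSN information element that an access point carries in its beacons and probe responses and that a client echoes back in its association request: the group and pairwise cipher selectors (mixed mode), the preauthentication capability bit, and the PMKID list a client presents to reuse a cached Security Association. The following Python parser is an added example and is not code from this manual or from the access point firmware it describes; the two sample elements are constructed for illustration, and the helper names (parse_rsn_ie, mixed_mode_checks) are this example's own. It decodes an RSN element and checks it against the mixed-mode rules stated above (group cipher must be TKIP when both TKIP and CCMP are offered; WEP is not permitted).

```python
import struct

# Selector values from IEEE 802.11 for the RSN element (OUI 00-0F-AC).
RSN_ELEMENT_ID = 48
RSN_OUI = bytes.fromhex("000fac")
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X", 2: "PSK"}


def _read_suites(body, pos, names):
    """Read a little-endian 2-byte count followed by that many 4-byte
    OUI:type selectors. Returns (list of names, position after the list)."""
    (count,) = struct.unpack_from("<H", body, pos)
    pos += 2
    suites = []
    for _ in range(count):
        sel = body[pos:pos + 4]
        if len(sel) < 4:
            raise ValueError("truncated suite list")
        if sel[:3] != RSN_OUI:
            raise ValueError("unexpected suite OUI %s" % sel[:3].hex())
        suites.append(names.get(sel[3], "type-%d" % sel[3]))
        pos += 4
    return suites, pos


def parse_rsn_ie(ie):
    """Parse a raw RSN element (ID byte, length byte, body). Fields that are
    absent take the defaults the standard assigns (CCMP / 802.1X)."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 2:
        raise ValueError("truncated RSN element")
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    result = {"group_cipher": "CCMP", "pairwise_ciphers": ["CCMP"],
              "akms": ["802.1X"], "preauth": False, "pmkids": []}
    pos = 2
    if pos + 4 > len(body):
        return result
    sel = body[pos:pos + 4]
    if sel[:3] != RSN_OUI:
        raise ValueError("unexpected group cipher OUI %s" % sel[:3].hex())
    result["group_cipher"] = CIPHER_NAMES.get(sel[3], "type-%d" % sel[3])
    pos += 4
    if pos + 2 > len(body):
        return result
    result["pairwise_ciphers"], pos = _read_suites(body, pos, CIPHER_NAMES)
    if pos + 2 > len(body):
        return result
    result["akms"], pos = _read_suites(body, pos, AKM_NAMES)
    if pos + 2 > len(body):
        return result
    (caps,) = struct.unpack_from("<H", body, pos)
    result["preauth"] = bool(caps & 0x0001)   # bit 0 = preauthentication
    pos += 2
    if pos + 2 > len(body):
        return result
    (pmkid_count,) = struct.unpack_from("<H", body, pos)   # key-caching hint
    pos += 2
    for _ in range(pmkid_count):
        pmkid = body[pos:pos + 16]
        if len(pmkid) < 16:
            raise ValueError("truncated PMKID list")
        result["pmkids"].append(pmkid.hex())
        pos += 16
    return result


def mixed_mode_checks(parsed):
    """Findings against the mixed-mode rules: TKIP group cipher when both
    TKIP and CCMP are offered, and no WEP selectors at all."""
    findings = []
    offered = set(parsed["pairwise_ciphers"])
    if {"TKIP", "CCMP"} <= offered and parsed["group_cipher"] != "TKIP":
        findings.append("mixed mode but group cipher is %s, expected TKIP"
                        % parsed["group_cipher"])
    weak = sorted(c for c in offered | {parsed["group_cipher"]} if c.startswith("WEP"))
    if weak:
        findings.append("WEP cipher offered: %s" % ", ".join(weak))
    return findings


# Constructed sample: beacon RSN element from a mixed-mode, PSK access point.
SAMPLE_MIXED_MODE_IE = bytes.fromhex(
    "3018" "0100"           # ID 48, length 24, RSN version 1
    "000fac02"              # group cipher TKIP
    "0200" "000fac04" "000fac02"   # two pairwise ciphers: CCMP, TKIP
    "0100" "000fac02"       # one AKM: PSK
    "0100"                  # capabilities: preauthentication bit set
)

# Constructed sample: association request from a WPA2/802.1X client that
# presents a cached PMKID so the access point can skip full authentication.
SAMPLE_CACHED_PMKID_IE = bytes.fromhex(
    "3026" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000"
    "0100" "00112233445566778899aabbccddeeff"   # one 16-byte PMKID
)

if __name__ == "__main__":
    for ie in (SAMPLE_MIXED_MODE_IE, SAMPLE_CACHED_PMKID_IE):
        parsed = parse_rsn_ie(ie)
        print(parsed, mixed_mode_checks(parsed))
```

Run against captured beacons, the same checks flag an access point whose configuration drifts from the rules above (for example a WEP selector reappearing in the cipher list), and the PMKID branch shows which clients are relying on the cache rather than re-authenticating.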
Table 7-1. Summary of Wireless Security

Security Mechanism: Static WEP Keys
Client Support: Built-in support on all 802.11b and 802.11g devices
Implementation Considerations:
• Provides only weak security
• Requires manual key management

Security Mechanism: Dynamic WEP Keys with 802.1X
Client Support: Requires 802.1X client support in system or by add-in software (support provided in Windows 2000 SP3 or later and Windows XP)
Implementation Considerations:
• Provides dynamic key rotation for improved WEP security
• Requires configured RADIUS server
• 802.1X EAP type may require management of digital certificates for clients and server
7-6