User guide

Advanced Configuration AP-700 User Guide
SSID/VLAN/Security
Wi-Fi Protected Access (WPA/802.11i [WPA2])
Wi-Fi Protected Access (WPA) is a security standard designed by the Wi-Fi Alliance in conjunction with the Institute of Electrical and Electronics Engineers (IEEE). The AP supports 802.11i (WPA2), based on the IEEE 802.11i security standard.
WPA is a replacement for Wired Equivalent Privacy (WEP), the encryption technique specified by the original 802.11 standard. WEP has several vulnerabilities that have been widely publicized. WPA addresses these weaknesses and provides a stronger security system to protect wireless networks.
WPA provides the following new security measures not available with WEP:
• Improved packet encryption using the Temporal Key Integrity Protocol (TKIP) and the Michael Message Integrity Check (MIC).
• Per-user, per-session dynamic encryption keys:
  – Each client uses a different key to encrypt and decrypt unicast packets exchanged with the AP
  – A client's key is different for every session; it changes each time the client associates with an AP
  – The AP uses a single global key to encrypt broadcast packets that are sent to all clients simultaneously
  – Encryption keys change periodically based on the Re-keying Interval parameter
  – WPA uses 128-bit encryption keys
• Dynamic key distribution
  – The AP generates and maintains the keys for its clients
  – The AP securely delivers the appropriate keys to its clients
• Client/server mutual authentication
  – 802.1x
  – Pre-shared key (for networks that do not have an 802.1x solution implemented)
The AP supports the following WPA security modes:
• WPA: The AP uses 802.1x to authenticate clients and TKIP for encryption. You should only use an EAP that supports mutual authentication and session key generation, such as EAP-TLS, EAP-TTLS, and PEAP. See 802.1x Authentication for details.
• WPA-PSK (Pre-Shared Key): For networks that do not have 802.1x implemented, you can configure the AP to authenticate clients based on a Pre-Shared Key. This is a shared secret that is manually configured on the AP and each of its clients. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits or 32 alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the TKIP Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).
• 802.11i (also known as WPA2): The AP provides security to clients according to the 802.11i draft standard, using 802.1x authentication, a CCMP cipher based on AES, and re-keying.
• 802.11i-PSK (also known as WPA2 PSK): The AP uses a CCMP cipher based on AES, and encrypts frames to clients based on a Pre-Shared Key. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits or 32 alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).
NOTE: For more information on WPA, see the Wi-Fi Alliance Web site at http://www.wi-fi.org.
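
The Pre-Shared Key formats and the PSK Pass Phrase option described above, as an added example that is not taken from the AP-700 guide or its firmware: it validates the two 256-bit key forms and derives a key from a pass phrase. It assumes the AP uses the standard IEEE 802.11i pass-phrase mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), which the guide does not state; all function names are hypothetical.

```python
import hashlib
import math
import string

PSK_LEN = 32  # 256 bits, the key length the guide requires


def psk_from_hex(text):
    """Form 1: exactly 64 hexadecimal digits -> 32-byte key."""
    if len(text) != 64 or any(c not in string.hexdigits for c in text):
        raise ValueError("hex PSK must be exactly 64 hexadecimal digits")
    return bytes.fromhex(text)


def psk_from_chars(text):
    """Form 2: exactly 32 alphanumeric characters, one byte per character."""
    if len(text) != 32 or not (text.isascii() and text.isalnum()):
        raise ValueError("character PSK must be exactly 32 alphanumeric characters")
    return text.encode("ascii")


def psk_from_passphrase(passphrase, ssid):
    """Assumed mapping (IEEE 802.11i): PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pass phrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("pass phrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, PSK_LEN)


def max_entropy_bits(length, alphabet_size):
    """Upper bound on key entropy when every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample input: pass phrase and SSID are illustrative only.
    key = psk_from_passphrase("password", "IEEE")
    print("derived PSK:", key.hex())
    print("64 hex digits    : %.1f bits max" % max_entropy_bits(64, 16))
    print("32 alphanumerics : %.1f bits max" % max_entropy_bits(32, 62))
```

Under this mapping the SSID is the salt, so the same pass phrase yields a different key for each network name. The 32-character form tops out near 190 bits, below the 256 bits of a randomly generated 64-digit hexadecimal key.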
Authentication Protocol Hierarchy
There is a hierarchy of authentication protocols defined for the AP. The hierarchy is as follows, from highest to lowest:
• 802.1x authentication (including 802.1x, WPA, WPA-PSK, 802.11i, 802.11i-PSK)
• MAC Access Control via RADIUS Authentication
• MAC Access Control through individual APs' MAC Access Control Lists