User guide
Table Of Contents
- Introduction
- Installation and Initialization
- Managing the Access Point
- Basic Configuration for an Enterprise
- Access Point Features
- Using Web Interface to Manage the Access Point
- Using SNMP Interface to Manage the Access Point
- Using CLI to Manage the Access Point
- Global Configuration Mode
- General Notes
- Configuring the AP using CLI Commands
- Command Line Interface Mode Overview
- User Exec Mode
- Privileged Exec Mode
- Show Command Tree Structure Command
- Show VLAN Command
- Show MAC ACL Command
- Show RADIUS Server Table Command
- Show RADIUS Supported Profile Table Command
- Show Security Wireless Config Table Command
- Show QoS Profile and Policy Command
- Show QoS EDCA Command
- Show Wireless Properties Command
- Show 11n Wireless Properties Command
- Wireless VAP Command
- Ethernet Interface Command
- Network Configuration Command
- Advaned Filter and Global Filter Command
- TCP-UDP and Static MAC Address Table Commands
- Protocl Filter, Filter Type and Filter Control Table Command
- Access Control and HTTP, Telnet and TFTP Commands
- SNMP Read, Read-Write Password and Trap Host Table Command
- Country Code and Management Commands
- System Information Command
- System Inventory Management Command
- Event Logand ICMP Commands
- IP ARP Statistics and SNTP Command
- Syslog configuration and RADIUS Client Authentication Table Commands
- RADIUS Client Access Command
- Interface Statistics Command
- Wireless Station Statistics Command
- IP Address, Subnet Mask and Gateway Command
- Scalar Objects Commands
- Table Entries Commands
- Table Entry Deletion Command
- Table Entry Edition Command
- VAP Table Commands
- Troubleshooting
- ASCII Character Chart
- Bootloader CLI
- Specifications
- Technical Services and Support
- Statement of Warranty
Access Point Features AP-800 User Guide
Configuring the Device
38
• Improved packet encryption using the Temporal Key Integrity Protocol (TKIP) and the Michael Message Integrity
Check (MIC).
• Per-user, per-session dynamic encryption keys:
– Each client uses a different key to encrypt and decrypt unicast packets exchanged with the AP
– A client's key is different for every session; it changes each time the client associates with an AP
– The AP uses a single global key to encrypt broadcast packets that are sent to all clients simultaneously
– Encryption keys change periodically based on the Re-keying Interval parameter
– WPA uses 128-bit encryption keys
• Dynamic Key distribution
– The AP generates and maintains the keys for its clients
– The AP securely delivers the appropriate keys to its clients
• Client/server mutual authentication
–802.1x
– Pre-shared key (for networks that do not have an 802.1x solution implemented)
The AP supports the following WPA security modes:
• WPA: The AP uses 802.1x to authenticate clients and TKIP for encryption. You should only use an EAP that supports
mutual authentication and session key generation, such as EAP-TLS, EAP-TTLS, and PEAP. See 802.1x
Authentication for details.
• WPA-PSK (Pre-Shared Key): For networks that do not have 802.1x implemented, you can configure the AP to
authenticate clients based on a Pre-Shared Key. This is a shared secret that is manually configured on the AP and
each of its clients. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits or 32
alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the TKIP
Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).
• 802.11i (also known as WPA2): The AP provides security to clients according to the 802.11i standard, using 802.1x
authentication, a CCMP cipher based on AES, and re-keying.
• 802.11i-PSK (also known as WPA2 PSK): The AP uses a CCMP cipher based on AES, and encrypts frames to
clients based on a Pre-Shared Key. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits
or 32 alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the
Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).
NOTE: For more information on WPA, see the Wi-Fi Alliance Web site at http://www.wi-fi.org.
Recommended Security Profiles
Proxim recommends to configure following combination of the security profiles:
• MAC-ACL + WEP/WPA-PSK
If you have enabled the MAC-ACL as Local MAC Authentication, then you need to ensure that you have the combination
of WEP/WPA-PSK security profile. Once you enable the MAC-ACL authentication then based on the MAC-ACL policy the
client will get connected.
• Radius-MAC + WEP/WPA-PSK
If you have enabled RADIUS-MAC as RADIUS-MAC Authentication, then you need to ensure that you have the
combination of WEP/WPA-PSK security profile. If you enable RADIUS-MAC, then ensure that RADIUS Authentication
server is configured.
•WPA2/WPA
CAUTION: Proxim recommends not to enable both Local MAC Authentication and RADIUS-MAC Authentication. You
also need to ensure that RADIUS MAC Authentication and Access Control is not enabled together.