Allied Telesis AT-WR4500 Network Router User Manual


 
56 AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers
RouterOS v3 Configuration and User Guide
4.3.16 Security Profiles
Submenu level: /interface wireless security-profiles
Description
This section provides WEP (Wired Equivalent Privacy) and WPA/WPA2 (Wi-Fi Protected Access)
functions to wireless interfaces.
WPA
Wi-Fi Protected Access is a combination of 802.1X, EAP, MIC, TKIP and AES. It is an easy-to-configure
and secure wireless mechanism. It was later updated to version 2 to provide greater
security.
Pairwise master key caching for EAP authentication is supported for WPA2. This means that
a disconnected client can reconnect without repeating EAP authentication if the keys are still valid (keys are
invalidated by changes to the interface or security profile configuration, by a restart, or by Session-Timeout
in the case of RADIUS authentication).
WEP
The Wired Equivalent Privacy encrypts data only between 802.11 devices, using static keys. It is not
considered a very secure wireless data encryption mechanism, though it is better than no encryption at
all.
The configuration of WEP is quite simple, using RouterOS security profiles.
Property Description
authentication-types (multiple choice: wpa-psk | wpa2-psk | wpa-eap | wpa2-eap; default: "") - the list of
accepted authentication types. APs will advertise the listed types. Stations will choose the AP that
supports the "best" type from the list (WPA2 is always preferred to WPA1; EAP is preferred to PSK)
eap-methods (multiple choice: eap-tls | passthrough) - the ordered list of EAP methods. APs will
propose them to the stations one by one (if the first method listed is rejected, the next one is tried). Stations will
accept the first proposed method that is on the list
eap-tls - Use TLS certificates for authentication
passthrough - relay the authentication process to the RADIUS server (not used by the stations)
group-ciphers (multiple choice: tkip | aes-ccm) - a set of ciphers used to encrypt frames sent to all
wireless stations (broadcast transfers), in order of preference
tkip - Temporal Key Integrity Protocol - encryption protocol, compatible with legacy WEP equipment,
but enhanced to correct some of WEP's flaws
aes-ccm - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption
Standard). Networks free of WEP legacy should use only this
group-key-update (time; default: 5m) - how often to update group key. This parameter is used only if
the wireless card is configured as an Access Point
interim-update (time) - default update interval for RADIUS accounting, if RADIUS server has not
provided different value
mode (none | static-keys-optional | static-keys-required | dynamic-keys; default: none) - security mode:
none - do not encrypt packets and do not accept encrypted packets
static-keys-optional - if there is a static-sta-private-key set, use it. Otherwise, if the interface is set
in an AP mode, do not use encryption; if the interface is in station mode, use encryption if the
static-transmit-key is set
static-keys-required - encrypt all packets and accept only encrypted packets
dynamic-keys - generate encryption keys dynamically
name (name) - descriptive name for the security profile
radius-eap-accounting (yes | no; default: no) - use RADIUS accounting if EAP authentication is used
radius-mac-accounting (yes | no; default: no) - use RADIUS accounting, providing MAC address as
username
radius-mac-authentication (no | yes; default: no) - whether to use RADIUS server for MAC
authentication
radius-mac-caching (time; default: disabled) - how long the RADIUS authentication reply for MAC
address authentication is considered valid (and thus can be cached for faster reauthentication)
radius-mac-format (text; default: XX:XX:XX:XX:XX:XX) - MAC address format to use for
communication with RADIUS server
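The following is an added example, not part of the manual or of RouterOS: a small Python check that reads security-profile lines and flags the weak choices described in this section (no encryption, static WEP keys, WPA1 authentication types, TKIP in group-ciphers). The sample text is constructed, and the one-profile-per-line key=value layout and all function names are assumptions.

```python
import shlex

# Constructed sample (assumed layout: one profile per "add" line, key=value
# pairs, multiple-choice values comma-separated). Not output from a real router.
SAMPLE_EXPORT = """\
/interface wireless security-profiles
add name=open-lab mode=none
add name=legacy mode=static-keys-required
add name=mixed mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm
add name=corp mode=dynamic-keys authentication-types=wpa2-eap group-ciphers=aes-ccm eap-methods=passthrough
"""

def parse_profiles(text):
    """Return one dict of properties per 'add' line."""
    profiles = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            profiles.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return profiles

def choices(profile, key):
    """Split a multiple-choice property into a set; an unset property is empty."""
    return {v for v in profile.get(key, "").split(",") if v}

def audit_profile(profile):
    """Flag weak settings using only properties documented in this section."""
    findings = []
    mode = profile.get("mode", "none")  # documented default is none
    if mode == "none":
        findings.append("mode=none: packets are not encrypted")
    elif mode.startswith("static-keys"):
        findings.append(f"mode={mode}: static keys (WEP)")
    elif mode == "dynamic-keys":
        auth = choices(profile, "authentication-types")
        if not auth:
            findings.append("authentication-types is empty: no WPA/WPA2 type listed")
        for wpa1 in sorted(auth & {"wpa-psk", "wpa-eap"}):
            findings.append(f"authentication-types accepts {wpa1} (WPA1)")
        if "tkip" in choices(profile, "group-ciphers"):
            findings.append("group-ciphers includes tkip: use only aes-ccm")
    return findings

def audit(text):
    """Map profile name -> list of findings."""
    return {p.get("name", "?"): audit_profile(p) for p in parse_profiles(text)}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_EXPORT).items():
        print(f"{name}: {'; '.join(findings) or 'no findings'}")
```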