112 Operation
Chapter 4 - System Configuration
4.6.2.3 WiFi Protected Access (WPA)
WPA employs a combination of several technologies to provide an enhanced
security solution for 802.11 wireless networks.
The access point supports the following WPA components and features:
IEEE 802.1X and the Extensible Authentication Protocol (EAP): WPA employs
802.1X as its basic framework for user authentication and dynamic key
management. The 802.1X client and RADIUS server should use an appropriate
EAP type—such as EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled
TLS), or PEAP (Protected EAP)—for the strongest authentication. Working together,
these protocols provide “mutual authentication” between a client, the access
point, and a RADIUS server that prevents users from accidentally joining a rogue
network. Only when a RADIUS server has authenticated a user’s credentials will
encryption keys be sent to the access point and client.
Temporal Key Integrity Protocol (TKIP): WPA specifies TKIP as the data
encryption method to replace WEP. TKIP avoids the problems of WEP static keys
by dynamically changing data encryption keys. Basically, TKIP starts with a
master (temporal) key for each user session and then mathematically generates
other keys to encrypt each data packet. TKIP provides further data encryption
enhancements by including a message integrity check for each packet and a
re-keying mechanism, which periodically changes the master key.
WPA Pre-Shared Key Mode (WPA-PSK, WPA2-PSK): For enterprise deployment,
WPA requires a RADIUS authentication server to be configured on the wired
network. However, for small office networks that may not have the resources to
configure and maintain a RADIUS server, WPA provides a simple operating mode
that uses just a pre-shared password for network access. The Pre-Shared Key
mode uses a common password for user authentication that is manually entered
on the access point and all wireless clients. The PSK mode uses the same TKIP
Enterprise AP(if-wireless g)#vap 0
Enterprise AP(if-wireless g: VAP[0])#802.1X required
Enterprise AP(if-wireless g: VAP[0])#802.1X session-timeout 300
Enterprise AP(if-wireless g: VAP[0])#auth open-system
Enterprise AP(if-wireless g: VAP[0])#encryption
Enterprise AP(if-wireless g: VAP[0])#
NOTE
Implementing WPA on wireless clients requires a WPA-enabled network card driver and 802.1X
client software that supports the EAP authentication type you want to use. Windows XP
provides native WPA support; other systems require additional software.
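As an added example (not from the manual or the access point's firmware), the Python below shows in code what the PSK and TKIP paragraphs describe: the single pre-shared passphrase is stretched into the Pairwise Master Key with the SSID as salt (PBKDF2-HMAC-SHA1, 4096 rounds, as IEEE 802.11i specifies), and the 802.11i PRF then expands that master key, together with both MAC addresses and per-session nonces, into the temporal and MIC keys TKIP uses, so a re-key with a fresh nonce yields new keys while the passphrase stays the same. It goes beyond the page in naming the exact derivation; the MAC addresses and nonces are constructed, and the passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector.

```python
import hashlib
import hmac

# Constructed sample values (not from the manual): AP and station MAC addresses
# and the nonces each side would contribute in a key handshake.
AP_MAC = bytes.fromhex("02005e100001")
STA_MAC = bytes.fromhex("02005e100002")
ANONCE_1 = bytes(range(32))
SNONCE_1 = bytes(range(32, 64))
ANONCE_2 = bytes(range(64, 96))  # a later session: the AP picks a fresh nonce


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    # Every station configured with this passphrase derives the identical PMK,
    # which is why PSK mode gives no per-user identity.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter) blocks, concatenated.
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    # Pairwise Transient Key for TKIP (512 bits), expanded from the PMK plus both
    # MAC addresses and both nonces, so each session gets different temporal keys.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {
        "kck": ptk[0:16],      # EAPOL-Key confirmation (MIC) key
        "kek": ptk[16:32],     # EAPOL-Key encryption key (wraps the group key)
        "tk": ptk[32:48],      # TKIP temporal key: seed for the per-packet keys
        "mic_tx": ptk[48:56],  # Michael MIC key, AP -> station
        "mic_rx": ptk[56:64],  # Michael MIC key, station -> AP
    }


def session_keys(passphrase: str, ssid: str, anonce: bytes, snonce: bytes) -> dict:
    return derive_ptk(derive_pmk(passphrase, ssid), AP_MAC, STA_MAC, anonce, snonce)


if __name__ == "__main__":
    first = session_keys("password", "IEEE", ANONCE_1, SNONCE_1)
    rekeyed = session_keys("password", "IEEE", ANONCE_2, SNONCE_1)
    print("PMK  :", derive_pmk("password", "IEEE").hex())
    print("TK #1:", first["tk"].hex())
    print("TK #2:", rekeyed["tk"].hex(), "(same passphrase, fresh nonce)")
```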