Performing Advanced Configuration
• Dynamic Key distribution
– The AP generates and maintains the keys for its clients
– The AP securely delivers the appropriate keys to its clients
• Client/server mutual authentication
– 802.1x
– Pre-shared key (for networks that do not have an 802.1x solution implemented)
NOTE
For more information on WPA, see the Wi-Fi Alliance Web site at http://www.wi-fi.org.
The AP supports the following WPA authentication modes:
• WPA: The AP uses 802.1x to authenticate clients. You should only use an EAP that supports mutual
authentication and session key generation, such as EAP-TLS, EAP-TTLS, and PEAP. See 802.1x Authentication
for details.
• WPA-PSK (Pre-Shared Key): For networks that do not have 802.1x implemented, you can configure the AP to
authenticate clients based on a Pre-Shared Key. This is a shared secret that is manually configured on the AP and
each of its clients. The Pre-Shared Key must be 256 bits long, which is 64 hexadecimal digits. The AP also
supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared Key (so a user can enter an
easy-to-remember phrase rather than a string of characters).
• 802.11i (also known as WPA2): The AP authenticates clients according to the 802.11i draft standard, using 802.1x
authentication, an AES cipher, and re-keying.
• 802.11i-PSK (also known as WPA2 PSK): The AP uses an AES cipher, and authenticates clients based on a
Pre-Shared Key. The Pre-Shared Key must be 256 bits long, which is 64 hexadecimal digits. As with WPA-PSK, the
AP also supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared Key (so a user can enter an
easy-to-remember phrase rather than a string of characters).
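The PSK Pass Phrase option described for WPA-PSK and 802.11i-PSK is a deterministic mapping from the passphrase and the SSID to the 256-bit key: IEEE 802.11i specifies PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations. The following Python is an added example written for this page, not code from the AP or its manual; it derives the key both ways the AP accepts (raw 64-hex-digit key or passphrase), checks against the standard's published test vector, and shows why a weak passphrase is a problem: the derivation uses only the passphrase and the public SSID, so guesses can be tested offline. The function names, the rule that a 64-hex-digit string is taken as the raw key rather than as a passphrase, and the candidate list are assumptions made for illustration, not documented AP behaviour.

```python
import hashlib
import re

# A raw PSK is exactly 256 bits, entered as 64 hexadecimal digits (the AP's rule).
RAW_PSK_RE = re.compile(r"^[0-9A-Fa-f]{64}$")


def is_valid_passphrase(passphrase: str) -> bool:
    """802.11i restricts a passphrase to 8..63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and passphrase.isascii() and passphrase.isprintable()


def is_valid_raw_psk(value: str) -> bool:
    """True if the string is a 256-bit key written as 64 hex digits."""
    return RAW_PSK_RE.fullmatch(value) is not None


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK from a passphrase as IEEE 802.11i Annex H specifies:
    PBKDF2-HMAC-SHA1, salt = SSID bytes, 4096 iterations, 32-byte output.
    Because the SSID is the salt, the same passphrase yields a different PSK on
    every SSID, so precomputed tables only help against one specific SSID."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def resolve_psk(configured: str, ssid: str) -> bytes:
    """Assumed (hypothetical) AP behaviour: a value that is exactly 64 hex digits is
    used as the key itself; anything else is treated as a passphrase and derived."""
    if is_valid_raw_psk(configured):
        return bytes.fromhex(configured)
    return psk_from_passphrase(configured, ssid)


def offline_guess(candidates, ssid: str, target_psk: bytes):
    """Why the passphrase must be strong: the inputs are the passphrase and the
    public SSID, so an attacker who captured a 4-way handshake can test guesses
    offline at PBKDF2 speed without touching the AP again. A real attack verifies
    each guess against the handshake MIC; this constructed example compares the
    derived PSK directly so that it runs stand-alone. Returns the match or None."""
    for guess in candidates:
        if is_valid_passphrase(guess) and psk_from_passphrase(guess, ssid) == target_psk:
            return guess
    return None


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    ssid = "IEEE"
    psk = psk_from_passphrase("password", ssid)
    print("PSK for 'password' on SSID 'IEEE':", psk.hex())
    print("same key when entered as raw hex:", resolve_psk(psk.hex(), ssid) == psk)
    # Constructed candidate list standing in for a dictionary.
    print("offline guess found:", offline_guess(["letmein1", "password", "Passw0rd!"], ssid, psk))
```

Run it directly to see the expected Annex H value (f42c6fc5 2df0ebef ... 9710a12e) and the dictionary hit. The practical consequence for the PSK modes above: the passphrase, not the 256-bit key, is the real secret strength, and the SSID should not be one that appears in common precomputed tables.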
Authentication Protocol Hierarchy
There is a hierarchy of authentication protocols defined for the AP.
The hierarchy is as follows, from Highest to lowest:
• 802.1x authentication
• MAC Access Control via RADIUS Authentication
• MAC Access Control through individual APs' MAC Access Control Lists
If both 802.1x and MAC authentication are enabled, the 802.1x result takes effect. This is required so that the
AP can deliver the dynamic WEP keys to the clients in such cases. Once you disable 802.1x on the AP, MAC
authentication takes effect.
VLANs and Security Profiles
The AP2000 allows you to segment wireless networks into multiple sub-networks based on Network Name (SSID)
and VLAN membership. A Network Name (SSID) identifies a wireless network. Clients associate with Access Points
that share an SSID. During installation, the Setup Wizard prompts you to configure a Primary Network Name for each
wireless interface.
After initial setup and once VLAN is enabled, the AP can be configured to support up to 16 SSIDs per wireless
interface to segment wireless networks based on VLAN membership.
Each VLAN can be associated with a Security Profile and RADIUS Server Profiles. A Security Profile defines the allowed
wireless clients, and the authentication and encryption types. Refer to VLANs and Security Profiles for configuration
details.
NOTE
The ability to configure up to 16 VLAN/SSID pairs and to configure a security profile per SSID is available only
for 802.11b/g APs and 802.11a Upgrade Kit APs.
802.11b APs do not support multiple VLAN/SSID pairs. APs with the 802.11a card support multiple
VLAN/SSID pairs, but do not support the security profile per SSID capability.