
Configuring AP access points 261
Nortel WLAN Security Switch 2300 Series Configuration Guide
Configuring AP-WSS Security
WSS Software provides security for management traffic between WSS switches and Distributed APs. For Distributed
APs that support this feature, all management traffic between the AP and the WSS is encrypted.
The encryption uses RSA as the public key cryptosystem, with AES-CCM for data encryption and integrity checking
and HMAC-MD5 for keyed hashing and message authentication during the key exchange. Bulk data protection is
provided by AES in CCM mode (AES CTR for encryption and AES-CBC-MAC for data integrity). A 64-bit Message
Authentication Code is used for data integrity.
Encryption Key Fingerprint
APs are configured with an encryption key pair at the factory. The fingerprint for the public key is displayed on a label
on the back of the AP, in the following format:
RSA
aaaa:aaaa:aaaa:aaaa:
aaaa:aaaa:aaaa:aaaa
If the AP is already installed, you can display the fingerprint in WSS Software. (See “Finding the Fingerprint” on
page 262.)
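The following Python sketch is an added example, not part of the Nortel guide or of WSS Software. It normalizes a fingerprint transcribed from the AP label (the "RSA" prefix, the two-line wrap and the trailing colon) and compares it with the value displayed by the switch, so that a mismatch is caught before the fingerprint is confirmed. The AP names and fingerprint values are constructed, and treating the label characters as hexadecimal digits is an assumption.

```python
import re

# Label layout from this page: "RSA", then eight colon-separated groups of
# four characters wrapped over two lines. Hex digits are an assumption.
def normalize_fingerprint(text):
    """Return the fingerprint as eight lowercase 4-digit groups joined by ':'."""
    body = text.strip().lower()
    if body.startswith("rsa"):
        body = body[3:]
    # Dropping whitespace and colons joins the two label lines and tolerates
    # a missing or doubled separator in the transcription.
    digits = re.sub(r"[\s:]", "", body)
    if not re.fullmatch(r"[0-9a-f]{32}", digits):
        raise ValueError("expected 32 hex digits, got %r" % text)
    return ":".join(digits[i:i + 4] for i in range(0, 32, 4))

def fingerprints_match(label_text, reported_text):
    """True only if both values parse and are identical after normalizing."""
    try:
        return normalize_fingerprint(label_text) == normalize_fingerprint(reported_text)
    except ValueError:
        return False

def audit(labels, reported):
    """Compare label fingerprints (keyed by AP name) with the values the
    switch displays. Returns {name: "match" | "MISMATCH" | "missing"}."""
    result = {}
    for name, label in labels.items():
        if name not in reported:
            result[name] = "missing"
        elif fingerprints_match(label, reported[name]):
            result[name] = "match"
        else:
            result[name] = "MISMATCH"
    return result

# Constructed sample values, not real AP fingerprints.
LABELS = {
    "ap-lobby": "RSA\n0A1B:2C3D:4E5F:6071:\n8293:A4B5:C6D7:E8F9",
    "ap-lab": "RSA\n1111:2222:3333:4444:\n5555:6666:7777:8888",
    "ap-dock": "RSA\n9999:aaaa:bbbb:cccc:\ndddd:eeee:ffff:0000",
}
REPORTED = {
    "ap-lobby": "0a1b:2c3d:4e5f:6071:8293:a4b5:c6d7:e8f9",
    "ap-lab": "1111:2222:3333:4444:5555:6666:7777:8889",  # last digit differs
}

if __name__ == "__main__":
    for ap, status in audit(LABELS, REPORTED).items():
        print(ap, status)
```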
Encryption Options
By default, a WSS switch can configure and manage a Distributed AP regardless of whether the AP has an encryption
key, and regardless of whether you have confirmed the fingerprint by setting it in WSS Software. You can configure a
WSS to require Distributed APs to have an encryption key. In this case, the switch also requires their fingerprints to be
confirmed in WSS Software. When AP security is required, an AP can establish a management session with the WSS
only if you have confirmed its fingerprint in WSS Software.
Table 17 lists the AP security options and whether an AP can establish a management session with a WSS based on the
option settings.
Note. This feature applies to Distributed APs only, not to directly connected APs
configured on AP access ports. In addition, AP models AP-101 and AP-122 do not have
encryption keys and do not support this feature regardless of how they are connected to the
WSS switch.
Note. The maximum transmission unit (MTU) for encrypted AP management traffic is
1498 bytes, whereas the MTU for unencrypted management traffic is 1474 bytes. Make
sure the devices in the intermediate network between the WSS switch and Distributed AP
can support the higher MTU.