C
HAPTER
7
| Wireless Configuration
WLAN Security
– 87 –
message integrity. The AES Counter-Mode/CBCMAC Protocol (AES-
CCMP) provides extremely robust data confidentiality using a 128-
bit key. Use of AES-CCMP encryption is specified as a standard
requirement for WPA2. Before implementing WPA2 in the network,
be sure client devices are upgraded to WPA2-compliant hardware.
■
TKIP/AES
— Uses either TKIP or AES keys for encryption. WPA and
WPA2 mixed modes allow both WPA and WPA2 clients to associate
to a common SSID. In mixed mode, the unicast encryption type
(TKIP or AES) is negotiated for each client.
◆
Key Renewal Interval
— Sets the time period for automatically
changing data encryption keys and redistributing them to all connected
clients. (Default: 3600 seconds)
◆
PMK Cache Period
— WPA2 provides fast roaming for authenticated
clients by retaining keys and other security information in a cache, so
that if a client roams away from an access point and then returns
reauthentication is not required. This parameter sets the time for
deleting the cached WPA2 Pairwise Master Key (PMK) security
information. (Default: 10 minutes)
◆
Pre-Authentication
— When using WPA2, pre-authentication can be
enabled that allows clients to roam to another access point and be
quickly associated without performing full 802.1X authentication.
(Default: Disabled)
IEEE 802.1X
AND
RADIUS
IEEE 802.1X is a standard framework for network access control that uses
a central RADIUS server for user authentication. This control feature
prevents unauthorized access to the network by requiring an 802.1X client
application to submit user credentials for authentication. The 802.1X
standard uses the Extensible Authentication Protocol (EAP) to pass user
credentials (either digital certificates, user names and passwords, or other)
from the client to the RADIUS server. Client authentication is then verified
on the RADIUS server before the client can access the network.
Remote Authentication Dial-in User Service (RADIUS) is an authentication
protocol that uses software running on a central server to control access to
RADIUS-aware devices on the network. An authentication server contains a
database of user credentials for each user that requires network access.
The WPA and WPA2 enterprise security modes use 802.1X as the method
of user authentication. IEEE 802.1X can also be enabled on its own as a
security mode for user authentication. When 802.1X is used, a RADIUS
server must be configured and be available on the connected wired
network.
N
OTE
:
This guide assumes that you have already configured RADIUS
server(s) to support the access point. Configuration of RADIUS server
software is beyond the scope of this guide, refer to the documentation
provided with the RADIUS server software.