Alvarion BreezeMAX Wi and BreezeACCESS Wi 214486 User Manual
Operation
Chapter 4 - System Configuration
4.6.2.3 WiFi Protected Access (WPA)
WPA employs a combination of several technologies to provide an enhanced
security solution for 802.11 wireless networks.
The access point supports the following WPA components and features:
IEEE 802.1X and the Extensible Authentication Protocol (EAP): WPA employs
802.1X as its basic framework for user authentication and dynamic key
management. The 802.1X client and RADIUS server should use an appropriate
EAP type—such as EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled
TLS), or PEAP (Protected EAP)—for strongest authentication. Working together,
these protocols provide “mutual authentication” between a client, the access
point, and a RADIUS server that prevents users from accidentally joining a rogue
network. Only when a RADIUS server has authenticated a user’s credentials will
encryption keys be sent to the access point and client.
Temporal Key Integrity Protocol (TKIP): WPA specifies TKIP as the data
encryption method to replace WEP. TKIP avoids the problems of WEP static keys
by dynamically changing data encryption keys. Basically, TKIP starts with a
master (temporal) key for each user session and then mathematically generates
other keys to encrypt each data packet. TKIP provides further data encryption
enhancements by including a message integrity check for each packet and a
re-keying mechanism, which periodically changes the master key.
WPA Pre-Shared Key Mode (WPA-PSK, WPA2-PSK): For enterprise deployment,
WPA requires a RADIUS authentication server to be configured on the wired
network. However, for small office networks that may not have the resources to
configure and maintain a RADIUS server, WPA provides a simple operating mode
that uses just a pre-shared password for network access. The Pre-Shared Key
mode uses a common password for user authentication that is manually entered
on the access point and all wireless clients. The PSK mode uses the same TKIP
Enterprise AP(if-wireless g)#vap 0
Enterprise AP(if-wireless g: VAP[0])#802.1X required
Enterprise AP(if-wireless g: VAP[0])#802.1X session-timeout 300
Enterprise AP(if-wireless g: VAP[0])#auth open-system
Enterprise AP(if-wireless g: VAP[0])#encryption
Enterprise AP(if-wireless g: VAP[0])#
NOTE
Implementing WPA on wireless clients requires a WPA-enabled network card driver and 802.1X
client software that supports the EAP authentication type that you want to use. Windows XP
provides native WPA support; other systems require additional software.
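
The Pre-Shared Key mode described above relies on one password entered on the access point and every client. The following added example (not part of this manual or the vendor's software) checks such a password before it is provisioned and derives the 256-bit key from it. The derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) comes from IEEE 802.11i, not from this manual; the function names and the 16-character policy threshold are assumptions.

```python
import hashlib

# IEEE 802.11i passphrases are 8..63 printable ASCII characters (codes 32..126).
_ALLOWED = {chr(c) for c in range(32, 127)}


def format_problems(passphrase: str) -> list[str]:
    """Reasons the standard would reject this passphrase (empty list = valid)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8 to 63 characters")
    if any(c not in _ALLOWED for c in passphrase):
        problems.append("only printable ASCII characters are allowed")
    return problems


def policy_warnings(passphrase: str) -> list[str]:
    """Hypothetical local policy (an assumption, not from the manual)."""
    warnings = []
    if len(passphrase) < 16:
        warnings.append("shorter than 16 characters")
    if passphrase.isalpha() or passphrase.isdigit():
        warnings.append("uses a single character class")
    return warnings


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit key that every station sharing this passphrase computes."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    problems = format_problems(passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    # The SSID is the only salt: same passphrase + same SSID = same key everywhere.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


if __name__ == "__main__":
    # "password"/"IEEE" is the test vector published in IEEE 802.11i;
    # "branch-office" is a constructed SSID.
    for ssid in ("IEEE", "branch-office"):
        key = derive_psk("password", ssid)
        print(f"{ssid:14} {key.hex()} warnings={policy_warnings('password')}")
```

Because the key depends only on the passphrase and the SSID, changing the passphrase means re-entering it on the access point and on every client.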