Proxim AP-4000 Manuel D’Utilisation

Page de 235
Advanced Configuration
AP-4000 Series User Guide
SSID/VLAN/Security
118
WPA is a replacement for Wired Equivalent Privacy (WEP), the encryption technique specified by the original 802.11 
standard. WEP has several vulnerabilities that have been widely publicized. WPA addresses these weaknesses and 
provides a stronger security system to protect wireless networks.
WPA provides the following new security measures not available with WEP:
• Improved packet encryption using the Temporal Key Integrity Protocol (TKIP) and the Michael Message Integrity 
Check (MIC).
• Per-user, per-session dynamic encryption keys:
Each client uses a different key to encrypt and decrypt unicast packets exchanged with the AP
A client's key is different for every session; it changes each time the client associates with an AP
The AP uses a single global key to encrypt broadcast packets that are sent to all clients simultaneously
Encryption keys change periodically based on the Re-keying Interval parameter
WPA uses 128-bit encryption keys
• Dynamic Key distribution
The AP generates and maintains the keys for its clients
The AP securely delivers the appropriate keys to its clients
• Client/server mutual authentication
802.1x
Pre-shared key (for networks that do not have an 802.1x solution implemented)
The AP supports the following WPA security modes:
• WPA: The AP uses 802.1x to authenticate clients and TKIP for encryption. You should only use an EAP that supports 
mutual authentication and session key generation, such as EAP-TLS, EAP-TTLS, and PEAP. See 
 for details.
• WPA-PSK (Pre-Shared Key): For networks that do not have 802.1x implemented, you can configure the AP to 
authenticate clients based on a Pre-Shared Key. This is a shared secret that is manually configured on the AP and 
each of its clients. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits or 32 
alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the TKIP 
Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters). 
• 802.11i (also known as WPA2): The AP provides security to clients according to the 802.11i draft standard, using 
802.1x authentication, a CCMP cipher based on AES, and re-keying.
• 802.11i-PSK (also known as WPA2 PSK): The AP uses a CCMP cipher based on AES, and encrypts frames to clients 
based on a Pre-Shared Key. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits or 32 
alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared 
Key (so a user can enter an easy-to-remember phrase rather than a string of characters).
NOTE: For more information on WPA, see the Wi-Fi Alliance Web site at 
Authentication Protocol Hierarchy
There is a hierarchy of authentication protocols defined for the AP. 
The hierarchy is as follows, from Highest to lowest:
• 802.1x authentication
• MAC Access Control via RADIUS Authentication
• MAC Access Control through individual APs' MAC Access Control Lists
If you have both 802.1x and MAC authentication enabled, the 802.1x results will take effect. This is required in order 
to propagate the WEP keys to the clients in such cases. Once you disable 802.1x on the AP, you will see the effects of 
MAC authentication.