

Configuring Security

For a more detailed explanation of security concepts, including a comparison of the advantages and disadvantages of the different security modes and suggestions on which mode to use, see Understanding Security Issues on Wireless Networks in the Administrator's Guide.

See also the related topic, Appendix A:"Configuring Security Settings on Wireless Clients" in the Administrator Guide.


How Does Station Isolation Protect the Network?

When Station Isolation is enabled, the access point blocks communication between wireless clients. The access point still allows data traffic between its wireless clients and wired devices on the network, but not among wireless clients.

The traffic blocking extends to wireless clients connected to the network via WDS links; these clients cannot communicate with each other when Station Isolation is on. See Configuring the Wireless Distribution System (WDS) for more information about WDS.

The following configuration information explains how to configure security modes on the access point. Keep in mind that each wireless client that wants to exchange data with the access point must be configured with the same security mode and encryption key settings as the access point.

On a two-radio AP, these Security Settings apply to both radios.

Notes

Security modes other than unencrypted ("None") apply only to configuration of the "Internal" network. On the "Guest" network, you can use only unencrypted mode. (For more information about guest networks, see Setting up Guest Access.)

Broadcast SSID, Station Isolation, and Security Mode

To configure security on the access point, select a security mode and fill in the related fields as described in the following table. (Note you can also allow or prohibit the Broadcast SSID and enable/disable Station Isolation as extra precautions as mentioned below.)

Field
Description
Broadcast SSID
Select the Broadcast SSID setting by clicking the "Allow" or "Prohibit" radio button.
By default, the access point broadcasts (allows) the Service Set Identifier (SSID) in its beacon frames.
You can suppress (prohibit) this broadcast to discourage stations from automatically discovering your access point. When the AP's broadcast SSID is suppressed, the network name will not be displayed in the List of Available Networks on a client station. Instead, the client must have the exact network name configured in the supplicant before it will be able to connect.
Station Isolation
Select Off to disable Station Isolation or On to enable it.
  • When Station Isolation is Off, wireless clients can communicate with one another normally by sending traffic through the access point.
  • When Station Isolation is On, the access point blocks communication between wireless clients. The access point still allows data traffic between its wireless clients and wired devices on the network, but not among wireless clients. The traffic blocking extends to wireless clients connected to the network via WDS links; these clients cannot communicate with each other when Station Isolation is on. See Configuring the Wireless Distribution System (WDS) for more information about WDS.
Security Mode
Select one of the security modes described in the sections that follow: None, Static WEP, IEEE 802.1x, WPA/WPA2 Personal (PSK), or WPA/WPA2 Enterprise (RADIUS).
Security modes other than "None" apply only to the "Internal" network; for a Guest network, only the unencrypted ("None") setting can be used. (For more information, see Setting up Guest Access.)

None (unencrypted or plain text mode)

None (or "plain text" security) means any data transferred to and from the U.S. Robotics Professional Access Point is not encrypted.

If you select "None" for the security mode, no further security-related options are configurable on the AP.

Guest Network

Plain text mode is the only mode in which you can run the Guest network, which is by definition an easily accessible, unsecured LAN that is always virtually or physically separated from any sensitive information on the Internal LAN. For example, the guest network might simply provide internet and printer access for day visitors.

The absence of security on the Guest AP is designed to make it as easy as possible for guests to get a connection without having to program any security settings in their clients.

For a minimum level of protection on a guest network, you can choose to suppress (prohibit) the broadcast of the SSID (network name) to discourage client stations from automatically discovering your access point. (See also Does Prohibiting the Broadcast SSID Enhance Security? in the Administrators Guide).

For more about the Guest network, see Setting up Guest Access.

Static WEP

Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. All wireless stations and access points on the network are configured with a static 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit secret key + 24-bit IV) Shared Key for data encryption.

You cannot mix 64-bit and 128-bit WEP keys between the access point and its client stations.

If you selected "Static WEP" Security Mode, provide the following on the access point settings:

Field
Description
Transfer Key Index
Select a key index from the drop-down menu. Key indexes 1 through 4 are available. The default is 1.
The Transfer Key Index indicates which WEP key the access point will use to encrypt the data it transmits.
Key Length
Specify the length of the key by clicking one of the radio buttons:
  • 64 bits
  • 128 bits
Key Type
Select the key type by clicking one of the radio buttons:
  • ASCII
  • Hex
Characters Required
Indicates the number of characters required in the WEP key.
The number of characters required updates automatically based on how you set Key Length and Key Type.
WEP Keys
You can specify up to four WEP keys. In each text box, enter a string of characters for each key.
If you selected "ASCII", enter any combination of digits and letters (0-9, a-z, and A-Z). If you selected "Hex", enter hexadecimal digits (any combination of 0-9 and a-f or A-F).
Use the same number of characters for each key as specified in the "Characters Required" field. These are the RC4 WEP keys shared with the stations using the access point.
Each client station must be configured to use one of these same WEP keys in the same slot as specified here on the AP. (See Rules to Remember for Static WEP.)
Authentication Algorithm
The authentication algorithm defines the method used to determine whether a client station is allowed to associate with an access point when static WEP is the security mode.
Specify the authentication algorithm you want to use by choosing one of the following from the drop-down menu:
  • Open System
  • Shared Key
  • Both
Open System authentication allows any client station to associate with the access point whether or not that client station has the correct WEP key. This algorithm is also used in plain text, IEEE 802.1x, and WPA modes.
Note that being allowed to associate does not mean a station can exchange traffic with the access point. A station must have the correct WEP key to decrypt data received from the access point and to transmit data the access point can read.
Shared Key authentication requires the client station to have the correct WEP key in order to associate with the access point. When the authentication algorithm is set to "Shared Key", a station with an incorrect WEP key will not be able to associate with the access point.
Both is the default. When the authentication algorithm is set to "Both":
  • Client stations configured to use WEP in shared key mode must have a valid WEP key in order to associate with the access point.
  • Client stations configured to use WEP as an open system (shared key mode not enabled) will be able to associate with the access point even if they do not have the correct WEP key.
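The checks below are an added example, not code from the original page or from U.S. Robotics: they encode the WEP entry rules described above (64-bit = 40-bit secret, 128-bit = 104-bit secret, ASCII or Hex entry, up to four keys, transfer key index, and the requirement that a client hold the same key in the same slot). The "Characters Required" values (5/10 for 64-bit, 13/26 for 128-bit) follow from the secret-key sizes and are not stated on the page.

```python
import re

# Secret-key bits per WEP key length from the page: the 24-bit IV is
# generated per frame by the hardware and is never typed into the key field.
SECRET_BITS = {64: 40, 128: 104}

_ASCII_RE = re.compile(r"^[0-9A-Za-z]+$")
_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def characters_required(key_length_bits: int, key_type: str) -> int:
    """Return the number of characters the AP's "Characters Required" field shows."""
    secret_bytes = SECRET_BITS[key_length_bits] // 8      # 5 or 13 bytes
    if key_type.upper() == "ASCII":
        return secret_bytes                               # one byte per character
    if key_type.upper() == "HEX":
        return secret_bytes * 2                           # two hex digits per byte
    raise ValueError(f"unknown key type {key_type!r}")


def validate_wep_keys(keys, key_length_bits, key_type, transfer_index=1):
    """Check a set of WEP keys against the AP's entry rules.

    Returns a list of problem strings; an empty list means the settings
    would be accepted as entered.
    """
    problems = []
    if not 1 <= len(keys) <= 4:
        problems.append("between 1 and 4 WEP keys may be specified")
    if not 1 <= transfer_index <= len(keys):
        problems.append(f"transfer key index {transfer_index} has no key entered")
    needed = characters_required(key_length_bits, key_type)
    charset = _ASCII_RE if key_type.upper() == "ASCII" else _HEX_RE
    for slot, key in enumerate(keys, start=1):
        if len(key) != needed:
            problems.append(f"key {slot}: {len(key)} characters, {needed} required")
        if not charset.match(key):
            problems.append(f"key {slot}: contains characters not allowed for {key_type}")
    return problems


def client_can_decrypt(ap_keys, transfer_index, client_keys):
    """True when the client holds the AP's transmit key in the same slot.

    WEP frames carry only the key index, not the key, so a client with the
    right key string in the wrong slot still cannot decrypt AP traffic.
    """
    idx = transfer_index - 1
    return idx < len(client_keys) and client_keys[idx] == ap_keys[idx]


if __name__ == "__main__":
    # Constructed sample keys, not values from the original page.
    ap = ["ABCDE", "12345"]
    print(validate_wep_keys(ap, 64, "ASCII", transfer_index=2))   # []
    print(client_can_decrypt(ap, 2, ["12345", "ABCDE"]))         # False: right key, wrong slot
```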

Rules to Remember for Static WEP

IEEE 802.1x

IEEE 802.1x is the standard defining port-based authentication and the infrastructure for key management. Extensible Authentication Protocol (EAP) messages are sent over an IEEE 802.11 wireless network using a protocol called EAP Encapsulation Over LANs (EAPOL). IEEE 802.1x provides dynamically generated keys that are periodically refreshed. An RC4 stream cipher is used to encrypt the frame body and the cyclic redundancy check (CRC) of each 802.11 frame.

This mode requires the use of a RADIUS server to authenticate users, and configuration of user accounts via the Cluster > User Management tab.

The access point requires a RADIUS server capable of EAP, such as the Microsoft Internet Authentication Server or the U.S. Robotics Professional Access Point internal authentication server. To work with Windows clients, the authentication server must support Protected EAP (PEAP) and MSCHAP V2.

When configuring IEEE 802.1x mode, you have a choice of whether to use the embedded RADIUS server or an external RADIUS server that you provide. The U.S. Robotics Professional Access Point embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.

If you use your own RADIUS server, you have the option of using any of a variety of authentication methods that the IEEE 802.1x mode supports, including certificates, Kerberos, and public key authentication. Keep in mind, however, that the client stations must be configured to use the same authentication method being used by the access point.

If you selected "IEEE 802.1x" Security Mode, provide the following:

Field
Description
Authentication Server
Select one of the following from the drop-down menu:
  • Built-in - To use the authentication server provided with the U.S. Robotics Professional Access Point. If you choose this option, you do not have to provide the Radius IP and Radius Key; they are automatically provided.
  • External - To use an external authentication server. If you choose this option you must supply a Radius IP and Radius Key of the server you want to use.
Note: The RADIUS server is identified by its IP address and the UDP port numbers for the different services it provides. On the current release of the U.S. Robotics Professional Access Point, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are not configurable. (The U.S. Robotics Professional Access Point is hard-coded to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.)
Radius IP
Enter the Radius IP in the text box.
The Radius IP is the IP address of the RADIUS server.
(The U.S. Robotics Professional Access Point internal authentication server is 127.0.0.1.)
For information on setting up user accounts, see Managing User Accounts.
Radius Key
Enter the Radius Key in the text box.
The Radius Key is the shared secret key for the RADIUS server. The text you enter will be displayed as "*" characters to prevent others from seeing the RADIUS key as you type.
(The U.S. Robotics Professional Access Point internal authentication server key is secret.)
This value is never sent over the network.
Enable RADIUS Accounting
Click "Enable RADIUS Accounting" if you want to track and measure the resources a particular user has consumed, such as system time, amount of data transmitted and received, and so on.

WPA/WPA2 Personal (PSK)

Wi-Fi Protected Access 2 (WPA2) with Pre-Shared Key (PSK) is a Wi-Fi Alliance implementation of the IEEE 802.11i standard, which includes the Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. The Personal version of WPA2 employs a pre-shared key (instead of using IEEE 802.1x and EAP as in the Enterprise WPA2 security mode). The PSK is used for an initial check of credentials only.

This security mode is backwards-compatible for wireless clients that support the original WPA.

If you selected "WPA/WPA2 Personal (PSK)" Security Mode, provide the following:

Field
Description
WPA Versions
Select the types of client stations you want to support:
  • WPA
  • WPA2
  • Both
WPA. If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA.
WPA2. If all client stations on the network support WPA2, we suggest using WPA2 which provides the best security per the IEEE 802.11i standard.
Both. If you have a mix of clients, some of which support WPA2 and others which support only the original WPA, select "Both". This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients that support it. This WPA configuration allows more interoperability, at the expense of some security.
Cipher Suites
Select the cipher you want to use from the drop-down menu:
  • TKIP
  • CCMP (AES)
  • Both
Temporal Key Integrity Protocol (TKIP) is the default.
TKIP provides a more secure encryption solution than WEP keys. The TKIP process more frequently changes the encryption key used and better ensures that the same key will not be re-used to encrypt data (a weakness of WEP). TKIP uses a 128-bit "temporal key" shared by clients and access points. The temporal key is combined with the client's MAC address and a 16-octet initialization vector to produce the key that will encrypt the data. This ensures that each client station uses a different key to encrypt data. TKIP uses RC4 to perform the encryption, which is the same as WEP. But TKIP changes temporal keys every 10,000 packets and distributes them, thereby greatly improving the security of the network.
Counter mode/CBC-MAC Protocol (CCMP) is an encryption method for IEEE 802.11i that uses the Advanced Encryption Standard (AES). It uses CCM, which combines Counter mode (CTR) for encryption with Cipher Block Chaining Message Authentication Code (CBC-MAC) for message integrity.
When Cipher Suites is set to "Both", both TKIP and CCMP (AES) clients can associate with the access point. WPA clients must have one of the following to be able to associate with the AP:
  • A valid TKIP key
  • A valid CCMP (AES) key
Clients not configured to use a WPA-PSK will not be able to associate with the AP.
Key
The Pre-shared Key is the shared secret key for WPA-PSK. Enter a string of at least 8 characters to a maximum of 63 characters.
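The derivation below is an added example, not code from the original page or from U.S. Robotics. It shows how the 8-to-63-character Key entered here becomes the 256-bit pre-shared key that the AP and every client compute independently: the IEEE 802.11i passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations), which is standard and not described on the page. Sample passphrase and SSID values are constructed.

```python
import hashlib


def validate_passphrase(passphrase: str) -> None:
    """Enforce the AP's entry rule for the WPA-PSK Key: 8 to 63 characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrase must be 8 to 63 characters")
    # 802.11i restricts passphrases to printable ASCII (0x20-0x7E).
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("WPA-PSK passphrase must be printable ASCII")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map the typed passphrase to the 256-bit PSK (IEEE 802.11i, Annex H).

    PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase yields a different key on
    every network name; both AP and client run this exact computation, and
    the result is never sent over the air.
    """
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PSK, as shown by tools that accept a raw 64-digit key."""
    return derive_psk(passphrase, ssid).hex()


if __name__ == "__main__":
    # Constructed sample values, not from the original page.
    print(psk_hex("correct horse battery", "USR-Internal"))
```

Because the salt is the public SSID and the iteration count is fixed, the passphrase length and unpredictability are the only things that make the PSK hard to guess offline; the 8-character minimum is a floor, not a recommendation.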

WPA/WPA2 Enterprise (RADIUS)

Wi-Fi Protected Access 2 (WPA2) with Remote Authentication Dial-In User Service (RADIUS) is an implementation of the Wi-Fi Alliance IEEE 802.11i standard, which includes Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. The Enterprise mode requires the use of a RADIUS server to authenticate users, and configuration of user accounts via the Cluster > User Management tab.

This security mode is backwards-compatible with wireless clients that support the original WPA.

When configuring WPA2 Enterprise (RADIUS) mode, you have a choice of whether to use the built-in RADIUS server or an external RADIUS server that you provide. The U.S. Robotics Professional Access Point built-in RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.

If you selected "WPA/WPA2 Enterprise (RADIUS)" Security Mode, provide the following:

Field
Description
WPA Versions
Select the types of client stations you want to support:
  • WPA
  • WPA2
  • Both
WPA. If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA.
WPA2. If all client stations on the network support WPA2, we suggest using WPA2 which provides the best security per the IEEE 802.11i standard.
Both. If you have a mix of clients, some of which support WPA2 and others which support only the original WPA, select "Both". This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients that support it. This WPA configuration allows more interoperability, at the expense of some security.
Enable pre-authentication
If for WPA Versions you select "WPA2" or "Both", you can enable pre-authentication for WPA2 clients.
Click "Enable pre-authentication" if you want WPA2 wireless clients to send pre-authentication packets. The pre-authentication information will be relayed from the access point the client is currently using to the target access point. Enabling this feature can help speed up authentication for roaming clients that connect to multiple access points.
This option does not apply if you selected "WPA" for WPA Versions because the original WPA does not support this feature.
Cipher Suites
Select the cipher you want to use from the drop-down menu:
  • TKIP
  • CCMP (AES)
  • Both
Temporal Key Integrity Protocol (TKIP) is the default.
TKIP provides a more secure encryption solution than WEP keys. The TKIP process more frequently changes the encryption key used and better ensures that the same key will not be re-used to encrypt data (a weakness of WEP). TKIP uses a 128-bit "temporal key" shared by clients and access points. The temporal key is combined with the client's MAC address and a 16-octet initialization vector to produce the key that will encrypt the data. This ensures that each client station uses a different key to encrypt data. TKIP uses RC4 to perform the encryption, which is the same as WEP. But TKIP changes temporal keys every 10,000 packets and distributes them, thereby greatly improving the security of the network.
Counter mode/CBC-MAC Protocol (CCMP) is an encryption method for IEEE 802.11i that uses the Advanced Encryption Standard (AES). It uses CCM, which combines Counter mode (CTR) for encryption with Cipher Block Chaining Message Authentication Code (CBC-MAC) for message integrity.
When Cipher Suites is set to "Both", both TKIP and CCMP (AES) clients can associate with the access point. Client stations configured to use WPA with RADIUS must have one of the following to be able to associate with the AP:
  • A valid TKIP RADIUS IP address and RADIUS Key
  • A valid CCMP (AES) RADIUS IP address and RADIUS Key
Clients not configured to use WPA with RADIUS will not be able to associate with the AP.
Authentication Server
Select one of the following from the drop-down menu:
  • Built-in - To use the authentication server provided with the U.S. Robotics Professional Access Point. If you choose this option, you do not have to provide the Radius IP and Radius Key; they are automatically provided.
  • External - To use an external authentication server. If you choose this option you must supply a Radius IP and Radius Key of the server you want to use.
Note: The RADIUS server is identified by its IP address and the UDP port numbers for the different services it provides. On the current release of the U.S. Robotics Professional Access Point, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are not configurable. (The U.S. Robotics Professional Access Point is hard-coded to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.)
Radius IP
Enter the Radius IP in the text box.
The Radius IP is the IP address of the RADIUS server.
(The U.S. Robotics Professional Access Point internal authentication server is 127.0.0.1.)
For information on setting up user accounts, see Managing User Accounts.
Radius Key
Enter the Radius Key in the text box.
The Radius Key is the shared secret key for the RADIUS server. The text you enter will be displayed as "*" characters to prevent others from seeing the RADIUS key as you type.
(The U.S. Robotics Professional Access Point internal authentication server key is secret.)
This value is never sent over the network.
Enable RADIUS Accounting
Click "Enable RADIUS Accounting" if you want to enforce authentication for WPA client stations with user names and passwords for each station.
Allow non-WPA Clients
Click the "Allow non-WPA clients" checkbox if you want to let non-WPA (802.11), un-authenticated client stations use this access point.

Updating Settings

To apply your changes, click Update.



Copyright © 2005 U.S. Robotics. All rights reserved.