ZyXEL Communications AG-225H manual 3 WPA/WPA2, User Authentication, Encryption

Page 36

ZyXEL AG-225H User’s Guide

with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication.

The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE802.1x. The ZyXEL AG-225H supports EAP-TLS, EAP-TTLS and EAP-PEAP.

For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner.

2.2.3 WPA/WPA2

Wi-Fi Protected Access (WPA) and WPA2 is a subset of the IEEE 802.11i security specification draft. Key differences between WPA and WEP are user authentication and improved data encryption. WPA2 is a wireless security standard that defines stronger encryption, authentication and key management than WPA.

User Authentication

WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database.

Therefore, if you don’t have an external RADIUS server, you should use WPA-PSK (WPA -Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a client will be granted access to a WLAN.

Encryption

WPA improves data encryption by using either Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES), Message Integrity Check (MIC) and IEEE 802.1x.

Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi network than WEP, making it difficult for an intruder to break into the network.

The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. The common-

2-6

WLAN Networking

Page 35 Page 37
Image 36
Page 35 Page 37
Contents ZyXEL AG-225H Copyright 2005 by ZyXEL Communications Corporation DisclaimerTrademarks ZyXEL Limited Warranty Online RegistrationFederal Communications Commission FCC Interference Statement Customer Support Spain Table of Contents Viii Table Of Contents Problem Connecting to an Access Point About This Users Guide Syntax ConventionsRelated Documentation User Guide FeedbackGraphics Icons Key Page ZyXEL AG-225H Wi-Fi Finder User Interface About Your ZyXEL AG-225HZyXEL AG-225H Adapter Hardware and Utility Installation Using the ZyXEL Utility to Configure Your NetworkLCM Description Basic OperationGetting Started Network Profile AddZyXEL AG-225H User’s Guide Getting Started Remove Getting Started ZyXEL AG-225H User’s Guide Security Mode ZyXEL AG-225H User’s Guide Site Survey RefreshDetail Info Connect Options ZyAIR Modes VersionChange ZyAIR Modes Wireless Network Application OverviewSsid ChannelAd-Hoc Ibss BSS Example Infrastructure Network Example Access Point Mode RoamingWireless LAN Security Roaming ExampleEAP Authentication Data Encryption with WEPIeee User Authentication 3 WPA/WPA2Encryption WPA-PSK/WPA2-PSK Application Example 5 WPA/WPA2 with Radius Application ExampleFragmentation Threshold RTS/CTS ThresholdAuthentication Type RTS ThresholdZyXEL AG-225H User’s Guide Additional Setup Requirements IntroductionProfile Screen Profile Label DescriptionHow to configure in Access Point Mode Add Wlan Networking ZyXEL AG-225H User’s Guide Remove MAC Filter MAC FilterWlan Networking Version Chapter Maintenance Version ScreenUninstalling the ZyXEL Utility AboutUpgrading the ZyXEL Utility Page Configuring Security Configuring WEPWireless Security Configuring WPA-PSK Configuring WPA2-PSK Problems Starting the ZyXEL Utility Program Problem with the Link StatusTroubleshooting Starting ZyXEL Utility Program Troubleshooting Link QualityProblems Communicating With Other Computers Problem Connecting to an Access PointTroubleshooting Communication Problems Troubleshooting Access Point Connection Problem
Top Page Image Contents