3Com WXR100 3CRWXR10095A, WX4400 3CRWX440095A, WX1200 3CRWX120695A Configuring User Encryption

288CHAPTER 13: CONFIGURING USER ENCRYPTION

WPA Authentication You can configure an SSID to support one or both of the following Methods authentication methods for WPA clients:

„802.1X — The MAP and client use an Extensible Authentication Protocol (EAP) method to authenticate one another, then use the resulting key in a handshake to derive a unique key for the session. The 802.1X authentication method requires user information to be configured on AAA servers or in the WX switch’s local database. This is the default WPA authentication method.

„Preshared key (PSK) — A MAP radio and a client authenticate one another based on a key that is statically configured on both devices. The devices then use the key in a handshake to derive a unique key for the session. For a given service profile, you can globally configure a PSK for use with all clients. You can configure the key by entering an ASCII passphrase or by entering the key itself in raw (hexadecimal) form.

For a MAC client that authenticates using a PSK, the RADIUS servers or local database still must contain an authentication rule for the client, to assign the client to a VLAN.

MSS sets the timeout for the key exchanges between WPA (or RSN) clients and the MAP to the same value as the last setting of the retransmission timeout. The retransmission timeout is set to the lower of the 802.1X supplicant timeout or the RADIUS session-timeout attribute. See “Setting EAP Retransmission Attempts” on page 535 for more information.

WPA Information A WPA information element (IE) is a set of extra fields in a wireless frame Element that contain WPA information for the access point or client. To enable

WPA support in a service profile, you must enable the WPA IE. The following types of wireless frames can contain a WPA IE:

„Beacon (sent by a MAP) — The WPA IE in a beacon frame advertises the cipher suites and authentication methods that a MAP radio supports for the encrypted SSID. The WPA IE also lists the cipher suites that the radio uses to encrypt broadcast and multicast frames. A MAP radio always uses the least secure of the cipher suites to encrypt broadcast and multicast frames to ensure that all clients associated with the SSID can decrypt the frames. A MAP radio uses the most secure cipher suite supported by both the radio and a client to encrypt unicast traffic to that client.