AT-TQ2403 Management Software User's Guide


This security mode also provides backwards-compatibility for wireless clients that support only the original WPA.

Key Management: WPA Enterprise mode provides dynamically-generated keys that are periodically refreshed. There are different Unicast keys for each station.

Encryption Algorithm: Temporal Key Integrity Protocol (TKIP); Counter mode / CBC-MAC Protocol (CCMP) Advanced Encryption Standard (AES).

User Authentication: Remote Authentication Dial-In User Service (RADIUS). You have a choice of using the AT-TQ2403 Management Software RADIUS server or an external RADIUS server. The embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.

Recommendations

WPA Enterprise mode is the recommended mode. The CCMP (AES) and TKIP encryption algorithms used with WPA modes are far superior to the RC4 algorithm used for Static WEP or IEEE 802.1x modes. Therefore, CCMP (AES) or TKIP should be used whenever possible. All WPA modes allow you to use these encryption schemes, so WPA security modes are recommended above the others when using WPA is an option.

Additionally, this mode incorporates a RADIUS server for user authentication, which gives it an edge over WPA Personal mode.

Use the following guidelines for choosing options within the WPA Enterprise security mode:

1. The best security you can have to date on a wireless network is WPA Enterprise mode using the CCMP (AES) encryption algorithm. AES is a symmetric 128-bit block data encryption technique that works on multiple layers of the network. It is the most effective encryption system currently available for wireless networks. If all clients or other APs on the network are WPA/CCMP compatible, use this encryption algorithm. (If all clients are WPA2 compatible, choose to support only WPA2 clients.)

2. The second best choice is WPA Enterprise with the encryption algorithm set to both TKIP and CCMP. This lets WPA client stations without CCMP associate, uses TKIP for encrypting Multicast and Broadcast frames, and allows clients to select whether to use CCMP or TKIP for unicast (AP-to-single-station) frames. This WPA configuration allows more interoperability, at the expense of some security. Client stations that support CCMP can use it for their unicast frames. If you encounter AP-to-station interoperability problems with the Both encryption algorithm setting, then you will need to select TKIP instead. (See [3])

3. The third best choice is WPA Enterprise with the encryption algorithm set to TKIP. Some clients have interoperability issues with CCMP and TKIP enabled at the same time. If you encounter this problem, then choose TKIP as the encryption algorithm. This is the standard WPA mode, and the most interoperable mode with client wireless software security features. TKIP is the only encryption algorithm that is being tested in Wi-Fi WPA certification.
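To confirm which of the three configurations an access point is actually advertising, you can read the WPA or RSN (WPA2) information element from its beacon and map it to the ordering above. The following is an added example, not part of the original guide or the AT-TQ2403 software; the function names and the sample elements are constructed for illustration, and the field layout is the standard WPA/RSN element format.

```python
import struct

CIPHERS = {2: "TKIP", 4: "CCMP"}      # cipher suite type byte (WPA and RSN agree)
AKMS = {1: "802.1X", 2: "PSK"}        # 802.1X = Enterprise (RADIUS), PSK = Personal
WPA_OUI, RSN_OUI = b"\x00\x50\xf2", b"\x00\x0f\xac"

def parse_security_ie(ie: bytes) -> dict:
    """Parse one WPA (ID 221, OUI 00:50:F2 type 1) or RSN/WPA2 (ID 48) element."""
    if len(ie) < 2 or len(ie) != 2 + ie[1]:
        raise ValueError("truncated or mis-sized element")
    eid, body = ie[0], ie[2:]
    if eid == 221 and body[:4] == WPA_OUI + b"\x01":
        proto, oui, body = "WPA", WPA_OUI, body[4:]
    elif eid == 48:
        proto, oui = "WPA2", RSN_OUI
    else:
        raise ValueError("not a WPA or RSN element")
    pos = 2                            # skip the 2-byte version field

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):        # omitted optional fields are treated as an error here
            raise ValueError("element ends before all suite lists")
        chunk, pos = body[pos:pos + n], pos + n
        return chunk

    def suites(n: int, names: dict) -> list:
        out = []
        for _ in range(n):
            s = take(4)
            out.append(names.get(s[3], "other") if s[:3] == oui else "vendor")
        return out

    group = suites(1, CIPHERS)[0]      # cipher for Multicast and Broadcast frames
    pairwise = suites(struct.unpack("<H", take(2))[0], CIPHERS)   # unicast choices
    akm = suites(struct.unpack("<H", take(2))[0], AKMS)
    return {"proto": proto, "group": group, "pairwise": pairwise, "akm": akm}

def guide_rank(info: dict):
    """1 = CCMP only, 2 = TKIP and CCMP, 3 = TKIP only; None = not WPA Enterprise."""
    if "802.1X" not in info["akm"]:
        return None
    order = {frozenset({"CCMP"}): 1, frozenset({"CCMP", "TKIP"}): 2, frozenset({"TKIP"}): 3}
    return order.get(frozenset(info["pairwise"]))

# Constructed sample elements (not captured from a real AP).
BOTH_WPA = bytes.fromhex("dd1a 0050f201 0100 0050f202 0200 0050f204 0050f202 0100 0050f201")
CCMP_RSN = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0000")
TKIP_PSK = bytes.fromhex("dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f202")
```

In the `BOTH_WPA` sample the group cipher is TKIP while the pairwise list offers CCMP and TKIP, which is the behaviour described in guideline 2.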

See Also

For information on how to configure this security mode, see “WPA Enterprise” under “Configuring Security Settings”.