Chapter 6: Configuring Security

Use an 802.1x security solution. 802.1x security provides a framework to authenticate user traffic to a protected wireless network. Using 802.1x security provides secure data transmission by creating a secure spanning tree and dynamically rotating the WEP keys. You configure the access point as an authenticator. For the authentication server, you can either use an external RADIUS server or you can use the access point’s embedded authentication server (EAS). For help, see “Implementing an 802.1x Security Solution” on page 192.

Use Wi-Fi Protected Access (WPA) security. WPA is a strongly enhanced, interoperable Wi-Fi security that addresses many of the vulnerabilities of Wired Equivalent Privacy (WEP). For help, see “Configuring Wi-Fi Protected Access (WPA) Security” on page 199.

For help troubleshooting security, see “Troubleshooting Security” on page 255.

When You Configure Different SSIDs with Different Security Settings

You can configure each 802.11g and 802.11a radio with up to four SSIDs or service sets. Although each service set shares one physical radio configuration, you can configure each service set with a different security configuration. Also, you can configure each service set for a separate VLAN. For example, you can configure:

• primary service set for WPA/PSK.

• secondary 1 service set for WPA/802.1x and VLAN 13.

• secondary 2 service set for static WEP and an ACL.

• secondary 3 service set for Dynamic WEP/802.1x and VLAN 150.

Note that using multiple service sets is not part of the Wi-Fi standard. When multiple service sets are enabled, the SSID is hidden in the beacons, which is similar to checking the Disallow Network Name of 'ANY' check box. The access point master radio only sends a beacon from the primary service set. However, if an end device's radio sends a probe request for an SSID that belongs to a secondary service set, then the access point radio will send a probe response from that service set.

Many end device radios do not support using multiple service sets to implement a mixed security environment. The radios do not understand different security information coming from the beacons and probe responses. This means:

• if any type of security is set on the primary service set, then the secondary service sets should also use the same type of security.

• if no security is set on the primary service set, then the secondary service sets cannot use any type of security.
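The two compatibility rules above can be checked against a planned configuration before it is deployed. The following is an added example, not code from the manual or the access point: `ServiceSet`, `lint_radio` and the security mode strings are assumptions, and "same type of security" is read as an exact match of the mode string.

```python
# Added example: lint a per-radio service-set plan against the manual's
# compatibility rules. Field names and mode strings are assumptions.
from dataclasses import dataclass
from typing import List, Optional

MAX_SERVICE_SETS = 4  # "up to four SSIDs or service sets" per radio


@dataclass
class ServiceSet:
    name: str                    # "primary", "secondary 1", ...
    security: Optional[str]      # None means no security configured
    vlan: Optional[int] = None


def lint_radio(service_sets: List[ServiceSet]) -> List[str]:
    """Return warnings for a radio's service sets; the first is the primary."""
    warnings = []
    if not service_sets:
        return ["no service sets configured"]
    if len(service_sets) > MAX_SERVICE_SETS:
        warnings.append(
            f"{len(service_sets)} service sets exceed the limit of {MAX_SERVICE_SETS}")
    primary = service_sets[0]
    for ss in service_sets[1:]:
        if primary.security is None and ss.security is not None:
            warnings.append(
                f"{ss.name}: uses {ss.security} but {primary.name} has no security; "
                "secondary service sets cannot use any security in this case")
        elif primary.security is not None and ss.security != primary.security:
            warnings.append(
                f"{ss.name}: {ss.security or 'no security'} differs from "
                f"{primary.name} ({primary.security}); many end device radios "
                "will not handle the mix")
    return warnings


# The four-service-set plan from the text above (constructed input).
PAGE_EXAMPLE = [
    ServiceSet("primary", "WPA/PSK"),
    ServiceSet("secondary 1", "WPA/802.1x", vlan=13),
    ServiceSet("secondary 2", "static WEP"),
    ServiceSet("secondary 3", "Dynamic WEP/802.1x", vlan=150),
]

if __name__ == "__main__":
    for line in lint_radio(PAGE_EXAMPLE):
        print("WARN", line)
```

Run against the four-service-set plan listed earlier, the check flags all three secondary service sets, which is the mixed security environment that many end device radios do not support.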

For example, you have an access point with an 802.11g radio. You configure the primary service set for WPA/PSK and you do not configure any security for the secondary 1 service set. An older end device with an

Allied Telesis AT-WA7500, AT-WA7501 manual 172