Allied Telesis AT-WR4500 Security Profiles, Submenu level /interface wireless security-profiles

Models: AT-WR4500


AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers

 

RouterOS v3 Configuration and User Guide

 

 

4.3.16 Security Profiles

Submenu level: /interface wireless security-profiles

Description

This section provides WEP (Wired Equivalent Privacy) and WPA/WPA2 (Wi-Fi Protected Access) functions to wireless interfaces.

WPA

Wi-Fi Protected Access is a combination of 802.1X, EAP, MIC, TKIP and AES. It is an easy to configure and secure wireless mechanism. It was later updated to version 2 to provide greater security.

Pairwise master key caching for EAP authentication is supported for WPA2. This means that a disconnected client can reconnect without repeating EAP authentication if the keys are still valid (keys can be invalidated by a change to the interface or security profile configuration, a restart, or Session-Timeout in the case of RADIUS authentication).

WEP

The Wired Equivalent Privacy encrypts data only between 802.11 devices, using static keys. It is not considered a very secure wireless data encryption mechanism, though it is better than no encryption at all.

The configuration of WEP is quite simple, using RouterOS security profiles.

Property Description

authentication-types (multiple choice: wpa-psk wpa2-psk wpa-eap wpa2-eap; default: "") - the list of accepted authentication types. APs will advertise the listed types. Stations will choose the AP that supports the "best" type from the list (WPA2 is always preferred to WPA1; EAP is preferred to PSK)

eap-methods (multiple choice: eap-tls passthrough) - the ordered list of EAP methods. APs will propose the methods to the stations one by one (if the first method listed is rejected, the next one is tried). Stations will accept the first proposed method that is on the list

eap-tls - use TLS certificates for authentication

passthrough - relay the authentication process to the RADIUS server (not used by the stations)

group-ciphers (multiple choice: tkip aes-ccm) - a set of ciphers used to encrypt frames sent to all wireless stations (broadcast transfers), in order of preference

tkip - Temporal Key Integrity Protocol: encryption protocol compatible with legacy WEP equipment, but enhanced to correct some of the WEP flaws

aes-ccm - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard). Networks free of WEP legacy should use only this

group-key-update (time; default: 5m) - how often to update the group key. This parameter is used only if the wireless card is configured as an Access Point

interim-update (time) - default update interval for RADIUS accounting, if the RADIUS server has not provided a different value

mode (none static-keys-optional static-keys-required dynamic-keys; default: none) - security mode:

none - do not encrypt packets and do not accept encrypted packets

static-keys-optional - if there is a static-sta-private-key set, use it. Otherwise, if the interface is in AP mode, do not use encryption; if the interface is in station mode, use encryption if the static-transmit-key is set

static-keys-required - encrypt all packets and accept only encrypted packets

dynamic-keys - generate encryption keys dynamically

name (name) - descriptive name for the security profile

radius-eap-accounting (yes no; default: no) - use RADIUS accounting if EAP authentication is used

radius-mac-accounting (yes no; default: no) - use RADIUS accounting, providing the MAC address as username

radius-mac-authentication (no yes; default: no) - whether to use the RADIUS server for MAC authentication

radius-mac-caching (time; default: disabled) - how long the RADIUS authentication reply for MAC address authentication is considered valid (and thus can be cached for faster reauthentication)

radius-mac-format (text; default: XX:XX:XX:XX:XX:XX) - MAC address format to use for communication with the RADIUS server
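
An added example, not part of the Allied Telesis guide: a Python check that reads security-profile "add" lines and flags the settings this section describes as weaker (no encryption, static WEP keys, WPA1 accepted, TKIP as a group cipher). The one-profile-per-line export layout with comma-separated lists is an assumption, and the sample profiles are constructed.

```python
import shlex

def parse_profiles(export_text):
    """Parse 'add key=value ...' lines into one dict per security profile."""
    profiles = []
    for line in export_text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens and tokens[0] == "add":
            profiles.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return profiles

def audit(profile):
    """Return findings for one profile, following the property descriptions above."""
    findings = []
    mode = profile.get("mode", "none")  # documented default is none
    auth = set(filter(None, profile.get("authentication-types", "").split(",")))
    ciphers = set(filter(None, profile.get("group-ciphers", "").split(",")))
    if mode == "none":
        findings.append("mode=none: traffic is not encrypted")
    elif mode.startswith("static-keys"):
        findings.append(f"mode={mode}: static WEP keys")
        if mode == "static-keys-optional":
            findings.append("static-keys-optional: may fall back to no encryption")
    elif mode == "dynamic-keys":
        for legacy in sorted(auth & {"wpa-psk", "wpa-eap"}):
            findings.append(f"{legacy}: WPA1 accepted, WPA2 is preferred")
        if "tkip" in ciphers:
            findings.append("group-ciphers includes tkip: use only aes-ccm")
    return findings

def audit_export(export_text):
    """Map each profile name to its list of findings (empty list means none)."""
    return {p.get("name", "?"): audit(p) for p in parse_profiles(export_text)}

# Constructed sample export (assumed layout, not taken from a real device).
SAMPLE = """\
/interface wireless security-profiles
add name=guest mode=none
add name=legacy mode=static-keys-optional
add name=mixed mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm
add name=office mode=dynamic-keys authentication-types=wpa2-eap group-ciphers=aes-ccm eap-methods=passthrough
"""

if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE).items():
        print(name, "->", findings or "ok")
```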
