Configuring AP access points 261

Configuring AP-WSS Security

WSS Software provides security for management traffic between WSS switches and Distributed APs. For Distributed APs that support this feature, all management traffic between the AP and the WSS is encrypted.

The encryption uses RSA as the public key cryptosystem, with AES-CCM for data encryption and integrity checking and HMAC-MD5 for keyed hashing and message authentication during the key exchange. Bulk data protection is provided by AES in CCM mode (AES CTR for encryption and AES-CBC-MAC for data integrity). A 64-bit Message Authentication Code is used for data integrity.

Note. This feature applies to Distributed APs only, not to directly connected APs configured on AP access ports. In addition, AP models AP-101 and AP-122 do not have encryption keys and do not support this feature regardless of how they are connected to the WSS switch.

Note. The maximum transmission unit (MTU) for encrypted AP management traffic is 1498 bytes, whereas the MTU for unencrypted management traffic is 1474 bytes. Make sure the devices in the intermediate network between the WSS switch and Distributed AP can support the higher MTU.

Encryption Key Fingerprint

APs are configured with an encryption key pair at the factory. The fingerprint for the public key is displayed on a label on the back of the AP, in the following format:

RSA aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa

If the AP is already installed, you can display the fingerprint in WSS Software. (See “Finding the Fingerprint” on page 262.)
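The following Python is an added example, not part of the Nortel guide or WSS Software. It compares the fingerprint read from an AP's label with the one displayed in WSS Software before the fingerprint is confirmed. It assumes the fingerprint characters are hexadecimal digits; the model name AP-EXAMPLE and all sample fingerprints are constructed.

```python
import re

# Label format from the page: "RSA" then eight colon-separated groups of four
# characters. Treating the characters as hexadecimal digits is an assumption.
_FP_RE = re.compile(r"^(?:rsa)?((?:[0-9a-f]{4}:){7}[0-9a-f]{4})$")

# Models the page lists as having no encryption keys.
KEYLESS_MODELS = {"AP-101", "AP-122"}


def normalize_fingerprint(text):
    """Return the canonical lowercase form, or raise ValueError if malformed."""
    compact = re.sub(r"\s+", "", text).lower()  # tolerate spaces from copying
    match = _FP_RE.match(compact)
    if match is None:
        raise ValueError(f"not a valid AP fingerprint: {text!r}")
    return match.group(1)


def audit_ap(model, label_fp, displayed_fp):
    """Classify one AP before its fingerprint is confirmed in WSS Software."""
    if model in KEYLESS_MODELS:
        return "no-key"        # model does not support AP-WSS security
    try:
        label = normalize_fingerprint(label_fp)
        shown = normalize_fingerprint(displayed_fp)
    except ValueError:
        return "unreadable"    # re-read the label or the displayed value
    return "match" if label == shown else "mismatch"


def audit_inventory(inventory):
    """Map each AP name to its audit status."""
    return {name: audit_ap(model, label, shown)
            for name, model, label, shown in inventory}


# Constructed sample inventory: (name, model, label value, displayed value).
INVENTORY = [
    ("lobby", "AP-EXAMPLE", "RSA 1a2b:3c4d:5e6f:7081: 92a3:b4c5:d6e7:f809",
     "1A2B:3C4D:5E6F:7081:92A3:B4C5:D6E7:F809"),
    ("dock", "AP-EXAMPLE", "RSA 1a2b:3c4d:5e6f:7081:92a3:b4c5:d6e7:f809",
     "RSA 1a2b:3c4d:5e6f:7081:92a3:b4c5:d6e7:f800"),
    ("annex", "AP-EXAMPLE", "RSA 1a2b:3c4d:5e6f:7081", "RSA 1a2b:3c4d:5e6f:7081"),
    ("store", "AP-122", "", ""),
]

if __name__ == "__main__":
    for name, status in audit_inventory(INVENTORY).items():
        print(f"{name:8} {status}")
```

Only an AP reported as "match" should have its fingerprint confirmed; a "mismatch" means the key the AP presents is not the one on its label.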

Encryption Options

By default, a WSS switch can configure and manage a Distributed AP regardless of whether the AP has an encryption key, and regardless of whether you have confirmed the fingerprint by setting it in WSS Software. You can configure a WSS to require Distributed APs to have an encryption key. In this case, the switch also requires their fingerprints to be confirmed in WSS Software. When AP security is required, an AP can establish a management session with the WSS only if you have confirmed its fingerprint in WSS Software.

Table 17 lists the AP security options and whether an AP can establish a management session with a WSS based on the option settings.

Nortel WLAN Security Switch 2300 Series Configuration Guide
