Proxim AP-2000 manual Authentication Protocol Hierarchy, VLANs and Security Profiles

Performing Advanced Configuration

•Dynamic Key distribution

–The AP generates and maintains the keys for its clients

–The AP securely delivers the appropriate keys to its clients

•Client/server mutual authentication

–802.1x

–Pre-shared key (for networks that do not have an 802.1x solution implemented)

NOTE

For more information on WPA, see the Wi-Fi Alliance Web site at http://www.wi-fi.org.

The AP supports the following WPA authentication modes:

•WPA: The AP uses 802.1x to authenticate clients. You should only use an EAP that supports mutual authentication and session key generation, such as EAP-TLS, EAP-TTLS, and PEAP. See 802.1x Authentication for details.

•WPA-PSK(Pre-Shared Key): For networks that do not have 802.1x implemented, you can configure the AP to authenticate clients based on a Pre-Shared Key. This is a shared secret that is manually configured on the AP and each of its clients. The Pre-Shared Key must be 256 bits long, which is 64 hexadecimal digits. The AP also supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).

•802.11i (also known as WPA2): The AP authenticates clients according to the 802.11i draft standard, using 802.1x authentication, an AES cipher, and re-keying.

•802.11i-PSK(also known as WPA2 PSK): The AP uses an AES cipher, and authenticates clients based on a Pre-Shared Key. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits. The AP also supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).

Authentication Protocol Hierarchy

There is a hierarchy of authentication protocols defined for the AP.

The hierarchy is as follows, from Highest to lowest:

•802.1x authentication

•MAC Access Control via RADIUS Authentication

•MAC Access Control through individual APs' MAC Access Control Lists

If you have both 802.1x and MAC authentication enabled, the 802.1x results will take effect. This is required in order to propagate the WEP keys to the clients in such cases. Once you disable 802.1x on the AP, you will see the effects of MAC authentication.

VLANs and Security Profiles

The AP2000 allows you to segment wireless networks into multiple sub-networks based on Network Name (SSID) and VLAN membership. A Network Name (SSID) identifies a wireless network. Clients associate with Access Points that share an SSID. During installation, the Setup Wizard prompts you to configure a Primary Network Name for each wireless interface.

After initial setup and once VLAN is enabled, the AP can be configured to support up to 16 SSIDs per wireless interface to segment wireless networks based on VLAN membership.

Each VLAN can be associated to a Security Profile and RADIUS Server Profiles. A Security Profile defines the allowed wireless clients, and authentication and encryption types. Refer to VLANs and Security Profiles for configuration details.

NOTE

The ability to configure up to 16 VLAN/SSID pairs and to configure a security profile per SSID is available only for 802.11b/g APs and 802.11a Upgrade Kit APs.

802.11b APs do not support multiple VLAN/SSID pairs. APs with the 802.11a card support multiple VLAN/SSID pairs, but do not support the security profile per SSID capability.

89