Proxim AP-4000 manual Authentication Protocol Hierarchy, 118

WPA is a replacement for Wired Equivalent Privacy (WEP), the encryption technique specified by the original 802.11 standard. WEP has several vulnerabilities that have been widely publicized. WPA addresses these weaknesses and provides a stronger security system to protect wireless networks.

WPA provides the following new security measures not available with WEP:

•Improved packet encryption using the Temporal Key Integrity Protocol (TKIP) and the Michael Message Integrity Check (MIC).

•Per-user, per-session dynamic encryption keys:

–Each client uses a different key to encrypt and decrypt unicast packets exchanged with the AP

–A client's key is different for every session; it changes each time the client associates with an AP

–The AP uses a single global key to encrypt broadcast packets that are sent to all clients simultaneously

–Encryption keys change periodically based on the Re-keying Interval parameter

–WPA uses 128-bit encryption keys

•Dynamic Key distribution

–The AP generates and maintains the keys for its clients

–The AP securely delivers the appropriate keys to its clients

•Client/server mutual authentication

–802.1x

–Pre-shared key (for networks that do not have an 802.1x solution implemented)

The AP supports the following WPA security modes:

•WPA: The AP uses 802.1x to authenticate clients and TKIP for encryption. You should only use an EAP that supports mutual authentication and session key generation, such as EAP-TLS, EAP-TTLS, and PEAP. See 802.1x Authentication for details.

•WPA-PSK(Pre-Shared Key): For networks that do not have 802.1x implemented, you can configure the AP to authenticate clients based on a Pre-Shared Key. This is a shared secret that is manually configured on the AP and each of its clients. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits or 32 alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the TKIP Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).

•802.11i (also known as WPA2): The AP provides security to clients according to the 802.11i draft standard, using 802.1x authentication, a CCMP cipher based on AES, and re-keying.

•802.11i-PSK(also known as WPA2 PSK): The AP uses a CCMP cipher based on AES, and encrypts frames to clients based on a Pre-Shared Key. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits or 32 alphanumeric characters. The AP also supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).

NOTE: For more information on WPA, see the Wi-Fi Alliance Web site at http://www.wi-fi.org.

Authentication Protocol Hierarchy

There is a hierarchy of authentication protocols defined for the AP.

The hierarchy is as follows, from Highest to lowest:

•802.1x authentication

•MAC Access Control via RADIUS Authentication

•MAC Access Control through individual APs' MAC Access Control Lists

If you have both 802.1x and MAC authentication enabled, the 802.1x results will take effect. This is required in order to propagate the WEP keys to the clients in such cases. Once you disable 802.1x on the AP, you will see the effects of MAC authentication.

118