Manuals / USRobotics / Computer Equipment / Network Card

USRobotics Instant802 APSDK manual Understanding Security Issues on Wireless Networks

Models: Instant802 APSDK

1 328

Download 328 pages 174 b

Page 101

Professional Access Point

Administrator Guide

Security

The following sections describe how to configure security settings on the Professional Access Point:

•Understanding Security Issues on Wireless Networks

•How Do I Know Which Security Mode to Use?

•Comparison of Security Modes for Key Management, Authentication and Encryption Algorithms

•Does Prohibiting the Broadcast of SSID Enhance Security?

•How Does Station Isolation Protect the Network?

•Navigating to Security Settings

•Configuring Security Settings

•Broadcast SSID, Station Isolation, and Security Mode

•None

•Static WEP

•IEEE 802.1x

•WPA/WPA2 Personal (PSK)

•WPA/WPA2 Enterprise (RADIUS)

•Updating Settings

Understanding Security Issues on Wireless Networks

Wireless mediums are inherently less secure than wired mediums. For example, an Ethernet NIC trans- mits its packets over a physical medium such as coaxial cable or twisted pair. A wireless NIC broadcasts radio signals over the air allowing a wireless LAN to be easily tapped without physical access or sophisti- cated equipment. A hacker equipped with a laptop, a wireless NIC, and a bit of knowledge can easily attempt to compromise your wireless network. By using a sophisticated antenna on the client, a hacker may even be able to connect to the network from many miles away.

The Professional Access Point provides a number of authentication and encryption schemes to ensure that your wireless infrastructure is accessed only by the intended users. The details of each security mode are described in the sections below.

How Do I Know Which Security Mode to Use?

In general, USRobotics recommends that on your Internal network you use the most robust security mode that is feasible in your environment. When configuring security on the access point, you first must choose the security mode. Then, in some modes you must choose an authentication algorithm and whether to allow clients not using the specified security mode to associate.

Security - 101

Image 101

USRobotics Instant802 APSDK manual Understanding Security Issues on Wireless Networks

Contents

R46.1224.00 rev 2.0 07/06 Professional Access Point Administrator GuidePage USA Professional Access Point Administrator GuideProfessional Access Point Administrator Guide Contents Advanced Class Structure, Commands, and ExamplesClass and Field Reference Support InformationRobotics Corporation Two 2 Year Limited Warranty Viii Online Help Features Administrator AudienceTypographical Conventions Recommended Settings, Notes and CautionsGetting Started Ieee Standards Support and Wi-Fi Compliance Features and BenefitsWireless Features Security FeaturesNetworking Guest InterfaceClustering and Auto-Management Maintainability What’s Next?Snmp Support Professional Access Point Option Default Settings Related Information Default Settings for the Professional Access PointTransmit Power Ieee 802.11 ModeSecurity Mode None Authentication TypeRequired Software or Component Description Administrator’s ComputerWhat the Access Point Does Not Provide Required Component Description Wireless Client ComputersRequired Component How Does the Access Point Obtain an IP Address at Startup?Dynamic IP Addressing Static IP Addressing Recovering an IP AddressProfessional Access Point Administrator Guide What’s inside the Access Point? Unpack the access pointAccess Point Hardware and Ports Connect the access point to network and power UK Users Hardware Connections for a Guest Vlan Professional Access Point Administrator Guide Professional Access Point Administrator Guide Professional Access Point Administrator Guide Field Default Setting Viewing Basic Settings for Access PointsLog on to the Web User Interface UsernameConfigure Basic Settings and start the wireless network Default Configuration Make Sure the Access Point is Connected to the LAN Wall Mounting the Access PointTest LAN Connectivity with Wireless Clients Web User Interface Navigating to Basic Settings Field Description Review / Describe the Access PointMAC Address Firmware VersionAdministrator Password Provide Administrator Password and Wireless Network NameAdministrator Password again Wireless Network Name SsidField Set Configuration Policy for New Access PointsNew Access Points Summary of Settings Update Basic SettingsIcon Description Basic Settings for a Standalone Access PointYour Network at a Glance Understanding Indicator Icons Professional Access Point Administrator Guide Cluster Access PointsUnderstanding Clustering Navigating to Access Points ManagementWhat Kinds of APs Can Cluster? What is a Cluster?How Many APs Can a Cluster Support? Settings Not Shared by the Cluster Cluster Formation Cluster ModeStandalone Mode Auto-Synchronization of Cluster Configuration Understanding Access Point SettingsCluster Size and Membership Intra-Cluster SecurityModifying the Location Description Removing an Access Point from the ClusterHttp//IPAddressOfAccessPoint Adding an Access Point to a ClusterProfessional Access Point Administrator Guide Professional Access Point Administrator Guide User Management Adding a User Navigating to User Management for Clustered Access PointsViewing User Accounts Enabling and Disabling User Accounts Editing a User AccountEnabling a User Account Real NameRemoving a User Account Restoring a User Database from a Backup FileBacking Up and Restoring a User Database Disabling a User AccountProfessional Access Point Administrator Guide Professional Access Point Administrator Guide Navigating to Session Monitoring SessionsUser AP Location User MAC Idle Rate Understanding Session Monitoring InformationSignal Utilization Rx Total Tx Total Error Rate Viewing Session Information for Access PointsSorting Session Information Refreshing Session InformationProfessional Access Point Administrator Guide Channel Management Understanding Channel Management Navigating to Channel ManagementHow it Works Overview Overlapping Channels Background InformationExample a Network before and after Channel Management Configuring and Viewing Channel Management SettingsStopping/Starting Automatic Channel Assignment Viewing Last Proposed Set of Changes Viewing Current Channel Assignments and Setting LocksIP Address Band Current Locked IP Address Current ProposedAdvanced Use these channels when applying channel assignmentsChange channels if interference is reduced by at least Determine if there is better set of channels everyApply channel modifications even when the network is busy Professional Access Point Administrator Guide Wireless Neighborhood Understanding Wireless Neighbourhood Information Navigating to Wireless NeighborhoodCluster Viewing Wireless NeighborhoodDisplay neighboring APs Neighbors Details for a Cluster Member AP Viewing Details for a Cluster MemberBeacon Age SignalChannel Interfaces StatusWireless Settings Ethernet Wired SettingsLog Relay Host for Kernel Messages EventsUnderstanding Remote Logging Setting Up the Log Relay HostSYSLOGD=-r Tmp/APsyslogEnabled Log Relay Host EnabledEtc/init.d/sysklogd restart Relay HostEvents Log Transmit/Receive StatisticsClient Associations ErrorsName Ssid Total PacketsLink Integrity Monitoring What is the Difference Between an Association and a Session?Select AP Detection Enabled Neighboring Access PointsPrivacy Beacon IntType Rates # of BeaconsLast Beacon Professional Access Point Administrator Guide Advanced Ethernet Wired SettingsNavigating to Ethernet Wired Settings Managing Guest Access Setting the DNS NameConfiguring an Internal LAN and a Guest Network Enabling and Disabling Guest AccessSpecifying a Virtual Guest Network Guest AccessFor Guest access, use Virtual Wireless Networks Configuring Internal Interface Ethernet SettingsDNS Nameservers Default GatewayStatic IP Address Subnet Configuring Guest Interface Ethernet Wired SettingsUpdating Settings Professional Access Point Administrator Guide Navigating to Wireless Settings Wireless Settings802.11d Regulatory Domain Support Configuring 802.11d Regulatory Domain SupportMode Channel Configuring the Radio InterfaceConfiguring Internal LAN Wireless Settings Read-only field Configuring Guest Network Wireless SettingsSecurity Understanding Security Issues on Wireless NetworksHow Do I Know Which Security Mode to Use? When to Use No Security Encryption Algorithm User AuthenticationKey Management Encryption Algorithms When to Use WPA/WPA2 Enterprise Radius How Does Station Isolation Protect the Network? Does Prohibiting the Broadcast of Ssid Enhance Security?Broadcast SSID, Station Isolation, and Security Mode Navigating to Security SettingsConfiguring Security Settings Static WEP NoneProfessional Access Point Administrator Guide Key Length Transfer Key IndexBits Key TypeOpen System Shared Key Both Authentication AlgorithmExample of Using Static WEP Static WEP with Transfer KEY Indexes on Client Devices Ieee Enable Radius Accounting Authentication ServerWPA/WPA2 Personal PSK Radius IPCipher Suites WPA VersionsKey WPA/WPA2 Enterprise RadiusImproving the security of the network Enable pre-authenticationEnter the Radius IP Professional Access Point Administrator Guide Configuring a Guest Network on a Virtual LAN Guest LoginConfiguring Guest Access Using Virtual LANs DSL/T1 Using the Guest Network Configuring the Welcome Screen Captive PortalConfiguring a Guest Network on a Dedicated Access Point Configuring Guest Access without Virtual LANsNavigating to Virtual Wireless Network Settings Virtual Wireless NetworksVirtual Wireless Network Configuring VLANsOne TwoTon Professional Access Point Administrator Guide Radio Understanding Radio SettingsStatus On/Off Navigating to Radio SettingsConfiguring Radio Settings Super G ModeIeee 802.11b Maximum Stations Broadcast a subset of its supported rate sets Rate SetsProfessional Access Point Administrator Guide MAC Filtering Navigating to MAC Filtering SettingsFilter Using MAC FilteringStations List Professional Access Point Administrator Guide Specifying Limits for Utilization and Client Associations Load BalancingUnderstanding Load Balancing Load Balancing and QoS Navigating to Load Balancing SettingsConfiguring Load Balancing Utilization for Disassociation Utilization for No New AssociationsStations Threshold for Disassocia TionTo apply your changes, click Update Settings Understanding QoS Quality of ServiceQoS and Load Balancing 802.11e and WMM Standards SupportQoS Queues and Parameters to Coordinate Traffic Flow Professional Access Point Administrator Guide Random Backoff and Minimum / Maximum Contention Windows Configuring QoS Queues Navigating to QoS SettingsConfiguring AP Edca Parameters Enabling/Disabling Wi-Fi Multimedia Data 0 Voice Configuring Station Edca ParametersTransmission Opportunity Limit Txop LimitProfessional Access Point Administrator Guide Using WDS to Bridge Distant Wired LANs Wireless Distribution SystemUnderstanding the Wireless Distribution System LAN Segment Backup Links and Unwanted Loops in WDS BridgesSecurity Considerations Related to WDS Bridges Navigating to WDS SettingsConfiguring WDS Settings Remote Address Local AddressBridge with Internal NetworkWEP Key Example of Configuring a WDS LinkDisabled Local Address Professional Access Point Administrator Guide Time Protocol Navigating to Time Protocol SettingsEnabling and Disabling a Network Time Protocol NTP Server NTP Server Professional Access Point Administrator Guide Understanding Snmp SnmpNavigating to Simple Network Management Protocol Read-only Community Name entire Enable SnmpAllow Snmp SET Requests Read-write community name for perSource hostname or subnet Configuring Your Network Management SystemRebooting and Upgrading Your Access Point Using Snmp Upgrading your Access Point Rebooting Your Access Point Using SnmpFtp//testuser1testuser1@192.168.1.9922/54531.1.23.tar Ftp//192.168.1.100/54531.1.24.tarProfessional Access Point Administrator Guide Reset Configuration RebootUpgrade Professional Access Point Administrator Guide Navigating to Backup and Restore Settings Backup/RestoreRestoring Access Point Settings to a Previous Configuration Backing up Configuration Setting for an Access PointProfessional Access Point Administrator Guide Command Line Interface Professional Access Point Administrator Guide Basic Settings Yes Described in Backup/Restore on Telnet Connection to the Access Point How to Access the CLI for an Access PointUSR5453-AP login Password USR5453-AP login admin Password Enter help for helpTelnet Function Telnet Command SSH2 Connection to the Access PointStatus Status DownUSR5453-AP# Login asCommands and Syntax Quick View of Commands and How to Get HelpSSH Function SSH Command Set ssh StatusGet log CommandGet log-entry Get bss wlan0bssInternalAdd radius-user wally Command DescriptionRemove radius-user wally Getting Help on Commands at the CLIReady to Get Started? Command Usage and Configuration ExamplesProfessional Access Point Administrator Guide Interface Description Understanding Interfaces as Presented in the CLIWlan0vwn1 Vlan1234Get interface vlan1234 role Saving Configuration ChangesGet interface vlanVLANID role Basic Setting Example Get Both the IP Address and MAC Address Get the MAC Address for an Access PointWlan0wds1 Wds Down Wlan0wds2 Wlan0wds3 USR5453-AP# Get the Location of the Access Point Get the Firmware Version for the Access PointSet the Location for an Access Point Get the Current PasswordCluster Command Example Access Point and Cluster SettingsGet MAC Addresses for all Access Points in the Cluster User AccountsUSR5453-AP#get radius-user all name name User Account Command ExampleGet All User Accounts USR5453-AP#set radius-user samantha disabled USR5453-AP#set radius-user samantha password westportAdd Users USR5453-AP#add radius-user samantha username samanthaRemove a User Account Status Command ExampleUSR5453-AP#remove radius-user wally Larry samantha endora darrenUSR5453-AP#get interface br0 Get Current Wireless Radio Settings Get Current Settings for the Ethernet Wired Guest InterfaceGet Status on Events USR5453-AP# get radio wlan0 detailUSR5453-AP# get log-entry Priority DaemonUSR5453-AP#set log relay-enabled USR5453-AP#set log relay-host myserver USR5453-AP#set log relay-hostUSR5453-AP#set log relay-port USR5453-AP# get logGet Client Associations Get neighbouring Access PointsGet Transmit / Receive Statistics USR5453-AP# get detected-ap USR5453-AP#get detected-apWired Interface Command Example Ethernet Wired InterfaceGet Wired Guest Interface Settings Get Wired Internal Interface SettingsSet Up Guest Access Get Summary View of Internal and Guest InterfacesUSR5453-AP# get bss USR5453-AP#get interface brguest status downUSR5453-AP#remove bridge-port br0 interface eth0 USR5453-AP#get interface brguest status up USR5453-AP# get interface brguestUSR5453-AP#get bridge-port brguest USR5453-AP#get bridge-port br0 Name InterfaceUSR5453-AP#get dhcp-client status up Get/Change the Connection Type Dhcp or Static IPUSR5453-AP#set dhcp-client status up USR5453-AP#get interface br0 detailUSR5453-AP#get interface br0 static-ip Re-Configure Static IP Addressing ValuesUSR5453-AP#set interface br0 static-ip USR5453-AP#get interface br0 static-maskSecurity Wireless InterfaceGet the Current Security Mode Security Command ExampleGet Detailed Description of Current Security Settings USR5453-AP#get interface wlan0 security noneSet the Broadcast Ssid Allow or Prohibit Enable / Disable Station IsolationUSR5453-AP#set interface wlan0 security none Set Security to NoneSet Security to Static WEP USR5453-AP#set interface wlan0 security static-wepSet bss wlan0bssInternal shared-key-authentication off Set bss wlan0bssInternal open-system-authentication onSet bss wlan0bssInternal shared-key-authentication on USR5453-AP#set interface wlan0 wep-key-ascii yesUSR5453-AP#get interface wlan0 detail USR5453-AP#set interface wlan0 security dot1x Set Security to IeeeRadius Option Example USR5453-AP#set bss wlan0bssInternal radius-ipSet Bss USR5453-AP#set bss wlan0bssInternal radius-key secretUSR5453-AP#set bss wlan0bssInternal radius-accounting off USR5453-AP#get interface wlan0 security dot1xWPA Option Example Set Security to WPA/WPA2 Personal PSKUSR5453-AP#set interface wlan0 security wpa-personal Set bss wlan0bssInternal wpa-cipher-tkip on Cipher Suite Option ExampleSet bss wlan0bssInternal wpa-cipher-ccmp off Set bss wlan0bssInternal wpa-cipher-tkip offSet Security to WPA/WPA2 Enterprise Radius USR5453-AP#get interface wlan0 security wpa-personalUSR5453-AP#set interface wlan0 security wpa-enterprise Enable Pre-Authentication USR5453-AP#set bss wlan0bssInternal radius-key KeepSecret Cipher Suite OptionUSR5453-AP#get interface wlan0 security wpa-enterprise USR5453-AP#set bss wlan0bssInternal radius-accounting onView Guest Login Settings Enable/Configure Guest Login WelcomeEnable/Disable the Guest Welcome Set Guest Welcome Page TextReview Guest Login Settings Configuring Multiple BSSIDs on Virtual Wireless NetworksConfiguring Virtual Wireless Network One on Radio One Set interface wlan0vwn1 security wpa-enterpriseRadio Setting Command Example Radio SettingsGet Ieee 802.11 Radio Mode Creating VWN Two on Radio One with WPA securityGet Radio Channel Get Basic Radio SettingsGet All Radio Settings Get Supported Rate Set Configure Radio SettingsUSR5453-AP#get supported-rate Get Basic Rate SetUSR5453-AP#set radio wlan0 beacon-interval USR5453-AP#set radio wlan0 mode gUSR5453-AP#set bss wlan0bssInternal dtim-period USR5453-AP#get bss wlan0bssInternal dtim-periodUSR5453-AP#set radio wlan0 rts-threshold USR5453-AP#set radio wlan0 fragmentation-thresholdUSR5453-AP#add basic-rate wlan0 rate USR5453-AP#add supported-rate wlan0 rateUSR5453-AP#get supported-rate wlan0 rate MAC FilteringAdd MAC Addresses of Client Stations to the Filtering List Specify an Accept or Deny ListSet bss wlan0bssGuest mac-acl-name Guest USR5453-AP#remove mac-acl Guest mac Get Current MAC Filtering SettingsGet bss interface mac-acl-mode USR5453-AP#get bss wlan0bssGuest mac-acl-mode accept-listLoad Balancing Quality of ServiceQoS Command Enable/Disable Wi-Fi Multimedia QoS Command ExampleData Access Point Station About Access Point and Station Edca ParametersUnderstanding the Queues for Access Point and Station Get QoS Settings on the Client Station Get QoS Settings on the Access PointUSR5453-AP#get wme-queue Set Arbirtation Interframe Spaces AifsUSR5453-AP#set wme-queue wlan0 with queue vo to aifs Setting Minimum and Maximum Contention Windows cwmin, cwmaxSet wme-queue wlan0 with queue QueueName to aifs AIFSValue Set tx-queue wlan0 with queue QueueName to burst burstValue Set the Maximum Burst Length burst on the Access PointUSR5453-AP#set wme-queue wlan0 with queue vi cwmin 7 cwmax USR5453-AP#set wme-queue wlan0 with queue vo to txop-limit USR5453-AP#set tx-queue wlan0 with queue data2 to burstConfiguring a WDS Link Wireless Distribution SystemGetting Details on a WDS Configuration USR5453-AP#set interface wlan0wds0 remote-mac 00E0B8761B14USR5453-AP#get ntp detail Time ProtocolSet ntp server ntp.instant802.com Reset the Access Point to Factory Defaults Reboot the Access PointUSR5453-AP#factory-reset Keyboard Shortcuts and Tab Completion HelpAction on CLI Keyboard Shortcut Keyboard ShortcutsTab Completion and Help USR5453-AP#get system v USR5453-AP#get system version USR5453-AP# set mac-acl CLI Class and Field OverviewHas name? \ # of instances? One Multiple Field Reference onCLI Class Relationships Class Description Class IndexAssociation Field Index AuthenticatedInterface StationBridge-port Basic-ratePriority BssPath-cost Description StatusRadio Beacon-interfaceDtim-period MacMax-stations Ignore-broadcast-ssidChannel-planner Open-system-authenticationCluster Cluster-memberDefault ConfigNo-external-updates DebugField Description Detected-apCapability Beacon-intervalType Erp Dhcp-clientBeacons Last-beaconHost Dot11Debug Dot11dDomain Dns-12Static-dns-12 Static-domainMask InterfaceType Rx-errorsStatic-ip Static-maskRx-compressed Tx-errorsRx-multicast Tx-packetsIp-route Kickstartd JvmLog GatewayDepth Log-entryNumber TimeNtp Mac-aclMessage ServerWelcome-screen-text PortalWelcome-screen Max-bss Max-bss Tx-powerChannel-policy ModeRts-threshold WmewifinoacktestFragmentation-threshold Load-balance-disassociation-utilizationSerial Radius-userSnmp Ro-communitySupported-rate SshSystem Rw-communityEncrypted-password PasswordPassword-initialized TelnetQueue Tx-queueCommunity Wme-queue Web-uiPossible Solution Professional Access Point Detection Utility does not findCannot access the Web User Interface Access pointMy wireless device cannot find the wireless network Possible Solution Am experiencing poor wireless link quality Wireless Distribution System WDS Problems and SolutionsReboot or Reset Access Point Cluster RecoveryClick Stop Clustering Stop Clustering and Reset Each Access Point in the ClusterProfessional Access Point Administrator Guide Country Webmail Voice Support InformationUAE Detachable Antenna Information Declaration of ConformityFCC Radiation Exposure Statement Radio and Television InterferenceUL Listing/CUL Listing For Canadian UsersIndustry Canada IC Declaration of Conformity CE ComplianceEU Detachable Antenna Information Regulatory Channel FrequencyEU Health Protection Professional Access Point Administrator Guide Professional Access Point Administrator Guide Robotics Corporation Two 2 Year Limited Warranty Obtaining Warranty Service Limitations Disclaimer 802.1x 802802.2 802.3802.11d 802.11b802.11e 802.11fAES Bridge BeaconBroadcast Broadcast AddressCcmp BssidCGI CSMA/CADhcp DCFDNS DOMEdcf EAPESS EthernetGateway FrameHtml HttpIbss Infrastructure ModeIeee Intrusion DetectionISP IPSecJitter LatencyLdap LANLLC MACNIC NATNTP OSIPacket Loss PacketPHY PIDPSK PPPRC4 RadiusRssi RTPSTP SnmpSsid TCP Supported Rate SetTCP/IP TkipUnicast UDPURL VlanWDS WANWEP WinsWPA2 WMM WPAWrap XMLIndex DCF Ieee Snmp WDS Index-328