Security | USRobotics Instant802 APSDK instruction

Professional Access Point

Administrator Guide

Security

The following sections describe how to configure security settings on the Professional Access Point:

•Understanding Security Issues on Wireless Networks

•How Do I Know Which Security Mode to Use?

•Comparison of Security Modes for Key Management, Authentication and Encryption Algorithms

•Does Prohibiting the Broadcast of SSID Enhance Security?

•How Does Station Isolation Protect the Network?

•Navigating to Security Settings

•Configuring Security Settings

•Broadcast SSID, Station Isolation, and Security Mode

•None

•Static WEP

•IEEE 802.1x

•WPA/WPA2 Personal (PSK)

•WPA/WPA2 Enterprise (RADIUS)

•Updating Settings

Understanding Security Issues on Wireless Networks

Wireless mediums are inherently less secure than wired mediums. For example, an Ethernet NIC trans- mits its packets over a physical medium such as coaxial cable or twisted pair. A wireless NIC broadcasts radio signals over the air allowing a wireless LAN to be easily tapped without physical access or sophisti- cated equipment. A hacker equipped with a laptop, a wireless NIC, and a bit of knowledge can easily attempt to compromise your wireless network. By using a sophisticated antenna on the client, a hacker may even be able to connect to the network from many miles away.

The Professional Access Point provides a number of authentication and encryption schemes to ensure that your wireless infrastructure is accessed only by the intended users. The details of each security mode are described in the sections below.

How Do I Know Which Security Mode to Use?

In general, USRobotics recommends that on your Internal network you use the most robust security mode that is feasible in your environment. When configuring security on the access point, you first must choose the security mode. Then, in some modes you must choose an authentication algorithm and whether to allow clients not using the specified security mode to associate.

Security - 101

Image 101

USRobotics Instant802 APSDK manual Understanding Security Issues on Wireless Networks

Contents

R46.1224.00 rev 2.0 07/06 Professional Access Point Administrator GuidePage USA Professional Access Point Administrator Guide Professional Access Point Administrator Guide Contents Advanced Class Structure, Commands, and ExamplesClass and Field Reference Support Information Robotics Corporation Two 2 Year Limited Warranty Viii Online Help Features Administrator Audience Typographical Conventions Recommended Settings, Notes and Cautions Getting Started Ieee Standards Support and Wi-Fi Compliance Features and BenefitsWireless Features Security Features Networking Guest InterfaceClustering and Auto-Management Maintainability What’s Next?Snmp Support Professional Access Point Option Default Settings Related Information Default Settings for the Professional Access Point Transmit Power Ieee 802.11 ModeSecurity Mode None Authentication Type Required Software or Component Description Administrator’s ComputerWhat the Access Point Does Not Provide Required Component Description Wireless Client Computers Required Component How Does the Access Point Obtain an IP Address at Startup?Dynamic IP Addressing Static IP Addressing Recovering an IP Address Professional Access Point Administrator Guide What’s inside the Access Point? Unpack the access pointAccess Point Hardware and Ports Connect the access point to network and power UK Users Hardware Connections for a Guest Vlan Professional Access Point Administrator Guide Professional Access Point Administrator Guide Professional Access Point Administrator Guide Field Default Setting Viewing Basic Settings for Access PointsLog on to the Web User Interface Username Configure Basic Settings and start the wireless network Default Configuration Make Sure the Access Point is Connected to the LAN Wall Mounting the Access Point Test LAN Connectivity with Wireless Clients Web User Interface Navigating to Basic Settings Field Description Review / Describe the Access PointMAC Address Firmware Version Administrator Password Provide Administrator Password and Wireless Network NameAdministrator Password again Wireless Network Name Ssid Field Set Configuration Policy for New Access PointsNew Access Points Summary of Settings Update Basic Settings Icon Description Basic Settings for a Standalone Access PointYour Network at a Glance Understanding Indicator Icons Professional Access Point Administrator Guide Cluster Access Points Understanding Clustering Navigating to Access Points Management What Kinds of APs Can Cluster? What is a Cluster?How Many APs Can a Cluster Support? Settings Not Shared by the Cluster Cluster Formation Cluster ModeStandalone Mode Auto-Synchronization of Cluster Configuration Understanding Access Point SettingsCluster Size and Membership Intra-Cluster Security Modifying the Location Description Removing an Access Point from the Cluster Http//IPAddressOfAccessPoint Adding an Access Point to a Cluster Professional Access Point Administrator Guide Professional Access Point Administrator Guide User Management Adding a User Navigating to User Management for Clustered Access PointsViewing User Accounts Enabling and Disabling User Accounts Editing a User AccountEnabling a User Account Real Name Removing a User Account Restoring a User Database from a Backup FileBacking Up and Restoring a User Database Disabling a User Account Professional Access Point Administrator Guide Professional Access Point Administrator Guide Navigating to Session Monitoring Sessions User AP Location User MAC Idle Rate Understanding Session Monitoring Information Signal Utilization Rx Total Tx Total Error Rate Viewing Session Information for Access PointsSorting Session Information Refreshing Session Information Professional Access Point Administrator Guide Channel Management Understanding Channel Management Navigating to Channel ManagementHow it Works Overview Overlapping Channels Background Information Example a Network before and after Channel Management Configuring and Viewing Channel Management Settings Stopping/Starting Automatic Channel Assignment Viewing Last Proposed Set of Changes Viewing Current Channel Assignments and Setting LocksIP Address Band Current Locked IP Address Current Proposed Advanced Use these channels when applying channel assignmentsChange channels if interference is reduced by at least Determine if there is better set of channels every Apply channel modifications even when the network is busy Professional Access Point Administrator Guide Wireless Neighborhood Understanding Wireless Neighbourhood Information Navigating to Wireless Neighborhood Cluster Viewing Wireless NeighborhoodDisplay neighboring APs Neighbors Details for a Cluster Member AP Viewing Details for a Cluster Member Beacon Age SignalChannel Interfaces Status Wireless Settings Ethernet Wired Settings Log Relay Host for Kernel Messages Events Understanding Remote Logging Setting Up the Log Relay HostSYSLOGD=-r Tmp/APsyslog Enabled Log Relay Host EnabledEtc/init.d/sysklogd restart Relay Host Events Log Transmit/Receive Statistics Client Associations ErrorsName Ssid Total Packets Link Integrity Monitoring What is the Difference Between an Association and a Session? Select AP Detection Enabled Neighboring Access Points Privacy Beacon IntType Rates # of BeaconsLast Beacon Professional Access Point Administrator Guide Advanced Ethernet Wired Settings Navigating to Ethernet Wired Settings Managing Guest Access Setting the DNS NameConfiguring an Internal LAN and a Guest Network Enabling and Disabling Guest Access Specifying a Virtual Guest Network Guest AccessFor Guest access, use Virtual Wireless Networks Configuring Internal Interface Ethernet Settings DNS Nameservers Default GatewayStatic IP Address Subnet Configuring Guest Interface Ethernet Wired SettingsUpdating Settings Professional Access Point Administrator Guide Navigating to Wireless Settings Wireless Settings 802.11d Regulatory Domain Support Configuring 802.11d Regulatory Domain Support Mode Channel Configuring the Radio InterfaceConfiguring Internal LAN Wireless Settings Read-only field Configuring Guest Network Wireless Settings Security Understanding Security Issues on Wireless NetworksHow Do I Know Which Security Mode to Use? When to Use No Security Encryption Algorithm User AuthenticationKey Management Encryption Algorithms When to Use WPA/WPA2 Enterprise Radius How Does Station Isolation Protect the Network? Does Prohibiting the Broadcast of Ssid Enhance Security? Broadcast SSID, Station Isolation, and Security Mode Navigating to Security SettingsConfiguring Security Settings Static WEP None Professional Access Point Administrator Guide Key Length Transfer Key IndexBits Key Type Open System Shared Key Both Authentication Algorithm Example of Using Static WEP Static WEP with Transfer KEY Indexes on Client Devices Ieee Enable Radius Accounting Authentication ServerWPA/WPA2 Personal PSK Radius IP Cipher Suites WPA Versions Key WPA/WPA2 Enterprise Radius Improving the security of the network Enable pre-authentication Enter the Radius IP Professional Access Point Administrator Guide Configuring a Guest Network on a Virtual LAN Guest LoginConfiguring Guest Access Using Virtual LANs DSL/T1 Using the Guest Network Configuring the Welcome Screen Captive Portal Configuring a Guest Network on a Dedicated Access Point Configuring Guest Access without Virtual LANs Navigating to Virtual Wireless Network Settings Virtual Wireless Networks Virtual Wireless Network Configuring VLANsOne Two Ton Professional Access Point Administrator Guide Radio Understanding Radio Settings Status On/Off Navigating to Radio SettingsConfiguring Radio Settings Super G ModeIeee 802.11b Maximum Stations Broadcast a subset of its supported rate sets Rate Sets Professional Access Point Administrator Guide MAC Filtering Navigating to MAC Filtering Settings Filter Using MAC Filtering Stations List Professional Access Point Administrator Guide Specifying Limits for Utilization and Client Associations Load BalancingUnderstanding Load Balancing Load Balancing and QoS Navigating to Load Balancing SettingsConfiguring Load Balancing Utilization for Disassociation Utilization for No New AssociationsStations Threshold for Disassocia Tion To apply your changes, click Update Settings Understanding QoS Quality of ServiceQoS and Load Balancing 802.11e and WMM Standards Support QoS Queues and Parameters to Coordinate Traffic Flow Professional Access Point Administrator Guide Random Backoff and Minimum / Maximum Contention Windows Configuring QoS Queues Navigating to QoS Settings Configuring AP Edca Parameters Enabling/Disabling Wi-Fi Multimedia Data 0 Voice Configuring Station Edca Parameters Transmission Opportunity Limit Txop Limit Professional Access Point Administrator Guide Using WDS to Bridge Distant Wired LANs Wireless Distribution SystemUnderstanding the Wireless Distribution System LAN Segment Backup Links and Unwanted Loops in WDS Bridges Security Considerations Related to WDS Bridges Navigating to WDS Settings Configuring WDS Settings Remote Address Local AddressBridge with Internal Network WEP Key Example of Configuring a WDS LinkDisabled Local Address Professional Access Point Administrator Guide Time Protocol Navigating to Time Protocol Settings Enabling and Disabling a Network Time Protocol NTP Server NTP Server Professional Access Point Administrator Guide Understanding Snmp Snmp Navigating to Simple Network Management Protocol Read-only Community Name entire Enable SnmpAllow Snmp SET Requests Read-write community name for per Source hostname or subnet Configuring Your Network Management SystemRebooting and Upgrading Your Access Point Using Snmp Upgrading your Access Point Rebooting Your Access Point Using SnmpFtp//testuser1testuser1@192.168.1.9922/54531.1.23.tar Ftp//192.168.1.100/54531.1.24.tar Professional Access Point Administrator Guide Reset Configuration Reboot Upgrade Professional Access Point Administrator Guide Navigating to Backup and Restore Settings Backup/Restore Restoring Access Point Settings to a Previous Configuration Backing up Configuration Setting for an Access Point Professional Access Point Administrator Guide Command Line Interface Professional Access Point Administrator Guide Basic Settings Yes Described in Backup/Restore on Telnet Connection to the Access Point How to Access the CLI for an Access PointUSR5453-AP login Password USR5453-AP login admin Password Enter help for help Telnet Function Telnet Command SSH2 Connection to the Access PointStatus Status Down USR5453-AP# Login as Commands and Syntax Quick View of Commands and How to Get HelpSSH Function SSH Command Set ssh Status Get log CommandGet log-entry Get bss wlan0bssInternal Add radius-user wally Command Description Remove radius-user wally Getting Help on Commands at the CLI Ready to Get Started? Command Usage and Configuration Examples Professional Access Point Administrator Guide Interface Description Understanding Interfaces as Presented in the CLIWlan0vwn1 Vlan1234 Get interface vlan1234 role Saving Configuration ChangesGet interface vlanVLANID role Basic Setting Example Get Both the IP Address and MAC Address Get the MAC Address for an Access Point Wlan0wds1 Wds Down Wlan0wds2 Wlan0wds3 USR5453-AP# Get the Location of the Access Point Get the Firmware Version for the Access PointSet the Location for an Access Point Get the Current Password Cluster Command Example Access Point and Cluster SettingsGet MAC Addresses for all Access Points in the Cluster User Accounts USR5453-AP#get radius-user all name name User Account Command ExampleGet All User Accounts USR5453-AP#set radius-user samantha disabled USR5453-AP#set radius-user samantha password westportAdd Users USR5453-AP#add radius-user samantha username samantha Remove a User Account Status Command ExampleUSR5453-AP#remove radius-user wally Larry samantha endora darren USR5453-AP#get interface br0 Get Current Wireless Radio Settings Get Current Settings for the Ethernet Wired Guest Interface Get Status on Events USR5453-AP# get radio wlan0 detailUSR5453-AP# get log-entry Priority Daemon USR5453-AP#set log relay-enabled USR5453-AP#set log relay-host myserver USR5453-AP#set log relay-hostUSR5453-AP#set log relay-port USR5453-AP# get log Get Client Associations Get neighbouring Access PointsGet Transmit / Receive Statistics USR5453-AP# get detected-ap USR5453-AP#get detected-ap Wired Interface Command Example Ethernet Wired Interface Get Wired Guest Interface Settings Get Wired Internal Interface SettingsSet Up Guest Access Get Summary View of Internal and Guest Interfaces USR5453-AP# get bss USR5453-AP#get interface brguest status downUSR5453-AP#remove bridge-port br0 interface eth0 USR5453-AP#get interface brguest status up USR5453-AP# get interface brguestUSR5453-AP#get bridge-port brguest USR5453-AP#get bridge-port br0 Name Interface USR5453-AP#get dhcp-client status up Get/Change the Connection Type Dhcp or Static IPUSR5453-AP#set dhcp-client status up USR5453-AP#get interface br0 detail USR5453-AP#get interface br0 static-ip Re-Configure Static IP Addressing ValuesUSR5453-AP#set interface br0 static-ip USR5453-AP#get interface br0 static-mask Security Wireless Interface Get the Current Security Mode Security Command ExampleGet Detailed Description of Current Security Settings USR5453-AP#get interface wlan0 security none Set the Broadcast Ssid Allow or Prohibit Enable / Disable Station Isolation USR5453-AP#set interface wlan0 security none Set Security to NoneSet Security to Static WEP USR5453-AP#set interface wlan0 security static-wep Set bss wlan0bssInternal shared-key-authentication off Set bss wlan0bssInternal open-system-authentication onSet bss wlan0bssInternal shared-key-authentication on USR5453-AP#set interface wlan0 wep-key-ascii yes USR5453-AP#get interface wlan0 detail USR5453-AP#set interface wlan0 security dot1x Set Security to IeeeRadius Option Example USR5453-AP#set bss wlan0bssInternal radius-ip Set Bss USR5453-AP#set bss wlan0bssInternal radius-key secretUSR5453-AP#set bss wlan0bssInternal radius-accounting off USR5453-AP#get interface wlan0 security dot1x WPA Option Example Set Security to WPA/WPA2 Personal PSKUSR5453-AP#set interface wlan0 security wpa-personal Set bss wlan0bssInternal wpa-cipher-tkip on Cipher Suite Option ExampleSet bss wlan0bssInternal wpa-cipher-ccmp off Set bss wlan0bssInternal wpa-cipher-tkip off Set Security to WPA/WPA2 Enterprise Radius USR5453-AP#get interface wlan0 security wpa-personal USR5453-AP#set interface wlan0 security wpa-enterprise Enable Pre-Authentication USR5453-AP#set bss wlan0bssInternal radius-key KeepSecret Cipher Suite Option USR5453-AP#get interface wlan0 security wpa-enterprise USR5453-AP#set bss wlan0bssInternal radius-accounting on View Guest Login Settings Enable/Configure Guest Login WelcomeEnable/Disable the Guest Welcome Set Guest Welcome Page Text Review Guest Login Settings Configuring Multiple BSSIDs on Virtual Wireless NetworksConfiguring Virtual Wireless Network One on Radio One Set interface wlan0vwn1 security wpa-enterprise Radio Setting Command Example Radio SettingsGet Ieee 802.11 Radio Mode Creating VWN Two on Radio One with WPA security Get Radio Channel Get Basic Radio SettingsGet All Radio Settings Get Supported Rate Set Configure Radio SettingsUSR5453-AP#get supported-rate Get Basic Rate Set USR5453-AP#set radio wlan0 beacon-interval USR5453-AP#set radio wlan0 mode gUSR5453-AP#set bss wlan0bssInternal dtim-period USR5453-AP#get bss wlan0bssInternal dtim-period USR5453-AP#set radio wlan0 rts-threshold USR5453-AP#set radio wlan0 fragmentation-thresholdUSR5453-AP#add basic-rate wlan0 rate USR5453-AP#add supported-rate wlan0 rate USR5453-AP#get supported-rate wlan0 rate MAC Filtering Add MAC Addresses of Client Stations to the Filtering List Specify an Accept or Deny ListSet bss wlan0bssGuest mac-acl-name Guest USR5453-AP#remove mac-acl Guest mac Get Current MAC Filtering SettingsGet bss interface mac-acl-mode USR5453-AP#get bss wlan0bssGuest mac-acl-mode accept-list Load Balancing Quality of ServiceQoS Command Enable/Disable Wi-Fi Multimedia QoS Command Example Data Access Point Station About Access Point and Station Edca ParametersUnderstanding the Queues for Access Point and Station Get QoS Settings on the Client Station Get QoS Settings on the Access PointUSR5453-AP#get wme-queue Set Arbirtation Interframe Spaces Aifs USR5453-AP#set wme-queue wlan0 with queue vo to aifs Setting Minimum and Maximum Contention Windows cwmin, cwmaxSet wme-queue wlan0 with queue QueueName to aifs AIFSValue Set tx-queue wlan0 with queue QueueName to burst burstValue Set the Maximum Burst Length burst on the Access PointUSR5453-AP#set wme-queue wlan0 with queue vi cwmin 7 cwmax USR5453-AP#set wme-queue wlan0 with queue vo to txop-limit USR5453-AP#set tx-queue wlan0 with queue data2 to burst Configuring a WDS Link Wireless Distribution SystemGetting Details on a WDS Configuration USR5453-AP#set interface wlan0wds0 remote-mac 00E0B8761B14 USR5453-AP#get ntp detail Time ProtocolSet ntp server ntp.instant802.com Reset the Access Point to Factory Defaults Reboot the Access PointUSR5453-AP#factory-reset Keyboard Shortcuts and Tab Completion Help Action on CLI Keyboard Shortcut Keyboard ShortcutsTab Completion and Help USR5453-AP#get system v USR5453-AP#get system version USR5453-AP# set mac-acl CLI Class and Field Overview Has name? \ # of instances? One Multiple Field Reference on CLI Class Relationships Class Description Class IndexAssociation Field Index AuthenticatedInterface Station Bridge-port Basic-rate Priority BssPath-cost Description StatusRadio Beacon-interface Dtim-period MacMax-stations Ignore-broadcast-ssid Channel-planner Open-system-authenticationCluster Cluster-member Default ConfigNo-external-updates Debug Field Description Detected-ap Capability Beacon-interval Type Erp Dhcp-clientBeacons Last-beacon Host Dot11Debug Dot11d Domain Dns-12Static-dns-12 Static-domain Mask Interface Type Rx-errorsStatic-ip Static-mask Rx-compressed Tx-errorsRx-multicast Tx-packets Ip-route Kickstartd JvmLog Gateway Depth Log-entryNumber Time Ntp Mac-aclMessage Server Welcome-screen-text PortalWelcome-screen Max-bss Max-bss Tx-powerChannel-policy Mode Rts-threshold WmewifinoacktestFragmentation-threshold Load-balance-disassociation-utilization Serial Radius-userSnmp Ro-community Supported-rate SshSystem Rw-community Encrypted-password PasswordPassword-initialized Telnet Queue Tx-queueCommunity Wme-queue Web-ui Possible Solution Professional Access Point Detection Utility does not find Cannot access the Web User Interface Access point My wireless device cannot find the wireless network Possible Solution Am experiencing poor wireless link quality Wireless Distribution System WDS Problems and Solutions Reboot or Reset Access Point Cluster Recovery Click Stop Clustering Stop Clustering and Reset Each Access Point in the Cluster Professional Access Point Administrator Guide Country Webmail Voice Support Information UAE Detachable Antenna Information Declaration of ConformityFCC Radiation Exposure Statement Radio and Television Interference UL Listing/CUL Listing For Canadian UsersIndustry Canada IC Declaration of Conformity CE Compliance EU Detachable Antenna Information Regulatory Channel FrequencyEU Health Protection Professional Access Point Administrator Guide Professional Access Point Administrator Guide Robotics Corporation Two 2 Year Limited Warranty Obtaining Warranty Service Limitations Disclaimer 802.1x 802802.2 802.3 802.11d 802.11b802.11e 802.11f AES Bridge BeaconBroadcast Broadcast Address Ccmp BssidCGI CSMA/CA Dhcp DCFDNS DOM Edcf EAPESS Ethernet Gateway FrameHtml Http Ibss Infrastructure ModeIeee Intrusion Detection ISP IPSecJitter Latency Ldap LANLLC MAC NIC NATNTP OSI Packet Loss PacketPHY PID PSK PPP RC4 RadiusRssi RTP STP SnmpSsid TCP Supported Rate SetTCP/IP Tkip Unicast UDPURL Vlan WDS WANWEP Wins WPA2 WMM WPAWrap XML Index DCF Ieee Snmp WDS Index-328