WPA Versions, Cipher Suites | USRobotics Instant802 APSDK instruction

Professional Access Point Administrator Guide

Field

Description

WPA Versions	Select the types of clients you want to support:
	•	WPA—If all clients on the network support the original WPA, but none support the newer
		WPA2, then select WPA
	•	WPA2—If all clients on the network support WPA2, USRobotics suggests using WPA2,
		which provides the best security per the IEEE 802.11i standard.
	•	Both—If you have a mix of clients, some of which support WPA2 and others which sup-
		port only the original WPA, select Both. This option lets both WPA and WPA2 clients
		associate and authenticate, but uses the more robust WPA2 for clients who support it.
		This WPA configuration allows more interoperability, at the expense of some security.

Cipher Suites	Select the cipher you want to use from the list:
	•	TKIP—TKIP(Temporal Key Integrity Protocol) is the default.
		TKIP provides a more secure encryption solution than WEP keys. The TKIP
		process more frequently changes the encryption key used and better ensures
		that the same key will not be reused to encrypt data (a weakness of WEP). TKIP
		uses a 128-bit temporal key shared by clients and access points. The temporal
		key is combined with the client's MAC address and a 16-octet initialization vector
		to produce the key that will encrypt the data. This ensures that each client uses a
		different key to encrypt data. TKIP uses RC4 to perform the encryption, which is
		the same as WEP. But TKIP changes temporal keys every 10,000 packets and
		distributes them, thereby greatly improving the security of the network.
	•	CCMP (AES)—Countermode/CBC-MAC Protocol (CCMP) is an encryption method for
		IEEE 802.11i that uses the Advanced Encryption Algorithm (AES). It uses a CCM
		combined with Cipher Block Chaining Counter mode (CBC-CTR) and Cipher Block Chain-
		ing Message Authentication Code (CBC-MAC) for encryption and message integrity.
	•	Both—When the authentication algorithm is set to Both, both TKIP and AES cli-
		ents can associate with the access point. WPA clients must have one of the fol-
		lowing to be able to associate with the access point:
		• A valid TKIP key
		• A valid CCMP (AES) key
	Clients not configured to use a WPA-PSK will not be able to associate with the
	access point.

Security - 116

Image 116

USRobotics Instant802 APSDK manual WPA Versions, Cipher Suites

Contents

Professional Access Point Administrator Guide R46.1224.00 rev 2.0 07/06Page Professional Access Point Administrator Guide USA Professional Access Point Administrator Guide Contents Class Structure, Commands, and Examples AdvancedClass and Field Reference Support Information Robotics Corporation Two 2 Year Limited Warranty Viii Administrator Audience Online Help Features Recommended Settings, Notes and Cautions Typographical Conventions Getting Started Features and Benefits Ieee Standards Support and Wi-Fi ComplianceWireless Features Security Features Networking Guest InterfaceClustering and Auto-Management Maintainability What’s Next?Snmp Support Professional Access Point Default Settings for the Professional Access Point Option Default Settings Related Information Ieee 802.11 Mode Transmit PowerSecurity Mode None Authentication Type Required Software or Component Description Administrator’s ComputerWhat the Access Point Does Not Provide Wireless Client Computers Required Component Description Required Component How Does the Access Point Obtain an IP Address at Startup?Dynamic IP Addressing Recovering an IP Address Static IP Addressing Professional Access Point Administrator Guide What’s inside the Access Point? Unpack the access pointAccess Point Hardware and Ports Connect the access point to network and power UK Users Hardware Connections for a Guest Vlan Professional Access Point Administrator Guide Professional Access Point Administrator Guide Professional Access Point Administrator Guide Viewing Basic Settings for Access Points Field Default SettingLog on to the Web User Interface Username Configure Basic Settings and start the wireless network Default Configuration Wall Mounting the Access Point Make Sure the Access Point is Connected to the LAN Test LAN Connectivity with Wireless Clients Web User Interface Navigating to Basic Settings Review / Describe the Access Point Field DescriptionMAC Address Firmware Version Provide Administrator Password and Wireless Network Name Administrator PasswordAdministrator Password again Wireless Network Name Ssid Field Set Configuration Policy for New Access PointsNew Access Points Update Basic Settings Summary of Settings Icon Description Basic Settings for a Standalone Access PointYour Network at a Glance Understanding Indicator Icons Professional Access Point Administrator Guide Access Points Cluster Navigating to Access Points Management Understanding Clustering What Kinds of APs Can Cluster? What is a Cluster?How Many APs Can a Cluster Support? Settings Not Shared by the Cluster Cluster Formation Cluster ModeStandalone Mode Understanding Access Point Settings Auto-Synchronization of Cluster ConfigurationCluster Size and Membership Intra-Cluster Security Removing an Access Point from the Cluster Modifying the Location Description Adding an Access Point to a Cluster Http//IPAddressOfAccessPoint Professional Access Point Administrator Guide Professional Access Point Administrator Guide User Management Adding a User Navigating to User Management for Clustered Access PointsViewing User Accounts Editing a User Account Enabling and Disabling User AccountsEnabling a User Account Real Name Restoring a User Database from a Backup File Removing a User AccountBacking Up and Restoring a User Database Disabling a User Account Professional Access Point Administrator Guide Professional Access Point Administrator Guide Sessions Navigating to Session Monitoring Understanding Session Monitoring Information User AP Location User MAC Idle Rate Viewing Session Information for Access Points Signal Utilization Rx Total Tx Total Error RateSorting Session Information Refreshing Session Information Professional Access Point Administrator Guide Channel Management Navigating to Channel Management Understanding Channel ManagementHow it Works Overview Overlapping Channels Background Information Configuring and Viewing Channel Management Settings Example a Network before and after Channel Management Stopping/Starting Automatic Channel Assignment Viewing Current Channel Assignments and Setting Locks Viewing Last Proposed Set of ChangesIP Address Band Current Locked IP Address Current Proposed Use these channels when applying channel assignments AdvancedChange channels if interference is reduced by at least Determine if there is better set of channels every Apply channel modifications even when the network is busy Professional Access Point Administrator Guide Wireless Neighborhood Navigating to Wireless Neighborhood Understanding Wireless Neighbourhood Information Cluster Viewing Wireless NeighborhoodDisplay neighboring APs Neighbors Viewing Details for a Cluster Member Details for a Cluster Member AP Beacon Age SignalChannel Status Interfaces Ethernet Wired Settings Wireless Settings Events Log Relay Host for Kernel Messages Setting Up the Log Relay Host Understanding Remote LoggingSYSLOGD=-r Tmp/APsyslog Log Relay Host Enabled EnabledEtc/init.d/sysklogd restart Relay Host Transmit/Receive Statistics Events Log Errors Client AssociationsName Ssid Total Packets What is the Difference Between an Association and a Session? Link Integrity Monitoring Neighboring Access Points Select AP Detection Enabled Privacy Beacon IntType Rates # of BeaconsLast Beacon Professional Access Point Administrator Guide Ethernet Wired Settings Advanced Navigating to Ethernet Wired Settings Setting the DNS Name Managing Guest AccessConfiguring an Internal LAN and a Guest Network Enabling and Disabling Guest Access Specifying a Virtual Guest Network Guest AccessFor Guest access, use Configuring Internal Interface Ethernet Settings Virtual Wireless Networks DNS Nameservers Default GatewayStatic IP Address Subnet Configuring Guest Interface Ethernet Wired SettingsUpdating Settings Professional Access Point Administrator Guide Wireless Settings Navigating to Wireless Settings Configuring 802.11d Regulatory Domain Support 802.11d Regulatory Domain Support Mode Channel Configuring the Radio InterfaceConfiguring Internal LAN Wireless Settings Configuring Guest Network Wireless Settings Read-only field Security Understanding Security Issues on Wireless NetworksHow Do I Know Which Security Mode to Use? When to Use No Security Encryption Algorithm User AuthenticationKey Management Encryption Algorithms When to Use WPA/WPA2 Enterprise Radius Does Prohibiting the Broadcast of Ssid Enhance Security? How Does Station Isolation Protect the Network? Broadcast SSID, Station Isolation, and Security Mode Navigating to Security SettingsConfiguring Security Settings None Static WEP Professional Access Point Administrator Guide Transfer Key Index Key LengthBits Key Type Authentication Algorithm Open System Shared Key Both Example of Using Static WEP Static WEP with Transfer KEY Indexes on Client Devices Ieee Authentication Server Enable Radius AccountingWPA/WPA2 Personal PSK Radius IP WPA Versions Cipher Suites WPA/WPA2 Enterprise Radius Key Enable pre-authentication Improving the security of the network Enter the Radius IP Professional Access Point Administrator Guide Configuring a Guest Network on a Virtual LAN Guest LoginConfiguring Guest Access Using Virtual LANs DSL/T1 Configuring the Welcome Screen Captive Portal Using the Guest Network Configuring Guest Access without Virtual LANs Configuring a Guest Network on a Dedicated Access Point Virtual Wireless Networks Navigating to Virtual Wireless Network Settings Configuring VLANs Virtual Wireless NetworkOne Two Ton Professional Access Point Administrator Guide Understanding Radio Settings Radio Status On/Off Navigating to Radio SettingsConfiguring Radio Settings Super G ModeIeee 802.11b Maximum Stations Rate Sets Broadcast a subset of its supported rate sets Professional Access Point Administrator Guide Navigating to MAC Filtering Settings MAC Filtering Using MAC Filtering Filter Stations List Professional Access Point Administrator Guide Specifying Limits for Utilization and Client Associations Load BalancingUnderstanding Load Balancing Load Balancing and QoS Navigating to Load Balancing SettingsConfiguring Load Balancing Utilization for No New Associations Utilization for DisassociationStations Threshold for Disassocia Tion To apply your changes, click Update Settings Quality of Service Understanding QoSQoS and Load Balancing 802.11e and WMM Standards Support QoS Queues and Parameters to Coordinate Traffic Flow Professional Access Point Administrator Guide Random Backoff and Minimum / Maximum Contention Windows Navigating to QoS Settings Configuring QoS Queues Configuring AP Edca Parameters Enabling/Disabling Wi-Fi Multimedia Configuring Station Edca Parameters Data 0 Voice Txop Limit Transmission Opportunity Limit Professional Access Point Administrator Guide Using WDS to Bridge Distant Wired LANs Wireless Distribution SystemUnderstanding the Wireless Distribution System Backup Links and Unwanted Loops in WDS Bridges LAN Segment Navigating to WDS Settings Security Considerations Related to WDS Bridges Configuring WDS Settings Local Address Remote AddressBridge with Internal Network WEP Key Example of Configuring a WDS LinkDisabled Local Address Professional Access Point Administrator Guide Navigating to Time Protocol Settings Time Protocol Enabling and Disabling a Network Time Protocol NTP Server NTP Server Professional Access Point Administrator Guide Snmp Understanding Snmp Navigating to Simple Network Management Protocol Enable Snmp Read-only Community Name entireAllow Snmp SET Requests Read-write community name for per Source hostname or subnet Configuring Your Network Management SystemRebooting and Upgrading Your Access Point Using Snmp Rebooting Your Access Point Using Snmp Upgrading your Access PointFtp//testuser1testuser1@192.168.1.9922/54531.1.23.tar Ftp//192.168.1.100/54531.1.24.tar Professional Access Point Administrator Guide Reboot Reset Configuration Upgrade Professional Access Point Administrator Guide Backup/Restore Navigating to Backup and Restore Settings Backing up Configuration Setting for an Access Point Restoring Access Point Settings to a Previous Configuration Professional Access Point Administrator Guide Command Line Interface Professional Access Point Administrator Guide Basic Settings Yes Described in Backup/Restore on How to Access the CLI for an Access Point Telnet Connection to the Access PointUSR5453-AP login Password USR5453-AP login admin Password Enter help for help SSH2 Connection to the Access Point Telnet Function Telnet CommandStatus Status Down Login as USR5453-AP# Quick View of Commands and How to Get Help Commands and SyntaxSSH Function SSH Command Set ssh Status Command Get logGet log-entry Get bss wlan0bssInternal Command Description Add radius-user wally Getting Help on Commands at the CLI Remove radius-user wally Command Usage and Configuration Examples Ready to Get Started? Professional Access Point Administrator Guide Understanding Interfaces as Presented in the CLI Interface DescriptionWlan0vwn1 Vlan1234 Get interface vlan1234 role Saving Configuration ChangesGet interface vlanVLANID role Basic Setting Example Get the MAC Address for an Access Point Get Both the IP Address and MAC Address Wlan0wds1 Wds Down Wlan0wds2 Wlan0wds3 USR5453-AP# Get the Firmware Version for the Access Point Get the Location of the Access PointSet the Location for an Access Point Get the Current Password Access Point and Cluster Settings Cluster Command ExampleGet MAC Addresses for all Access Points in the Cluster User Accounts USR5453-AP#get radius-user all name name User Account Command ExampleGet All User Accounts USR5453-AP#set radius-user samantha password westport USR5453-AP#set radius-user samantha disabledAdd Users USR5453-AP#add radius-user samantha username samantha Status Command Example Remove a User AccountUSR5453-AP#remove radius-user wally Larry samantha endora darren USR5453-AP#get interface br0 Get Current Settings for the Ethernet Wired Guest Interface Get Current Wireless Radio Settings USR5453-AP# get radio wlan0 detail Get Status on EventsUSR5453-AP# get log-entry Priority Daemon USR5453-AP#set log relay-enabled USR5453-AP#set log relay-host USR5453-AP#set log relay-host myserverUSR5453-AP#set log relay-port USR5453-AP# get log Get Client Associations Get neighbouring Access PointsGet Transmit / Receive Statistics USR5453-AP#get detected-ap USR5453-AP# get detected-ap Ethernet Wired Interface Wired Interface Command Example Get Wired Internal Interface Settings Get Wired Guest Interface SettingsSet Up Guest Access Get Summary View of Internal and Guest Interfaces USR5453-AP# get bss USR5453-AP#get interface brguest status downUSR5453-AP#remove bridge-port br0 interface eth0 USR5453-AP# get interface brguest USR5453-AP#get interface brguest status upUSR5453-AP#get bridge-port brguest USR5453-AP#get bridge-port br0 Name Interface Get/Change the Connection Type Dhcp or Static IP USR5453-AP#get dhcp-client status upUSR5453-AP#set dhcp-client status up USR5453-AP#get interface br0 detail Re-Configure Static IP Addressing Values USR5453-AP#get interface br0 static-ipUSR5453-AP#set interface br0 static-ip USR5453-AP#get interface br0 static-mask Wireless Interface Security Security Command Example Get the Current Security ModeGet Detailed Description of Current Security Settings USR5453-AP#get interface wlan0 security none Enable / Disable Station Isolation Set the Broadcast Ssid Allow or Prohibit Set Security to None USR5453-AP#set interface wlan0 security noneSet Security to Static WEP USR5453-AP#set interface wlan0 security static-wep Set bss wlan0bssInternal open-system-authentication on Set bss wlan0bssInternal shared-key-authentication offSet bss wlan0bssInternal shared-key-authentication on USR5453-AP#set interface wlan0 wep-key-ascii yes USR5453-AP#get interface wlan0 detail Set Security to Ieee USR5453-AP#set interface wlan0 security dot1xRadius Option Example USR5453-AP#set bss wlan0bssInternal radius-ip USR5453-AP#set bss wlan0bssInternal radius-key secret Set BssUSR5453-AP#set bss wlan0bssInternal radius-accounting off USR5453-AP#get interface wlan0 security dot1x WPA Option Example Set Security to WPA/WPA2 Personal PSKUSR5453-AP#set interface wlan0 security wpa-personal Cipher Suite Option Example Set bss wlan0bssInternal wpa-cipher-tkip onSet bss wlan0bssInternal wpa-cipher-ccmp off Set bss wlan0bssInternal wpa-cipher-tkip off USR5453-AP#get interface wlan0 security wpa-personal Set Security to WPA/WPA2 Enterprise Radius USR5453-AP#set interface wlan0 security wpa-enterprise Enable Pre-Authentication Cipher Suite Option USR5453-AP#set bss wlan0bssInternal radius-key KeepSecret USR5453-AP#set bss wlan0bssInternal radius-accounting on USR5453-AP#get interface wlan0 security wpa-enterprise Enable/Configure Guest Login Welcome View Guest Login SettingsEnable/Disable the Guest Welcome Set Guest Welcome Page Text Configuring Multiple BSSIDs on Virtual Wireless Networks Review Guest Login SettingsConfiguring Virtual Wireless Network One on Radio One Set interface wlan0vwn1 security wpa-enterprise Radio Settings Radio Setting Command ExampleGet Ieee 802.11 Radio Mode Creating VWN Two on Radio One with WPA security Get Radio Channel Get Basic Radio SettingsGet All Radio Settings Configure Radio Settings Get Supported Rate SetUSR5453-AP#get supported-rate Get Basic Rate Set USR5453-AP#set radio wlan0 mode g USR5453-AP#set radio wlan0 beacon-intervalUSR5453-AP#set bss wlan0bssInternal dtim-period USR5453-AP#get bss wlan0bssInternal dtim-period USR5453-AP#set radio wlan0 fragmentation-threshold USR5453-AP#set radio wlan0 rts-thresholdUSR5453-AP#add basic-rate wlan0 rate USR5453-AP#add supported-rate wlan0 rate MAC Filtering USR5453-AP#get supported-rate wlan0 rate Add MAC Addresses of Client Stations to the Filtering List Specify an Accept or Deny ListSet bss wlan0bssGuest mac-acl-name Guest Get Current MAC Filtering Settings USR5453-AP#remove mac-acl Guest macGet bss interface mac-acl-mode USR5453-AP#get bss wlan0bssGuest mac-acl-mode accept-list Load Balancing Quality of ServiceQoS Command QoS Command Example Enable/Disable Wi-Fi Multimedia Data Access Point Station About Access Point and Station Edca ParametersUnderstanding the Queues for Access Point and Station Get QoS Settings on the Access Point Get QoS Settings on the Client StationUSR5453-AP#get wme-queue Set Arbirtation Interframe Spaces Aifs USR5453-AP#set wme-queue wlan0 with queue vo to aifs Setting Minimum and Maximum Contention Windows cwmin, cwmaxSet wme-queue wlan0 with queue QueueName to aifs AIFSValue Set tx-queue wlan0 with queue QueueName to burst burstValue Set the Maximum Burst Length burst on the Access PointUSR5453-AP#set wme-queue wlan0 with queue vi cwmin 7 cwmax USR5453-AP#set tx-queue wlan0 with queue data2 to burst USR5453-AP#set wme-queue wlan0 with queue vo to txop-limit Wireless Distribution System Configuring a WDS LinkGetting Details on a WDS Configuration USR5453-AP#set interface wlan0wds0 remote-mac 00E0B8761B14 USR5453-AP#get ntp detail Time ProtocolSet ntp server ntp.instant802.com Reboot the Access Point Reset the Access Point to Factory DefaultsUSR5453-AP#factory-reset Keyboard Shortcuts and Tab Completion Help Action on CLI Keyboard Shortcut Keyboard ShortcutsTab Completion and Help USR5453-AP#get system v USR5453-AP#get system version CLI Class and Field Overview USR5453-AP# set mac-acl Field Reference on Has name? \ # of instances? One Multiple CLI Class Relationships Class Description Class IndexAssociation Authenticated Field IndexInterface Station Basic-rate Bridge-port Priority BssPath-cost Status DescriptionRadio Beacon-interface Mac Dtim-periodMax-stations Ignore-broadcast-ssid Open-system-authentication Channel-plannerCluster Cluster-member Config DefaultNo-external-updates Debug Detected-ap Field Description Beacon-interval Capability Type Dhcp-client ErpBeacons Last-beacon Dot11 HostDebug Dot11d Dns-12 DomainStatic-dns-12 Static-domain Interface Mask Rx-errors TypeStatic-ip Static-mask Tx-errors Rx-compressedRx-multicast Tx-packets Ip-route Jvm KickstartdLog Gateway Log-entry DepthNumber Time Mac-acl NtpMessage Server Welcome-screen-text PortalWelcome-screen Max-bss Tx-power Max-bssChannel-policy Mode Wmewifinoacktest Rts-thresholdFragmentation-threshold Load-balance-disassociation-utilization Radius-user SerialSnmp Ro-community Ssh Supported-rateSystem Rw-community Password Encrypted-passwordPassword-initialized Telnet Queue Tx-queueCommunity Web-ui Wme-queue Professional Access Point Detection Utility does not find Possible Solution Access point Cannot access the Web User Interface My wireless device cannot find the wireless network Possible Solution Wireless Distribution System WDS Problems and Solutions Am experiencing poor wireless link quality Cluster Recovery Reboot or Reset Access Point Stop Clustering and Reset Each Access Point in the Cluster Click Stop Clustering Professional Access Point Administrator Guide Support Information Country Webmail Voice UAE Declaration of Conformity Detachable Antenna InformationFCC Radiation Exposure Statement Radio and Television Interference UL Listing/CUL Listing For Canadian UsersIndustry Canada IC CE Compliance Declaration of Conformity EU Detachable Antenna Information Regulatory Channel FrequencyEU Health Protection Professional Access Point Administrator Guide Professional Access Point Administrator Guide Robotics Corporation Two 2 Year Limited Warranty Obtaining Warranty Service Limitations Disclaimer 802 802.1x802.2 802.3 802.11b 802.11d802.11e 802.11f AES Beacon BridgeBroadcast Broadcast Address Bssid CcmpCGI CSMA/CA DCF DhcpDNS DOM EAP EdcfESS Ethernet Frame GatewayHtml Http Infrastructure Mode IbssIeee Intrusion Detection IPSec ISPJitter Latency LAN LdapLLC MAC NAT NICNTP OSI Packet Packet LossPHY PID PPP PSK Radius RC4Rssi RTP STP SnmpSsid Supported Rate Set TCPTCP/IP Tkip UDP UnicastURL Vlan WAN WDSWEP Wins WMM WPA WPA2Wrap XML Index DCF Ieee Snmp WDS Index-328