ZyWALL 5/35/70 Series User’s Guide

If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless Card screen (see Section 9.16.4 on page 192). You may still configure and store keys here, but they will not be used while dynamic WEP is enabled.

To use dynamic WEP, enable and configure dynamic WEP key exchange in the Wireless Card screen and configure RADIUS server settings in the AUTH SERVER RADIUS screen (see Section 21.3 on page 368). Ensure that the wireless station's EAP type is configured to one of the following:

EAP-TLS

EAP-TTLS

PEAP

Note: EAP-MD5 cannot be used with dynamic WEP key exchange.

9.11 Introduction to WPA

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. Key differences between WPA and WEP are user authentication and improved data encryption.

9.11.1 User Authentication

WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. You can't use the ZyWALL's Local User Database for WPA authentication purposes since the Local User Database uses EAP-MD5 which cannot be used to generate keys. See later in this chapter and the appendices for more information on IEEE 802.1x, RADIUS and EAP.

If you don't have an external RADIUS server you should use WPA-PSK (WPA -Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a client will be granted access to

aWLAN.

9.11.2Encryption

WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x.

Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

183

Chapter 9 Wireless LAN