ZyXEL Communications ZyXEL AG-120 WPA and WPA2, Encryption

ZyXEL AG-120 User’s Guide

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

Table 32 Comparison of EAP Authentication Types

	EAP-MD5	EAP-TLS	EAP-TTLS	PEAP	LEAP

Mutual Authentication	No	Yes	Yes	Yes	Yes

Certificate – Client	No	Yes	Optional	Optional	No

Certificate – Server	No	Yes	Yes	Yes	No

Dynamic Key Exchange	No	Yes	Yes	Yes	Yes

Credential Integrity	None	Strong	Strong	Strong	Moderate

Deployment Difficulty	Easy	Hard	Moderate	Moderate	Moderate

Client Identity Protection	No	No	Yes	Yes	No

WPA and WPA2

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.

Key differences between WPA(2) and WEP are improved data encryption and user authentication.

If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not.

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.

Encryption

Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP.

Appendix D Wireless Security

101

Contents

User’s Guide Page Copyright Disclaimer Trademarks Certifications Federal Communications Commission (FCC) Interference Statement FCC Radiation Exposure Statement Notices Viewing Certifications ZyXEL Limited Warranty Note Online Registration Safety Warnings Customer Support Page Page Table of Contents Wireless Station Mode Configuration Appendix A Appendix B Appendix C Appendix D Appendix E Page List of Figures Page Page Page List of Tables Page Preface About This User's Guide Related Documentation User Guide Feedback Syntax Conventions Graphics Icons Key Getting Started 1.1 About Your AG-120 1.2 Application Overview 1.2.1.1 Infrastructure 1.2.1.2 Ad-Hoc 1.2.2 Access Point Mode Note: 1.2.3 Changing AG-120Mode Station Mode AP Mode 1.3 AG-120Hardware and Utility Installation 1.4 Configuration Methods Use Windows to configure my wireless network settings (All) Programs ZyXEL 1.4.2 Accessing the ZyXEL Utility Page Tutorial 2.1 Connecting to a Wireless LAN Scan Available Network List SSID_Examples3 Confirm New Settings 2.2Creating and Using a Profile Add Add New Profile Scan Info Select Activate Now Activate Later Profile List 2.3 Configuring the AG-120as an AP Configuration Page Wireless LAN Network 3.1 Wireless LAN Overview 3.2Wireless LAN Security 3.2.3.1 WEP 3.2.3.2IEEE 3.2.3.3 WPA and WPA2 3.3 Introduction to OTIST 3.3.1.1 AP 3.3.1.2 Wireless Client 3.3.3Notes on OTIST Page Wireless Station Mode Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Access Point Mode Page Page Page Page Page Page Page Maintenance 6.1 The About Screen 6.2 Uninstalling the ZyXEL Utility 6.3 Upgrading the ZyXEL Utility Page Page Troubleshooting 7.1 Problems Starting the ZyXEL Utility 7.2 Problem Connecting to an Access Point 7.3 Problem with the Link Quality 7.4 Problems Communicating With Other Computers Product Specifications Page Access Point Mode Setup Example Configuring the Computer on Which You Install the AG-120 Sharing Enable Internet Connection Sharing for this connection Configuring the Wireless Station Computer Page Activating Wireless Zero Configuration Page Connecting to a Wireless Network Wireless Network Connection Status View Wireless Networks Wireless Network Connection Wireless Networks Wireless Network Connection Properties Refresh network list Refresh Available networks Configure Preferred Wireless Network Connection Security Settings Association Authentication Authentication Properties Smart Card or other Certificate Properties Ordering the Preferred Networks Wireless Networks Move up Move down Remove Page Wireless Security Types of EAP Authentication Dynamic WEP Key Exchange WPA and WPA2 User Authentication WPA(2)-PSKApplication Example WPA(2) with RADIUS Application Example Security Parameters Summary Setting up Your Computer’s IP Address Windows 95/98/Me Installing Components Protocol Microsoft manufacturers TCP/IP Configuring IP Address Obtain an IP address automatically Specify an IP address Subnet Mask Windows 2000/NT/XP Network Connections Network and Dial-up Connections 3Right-click Local Area Connection and then click Properties Internet Protocol (TCP/IP) General Use the following IP Address IP address Subnet mask Default gateway IP Settings Macintosh OS 8/9 2Select Ethernet built-in from the Connect via list Using DHCP Server Configure: Macintosh OS Apply Now Page Index