Configuring SSID Authentication and Encryption

Each SSID can use specific authentication and encryption settings, enabling you to configure differing levels of security for different resources. By default, the authentication/encryption is set to none; we strongly recommend that you select one of the supported authentication/encryption methods. The NetScreen-5GT Wireless device supports WEP and WPA authentication and encryption methods; to ensure the highest level of security we recommend that you select WPA as your authentication/encryption method.

Wired Equivalent Privacy (WEP) uses the Rivest Cipher 4 (RC4) stream cipher to encrypt and decrypt data as it travels over the wireless link. You can store WEP keys locally on the security device or on an external authentication server. Wireless network users store one or more of the same keys on their systems and identify them with the same ID numbers. For details on configuring WEP, see Configuring Wired Equivalent Privacy.

The Wi-Fi Protected Access (WPA) method patches many of the security vulnerabilities found in WEP, greatly enhancing payload integrity checks and the key exchange process. You can use WPA in one of the following modes:

Note: For details about TKIP, see the IEEE standard 802.11. For details about AES, see RFC 3268, "Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)."

For details on configuring WPA, see Using Wi-Fi Protected Access.

Configuring Wired Equivalent Privacy

Although you can configure WEP for all the basic service sets (BSSs), the NetScreen-5GT Wireless device intentionally restricts its use to only one BSS at a time.

When using WEP encryption, you must also select a key source, which specifies the location of the WEP key:

  1. The wireless client contacts the device.
  2. The device responds to the client with a clear-text challenge text string that the client must then encrypt with the correct WEP key and return to the device.
  3. The device receives the encrypted string from the client, decrypts it, and compares it with the original. If the strings match, authentication is successful; if the strings do not match or the client does not respond, authentication fails.

    Although this method uses WEP keys for encryption, an attacker might be able to intercept both the clear-text challenge and the same challenge encrypted with a WEP key, and potentially decipher the WEP key.

Configuring WEP Keys

You can define WEP keys on the security device for BSS use. The security device, acting as a wireless access point (WAP), uses WEP keys for authenticating wireless clients in that BSS, and for encrypting and decrypting traffic sent between itself and the clients.

You can define one to four WEP keys for each BSS on the security device. Using multiple keys enables you to adjust the level of security for different wireless clients within the same BSS; you can use longer keys to provide greater security for some traffic and shorter keys to reduce processing overhead for other, less critical traffic.

When you define only one WEP key on the security device, that key is the default key and handles all encryption, authentication, and decryption. When you define multiple keys on the security device, you can designate non-default keys to handle authentication and decryption (the default key always handles encryption). If you do not specify a default key, the first key you define automatically becomes the default key.

Wireless clients can use a static WEP key stored on the device, or a dynamic key on an external RADIUS server.

The Key ID enables WEP key configuration and sets the WEP identification value. When all WEP keys are stored on the security device, you can assign the default key ID as 1, 2, 3, or 4.

However:

An encryption key length specifies the length of the key in bits. Juniper Networks supports two WEP key lengths: 40 and 104 bits. Because the keys are concatenated with a 24-bit initialization vector (IV), the resulting lengths are 64 and 128 bits.

Longer keys are more secure than shorter keys, but longer keys take longer to process and can reduce throughput speeds. Select the key length that is appropriate to the importance of the wireless traffic you want to protect:

The encryption method defines the string type (ASCII or hexadecimal) for the WEP key:

When using a single key on the security device for encryption, decryption, and authentication, you must define the default WEP key.

You can specify a static, non-default WEP key that the security device uses for authenticating and decrypting traffic received from wireless clients. However, each client must also load the WEP key (and its ID) before it can authenticate itself and send encrypted traffic to the security device. If a client does not supply a key ID, the security device attempts to use the default WEP key to authenticate the client and decrypt its traffic.
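The WEP key rules described above (one to four keys per BSS with IDs 1 to 4, 40- or 104-bit keys entered as ASCII or hexadecimal, one default key that always encrypts, and fallback to the default key when a client supplies no key ID) can be modelled in a short validator. This is an added illustration, not NetScreen code; the class and function names are invented for the example.

```python
import re

# Constructed model of the WEP key rules on this page (not NetScreen code).
# Character counts that encode a 40- or 104-bit key for each string type:
# 5 ASCII chars = 40 bits, 13 = 104 bits; 10 hex digits = 40 bits, 26 = 104 bits.
KEY_LENGTHS = {
    "ascii": {5: 40, 13: 104},
    "hex": {10: 40, 26: 104},
}


def wep_key_bits(key: str, method: str) -> int:
    """Return the key length in bits (40 or 104) or raise ValueError."""
    if method == "hex" and not re.fullmatch(r"[0-9A-Fa-f]+", key):
        raise ValueError("hex key contains non-hexadecimal characters")
    if method == "ascii" and not key.isascii():
        raise ValueError("ASCII key contains non-ASCII characters")
    try:
        return KEY_LENGTHS[method][len(key)]
    except KeyError:
        raise ValueError(
            f"{method} key must encode 40 or 104 bits, got {len(key)} characters"
        ) from None


class WepBss:
    """Per-BSS WEP key table: key ID -> (key string, string type, bits)."""

    def __init__(self):
        self.keys = {}
        self.default_id = None

    def add_key(self, key_id: int, key: str, method: str, default: bool = False):
        if key_id not in (1, 2, 3, 4):
            raise ValueError("WEP key ID must be 1, 2, 3, or 4")
        self.keys[key_id] = (key, method, wep_key_bits(key, method))
        # The first key defined becomes the default unless another is designated.
        if default or self.default_id is None:
            self.default_id = key_id

    def encryption_key(self) -> int:
        """The default key always handles traffic encrypted toward clients."""
        return self.default_id

    def key_for_client(self, client_key_id=None) -> int:
        """Key used to authenticate/decrypt a client; no ID means the default."""
        if client_key_id is None:
            return self.default_id
        if client_key_id not in self.keys:
            raise KeyError(f"client referenced undefined WEP key ID {client_key_id}")
        return client_key_id
```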

Using Wi-Fi Protected Access

You can configure the SSID to use WPA enterprise mode or WPA personal mode.

WPA (Enterprise Mode) authentication uses an external RADIUS authentication server. When using WPA, you must also configure the rekey interval and encryption method. The WPA enterprise mode settings are displayed in Table 89.

Table 89: WPA Enterprise Mode Settings

Parameters and descriptions:

Encryption

The encryption setting specifies the encryption method used between the security device and wireless clients in the subnetwork. Select one of the following:

  • AES—The Advanced Encryption Standard (AES) is used by WPA2 devices. AES uses the Robust Security Network (RSN) cipher for encryption. This encryption mechanism is a block cipher (it operates on 128-bit data blocks).
  • TKIP—The Temporal Key Integrity Protocol (TKIP) is used by WPA (version 1) devices. TKIP is a key management protocol that handles key generation and key synchronization; TKIP uses the RC4 algorithm for encryption.
  • Auto—When enabled, the device uses whichever encryption method (AES or TKIP) the client uses.

rekey-interval

The rekey interval defines the number of seconds between group key updates. To enable key updates, select Value; the default interval is 1800 seconds and the acceptable range is 30-42949672 seconds. To disable key updates, select Disabled.

WPA-PSK (Personal Mode) authentication uses a passphrase or pre-shared key stored on the security device to permit access to the SSID. When using WPA-PSK, you must also configure the WPA-PSK authentication and encryption methods. The WPA personal mode settings are displayed in Table 90.

Table 90: WPA Personal Mode Settings

Parameters and descriptions:

Authentication (WPA-PSK)

The authentication setting specifies the authentication methods for wireless clients attempting to access the SSID:

  • Passphrase—When enabled, you must configure a passphrase (8-63 ASCII characters) that permits access to the SSID.
  • PSK—When enabled, you must enter a pre-shared key (256 bits, entered as 64 hexadecimal characters) that permits access to the SSID.

Encryption

The encryption setting specifies the encryption method used between the security device and wireless clients in the subnetwork. Select one of the following:

  • AES—The Advanced Encryption Standard (AES) is used by WPA2 devices. AES uses the Robust Security Network (RSN) cipher for encryption. This encryption mechanism is a block cipher (it operates on 128-bit data blocks).
  • TKIP—The Temporal Key Integrity Protocol (TKIP) is used by WPA (version 1) devices. TKIP is a key management protocol that handles key generation and key synchronization; TKIP uses the RC4 algorithm for encryption.
  • Auto—When enabled, the device uses whichever encryption method (AES or TKIP) the client uses.
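The two WPA-PSK credential forms in Table 90 resolve to the same 256-bit key: a passphrase of 8-63 ASCII characters is expanded with PBKDF2-HMAC-SHA1 over the SSID (4096 iterations, as IEEE 802.11i specifies), while a PSK is entered directly as 64 hexadecimal characters. The following is an added example, not NetScreen code; the function names are invented, and because the SSID is the PBKDF2 salt, the same passphrase on a renamed SSID yields a different PSK, so a directly entered PSK must be regenerated whenever the SSID changes.

```python
import hashlib
import re

# Constructed example of WPA personal-mode credential handling (not NetScreen code).


def psk_from_passphrase(passphrase: str, ssid: str) -> str:
    """Expand an 8-63 character ASCII passphrase into the 256-bit PSK (hex)."""
    if not passphrase.isascii() or not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    # IEEE 802.11i: PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits)
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)
    return psk.hex()


def validate_psk(psk_hex: str) -> bytes:
    """Accept a directly entered PSK only if it is exactly 64 hex characters."""
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", psk_hex):
        raise ValueError("PSK must be exactly 64 hexadecimal characters (256 bits)")
    return bytes.fromhex(psk_hex)


def wpa_personal_key(ssid: str, passphrase=None, psk_hex=None) -> bytes:
    """Resolve the 256-bit key from whichever credential type is configured."""
    if (passphrase is None) == (psk_hex is None):
        raise ValueError("configure exactly one of passphrase or PSK")
    if passphrase is not None:
        return bytes.fromhex(psk_from_passphrase(passphrase, ssid))
    return validate_psk(psk_hex)
```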
