    Configuring SSID Authentication and Encryption

    Each SSID can use specific authentication and encryption settings, enabling you to configure differing levels of security for different resources. By default, the authentication/encryption is set to none; we strongly recommend that you select one of the supported authentication/encryption methods. The NetScreen-5GT Wireless device supports WEP and WPA authentication and encryption methods; to ensure the highest level of security we recommend that you select WPA as your authentication/encryption method.

    Wired Equivalent Privacy (WEP) uses the Rivest Cipher 4 (RC4) stream cipher to encrypt and decrypt data as it travels over the wireless link. You can store WEP keys locally on the security device or on an external authentication server. Wireless network users store one or more of the same keys on their systems and identify them with the same ID numbers. For details on configuring WEP, see Configuring Wired Equivalent Privacy.

    The Wi-Fi Protected Access (WPA) method patches many of the security vulnerabilities found in WEP, greatly enhancing payload integrity checks and the key exchange process. You can use WPA in one of the following modes:

    • WPA Mode—In this mode, also known as Enterprise Mode, the device uses the Extensible Authentication Protocol (EAP) for authentication through an 802.1X-compliant RADIUS server (such as the OAC RADIUS server and the Microsoft IAS RADIUS server). When handling wireless traffic, the device forwards authentication requests and replies between the wireless clients and the RADIUS server; after successfully authenticating a client, the RADIUS server sends an encryption key to both the client and to the device. The device itself manages the encryption process using Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES).
    • WPA-PSK—In this mode, also known as Personal Mode, the device uses preshared keys (PSKs) or a passphrase for authentication and encryption. Keys are stored on the device and on all wireless clients; you do not need to configure a separate authentication server.

    Note: For details about TKIP, see the IEEE standard 802.11. For details about AES, see RFC 3268, “Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS).”

    For details on configuring WPA, see Using Wi-Fi Protected Access.

    Configuring Wired Equivalent Privacy

    Although you can configure WEP for all the basic service sets (BSSs), the NetScreen-5GT Wireless device intentionally restricts its use to only one BSS at a time. The WEP authentication options are as follows:

    • Auto—When selected, the device negotiates with each wireless client whether or not the client authenticates itself with a WEP shared key (the device accepts both open-system and shared-key authentication). Use this option to improve compatibility between the WAP and wireless devices running operating systems with different implementations of WEP.
    • Open—When selected, a wireless client must provide the SSID to the device before the device authenticates the client. For encryption, select one of the following:
      • None—When selected, no encryption is performed.
      • WEP—When enabled, an authenticated wireless client must provide a WEP key to the device before the client can encrypt and decrypt communication over the WLAN. Because the Open option is insecure (especially if the device is configured to broadcast the SSID), we recommend that you also enable WEP encryption.

    When using WEP encryption, you must also select a key source, which specifies the location of the WEP key:

    • None or Local—The key is stored on the security device; this is the default key source. When enabled, you must configure a default WEP key on the security device.
    • Server—The key is stored on a RADIUS authentication server. When enabled, you must configure a RADIUS authentication server to handle WEP key requests (you do not need to configure or use a WEP key on the security device).
    • Both—The key is stored on the security device and on the RADIUS authentication server. When enabled, you must configure a RADIUS authentication server to handle WEP key requests and configure a default WEP key on the security device.
    • Shared Key—When selected, both the device and the wireless clients use the same key for authentication and encryption/decryption. You must configure a default WEP key on the security device.

    During a shared key exchange:

    1. The wireless client contacts the device.
    2. The device responds to the client with a clear-text challenge string that the client must encrypt with the correct WEP key and return to the device.
    3. The device receives the encrypted string from the client, decrypts it, and compares it with the original. If the strings match, authentication is successful; if the strings do not match or the client does not respond, authentication fails.

    Although this method uses WEP keys for encryption, an attacker might be able to intercept both the clear-text challenge and the same challenge encrypted with a WEP key, and potentially decipher the WEP key.

    Configuring WEP Keys

    You can define WEP keys on the security device for BSS use. The security device, acting as a wireless access point (WAP), uses WEP keys for authenticating wireless clients in that BSS, and for encrypting and decrypting traffic sent between itself and the clients.

    You can define one to four WEP keys for each BSS on the security device. Using multiple keys enables you to adjust the level of security for different wireless clients within the same BSS; you can use longer keys to provide greater security for some traffic and shorter keys to reduce processing overhead for other, less critical traffic.

    When you define only one WEP key on the security device, that key is the default key and handles all encryption, authentication, and decryption. When you define multiple keys on the security device, you can designate non-default keys to handle authentication and decryption (the default key always handles encryption). If you do not specify a default key, the first key you define automatically becomes the default key.

    Wireless clients can use a static WEP key stored on the device, or a dynamic key on an external RADIUS server.

    • When clients use a unique, dynamic WEP key from an external RADIUS server, the security device also uses this unique key—which it also receives from the RADIUS server—for bidirectional communication.
    • When clients use static WEP keys stored locally on the security device, the device uses the default key to encrypt all transmitted wireless traffic. Clients must also have the default key loaded to decrypt traffic from the device.

    The key ID identifies each configured WEP key and is the value that clients use to select the matching key. When all WEP keys are stored on the security device, you can assign the default key ID as 1, 2, 3, or 4.

    However:

    • When using WEP keys stored on the security device and dynamic WEP keys created by an external RADIUS server (RADIUS dynamically creates and distributes a different key per session for each wireless client), the ID for the default WEP key on the security device cannot be 1 because the RADIUS server uses 1 as the ID for all its keys. The security device can use a default WEP key with key ID 2, 3, or 4 for encryption, and a different WEP key with ID 1, 2, 3, or 4 for authentication and decryption.
    • When all WEP keys are on an external RADIUS server, the server uses a key ID of 1 for all its keys (RADIUS dynamically creates and distributes a different key per session for each wireless client).

    An encryption key length specifies the length of the key in bits. Juniper Networks supports two WEP key lengths: 40 and 104 bits. Because the keys are concatenated with a 24-bit initialization vector (IV), the resulting lengths are 64 and 128 bits.

    Longer keys are more secure than shorter keys, but longer keys take longer to process and can reduce throughput speeds. Select the key length that is appropriate to the importance of the wireless traffic you want to protect:

    • 40-bit—A 40-bit encryption length enables you to enter 10 hexadecimal digits or 5 ASCII characters.
    • 104-bit—A 104-bit encryption length enables you to enter 26 hexadecimal digits or 13 ASCII characters.

    The encryption method defines the string type (ASCII or hexadecimal) for the WEP key:

    • ASCII—Plain text string.
      • When using 40-bit length and ASCII method, enter 5 ASCII characters.
      • When using a 104-bit length and ASCII method, enter 13 ASCII characters.
    • Hexadecimal (default)—A hexadecimal string uses only the digits 0-9 and the letters A-F. For example, 662ADC918DDD662ADC918DDD66 is a valid hexadecimal string but CADETS01234567890123456789 is not; the T and S are outside the valid hexadecimal range. The number of hexadecimal characters you enter depends on the specified key length:
      • When using 40-bit length and hexadecimal method, enter 10 hexadecimal characters.
      • When using a 104-bit length and hexadecimal method, enter 26 hexadecimal characters.

    When using a single key on the security device for encryption, decryption, and authentication, you must define the default WEP key.

    You can specify a static, non-default WEP key that the security device uses for authenticating and decrypting traffic received from wireless clients. However, each client must also load that WEP key (and its ID) before it can authenticate itself and send encrypted traffic to the security device. If a client does not supply a key ID, the security device attempts to use the default WEP key to authenticate the client and decrypt its traffic.
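    The length, character-set and key-ID rules above are easy to get wrong at configuration time, so the following is an added Python check (not ScreenOS code, not from Juniper) that applies exactly those rules: 10 or 26 hexadecimal digits, 5 or 13 ASCII characters, key IDs 1-4, and no default key ID of 1 when clients also receive dynamic WEP keys from RADIUS. The two hexadecimal strings used as inputs are the page's own examples; the other inputs are constructed.

```python
import re

# Rules from the page: a 40-bit key is 10 hex digits or 5 ASCII characters,
# a 104-bit key is 26 hex digits or 13 ASCII characters.
KEY_CHARS = {  # (length in bits, entry method) -> required character count
    (40, "hex"): 10, (104, "hex"): 26,
    (40, "ascii"): 5, (104, "ascii"): 13,
}
HEX_CHAR = re.compile(r"[0-9A-Fa-f]")


def check_wep_key(key, length_bits, method):
    """Return (ok, reason) for one WEP key string under the page's rules."""
    want = KEY_CHARS.get((length_bits, method))
    if want is None:
        return False, "length must be 40 or 104 bits; method must be ascii or hex"
    if len(key) != want:
        return False, f"{length_bits}-bit {method} key needs {want} characters, got {len(key)}"
    if method == "hex":
        bad = sorted({c for c in key if not HEX_CHAR.fullmatch(c)})
        if bad:
            return False, "characters outside 0-9/A-F: " + "".join(bad)
    elif not key.isascii():
        return False, "ASCII key contains non-ASCII characters"
    return True, "ok"


def check_default_key_id(key_id, radius_dynamic_keys):
    """Return (ok, reason) for the device's default key ID.

    When RADIUS also hands out per-session dynamic WEP keys, it uses ID 1 for
    all of them, so the device's default key must use 2, 3, or 4.
    """
    if key_id not in (1, 2, 3, 4):
        return False, "key ID must be 1, 2, 3, or 4"
    if radius_dynamic_keys and key_id == 1:
        return False, "ID 1 is reserved for RADIUS dynamic keys; use 2, 3, or 4"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs; the first two hex strings are the page's examples.
    for key, bits, method in [("662ADC918DDD662ADC918DDD66", 104, "hex"),
                              ("CADETS01234567890123456789", 104, "hex"),
                              ("abcde", 40, "ascii"), ("abcdef", 40, "ascii")]:
        print(key, bits, method, check_wep_key(key, bits, method))
    print("default key ID 1 with RADIUS keys:", check_default_key_id(1, True))
```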

    Using Wi-Fi Protected Access

    You can configure the SSID to use WPA enterprise mode or WPA personal mode.

    WPA (Enterprise Mode) authentication uses an external RADIUS authentication server. When using WPA, you must also configure the rekey interval and encryption method. The WPA enterprise mode settings are described in Table 1.

    Table 1: WPA Enterprise Mode Settings

    Parameter: Encryption
    Description: The encryption setting specifies the encryption method used between the security device and wireless clients in the subnetwork. Select one of the following:

    • AES—The Advanced Encryption Standard (AES) is used by WPA 2 devices as the cipher for Robust Security Network (RSN) encryption. AES is a block cipher that operates on 128-bit data blocks.
    • TKIP—The Temporal Key Integrity Protocol (TKIP) is used by WPA 1 devices. TKIP is a key management protocol that handles key generation and key synchronization; TKIP uses the RC4 algorithm for encryption.
    • Auto—When enabled, the device uses the encryption method (AES or TKIP) used by the client.

    Parameter: rekey-interval
    Description: The rekey interval defines the number of seconds between group key updates. To enable key updates, select Value; the default interval is 1800 seconds and the acceptable range is 30-42949672 seconds. To disable key updates, select Disabled.

    WPA-PSK (Personal Mode) authentication uses a passphrase or preshared key stored on the security device to permit access to the SSID. When using WPA-PSK, you must also configure the authentication and encryption methods. The WPA personal mode settings are described in Table 2.

    Table 2: WPA Personal Mode Settings

    Parameter: Authentication (WPA-PSK)
    Description: The authentication setting specifies the authentication method for wireless clients attempting to access the SSID:

    • Passphrase—When enabled, you must configure a passphrase (8-63 ASCII characters) that permits access to the SSID.
    • PSK—When enabled, you must enter a preshared key (256 bits, entered as 64 hexadecimal characters) that permits access to the SSID.

    Parameter: Encryption
    Description: The encryption setting specifies the encryption method used between the security device and wireless clients in the subnetwork. Select one of the following:

    • AES—The Advanced Encryption Standard (AES) is used by WPA 2 devices as the cipher for Robust Security Network (RSN) encryption. AES is a block cipher that operates on 128-bit data blocks.
    • TKIP—The Temporal Key Integrity Protocol (TKIP) is used by WPA 1 devices. TKIP is a key management protocol that handles key generation and key synchronization; TKIP uses the RC4 algorithm for encryption.
    • Auto—When enabled, the device uses the encryption method (AES or TKIP) used by the client.
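    The Passphrase and PSK options are two ways of entering the same 256-bit key: WPA derives the raw PSK from the passphrase and the SSID. The following added Python (not ScreenOS or Juniper code) validates both entry formats as the table describes them and performs that derivation. The derivation parameters (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 32-byte output) and the printable-ASCII restriction are taken from IEEE 802.11i, not from this page, and the test vector is the one published in that standard.

```python
import hashlib
import re

HEX64 = re.compile(r"^[0-9A-Fa-f]{64}$")


def check_passphrase(passphrase):
    """Page rule: a WPA-PSK passphrase is 8-63 ASCII characters.

    Assumption from IEEE 802.11i: only printable ASCII (codes 32-126) is allowed.
    """
    if not 8 <= len(passphrase) <= 63:
        return False, f"passphrase must be 8-63 characters, got {len(passphrase)}"
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        return False, "passphrase must contain only printable ASCII characters"
    return True, "ok"


def check_psk_hex(psk_hex):
    """Page rule: a raw PSK is 256 bits entered as 64 hexadecimal characters."""
    if not HEX64.match(psk_hex):
        return False, "PSK must be exactly 64 hexadecimal characters (256 bits)"
    return True, "ok"


def derive_psk(passphrase, ssid):
    """Turn a passphrase plus SSID into the 64-hex-character PSK.

    Assumption (IEEE 802.11i, not stated on the page): PBKDF2-HMAC-SHA1 with the
    SSID as salt, 4096 iterations, 32 bytes of output. The same passphrase gives
    a different PSK on a different SSID, so re-derive it after renaming an SSID.
    """
    ok, reason = check_passphrase(passphrase)
    if not ok:
        raise ValueError(reason)
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return raw.hex()


if __name__ == "__main__":
    # Constructed SSID and passphrase; both would be entered in the WebUI.
    psk = derive_psk("correct horse battery", "branch-office-wlan")
    print("PSK:", psk, check_psk_hex(psk))
    print(check_passphrase("short"))
```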

    Published: 2013-01-02