Understanding Client Security
The access point supports several types of authentication methods that are used by clients to connect to the access point. Each of these methods and their associated parameters is configurable on a per virtual access point basis. By default, no security is in place on the access point, so any wireless client can associate with it and access your LAN. You configure secure wireless client access for each virtual access point on an access point.
The following sections describe the security you can configure for wireless clients.
No Security
No security (also referred to as plain text security) means that data transferred between clients and the access point is not encrypted. This method allows clients to associate with the access point without any authentication. This is generally not recommended but can be used in conjunction with a guest VLAN and a Web-based authentication server, or for debugging network problems.
Static WEP
Wired Equivalent Privacy (WEP) is a data encryption standard for 802.11 wireless networks. You configure a static 64- or 128-bit preshared key for a virtual access point and its potential clients. Because of its well-documented vulnerabilities, static WEP is generally not recommended in networks that require high security. However, in networks where clients do not support stronger security methods such as Wi-Fi Protected Access (WPA), static WEP is preferable to no security at all.
Static WEP mode supports key lengths of 64 and 128 bits. The access point also supports weak initialization vector (IV) avoidance, which mitigates some of the known weaknesses of WEP.
For static WEP, you can also select open system and/or shared key authentication:
- Open system allows any client to associate with the access point. This method is also used with plain text, 802.1X and WPA modes. However, clients must have the correct WEP key configured to successfully decrypt data from the access point and transmit properly encrypted data to the access point.
- Shared key authentication requires the client to have the correct WEP key configured to associate with the access point.
Enabling both open system and shared key supports clients configured for either authentication mode. Clients configured to use WEP with open system are allowed to associate with the access point, but must have the correct key configured to pass traffic. Clients configured to use WEP with shared key must have the proper key configured to associate with the access point.
When using static WEP, follow these guidelines:
- All clients must have their WLAN security set to use WEP; clients must specify one of the WEP keys configured on the access point to decode data transmissions from the access point.
- The access point must be configured with all WEP keys used by clients to decode data transmissions from the clients.
- A specific WEP key must use the same index on both the access point and clients. For example, if the access point is configured with abc123 for WEP key 3, then the clients must use the same string for WEP key 3.
- Clients can use different keys to transmit data to the access point. Certain wireless client software allows you to configure multiple WEP keys and use a transmit key index to cause the client to encrypt transmitted data using different keys. This ensures that neighboring access points cannot decode each other’s transmissions.
- You cannot mix 64- and 128-bit WEP keys between the access point and clients.
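The guidelines above amount to a consistency check between the access point's key table and each client's key table. The following is an added example, not Juniper's code or part of this documentation: a small Python checker that applies the rules (matching index, matching key string, no 64/128-bit mixing, transmit key present). Key sizes follow the usual WEP convention of 40-bit or 104-bit secret material plus the 24-bit IV, so a 64-bit key is 5 ASCII characters or 10 hex digits and a 128-bit key is 13 ASCII characters or 26 hex digits. The function names, the dictionary layout and the sample configurations are assumptions made for this example.

```python
"""Static WEP configuration consistency check (added example, not Juniper's code)."""
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def wep_key_bits(key: str) -> int:
    """Return 64 or 128 for a well-formed WEP key; raise ValueError otherwise.

    A 64-bit key is 10 hex digits or 5 ASCII characters; a 128-bit key is
    26 hex digits or 13 ASCII characters (secret material plus the 24-bit IV).
    """
    if HEX_RE.match(key) and len(key) in (10, 26):
        return 64 if len(key) == 10 else 128
    if len(key) in (5, 13):
        return 64 if len(key) == 5 else 128
    raise ValueError(f"WEP key {key!r} is not 5/13 ASCII characters or 10/26 hex digits")


def check_static_wep(ap_keys: dict, clients: dict) -> list:
    """Return a list of problems; an empty list means the configuration is consistent.

    ap_keys:  {index: key} for the key slots configured on the virtual access point.
    clients:  {client_name: {"keys": {index: key}, "tx_index": int}}  (assumed layout)
    """
    problems = []
    ap_sizes = set()
    for idx, key in ap_keys.items():
        try:
            ap_sizes.add(wep_key_bits(key))
        except ValueError as exc:
            problems.append(f"access point key {idx}: {exc}")
    if len(ap_sizes) > 1:
        problems.append("access point mixes 64- and 128-bit keys")

    for name, cfg in clients.items():
        keys = cfg["keys"]
        tx = cfg["tx_index"]
        # The transmit key must exist on the client and on the access point so the
        # access point can decode what the client sends.
        if tx not in keys:
            problems.append(f"{name}: transmit key index {tx} has no key configured")
        for idx, key in keys.items():
            try:
                bits = wep_key_bits(key)
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
                continue
            # Same index on both sides, and the key strings must match exactly.
            if idx not in ap_keys:
                problems.append(f"{name}: key index {idx} is not configured on the access point")
            elif ap_keys[idx] != key:
                problems.append(f"{name}: key {idx} does not match the access point's key {idx}")
            # 64- and 128-bit keys cannot be mixed between access point and clients.
            if ap_sizes and bits not in ap_sizes:
                problems.append(f"{name}: key {idx} is {bits}-bit but the access point uses {ap_sizes.pop() if False else sorted(ap_sizes)[0]}-bit keys")
    return problems


# Constructed sample configuration (not from any real deployment).
AP_KEYS = {1: "0123456789", 3: "abc12"}          # both 64-bit: 10 hex digits, 5 ASCII chars
CLIENTS = {
    "laptop-a": {"keys": {1: "0123456789", 3: "abc12"}, "tx_index": 3},   # consistent
    "laptop-b": {"keys": {3: "abc12"}, "tx_index": 3},                    # consistent
    "laptop-c": {"keys": {2: "abc12"}, "tx_index": 2},                    # wrong key index
    "laptop-d": {"keys": {1: "0123456789abcdef0123456789"}, "tx_index": 1},  # 128-bit key
}

if __name__ == "__main__":
    for problem in check_static_wep(AP_KEYS, CLIENTS):
        print(problem)
```

Running the sample reports three problems: laptop-c uses an index the access point does not have, and laptop-d's key 1 both differs from the access point's key 1 and mixes a 128-bit key into a 64-bit deployment.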
Dynamic WEP
Dynamic WEP improves security over static WEP by utilizing 802.1X to distribute dynamically generated keys from the access point to its clients. A RADIUS server provides a WEP key for each client session and regenerates keys at each reauthentication interval.
This method requires a RADIUS server that uses the Extensible Authentication Protocol (EAP), such as the Microsoft Internet Authentication Server. To work with Windows clients, the RADIUS server must support Protected EAP (PEAP) and Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2).
You can use any of the authentication methods supported by IEEE 802.1X, including certificates, Kerberos, and public key authentication. Clients must be configured to use the same authentication method that the access point uses.
WPA Personal
Wi-Fi Protected Access (WPA) Personal is a Wi-Fi Alliance standard that uses preshared key authentication with the Advanced Encryption Standard-Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP) and Temporal Key Integrity Protocol (TKIP) cipher suites. Both WPA and the newer WPA2 standards are supported. If you have both clients that support WPA2 and clients that only support WPA, you can configure the virtual access point to allow both types of clients to associate and authenticate.
WPA Enterprise
Wi-Fi Protected Access (WPA) Enterprise is a Wi-Fi Alliance standard that uses RADIUS server authentication with the Advanced Encryption Standard-Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP) and Temporal Key Integrity Protocol (TKIP) cipher suites. This mode combines high-security encryption with centrally managed user authentication. Both WPA and the newer WPA2 standards are supported. If you have both clients that support WPA2 and clients that only support WPA, you can configure the virtual access point to allow both types of clients to associate and authenticate.
If WPA2 is selected, preauthentication can also be enabled. When a client preauthenticates to an access point, the following RADIUS attributes are stored in the access point’s preauthentication cache. These values are applied to the client’s session when the client roams to that access point:
- VLAN attributes:
  - Tunnel-type
  - Tunnel-medium-type
  - Tunnel-private-group-id
- Client QoS attributes:
  - Vendor-specific (26), WISPr-bandwidth-max-dn
  - Vendor-specific (26), WISPr-bandwidth-max-up
  - Vendor-specific (26), LVL7-wireless-client-ACL-dn
  - Vendor-specific (26), LVL7-wireless-client-ACL-up
  - Vendor-specific (26), LVL7-wireless-client-policy-dn
  - Vendor-specific (26), LVL7-wireless-client-policy-up
- Session timeout:
  - Session timeout
The session timeout and the system up time (sysUpTime) at the time the preauthentication was performed are stored to calculate and set the remaining session time correctly.
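The remaining-session-time calculation is easy to get wrong if sysUpTime and Session-Timeout are not in the same units. The following is an added example, not Juniper's code or part of this documentation: a Python model of the preauthentication cache that stores only the RADIUS attributes listed above together with sysUpTime at preauthentication, and on roam applies them with the Session-Timeout reduced by the time already elapsed. It assumes sysUpTime is an SNMP TimeTicks value (hundredths of a second, wrapping at 2^32) and Session-Timeout is in seconds as RADIUS defines it; the class names, the MAC addresses and the sample Access-Accept attributes are constructed for this example.

```python
"""WPA2 preauthentication cache model (added example, not Juniper's code)."""
from dataclasses import dataclass

# RADIUS attributes the text lists as cached at preauthentication.
VLAN_ATTRS = ("Tunnel-type", "Tunnel-medium-type", "Tunnel-private-group-id")
QOS_ATTRS = (
    "WISPr-bandwidth-max-dn", "WISPr-bandwidth-max-up",
    "LVL7-wireless-client-ACL-dn", "LVL7-wireless-client-ACL-up",
    "LVL7-wireless-client-policy-dn", "LVL7-wireless-client-policy-up",
)
CACHED_ATTRS = frozenset(VLAN_ATTRS + QOS_ATTRS + ("Session-Timeout",))

TICKS_PER_SECOND = 100      # SNMP sysUpTime is TimeTicks (1/100 s)
TICK_WRAP = 2 ** 32         # TimeTicks is a 32-bit counter


@dataclass
class PreauthEntry:
    attrs: dict           # cached RADIUS attributes only
    preauth_uptime: int   # sysUpTime (ticks) when preauthentication completed


class PreauthCache:
    """Per-access-point cache keyed by client MAC address (assumed key)."""

    def __init__(self):
        self._entries = {}

    def store(self, client_mac: str, radius_attrs: dict, sys_uptime: int) -> None:
        """Keep only the attributes the access point is specified to cache."""
        cached = {k: v for k, v in radius_attrs.items() if k in CACHED_ATTRS}
        self._entries[client_mac] = PreauthEntry(cached, sys_uptime % TICK_WRAP)

    def apply_on_roam(self, client_mac: str, sys_uptime: int):
        """Return the attributes to apply to the roaming client's session.

        Returns None when there is no usable cache entry (no preauthentication,
        or the session timeout has already elapsed), in which case the client
        must perform a full authentication.
        """
        entry = self._entries.pop(client_mac, None)
        if entry is None:
            return None
        session = dict(entry.attrs)
        timeout = session.get("Session-Timeout")
        if timeout is not None:
            # Modular subtraction handles a sysUpTime counter wrap.
            elapsed_ticks = (sys_uptime - entry.preauth_uptime) % TICK_WRAP
            remaining = timeout - elapsed_ticks // TICKS_PER_SECOND
            if remaining <= 0:
                return None
            session["Session-Timeout"] = remaining
        return session


# Constructed sample Access-Accept attributes (values are illustrative only).
SAMPLE_ACCESS_ACCEPT = {
    "Tunnel-type": 13,                  # VLAN
    "Tunnel-medium-type": 6,            # IEEE-802
    "Tunnel-private-group-id": "20",    # VLAN ID
    "WISPr-bandwidth-max-dn": 2_000_000,
    "Session-Timeout": 3600,
    "Reply-Message": "welcome",         # not cached: not in the list above
}

if __name__ == "__main__":
    cache = PreauthCache()
    cache.store("00:11:22:33:44:55", SAMPLE_ACCESS_ACCEPT, sys_uptime=100_000)   # t = 1000 s
    print(cache.apply_on_roam("00:11:22:33:44:55", sys_uptime=160_000))           # t = 1600 s
```

In the sample run the client roams 600 seconds after preauthenticating, so the applied Session-Timeout is 3000 seconds and Reply-Message is absent from the applied set.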
Related Topics
- Example: Configuring a Virtual Access Point for No Security and HTTP Redirect (CLI)
- Example: Configuring a Virtual Access Point for No Security and HTTP Redirect (J-Web)
- Example: Configuring a Virtual Access Point for WPA Enterprise and MAC Filtering (CLI)
- Example: Configuring a Virtual Access Point for WPA Enterprise and MAC Filtering (J-Web)