How Do I Know Which Security Mode to Use?
In general, we recommend that on your Internal network you use the most robust
security mode that is feasible in your environment. When configuring security on
the access point, you must first choose the security mode, then (in some modes) an
authentication algorithm, and finally whether to allow clients that are not using the
specified security mode to associate.
Wi-Fi Protected Access (WPA) with Remote Authentication Dial-In User Service
(RADIUS) using the CCMP (AES) encryption algorithm provides the best data protection
available and is clearly the best choice if all client stations are equipped with WPA
supplicants. However, backward compatibility or interoperability issues with clients or
even with other access points may require that you configure WPA with RADIUS with a
different encryption algorithm or choose one of the other security modes.
That said, security may not be as much of a priority on some types of networks.
If you are simply providing internet and printer access, as on a guest network, plain text
mode (no security) may be the appropriate choice. To prevent clients from accidentally
discovering and connecting to your network, you can disable the broadcast SSID so
that your network name is not advertised. If the network is sufficiently isolated from
access to sensitive information, this may offer enough protection in some situations.
This level of protection is the only one offered for guest networks, and also may be the
right convenience trade-off for other scenarios where the priority is making it as easy
as possible for clients to connect. (See “Does Prohibiting the Broadcast SSID Enhance
Security?” in this manual.)
Following is a brief discussion of what factors make one mode more secure than another,
a description of each mode offered, and when to use each mode.
Comparison of Security Modes for Key Management, Authentication and Encryption Algorithms
Three major factors that determine the effectiveness of a security protocol are:
• How the protocol manages keys
• Presence or absence of integrated user authentication in the protocol
• Encryption algorithm or formula the protocol uses to encode/decode the data
Configuring Security