D-Link DWL-2210AP Router Manual PDF (Setup & Configuration Guide)

Home

Manuals

D-Link

DWL-2210AP

Page 66 / 193 Scroll up to view Page 61 - 65

Following is a list of the security modes available on the D-Link DWL-2210AP along

with a description of the key management, authentication, and encryption algorithms

used in each mode. We include some suggestions as to when one mode might be more

appropriate than another.

• When to Use Plain Text

• When to Use Static WEP

• When to Use IEEE 802.1x

• When to Use WPA with RADIUS

• When to Use WPA-PSK

When to Use Plain Text

Plain text mode by deﬁnition provides no security. In this mode, the data is not encrypted

but rather sent as “plain text” across the network. No key management, data encryption

or user authentication is used.

Recommendations

Plain text mode is

not recommended

for regular use on the Internal network because it

is not secure.

Plain text mode is the only mode in which you can run the Guest network, which is by

deﬁnition an unsecure

LAN

always virtually or physically separated from any sensitive

information on the Internal LAN.

Therefore, use plain text mode on the Guest network, and on the Internal network for

initial setup, testing, or problem solving only.

See Also

For information on how to conﬁgure plain text mode, see “Plaintext”

under “Conﬁguring

Security Settings” in this manual.

When to Use Static WEP

Static

Wired Equivalent Privacy

(

WEP

) is a data encryption protocol for 802.11 wireless

networks. All wireless stations and access points on the network are conﬁgured with a

static 64-bit (40-bit secret key + 24-bit initialization vector (IV) or 128-bit (104-bit secret

key + 24-bit IV) Shared Key for data encryption.

Conﬁguring Security

Page 67 / 193

If you set the Authentication

Algorithm to Shared Key, this

protocol provides a rudimentary

form of user authentication.

However, if the Authentication

Algorithm is set to “Open

System”, no authentication is

performed.

If the algorithm is set to

“Both”, only WEP clients are

authenticated.

Static

WEP

uses a ﬁxed key that

is provided by the administrator.

WEP keys are indexed in different

slots (up to four on the D-Link

DWL -2210AP).

The client stations must have the

same key indexed in the same

slot to access data on the access

point.

RC4

stream cipher

is used to encrypt the

frame body and

cyclic

redundancy checking

(CRC) of each 802.11

frame.

Key Management

Encryption Algorithm

User Authentication

Recommendations

Static WEP was designed to provide the security equivalent of sending unencrypted

data through an Ethernet connection, however it has major ﬂaws and it does not provide

even this intended level of security.

Therefore,

Static WEP is not recommended

as a secure mode. The only time to use Static

WEP is when interoperability issues make it the only option available to you and you

are not concerned with the potential of exposing the data on your network.

See Also

For information on how to conﬁgure Static WEP security mode, see “Static WEP”

under “Conﬁguring Security Settings” in this manual.

When to Use IEEE 802.1x

IEEE

802.1x

is the standard for passing the Extensible Authentication Protocol (

EAP

)

over an 802.11 wireless network using a protocol called EAP Encapsulation Over

LANs (EAPOL). This is a newer, more secure standard than static WEP.

Conﬁguring Security

Page 68 / 193

IEEE 802.1x mode supports

a variety of authentication

methods, like certificates,

Kerberos, and public key

authentication with a RADIUS

server.

You have a choice of using the

D-Link DWL-2210AP

embedded RADIUS server or

an external RADIUS server.

The embedded RADIUS server

supports Protected

EAP

(PEAP) and MSCHAP V2.

IEEE 802.1x provides

dynamically-

generated keys that

are periodically

refreshed.

There are different

Unicast

keys for

each station.

RC4

stream cipher is used to

encrypt the frame body and

cyclic

redundancy checking

(CRC) of

each 802.11 frame.

Key Management Encryption Algorithm

User Authentication

Recommendations

IEEE 802.1x mode is a better choice than Static WEP because keys are dynamically

generated and changed periodically. However, the encryption algorithm used is the same

as that of Static WEP and is therefore not as reliable as the more advanced encryption

methods such as

TKIP

and

CCMP

(

AES

) used in

Wi-Fi Protected Access

(

WPA

Additionally, compatibility issues may be cumbersome because of the variety of

authentication methods supported and the lack of a standard implementation

method.

Therefore, IEEE 802.1x mode is not as secure a solution as

Wi-Fi Protected Access

(

WPA

). If, you cannot use

WPA

because some of your client stations do not have WPA,

then a better solution than using IEEE 802.1x mode is to

use WPA with RADIUS mode

instead and check the “Allow non-WPA IEEE 802.1x clients” checkbox

to allow non-WPA

clients. This way, you get the beneﬁt of IEEE 802.1x key management for non-WPA

clients along with even better data protection of TKIP and CCMP (AES) key management

and encryption algorithms for your WPA clients.

See Also

For information on how to conﬁgure IEEE 802.1x security mode, see “IEEE 802.1x”

under “Conﬁguring Security Settings” in this manual.

When to Use WPA with RADIUS

Wi-Fi Protected Access

(

WPA

) with

Remote Authentication Dial-In User Service

(

RADIUS

) is a Wi-Fi Alliance subset of IEEE

802.11i

, which includes

Temporal Key

Integrity Protocol

(

TKIP

Counter mode/CBC-MAC Protocol

(

CCMP

), and

Advanced

Encryption Standard

(

AES

) mechanisms. This mode requires the use of a RADIUS

server to authenticate users. WPA with RADIUS provides the best security available

for wireless networks.

Conﬁguring Security

Page 69 / 193

Keentication

Remote Authentication Dial-In

User Service

(

RADIUS

You have a choice of using

the D-Link DWL-2210AP

embedded RADIUS server or

an external RADIUS server.

The embedded RADIUS server

supports Protected

EAP

(PEAP) and MSCHAP V2.

Key Management Encryption Algorithm

User Authentication

WPA with RADIUS

provides dynamically

generated keys that

are periodically

refreshed.

There are different

Unicast

keys for

each station.

•

Temporal Key Integrity

Protocol

(

TKIP

)

•

Counter mode/CBC-MAC

Protocol

(

CCMP

)

Advanced

Encryption Standard

(

AES

)

Recommendations

WPA

with

RADIUS

mode is the

recommended mode

. The

CCMP

(

AES

) and

TKIP

encryption algorithms used with WPA modes are far superior to the

RC4

algorithm used

for Static

WEP

or IEEE 802.1x modes. Therefore, CCMP (AES) or TKIP should be used

whenever possible. All WPA modes allow you to use these encryption schemes, so WPA

security modes are recommended above the others when using WPA is an option.

Additionally, this mode (WPA with RADIUS) incorporates a RADIUS server for user

authentication which gives it an edge over WPA-PSK.

Use the following guidelines for choosing options within the WPA with RADIUS security

mode:

The best security you can have to date on a wireless network is WPA with RADIUS

using CCMP (AES) encryption algorithm. AES is a symmetric 128-bit block data

encryption technique that works on multiple layers of the network. It is the most effective

encryption system currently available for wireless networks. If all clients or other APs

on the network are WPA/CCMP compatible, use this encryption algorithm.

The second best choice is WPA with RADIUS with the encryption algorithm set to

“Both” (that is, both TKIP and CCMP). This lets WPA client stations without CCMP

associate, uses TKIP for encrypting

Multicast

and

Broadcast

frames, and allows clients

to select whether to use CCMP or TKIP for

Unicast

(AP-to-single-station) frames. This

WPA conﬁguration allows more interoperability, at the expense of some security. Client

stations that support CCMP can use it for their

Unicast

frames. If you encounter AP-

to-station interoperability problems with the “Both” encryption algorithm setting, then

you will need to select TKIP instead.

The third best choice is WPA with RADIUS with the encryption algorithm set to

TKIP

Some clients have interoperability issues with CCMP and TKIP enabled at the same

time. If you encounter this problem, then choose TKIP as the encryption algorithm.

This is the standard WPA mode, and most interoperable mode with client Wireless

software security features. TKIP is the only encryption algorithm that is being tested

Wi-Fi WPA

certiﬁcation.

Conﬁguring Security

Page 70 / 193

See Also

For information on how to conﬁgure WPA with RADIUS security mode, see “WPA with

RADIUS”

under “Conﬁguring Security Settings” in this manual.

When to Use WPA-PSK

Wi-Fi Protected Access

(

WPA

) with

Pre-Shared Key

(

PSK

) is a Wi-Fi Alliance subset

of IEEE

802.11i

, which includes

Temporal Key Integrity Protocol

(

TKIP

)

Advanced

Encryption Algorithm

(

AES

), and

Counter mode/CBC-MAC Protocol

(CCMP)

mechanisms. This mode offers the same encryption algorithms as WPA with RADIUS

but without the ability to integrate a RADIUS server for user authentication.

WPA-PSK provides

dynamically-generated

keys that are periodically

refreshed.

There are different

Unicast

keys for

each station.

•

Temporal Key Integrity

Protocol

(

TKIP

)

•

Counter mode/CBC-MAC

Protocol

(

CCMP

)

Advanced

Encryption Standard

(

AES

)

The use of a Pre-Shared (

PSK

)

key provides user authentication

similar to that of shared keys in

WEP

Key Management

Encryption Algorithm

User Authentication

If there are older client stations on your network that do not support WPA, you can conﬁgure

WPA with RADIUS (with Both, CCMP, or TKIP) and check the “Allow non-WPA IEEE 802.1x

clients” checkbox to allow non-WPA clients. This way, you get the beneﬁt of IEEE 802.1x

key management for non-WPA clients along with even better data protection of TKIP and

CCMP (AES) key management and encryption algorithms for your WPA clients.

A typical scenario is that one is upgrading a current 802.1x network to use WPA. You might

have a mix of clients; some new clients that support WPA and some older ones that do

not support WPA. You might even have other access points on the network that support

only 802.1x and some that support WPA with RADIUS. For as long as this mix persists,

use the “Allow non-WPA IEEE 802.1x clients” option.

When all the stations have been upgraded to use WPA, you should disable the “Allow

non-WPA IEEE 802.1x clients” option.

Conﬁguring Security

Rate

Popular D-Link Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share