71

Recommendations

WPA w/PSK not recommended for use with the D-Link DWL-2210AP when WPA with

RADIUS is an option.

We recommend that you use WPA with RADIUS mode instead, unless you have

interoperability issues that prevent you from using this mode.

For example, some devices on your network may not support WPA with

EAP

talking

to a

RADIUS

server. Embedded printer servers or other small client devices with

very limited space for implementation may not support RADIUS. For such cases, we

recommend that you use WPA-PSK.

See Also

For information on how to configure WPA-PSK security mode, see “WPA-PSK” under

“Configuring Security Settings” in this manual.

Does Prohibiting the Broadcast SSID Enhance Security?

You can suppress (prohibit) this broadcast to discourage stations from automatically

discovering your access point. When the AP’s broadcast SSID is suppressed, the network

name will not be displayed in the List of Available Networks on a client station. Instead,

the client must have the exact network name configured in the supplicant before it will

be able to connect.

Disabling the broadcast SSID is sufficient to prevent clients from accidentally connecting

to your network, but it will not prevent even the simplest of attempts by a hacker to

connect, or monitor plain text traffic.

This offers a very minimal level of protection on an otherwise exposed network (such

as a guest network) where the priority is making it easy for clients to get a connection

and where no sensitive information is available.

(See also “Guest Network” in this manual.)

Configuring Security

72

Navigating to Security Settings

To set the security mode, navigate to the

Advanced > Security

tab, and update the

fields as described below.

Configuring Security Settings

The following configuration information explains how to configure security modes on

the access point. Keep in mind that each wireless client that wants to exchange data

with the access point must be configured with the same security mode and encryption

key settings consistent with access point security.

On a two-radio AP, these security settings apply to both radios.

Broadcast SSID and Security Mode

To configure security on the access point, select a security mode and fill in the related

fields as described in the following table. (Note you can also allow or prohibit the

Broadcast SSID as an extra precaution as mentioned below.)

Security modes other than Plaintext apply only to configuration of the “Internal” network.

On the “Guest” network, you can use only Plaintext mode. (For more information about

guest networks, see “Setting up Guest Access” in this manual.)

Configuring Security

73

Broadcast SSID

Select the

Broadcast SSID

setting by clicking the “Allow” or “Prohibit”

radio button.

By default, the access point broadcasts (allows) the

Service Set

Identifier

(SSID) in its beacon frames.

You can suppress (prohibit) this broadcast to discourage stations

from automatically discovering your access point. When the AP’s

broadcast SSID is suppressed, the network name will not be

displayed in the List of Available Networks on a client station.

Instead, the client must have the exact network name configured

in the supplicant before it will be able to connect.

Security Mode

Select the

Security Mode

. Select one of the following:

• Plaintext

• Static WEP

• IEEE 802.1x

• WPA with RADIUS

• WPA-PSK

For a Guest network, only the “Plaintext” setting can be used. (For

more information, see “Setting up Guest Access” in this manual.)

Security modes other than Plaintext apply only to configuration of

the “Internal” network; on the Guest network, you can use only

Plaintext mode.

Field

Description

Plaintext

Plain Text

means any data transferred to and from the D-Link DWL-2210AP is not

encrypted.

There are no further options for “Plaintext” mode.

Plain text mode can be useful during initial network configuration or for problem solving,

but it is not recommended for regular use on the Internal network because it is not

secure.

Guest Network

Plain text mode is the only mode in which you can run the Guest network, which is by

definition an easily accessible, unsecure

LAN

always virtually or physically separated

from any sensitive information on the Internal LAN. For example, the guest network

might simply provide internet and printer access for day visitors.

Configuring Security

74

Static WEP

Wired Equivalent Privacy

(

WEP

) is a data encryption protocol for 802.11 wireless

networks. All wireless stations and access points on the network are configured with a

static 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit secret

key + 24-bit IV) Shared Key for data encryption.

You cannot mix 64-bit and 128-bit WEP keys between the access point and its client

stations. Static WEP is not the most secure mode available, but it offers more protection

than plaintext mode as it does prevent an outsider from easily sniffing out unencrypted

wireless traffic. (For more secure modes, see the sections on “IEEE 802.1x,” “WPA

with RADIUS,” or “WPA-PSK” in this manual. WEP encrypts data moving across the

wireless network based on a static key. (The encryption algorithm is a “stream” cipher

called RC4.)

The access point uses a key to transmit data to the client stations. Each client station

must use that same key to decrypt data it receives from the access point.

Client stations can use different keys to transmit data to the access point. (Or they can

all use the same key, but this is less secure because it means one station can decrypt

the data being sent by another.)

If you selected “Static WEP” Security Mode, provide the following on the access point

settings:

For a minimum level of protection on a guest network, you can choose to suppress

(prohibit) the broadcast of the SSID (network name) to discourage client stations from

automatically discovering your access point. (See also “Does Prohibiting the Broadcast

SSID Enhance Security?” in this manual). For more about the Guest network, see

“Setting up Guest Access” in this manual.

The absence of security on the Guest AP is designed to make it as easy as possible

for guests to get a connection without having to program any security settings in their

clients.

Configuring Security

75

Field

Description

Transfer Key Index

Select a key index from the drop-down menu. Key indexes 1

through 4 are available. The default is 1.

The Transfer Key Index indicates which WEP key the access

point will use to encrypt the data it transmits.

Key Length

Specify the length of the key by clicking one of the radio buttons:

• 64-bits

• 128-bits

Key Type

Select the key type by clicking one of the radio buttons:

• ASCII

• Hex

Characters Required

Indicates the number of characters required in the WEP key.

The number of characters required updates automatically based

on how you set Key Length and Key Type.

WEP Keys

You can specify up to four WEP keys. In each text box, enter a

string of characters for each key.

If you selected “ASCII”, enter any combination of integers and

letters

0-9

,

a-z

, and

A-Z

. If you selected “HEX”, enter

hexadecimal digits (any combination of

0-9

and

a-f

or

A-F

).

Use the same number of characters for each key as specified in

the “Characters Required” field. These are the RC4 WEP keys

shared with the stations using the access point.

Each client station must be configured to use one of these

same WEP keys in the same slot as specified here on the AP.

(See “Rules to Remember for Static WEP” in this manual.)

Configuring Security