76

Authentication Algorithm

The authentication algorithm defines the method used

to determine whether a client station is allowed to

associate with an access point when static WEP is the

security mode.

Specify the authentication algorithm you want to use by

choosing one of the following from the drop-down

menu:

• Open System

• Shared Key

• Both

Open System

authentication allows any client station to

associate with the access point whether that client

station has the correct WEP key or not. This is algorithm

is also used in plaintext, IEEE 802.1x, and WPA modes.

When the authentication algorithm is set to “Open

System”, any client can associate with the access point.

Note that just because a client station is allowed to

associate

does not ensure it can exchange traffic with

an access point. A station must have the correct WEP

key to be able to successfully access and decrypt data

from an access point, and to transmit readable data to

the access point.

Shared Key

authentication requires the client station to

have the correct WEP key in order to associate with the

access point. When the authentication algorithm is set

to “Shared Key”, a station with an incorrect WEP key will

not be able to associate with the access point.

Both

is the default. When the authentication algorithm

is set to “Both”:

Field

Description

Configuring Security

Client stations configured to use WEP in

shared key mode must have a valid WEP key

in order to associate with the access point.

Client stations configured to use WEP as an

open system (shared key mode not enabled)

will be able to associate with the access point

even if they do not have the correct WEP key.

•

•

77

Rules to Remember for Static WEP

All client stations must have the Wireless LAN (WLAN) security set to WEP and

all clients must have one of the WEP keys specified on the AP in order to decode

AP-to-station data transmissions.

The AP must have all keys used by clients for station-to-AP transmit so that it can

decode the station transmissions.

The same key must occupy the same slot on all nodes (AP and clients). For example

if the AP defines abc123

key as WEP key 3, then the client stations must define

that same string as WEP key 3.

On some wireless client software (like Funk Odyssey), you can configure multiple

WEP keys and define a client station “transfer key index”, and then set the stations

to encrypt the data they transmit using different keys. This ensures that neighboring

APs cannot decode each other’s transmissions.

•

•

•

•

Example of Using Static WEP

For a simple example, suppose you configure three WEP keys on the access point. In

our example, the Transfer Key Index for the AP is set to “3”. This means that the WEP

key in slot “3” is the key the access point will use to encrypt the data it sends.

You must then set all client stations to use WEP and provide each client with one of the

slot/key combinations you defined on the AP.

For this example, we’ll set WEP key 1 on a Windows client.

(Please see the next page.)

Setting the AP Transfer Key on the Access Point

Configuring Security

78

Providing a Wireless Client with a WEP Key

If you have a second client

station, that station also

needs to have one of the

WEP keys defined on the

AP.

You could give it the same

WEP key you gave to the

first station. Or for a more

secure solution, you could

give the second station

a different WEP key (key

2, for example) so that

the two stations cannot

decrypt each other’s

transmissions.

Static WEP with Transfer Key

Indexes on Client Stations

Some wireless client

software (like Funk

Odyssey) lets you

configure multiple WEP

keys and set a transfer

index on the client

station, then you can

specify different keys to

be used for

station-to-

AP transmissions.

(The standard Windows wireless client software does not allow you to do this.)

To build on our example, using Funk Odyssey client software you could give each of

the clients WEP key 3 so that they can decode the AP transmissions with that key and

also give client 1 WEP key 1 and set this as its transfer key. You could then give client

2 WEP key 2 and set this as its transfer key index.

The figure on the next page illustrates the dynamics of the AP and two client stations

using multiple WEP keys and a transfer key index.

Configuring Security

79

Example of Using Multiple WEP Keys and Transfer Key Index on Client Stations

IEEE 802.1x

IEEE 802.1x

is the standard defining port-based authentication and infrastructure for

doing key management. Extensible Authentication Protocol (

EAP

) messages sent

over an

IEEE 802.11

wireless network using a protocol called EAP Encapsulation

Over LANs (EAPOL). IEEE 802.1x provides dynamically-generated keys that are

periodically refreshed. An RC4 stream cipher is used to encrypt the frame body and

cyclic redundancy checking (CRC) of each 802.11 frame.

This mode requires the use of a

RADIUS

server to authenticate users, and configuration

of user accounts via the Cluster > Users tab.

The access point requires a RADIUS server capable of

EAP

, such as the Microsoft

Internet Authentication Server or the D-Link DWL-2210AP internal authentication server.

To work with Windows clients, the authentication server must support Protected EAP

(PEAP) and

MSCHAP V2

.

When configuring IEEE 802.1x mode, you have a choice of whether to use the embedded

RADIUS server or an external RADIUS server that you provide. The D-Link DWL-2210AP

embedded RADIUS server supports Protected

EAP

(PEAP) and MSCHAP V2.

If you use your own RADIUS server, you have the option of using any of a variety of

authentication methods that the IEEE 802.1x mode supports, including certificates,

Kerberos, and public key authentication. Keep in mind, however, that the client stations

must be configured to use the same authentication method being used by the access

point.

Configuring Security

80

If you selected “IEEE 802.1x” Security Mode, provide the following:

Field

Description

Configuring Security

Click “Enable RADIUS Accounting” if you want to track and

measure the resources a particular user has consumed such system

time, amount of data transmitted and received, and so on.

Radius IP

Radius Key

Enable RADIUS

Accounting

Authentication Server

Built-in

- To use the authentication server provided with the

D-Link DWL-2210AP. If you choose this option, you do not have

to provide the Radius IP and Radius Key; they are automatically

provided.

•

External

- To use an external authentication server. If you choose

this option you must supply a Radius IP and Radius Key of the

server you want to use.

Note:

The RADIUS server is identified by its IP address and UDP port

numbers for the different services it provides. On the current release of

the D-Link DWL-2210AP, the RADIUS server User Datagram Protocol

(UDP) ports used by the access point are not configurable. (The D-Link

DWL-2210AP is hard-coded to use RADIUS server UDP port 1812

for authentication and port 1813 for accounting.)

Select one of the following from the drop-down menu:

Enter the Radius IP in the text box.

The

Radius IP

is the IP address of the

RADIUS

server.

For information on setting up user accounts, see “Managing User

Accounts” in this manual.

Enter the Radius Key in the text box.

The

Radius Key

is the shared secret key for the RADIUS server.

The text you enter will be displayed as “*” characters to prevent

others from seeing the RADIUS key as you type.

(The D-Link DWL-2210AP internal authentication server key is

secret.)

This value is never sent over the network.

•