Authentication Algorithm
The authentication algorithm defines the method used
to determine whether a client station is allowed to
associate with an access point when static WEP is the
security mode.
Specify the authentication algorithm you want to use by
choosing one of the following from the drop-down
menu:
• Open System
• Shared Key
• Both
Open System authentication allows any client station to associate with the access
point whether that client station has the correct WEP key or not. This algorithm is
also used in plaintext, IEEE 802.1x, and WPA modes. When the authentication algorithm
is set to “Open System”, any client can associate with the access point.
Note that just because a client station is allowed to associate does not ensure it can
exchange traffic with an access point. A station must have the correct WEP key to be
able to successfully access and decrypt data from an access point, and to transmit
readable data to the access point.
Shared Key authentication requires the client station to have the correct WEP key in
order to associate with the access point. When the authentication algorithm is set to
“Shared Key”, a station with an incorrect WEP key will not be able to associate with
the access point.
Both is the default. When the authentication algorithm is set to “Both”:
• Client stations configured to use WEP in shared key mode must have a valid WEP key
in order to associate with the access point.
• Client stations configured to use WEP as an open system (shared key mode not
enabled) will be able to associate with the access point even if they do not have the
correct WEP key.
Configuring Security
Rules to Remember for Static WEP
• All client stations must have the Wireless LAN (WLAN) security set to WEP and
all clients must have one of the WEP keys specified on the AP in order to decode
AP-to-station data transmissions.
• The AP must have all keys used by clients for station-to-AP transmit so that it can
decode the station transmissions.
• The same key must occupy the same slot on all nodes (AP and clients). For example
if the AP defines abc123 key as WEP key 3, then the client stations must define
that same string as WEP key 3.
• On some wireless client software (like Funk Odyssey), you can configure multiple
WEP keys and define a client station “transfer key index”, and then set the stations
to encrypt the data they transmit using different keys. This ensures that neighboring
APs cannot decode each other’s transmissions.
Example of Using Static WEP
For a simple example, suppose you configure three WEP keys on the access point. In
our example, the Transfer Key Index for the AP is set to “3”. This means that the WEP
key in slot “3” is the key the access point will use to encrypt the data it sends.
You must then set all client stations to use WEP and provide each client with one of the
slot/key combinations you defined on the AP.
For this example, we’ll set WEP key 1 on a Windows client.
(Please see the next page.)
Setting the AP Transfer Key on the Access Point
Providing a Wireless Client with a WEP Key
If you have a second client station, that station also needs to have one of the WEP
keys defined on the AP.
You could give it the same WEP key you gave to the first station. Or for a more secure
solution, you could give the second station a different WEP key (key 2, for example)
so that the two stations cannot decrypt each other’s transmissions.
Static WEP with Transfer Key Indexes on Client Stations
Some wireless client software (like Funk Odyssey) lets you configure multiple WEP keys
and set a transfer index on the client station, then you can specify different keys to
be used for station-to-AP transmissions.
(The standard Windows wireless client software does not allow you to do this.)
To build on our example, using Funk Odyssey client software you could give each of
the clients WEP key 3 so that they can decode the AP transmissions with that key and
also give client 1 WEP key 1 and set this as its transfer key. You could then give client
2 WEP key 2 and set this as its transfer key index.
The figure on the next page illustrates the dynamics of the AP and two client stations
using multiple WEP keys and a transfer key index.
Example of Using Multiple WEP Keys and Transfer Key Index on Client Stations
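
The slot rules above can be checked with a small WEP model. This is an added example, not part of the manual: the key values, node names and fixed IV are constructed, and each frame carries the sender's slot as a key ID (slot 1-4 sent as 0-3) that the receiver uses to pick its own key for that slot.

```python
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_send(node: dict, body: bytes, iv: bytes = b"\x01\x02\x03") -> bytes:
    """Encrypt with the key in the sender's transfer key slot (1-4)."""
    slot = node["transfer"]
    icv = struct.pack("<I", zlib.crc32(body))      # CRC-32 integrity check value
    key_id = (slot - 1) << 6                       # slot 1-4 is sent as key ID 0-3
    return iv + bytes([key_id]) + rc4(iv + node["slots"][slot], body + icv)

def wep_receive(node: dict, frame: bytes):
    """Return the body, or None when this node cannot decode the frame."""
    iv, slot = frame[:3], (frame[3] >> 6) + 1
    key = node["slots"].get(slot)
    if key is None:                                # nothing configured in that slot
        return None
    plain = rc4(iv + key, frame[4:])
    body, icv = plain[:-4], plain[-4:]
    return body if struct.pack("<I", zlib.crc32(body)) == icv else None

def can_decode(sender: dict, receiver: dict, body: bytes = b"test frame") -> bool:
    return wep_receive(receiver, wep_send(sender, body)) == body

# Constructed 40-bit keys and nodes, laid out like the manual's example.
K1, K2, K3 = b"AAAAA", b"BBBBB", b"CCCCC"
AP = {"slots": {1: K1, 2: K2, 3: K3}, "transfer": 3}
CLIENT1 = {"slots": {1: K1, 3: K3}, "transfer": 1}
CLIENT2 = {"slots": {2: K2, 3: K3}, "transfer": 2}
WRONG_SLOT = {"slots": {1: K3}, "transfer": 1}     # AP's key 3 typed into slot 1
```

With these nodes the AP and both clients decode each other, the two clients cannot decode each other's station-to-AP frames, and the station holding the right key string in the wrong slot fails in both directions.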
IEEE 802.1x
IEEE 802.1x is the standard defining port-based authentication and infrastructure for
doing key management. Extensible Authentication Protocol (EAP) messages are sent
over an IEEE 802.11 wireless network using a protocol called EAP Encapsulation
Over LANs (EAPOL). IEEE 802.1x provides dynamically-generated keys that are
periodically refreshed. An RC4 stream cipher is used to encrypt the frame body and
cyclic redundancy checking (CRC) of each 802.11 frame.
This mode requires the use of a RADIUS server to authenticate users, and configuration
of user accounts via the Cluster > Users tab.
The access point requires a RADIUS server capable of EAP, such as the Microsoft
Internet Authentication Server or the D-Link DWL-2210AP internal authentication server.
To work with Windows clients, the authentication server must support Protected EAP
(PEAP) and MSCHAP V2.
When configuring IEEE 802.1x mode, you have a choice of whether to use the embedded
RADIUS server or an external RADIUS server that you provide. The D-Link DWL-2210AP
embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.
If you use your own RADIUS server, you have the option of using any of a variety of
authentication methods that the IEEE 802.1x mode supports, including certificates,
Kerberos, and public key authentication. Keep in mind, however, that the client stations
must be configured to use the same authentication method being used by the access
point.
If you selected “IEEE 802.1x” Security Mode, provide the following:
Authentication Server
Select one of the following from the drop-down menu:
• Built-in - To use the authentication server provided with the D-Link DWL-2210AP.
If you choose this option, you do not have to provide the Radius IP and Radius Key;
they are automatically provided.
• External - To use an external authentication server. If you choose this option you
must supply a Radius IP and Radius Key of the server you want to use.
Note: The RADIUS server is identified by its IP address and UDP port numbers for the
different services it provides. On the current release of the D-Link DWL-2210AP, the
RADIUS server User Datagram Protocol (UDP) ports used by the access point are not
configurable. (The D-Link DWL-2210AP is hard-coded to use RADIUS server UDP port 1812
for authentication and port 1813 for accounting.)

Radius IP
Enter the Radius IP in the text box.
The Radius IP is the IP address of the RADIUS server.
(The D-Link DWL-2210AP internal authentication server is 127.0.0.1.)
For information on setting up user accounts, see “Managing User Accounts” in this
manual.

Radius Key
Enter the Radius Key in the text box.
The Radius Key is the shared secret key for the RADIUS server. The text you enter will
be displayed as “*” characters to prevent others from seeing the RADIUS key as you type.
(The D-Link DWL-2210AP internal authentication server key is secret.)
This value is never sent over the network.

Enable RADIUS Accounting
Click “Enable RADIUS Accounting” if you want to track and measure the resources a
particular user has consumed such as system time, amount of data transmitted and
received, and so on.
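
How the Radius Key can authenticate the server without being transmitted, as an added example that is not part of the manual: per RFC 2865 each reply carries a Response Authenticator, an MD5 digest over the reply, the request's random authenticator and the shared secret. The packets, identifier and user name are constructed, the key is the built-in server key named in the Radius Key field, and password hiding and EAP attributes are left out.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def build_request(identifier: int, attributes: bytes) -> bytes:
    """Access-Request: code, id, length, random 16-byte Request Authenticator."""
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attributes))
    return header + os.urandom(16) + attributes

def response_authenticator(header: bytes, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865."""
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def build_response(request: bytes, code: int, attributes: bytes, secret: bytes) -> bytes:
    """Server side: reply whose authenticator is keyed with the shared secret."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    auth = response_authenticator(header, request[4:20], attributes, secret)
    return header + auth + attributes

def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Access point side: accept the reply only if the digest matches."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = response_authenticator(response[:4], request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])

# Constructed exchange: User-Name attribute (type 1) for a made-up user.
USER_NAME = bytes([1, 2 + len(b"alice")]) + b"alice"
REQUEST = build_request(7, USER_NAME)
REPLY = build_response(REQUEST, ACCESS_ACCEPT, b"", b"secret")
```

A reply built with a different key, or one whose code byte is altered in transit, fails `verify_response`, and neither packet contains the key itself.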
