WPA with RADIUS
Wi-Fi Protected Access (WPA) with Remote Authentication Dial-In User Service (RADIUS) is a Wi-Fi Alliance subset of IEEE 802.11i, which includes Temporal Key Integrity Protocol (TKIP), Counter mode/CBC-MAC Protocol (CCMP), and Advanced Encryption Standard (AES) mechanisms. This mode requires the use of a RADIUS server to authenticate users, and configuration of user accounts via the Cluster > Users tab.
When configuring WPA with RADIUS mode, you have a choice of whether to use the embedded RADIUS server or an external RADIUS server that you provide. The D-Link DWL-2210AP embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.
If you selected “WPA with RADIUS” Security Mode, provide the following:
Configuring Security
Field: Cipher Suites
Description: Select the cipher you want to use from the drop-down menu:
• TKIP
• CCMP (AES)
• Both
Temporal Key Integrity Protocol (TKIP) is the default.
TKIP provides a more secure encryption solution than WEP keys. The TKIP process more frequently changes the encryption key used and better ensures that the same key will not be reused to encrypt data (a weakness of WEP). TKIP uses a 128-bit “temporal key” shared by clients and access points. The temporal key is combined with the client’s MAC address and a 16-octet initialization vector to produce the key that will encrypt the data. This ensures that each client station uses a different key to encrypt data. TKIP uses RC4 to perform the encryption, which is the same as WEP. But TKIP changes temporal keys every 10,000 packets and distributes them, thereby greatly improving the security of the network.
Counter mode/CBC-MAC Protocol (CCMP) is an encryption method for IEEE 802.11i that uses the Advanced Encryption Algorithm (AES). It uses a CCM combined with Cipher Block Chaining Counter mode (CBC-CTR) and Cipher Block Chaining Message Authentication Code (CBC-MAC) for encryption and message integrity.
When the authentication algorithm is set to “Both”, both TKIP and AES clients can associate with the access point. Client stations configured to use WPA with RADIUS must have one of the following to be able to associate with the AP:
• A valid TKIP RADIUS IP address and valid shared Key
• A valid CCMP (AES) IP address and valid shared Key
Clients not configured to use WPA with RADIUS will not be able to associate with AP.
Both is the default. When the authentication algorithm is set to “Both”, client stations configured to use WPA with RADIUS must have one of the following:
• A valid TKIP RADIUS IP address and RADIUS Key
• A valid CCMP (AES) IP address and RADIUS Key
Field: Authentication Server
Description: Select one of the following from the drop-down menu:
Built-in - To use the authentication server provided with the D-Link DWL-2210AP. If you choose this option, you do not have to provide the Radius IP and Radius Key; they are automatically provided.
External - To use an external authentication server. If you choose this option you must supply a Radius IP and Radius Key of the server you want to use.
Note: The RADIUS server is identified by its IP address and UDP port numbers for the different services it provides. On the current release of the D-Link DWL-2210AP, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are not configurable. (The D-Link DWL-2210AP is hard-coded to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.)
Field: Radius IP
Description: Enter the Radius IP in the text box.
The Radius IP is the IP address of the RADIUS server.
(The D-Link DWL-2210AP internal authentication server is 127.0.0.1.)
For information on setting up user accounts, see “Managing User Accounts” in this manual.
Field: Radius Key
Description: Enter the Radius Key in the text box.
The Radius Key is the shared secret key for the RADIUS server. The text you enter will be displayed as “*” characters to prevent others from seeing the RADIUS key as you type.
(The D-Link DWL-2210AP internal authentication server key is secret.)
This value is never sent over the network.
Field: Key Type
Description: Select the key type by clicking one of the radio buttons:
• ASCII
• HEX
Field: Enable RADIUS Accounting
Description: Click “Enable RADIUS Accounting” if you want to enforce authentication for WPA client stations with user names and passwords for each station.
See also “Managing User Accounts” in this manual.
Field: Allow non-WPA Clients
Description: Click the “Allow non-WPA clients” checkbox if you want to let non-WPA (802.11), unauthenticated client stations use this access point.
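The Radius Key stays off the network because each side only proves knowledge of it: per RFC 2865 the server's reply carries an MD5 digest computed over the packet plus the secret, and the access point recomputes it with its own copy. The sketch below is an added example, not D-Link code; the function names, packet contents, identifier and secret value are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2          # RADIUS packet code (RFC 2865)
HEADER_LEN = 20            # code(1) + id(1) + length(2) + authenticator(16)


def response_authenticator(code, ident, request_auth, attributes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    return hashlib.md5(head + request_auth + attributes + secret).digest()


def build_reply(code, ident, request_auth, attributes, secret):
    """Server side: the digest goes on the wire, the secret does not."""
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    return head + auth + attributes


def verify_reply(packet, request_auth, secret):
    """AP side: accept the reply only if the digest matches our Radius Key."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        return False                      # truncated or malformed packet
    packet = packet[:length]              # octets past Length are padding
    expected = response_authenticator(
        code, ident, request_auth, packet[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


# Constructed sample values (not taken from any real deployment).
SECRET = b"constructed-radius-key"
REQUEST_AUTH = bytes(range(16))           # normally 16 random octets
ATTRS = bytes([18, 4]) + b"ok"            # Reply-Message attribute, length 4

if __name__ == "__main__":
    reply = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTH, ATTRS, SECRET)
    print("secret on the wire:", SECRET in reply)
    print("right key:", verify_reply(reply, REQUEST_AUTH, SECRET))
    print("wrong key:", verify_reply(reply, REQUEST_AUTH, b"other-key"))
    forged = reply[:-1] + b"!"
    print("tampered:", verify_reply(forged, REQUEST_AUTH, SECRET))
```

A mismatched Radius Key on either side therefore shows up as replies that fail this check, not as an explicit "wrong key" error.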
WPA-PSK
Wi-Fi Protected Access (WPA) with Pre-Shared Key (PSK) is a Wi-Fi Alliance subset of IEEE 802.11i, which includes Temporal Key Integrity Protocol (TKIP), Advanced Encryption Algorithm (AES), and Counter mode/CBC-MAC Protocol (CCMP) mechanisms. PSK employs a pre-shared key. This is used for an initial check of credentials only. If you selected “WPA-PSK” Security Mode, provide the following:
Field: Cipher Suites
Description: Select the cipher you want to use from the drop-down menu:
• TKIP
• CCMP (AES)
• Both
Temporal Key Integrity Protocol (TKIP) is the default.
TKIP provides a more secure encryption solution than WEP keys. The TKIP process more frequently changes the encryption key used and better ensures that the same key will not be reused to encrypt data (a weakness of WEP). TKIP uses a 128-bit “temporal key” shared by clients and access points. The temporal key is combined with the client’s MAC address and a 16-octet initialization vector to produce the key that will encrypt the data. This ensures that each client station uses a different key to encrypt data. TKIP uses RC4 to perform the encryption, which is the same as WEP. But TKIP changes temporal keys every 10,000 packets and distributes them, thereby greatly improving the security of the network.
Counter mode/CBC-MAC Protocol (CCMP) is an encryption method for IEEE 802.11i that uses the Advanced Encryption Algorithm (AES). It uses a CCM combined with Cipher Block Chaining Counter mode (CBC-CTR) and Cipher Block Chaining Message Authentication Code (CBC-MAC) for encryption and message integrity.
When the authentication algorithm is set to “Both”, both TKIP and AES clients can associate with the access point. WPA clients must have one of the following to be able to associate with the AP:
• A valid TKIP key
• A valid CCMP (AES) key
Clients not configured to use WPA-PSK will not be able to associate with AP.
Field: Key
Description: The Pre-shared Key is the shared secret key for WPA-PSK. Enter a string of at least 8 characters to a maximum of 63 characters.
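How the 8 to 63 character Pre-shared Key becomes key material, as an added example (not D-Link code): 802.11i stretches the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID, into a 256-bit pairwise master key. The function names and SSIDs are assumptions, and the 64-hex-digit raw-key branch follows 802.11i generally; the manual only describes the 8 to 63 character form.

```python
import hashlib
import string


def wpa_psk_to_pmk(key, ssid):
    """Return the 32-byte pairwise master key for a pre-shared key and SSID."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # 64 hex digits: the raw 256-bit key itself (802.11i; assumed, not from the manual).
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return bytes.fromhex(key)
    if not 8 <= len(key) <= 63:
        raise ValueError("pre-shared key must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in key):
        raise ValueError("pre-shared key must be printable ASCII")
    # Passphrase form: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits.
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid_bytes, 4096, 32)


def shares_master_key(key, ssid_a, ssid_b):
    """True if two networks using the same key end up with the same PMK."""
    return wpa_psk_to_pmk(key, ssid_a) == wpa_psk_to_pmk(key, ssid_b)


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk_to_pmk("password", "IEEE").hex())
    # Constructed SSIDs: the SSID salt makes the same passphrase yield
    # unrelated master keys on differently named networks.
    print(shares_master_key("password", "lab-ap-1", "lab-ap-2"))
    try:
        wpa_psk_to_pmk("short", "IEEE")
    except ValueError as err:
        print("rejected:", err)
```

Because the SSID is the only salt, a passphrase's strength rests entirely on its length and unpredictability within the 8 to 63 character range.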
Configuring Radio Settings
The following sections describe how to configure Radio Settings on the D-Link DWL-2210AP:
• Understanding Radio Settings
• Configuring Radio Settings
• Updating Settings
Understanding Radio Settings
Radio settings directly control the behavior of the radio device in the access point and its
interaction with the physical medium; that is, how/what type of electromagnetic waves the
AP emits. You can specify whether the radio is on or off, radio frequency (RF) broadcast
channel, beacon interval (amount of time between AP beacon transmissions), transmit
power, IEEE 802.11 mode in which the radio operates, and so on.
The D-Link DWL-2210AP is a single band access point with one radio capable of
broadcasting in either IEEE 802.11b or IEEE 802.11g mode.
The IEEE mode along with other radio settings are configured as described in “Navigating
to Radio Settings” and “Configuring Radio Settings” in this manual.
Updating Settings
To apply your changes, click Update.