Appendix D Wireless LANs
NBG-416N User’s Guide
196
wireless gateway, but out-of-range of each other, so they cannot "hear" each
other, that is, they do not know if the channel is currently being used. Therefore,
they are considered hidden from each other.
Figure 132 RTS/CTS
When station A sends data to the AP, it might not know that the station B is
already using the channel. If these two stations send data at the same time,
collisions may occur when both sets of data arrive at the AP at the same time,
resulting in a loss of messages for both stations.
RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS threshold defines the largest data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.
When a data frame exceeds the RTS/CTS value you set (between 0 and 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.
Stations can send frames smaller than the specified RTS/CTS value directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake.
You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake.
If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.
Note: Enabling the RTS Threshold causes redundant network overhead that could
negatively affect the throughput performance instead of providing a remedy.
Fragmentation Threshold
A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames.
A large Fragmentation Threshold is recommended for networks not prone to interference, while you should set a smaller threshold for busy networks or networks that are prone to interference.
If the Fragmentation Threshold value is smaller than the RTS/CTS value you set (see previously), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.
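The RTS/CTS and Fragmentation Threshold rules above, worked through in code. This is an added example and not part of the NBG-416N guide: it uses the guide's stated ranges (0 to 2432 and 256 to 2432 bytes) and a simplified model in which fragmentation happens first and frame header overhead is ignored; the function names and that modelling assumption are mine.

```python
RTS_MIN, RTS_MAX = 0, 2432        # RTS/CTS threshold range given in the guide
FRAG_MIN, FRAG_MAX = 256, 2432    # Fragmentation Threshold range given in the guide


def validate_thresholds(rts: int, frag: int) -> None:
    """Reject values outside the ranges the guide allows."""
    if not RTS_MIN <= rts <= RTS_MAX:
        raise ValueError(f"RTS/CTS threshold {rts} outside {RTS_MIN}-{RTS_MAX}")
    if not FRAG_MIN <= frag <= FRAG_MAX:
        raise ValueError(f"Fragmentation Threshold {frag} outside {FRAG_MIN}-{FRAG_MAX}")


def fragment(frame_len: int, frag: int) -> list:
    """Split a frame into fragments no larger than the Fragmentation Threshold.
    Simplified model taken from the guide's text: header overhead is ignored."""
    if frame_len <= frag:
        return [frame_len]
    full, rest = divmod(frame_len, frag)
    return [frag] * full + ([rest] if rest else [])


def plan_transmission(frame_len: int, rts: int, frag: int) -> tuple:
    """Return (fragment sizes, number of RTS/CTS handshakes) for one data frame.
    Fragmentation is applied first; a fragment then needs the RTS/CTS handshake
    only if it exceeds (is strictly larger than) the RTS/CTS threshold."""
    validate_thresholds(rts, frag)
    frags = fragment(frame_len, frag)
    handshakes = sum(1 for f in frags if f > rts)
    return frags, handshakes


def rts_can_ever_trigger(rts: int, frag: int) -> bool:
    """The guide's rule: with RTS/CTS above the Fragmentation Threshold the
    handshake never occurs. Because the trigger is 'exceeds', an equal setting
    never triggers either, so the handshake is reachable only when rts < frag."""
    validate_thresholds(rts, frag)
    return rts < frag
```

With the two thresholds at their maximum, a 3000-byte frame is split into 2432 + 568 bytes and no handshake ever happens, which is the case the note under RTS/CTS warns about.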
Preamble Type
A preamble is used to synchronize the transmission timing in your wireless network. There are two preamble modes: Long and Short.
Short preamble takes less time to process and minimizes overhead, so it should
be used in a good wireless network environment when all wireless stations
support it.
Select Long if you have a ‘noisy’ network or are unsure of what preamble mode your wireless stations support, as all IEEE 802.11b compliant wireless adapters must support long preamble. However, not all wireless adapters support short preamble. Use long preamble if you are unsure what preamble mode the wireless adapters support, to ensure interoperability between the AP and the wireless stations and to provide more reliable communication in ‘noisy’ networks.
Select Dynamic to have the AP automatically use short preamble when all wireless stations support it; otherwise the AP uses long preamble.
Note: The AP and the wireless stations MUST use the same preamble mode in order to communicate.
IEEE 802.11g Wireless LAN
IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an
IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point
(and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has
several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rates and modulation schemes are listed in Table 66.
IEEE 802.1x
In June 2001, the IEEE 802.1x standard was designed to extend the features of
IEEE 802.11 to support extended authentication as well as providing additional
accounting and control features. It is supported by Windows XP and a number of
network devices. Some advantages of IEEE 802.1x are:
• User-based identification that allows for roaming.
• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
• Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless stations.
RADIUS
RADIUS is based on a client-server model that supports authentication,
authorization and accounting. The access point is the client and the server is the
RADIUS server. The RADIUS server handles the following tasks:
• Authentication
Determines the identity of the users.
• Authorization
Determines the network services available to authenticated users once they are
connected to the network.
• Accounting
Keeps track of the client’s network activity.
RADIUS is a simple packet exchange in which your AP acts as a message relay between the wireless station and the network RADIUS server.
Table 66 IEEE 802.11g
DATA RATE (MBPS)                      MODULATION
1                                     DBPSK (Differential Binary Phase Shift Keyed)
2                                     DQPSK (Differential Quadrature Phase Shift Keying)
5.5 / 11                              CCK (Complementary Code Keying)
6 / 9 / 12 / 18 / 24 / 36 / 48 / 54   OFDM (Orthogonal Frequency Division Multiplexing)
Types of RADIUS Messages
The following types of RADIUS messages are exchanged between the access point
and the RADIUS server for user authentication:
• Access-Request
Sent by an access point requesting authentication.
• Access-Reject
Sent by a RADIUS server rejecting access.
• Access-Accept
Sent by a RADIUS server allowing access.
• Access-Challenge
Sent by a RADIUS server requesting more information in order to allow access.
The access point obtains the required information from the user and then sends another Access-Request message.
The following types of RADIUS messages are exchanged between the access point
and the RADIUS server for user accounting:
• Accounting-Request
Sent by the access point requesting accounting.
• Accounting-Response
Sent by the RADIUS server to indicate that it has started or stopped accounting.
To ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, the password information exchanged is also encrypted to protect the network from unauthorized access.
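The Access-Request/Access-Accept exchange and the role of the shared secret, shown as an added example that is not part of the guide. It builds the packets as RFC 2865 (the successor of the RFC 2138 cited above) lays them out, hides the User-Password attribute with the shared secret, and lets the AP side check a reply's Response Authenticator so that an Access-Accept produced without the secret is discarded; the function names, the secret and the Request Authenticator value are constructed for illustration.

```python
import hashlib
import secrets
import struct

# Codes and attribute types from RFC 2865 (successor to the RFC 2138 the guide cites).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each chunk with MD5(secret + previous chunk)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: only a holder of the shared secret can undo hide_password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")  # drop the padding added by hide_password

def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value  # Type, Length, Value

def build_access_request(ident, username, password, secret, request_auth):
    """AP -> server; request_auth is the 16 random bytes the AP picked for this request."""
    attrs = attr(ATTR_USER_NAME, username) + attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code, ident, attrs, request_auth, secret):
    """Server -> AP; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(packet, ident, request_auth, secret) -> bool:
    """AP side: discard a reply whose Identifier, Length or Response Authenticator is wrong."""
    if len(packet) < 20 or packet[1] != ident or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, got, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return secrets.compare_digest(got, expected)
```

The same construction is what lets the server recover the password, so the shared secret deserves the same protection as the password file it guards, and a fresh random Request Authenticator is needed for every request.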
Types of Authentication
This appendix discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. The type of authentication you use depends on the RADIUS server or the AP. Consult your network administrator for more information.
EAP-MD5 (Message-Digest Algorithm 5)
MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless station. The wireless station ‘proves’ that it knows the password by encrypting the password with the challenge and sending back the result. The password is not sent in plain text.
However, MD5 authentication has some weaknesses. Since the authentication server needs the plaintext passwords, the passwords must be stored, so someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server, as the MD5 authentication method does not perform mutual authentication. Finally, the MD5 authentication method does not support data encryption with a dynamic session key. You must configure WEP encryption keys for data encryption.
EAP-TLS (Transport Layer Security)
With EAP-TLS, digital certificates are needed by both the server and the wireless stations for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends its own certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes the user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender’s identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.
EAP-TTLS (Tunneled Transport Layer Service)
EAP-TTLS is an extension of EAP-TLS authentication that uses certificates only for server-side authentication to establish a secure connection. Client authentication is then done by sending the username and password through the secure connection, so the client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
PEAP (Protected EAP)
Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection and then simple username and password methods through the secured connection to authenticate the clients, thus hiding the client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.
LEAP
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of
IEEE 802.1x.
Dynamic WEP Key Exchange
The AP maps a unique key that is generated with the RADIUS server. This key
expires when the wireless connection times out, disconnects or reauthentication
times out. A new WEP key is generated each time reauthentication is performed.