Zyxel P-660HN-F1Z Router Manual PDF (Setup & Configuration Guide)

Home

Manuals

Zyxel

P-660HN-F1Z

Page 366 / 421 Scroll up to view Page 361 - 365

Appendix D Wireless LANs

P-660HN-FxZ Series User’s Guide

363

Determines the network services available to authenticated users once they are connected

to the network.

• Accounting

Keeps track of the client’s network activity.

RADIUS is a simple package exchange in which your AP acts as a message relay between the

wireless client and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the access point and the

RADIUS server for user authentication:

• Access-Request

Sent by an access point requesting authentication.

• Access-Reject

Sent by a RADIUS server rejecting access.

• Access-Accept

Sent by a RADIUS server allowing access.

• Access-Challenge

Sent by a RADIUS server requesting more information in order to allow access. The

access point sends a proper response from the user and then sends another Access-Request

message.

The following types of RADIUS messages are exchanged between the access point and the

RADIUS server for user accounting:

• Accounting-Request

Sent by the access point requesting accounting.

• Accounting-Response

Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared

secret key, which is a password, they both know. The key is not sent over the network. In

addition to the shared key, password information exchanged is also encrypted to protect the

network from unauthorized access.

Types of EAP Authentication

This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS,

PEAP and LEAP. Your wireless LAN device may not support all authentication types.

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the

IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By

using EAP to interact with an EAP-compatible RADIUS server, an access point helps a

wireless station and a RADIUS server perform authentication.

The type of authentication you use depends on the RADIUS server and an intermediary AP(s)

that supports IEEE 802.1x. .

Page 367 / 421

Appendix D Wireless LANs

P-660HN-FxZ Series User’s Guide

364

For EAP-TLS authentication type, you must first have a wired connection to the network and

obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs)

can be used to authenticate users and a CA issues certificates and guarantees the identity of

each certificate owner.

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server

sends a challenge to the wireless client. The wireless client ‘proves’ that it knows the password

by encrypting the password with the challenge and sends back the information. Password is

not sent in plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to

get the plaintext passwords, the passwords must be stored. Thus someone other than the

authentication server may access the password file. In addition, it is possible to impersonate an

authentication server as MD5 authentication method does not perform mutual authentication.

Finally, MD5 authentication method does not support data encryption with dynamic session

key. You must configure WEP encryption keys for data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certifications are needed by both the server and the wireless clients for

mutual authentication. The server presents a certificate to the client. After validating the

identity of the server, the client sends a different certificate to the server. The exchange of

certificates is done in the open before a secured tunnel is created. This makes user identity

vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the

sender’s identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to

handle certificates, which imposes a management overhead.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the

server-side authentications to establish a secure connection. Client authentication is then done

by sending username and password through the secure connection, thus client identity is

protected. For client authentication, EAP-TTLS supports EAP methods and legacy

authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.

PEAP (Protected EAP)

Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection,

then use simple username and password methods through the secured connection to

authenticate the clients, thus hiding client identity. However, PEAP only supports EAP

methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card),

for client authentication. EAP-GTC is implemented only by Cisco.

LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE

802.1x.

Page 368 / 421

Appendix D Wireless LANs

P-660HN-FxZ Series User’s Guide

365

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when

the wireless connection times out, disconnects or reauthentication times out. A new WEP key

is generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the

wireless security configuration screen. You may still configure and store keys, but they will

not be used while dynamic WEP is enabled.

EAP-MD5 cannot be used with Dynamic WEP Key Exchange

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use

dynamic keys for data encryption. They are often deployed in corporate environments, but for

public deployment, a simple user name and password pair is more practical. The following

table is a comparison of the features of authentication types.

WPA and WPA2

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE

802.11i) is a wireless security standard that defines stronger encryption, authentication and

key management than WPA.

Key differences between WPA or WPA2 and WEP are improved data encryption and user

authentication.

If both an AP and the wireless clients support WPA2 and you have an external RADIUS

server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server,

you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical)

password entered into each access point, wireless gateway and wireless client. As long as the

passwords match, a wireless client will be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending

on whether you have an external RADIUS server or not.

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is

less secure than WPA or WPA2.

Table 144

Comparison of EAP Authentication Types

EAP-MD5

EAP-TLS

EAP-TTLS

PEAP

LEAP

Mutual Authentication

Yes

Certificate – Client

Yes

Optional

Certificate – Server

Yes

Dynamic Key Exchange

Yes

Credential Integrity

None

Strong

Moderate

Deployment Difficulty

Easy

Hard

Moderate

Client Identity Protection

Yes

Page 369 / 421

Appendix D Wireless LANs

P-660HN-FxZ Series User’s Guide

366

Encryption

Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol

(TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced

Encryption Standard (AES) in the Counter mode with Cipher block chaining Message

authentication code Protocol (CCMP) to offer stronger encryption than TKIP.

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication

server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit

mathematical algorithm called Rijndael. They both include a per-packet key mixing function,

a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with

sequencing rules, and a re-keying mechanism.

WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption

key is never used twice.

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up

a key hierarchy and management system, using the PMK to dynamically generate unique data

encryption keys to encrypt every data packet that is wirelessly communicated between the AP

and the wireless clients. This all happens in the background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data

packets, altering them and resending them. The MIC provides a strong mathematical function

in which the receiver and the transmitter each compute and then compare the MIC. If they do

not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity

checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi

network than WEP and difficult for an intruder to break into the network.

The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only

difference between the two is that WPA(2)-PSK uses a simple common password, instead of

user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to

brute-force password-guessing attacks but it’s still an improvement over WEP as it employs a

consistent, single, alphanumeric password to derive a PMK which is used to generate unique

temporal encryption keys. This prevent all wireless devices sharing the same encryption keys.

(a weakness of WEP)

User Authentication

WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to

authenticate wireless clients using an external RADIUS database. WPA2 reduces the number

of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time

required to connect to a network. Other WPA2 authentication features that are different from

WPA include key caching and pre-authentication. These two features are optional and may not

be supported in all wireless devices.

Key caching allows a wireless client to store the PMK it derived through a successful

authentication with an AP. The wireless client uses the PMK when it tries to connect to the

same AP and does not need to go with the authentication process again.

Pre-authentication enables fast roaming by allowing the wireless client (already connecting to

an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.

Page 370 / 421

Appendix D Wireless LANs

P-660HN-FxZ Series User’s Guide

367

Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the

wireless client how to use WPA. At the time of writing, the most widely available supplicant is

the

WPA patch for Windows XP, Funk Software's Odyssey client.

The Windows XP patch is a free download that adds WPA capability to Windows XP's built-

in "Zero Configuration" wireless client. However, you must run Windows XP to use it.

WPA(2) with RADIUS Application Example

To set up WPA(2), you need the IP address of the RADIUS server, its port number (default is

1812), and the RADIUS shared secret. A WPA(2) application example with an external

RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system.

The AP passes the wireless client's authentication request to the RADIUS server.

The RADIUS server then checks the user's identification against its database and grants

or denies network access accordingly.

A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the

RADIUS server and the client.

The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy

and management system, using the PMK to dynamically generate unique data encryption

keys. The keys are used to encrypt every data packet that is wirelessly communicated

between the AP and the wireless clients.

Figure 237

WPA(2) with RADIUS Application Example

WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.

First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key

(PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters

(including spaces and symbols).

The AP checks each wireless client's password and allows it to join the network only if

the password matches.

Rate

Popular Zyxel Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share