Zyxel P-660HN-T1A Router Manual PDF (Setup & Configuration Guide)

Page 301 / 324 Scroll up to view Page 296 - 300

Appendix D Wireless LANs

P-660HN-TxA User’s Guide

301

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK

depending on whether you have an external RADIUS server or not.

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2.

WEP is less secure than WPA or WPA2.

Encryption

WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP),

Message Integrity Check (MIC) and IEEE 802.1x. WPA2 also uses TKIP when

required for compatibility reasons, but offers stronger encryption than TKIP with

Advanced Encryption Standard (AES) in the Counter mode with Cipher block

chaining Message authentication code Protocol (CCMP).

TKIP uses 128-bit keys that are dynamically generated and distributed by the

authentication server. AES (Advanced Encryption Standard) is a block cipher that

uses a 256-bit mathematical algorithm called Rijndael. They both include a per-

packet key mixing function, a Message Integrity Check (MIC) named Michael, an

extended initialization vector (IV) with sequencing rules, and a re-keying

mechanism.

WPA and WPA2 regularly change and rotate the encryption keys so that the same

encryption key is never used twice.

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that

then sets up a key hierarchy and management system, using the PMK to

dynamically generate unique data encryption keys to encrypt every data packet

that is wirelessly communicated between the AP and the wireless clients. This all

happens in the background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from

capturing data packets, altering them and resending them. The MIC provides a

strong mathematical function in which the receiver and the transmitter each

compute and then compare the MIC. If they do not match, it is assumed that the

data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating

an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to

decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break

into the network.

The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The

only difference between the two is that WPA(2)-PSK uses a simple common

password, instead of user-specific credentials. The common-password approach

makes WPA(2)-PSK susceptible to brute-force password-guessing attacks but it’s

still an improvement over WEP as it employs a consistent, single, alphanumeric

password to derive a PMK which is used to generate unique temporal encryption

Page 302 / 324

Appendix D Wireless LANs

P-660HN-TxA User’s Guide

302

keys. This prevent all wireless devices sharing the same encryption keys. (a

weakness of WEP)

User Authentication

WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to

authenticate wireless clients using an external RADIUS database. WPA2 reduces

the number of key exchange messages from six to four (CCMP 4-way handshake)

and shortens the time required to connect to a network. Other WPA2

authentication features that are different from WPA include key caching and pre-

authentication. These two features are optional and may not be supported in all

wireless devices.

Key caching allows a wireless client to store the PMK it derived through a

successful authentication with an AP. The wireless client uses the PMK when it tries

to connect to the same AP and does not need to go with the authentication

process again.

Pre-authentication enables fast roaming by allowing the wireless client (already

connecting to an AP) to perform IEEE 802.1x authentication with another AP

before connecting to it.

Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system

instructing the wireless client how to use WPA. At the time of writing, the most

widely available supplicant is the

WPA patch for Windows XP, Funk Software's

Odyssey client.

The Windows XP patch is a free download that adds WPA capability to Windows

XP's built-in "Zero Configuration" wireless client. However, you must run Windows

XP to use it.

WPA(2) with RADIUS Application Example

To set up WPA(2), you need the IP address of the RADIUS server, its port number

(default is 1812), and the RADIUS shared secret. A WPA(2) application example

with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is

the distribution system.

1

The AP passes the wireless client's authentication request to the RADIUS server.

2

The RADIUS server then checks the user's identification against its database and

grants or denies network access accordingly.

3

A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by

the RADIUS server and the client.

Page 303 / 324

Appendix D Wireless LANs

P-660HN-TxA User’s Guide

303

4

The RADIUS server distributes the PMK to the AP. The AP then sets up a key

hierarchy and management system, using the PMK to dynamically generate

unique data encryption keys. The keys are used to encrypt every data packet that

is wirelessly communicated between the AP and the wireless clients.

Figure 164

WPA(2) with RADIUS Application Example

WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.

1

First enter identical passwords into the AP and all wireless clients. The Pre-Shared

Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal

characters (including spaces and symbols).

2

The AP checks each wireless client's password and allows it to join the network

only if the password matches.

3

The AP and wireless clients generate a common PMK (Pairwise Master Key). The

key itself is not sent over the network, but is derived from the PSK and the SSID.

Page 304 / 324

Appendix D Wireless LANs

P-660HN-TxA User’s Guide

304

4

The AP and wireless clients use the TKIP or AES encryption process, the PMK and

information exchanged in a handshake to create temporal encryption keys. They

use these keys to encrypt data exchanged between them.

Figure 165

WPA(2)-PSK Authentication

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for

each authentication method or key management protocol type. MAC address

filters are not dependent on how you configure these security features.

Table 113

Wireless Security Relational Matrix

AUTHENTICATION

METHOD/ KEY

MANAGEMENT

PROTOCOL

ENCRYPTIO

N METHOD

ENTER

MANUAL KEY

IEEE 802.1X

Open

None

No

Disable

Enable without Dynamic WEP

Key

Open

WEP

No

Enable with Dynamic WEP Key

Yes

Enable without Dynamic WEP

Key

Yes

Disable

Shared

WEP

No

Enable with Dynamic WEP Key

Yes

Enable without Dynamic WEP

Key

Yes

Disable

WPA

TKIP/AES

No

Enable

WPA-PSK

TKIP/AES

Yes

Disable

WPA2

TKIP/AES

No

Enable

WPA2-PSK

TKIP/AES

Yes

Disable

Page 305 / 324

Appendix D Wireless LANs

P-660HN-TxA User’s Guide

305

Antenna Overview

An antenna couples RF signals onto air. A transmitter within a wireless device

sends an RF signal to the antenna, which propagates the signal through the air.

The antenna also operates in reverse by capturing RF signals from the air.

Positioning the antennas properly increases the range and coverage area of a

wireless LAN.

Antenna Characteristics

Frequency

An antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz

(IEEE 802.11a) is needed to communicate efficiently in a wireless LAN

Radiation Pattern

A radiation pattern is a diagram that allows you to visualize the shape of the

antenna’s coverage area.

Antenna Gain

Antenna gain, measured in dB (decibel), is the increase in coverage within the RF

beam width. Higher antenna gain improves the range of the signal for better

communications.

For an indoor site, each 1 dB increase in antenna gain results in a range increase

of approximately 2.5%. For an unobstructed outdoor site, each 1dB increase in

gain results in a range increase of approximately 5%. Actual results may vary

depending on the network environment.

Antenna gain is sometimes specified in dBi, which is how much the antenna

increases the signal power compared to using an isotropic antenna. An isotropic

antenna is a theoretical perfect antenna that sends out radio signals equally well

in all directions. dBi represents the true gain that the antenna provides.

Types of Antennas for WLAN

There are two types of antennas used for wireless LAN applications.

Rate

Popular Zyxel Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share