

Configuring Security

For a more detailed explanation of security concepts, including a comparison of the advantages and disadvantages of the different security modes and suggestions on which mode to use, see Understanding Security Issues on Wireless Networks in the Administrator's Guide.

See also the related topic, Appendix A: "Configuring Security Settings on Wireless Clients" in the Administrator's Guide.

The following configuration information explains how to configure security modes on the access point. Keep in mind that each wireless client that wants to exchange data with the access point must be configured with the same security mode and matching encryption key settings as the access point.

Notes

Security modes other than Plain-text apply only to configuration of the "Internal" network. On the "Guest" network, you can use only Plain-text mode. (For more information about guest networks, see Setting up Guest Access.)

Broadcast SSID and Security Mode

To configure security on the access point, select a security mode and fill in the related fields as described in the following table. (You can also allow or prohibit the Broadcast SSID, as described below.)

Field
Description
Broadcast SSID
Select the Broadcast SSID setting by clicking the "Allow" or "Prohibit" radio button.
By default, the access point broadcasts (allows) the Service Set Identifier (SSID) in its beacon frames.
You can suppress (prohibit) this broadcast to discourage stations from automatically discovering your access point. When the AP's broadcast SSID is suppressed, the network name will not be displayed in the List of Available Networks on a client station. Instead, the client must have the exact network name configured in the supplicant before it will be able to connect. Note that suppression hides the name only from passive scanning: the SSID is still transmitted in the clear in probe and association frames whenever a client connects, so treat this as a convenience filter, not as access control.
Security Mode
Select the Security Mode. Select one of the following:
For a Guest network, only the "Plain-text" setting can be used; all other security modes apply only to the "Internal" network. (For more information, see Setting up Guest Access.)

Plain-text

In Plain-text mode, data transferred to and from the D-Link DWL-2210AP is not encrypted, so anyone within radio range can read it.

There are no further options for "Plain-text" mode.

Guest Network

Plain-text mode is the only mode in which you can run the Guest network, which is by definition an easily accessible, unsecured LAN that is always virtually or physically separated from any sensitive information on the Internal LAN. For example, the guest network might simply provide Internet and printer access for day visitors.

The absence of security on the Guest AP is designed to make it as easy as possible for guests to get a connection without having to program any security settings in their clients.

As a minimal deterrent on a guest network (not a security control), you can choose to suppress (prohibit) the broadcast of the SSID (network name) to discourage client stations from automatically discovering your access point. (See also Does Prohibiting the Broadcast SSID Enhance Security? in the Administrator's Guide.)

For more about the Guest network, see Setting up Guest Access.

Static WEP

Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. All wireless stations and access points on the network are configured with a static 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit secret key + 24-bit IV) shared key for data encryption. WEP is cryptographically broken: the 24-bit IV space is exhausted quickly on a busy network, and the secret key can be recovered from captured traffic with freely available tools. Use Static WEP only for legacy clients that support nothing stronger; otherwise prefer WPA-PSK or WPA with RADIUS.

You cannot mix 64-bit and 128-bit WEP keys between the access point and its client stations.

If you selected "Static WEP" Security Mode, provide the following on the access point settings:

Field
Description
Transfer Key Index
Select a key index from the drop-down menu. Key indexes 1 through 4 are available. The default is 1.
The Transfer Key Index indicates which WEP key the access point will use to encrypt the data it transmits.
Key Length
Specify the length of the key by clicking one of the radio buttons:
  • 64 bits
  • 128 bits
Key Type
Select the key type by clicking one of the radio buttons:
  • ASCII
  • Hex
Characters Required
Indicates the number of characters required in the WEP key.
The number of characters required updates automatically based on how you set Key Length and Key Type.
WEP Keys
You can specify up to four WEP keys. In each text box, enter a string of characters for each key.
If you selected "ASCII", enter any combination of the digits 0-9 and the letters a-z and A-Z. If you selected "Hex", enter hexadecimal digits (any combination of 0-9 and a-f or A-F).
Use the same number of characters for each key as specified in the "Characters Required" field. These are the RC4 WEP keys shared with the stations using the access point.
Each client station must be configured to use one of these same WEP keys in the same slot as specified here on the AP. (See Rules to Remember for Static WEP.)
Authentication Algorithm
The authentication algorithm defines the method used to determine whether a client station is allowed to associate with an access point when static WEP is the security mode.
Specify the authentication algorithm you want to use by choosing one of the following from the drop-down menu:
  • Open System
  • Shared Key
  • Both
Open System authentication allows any client station to associate with the access point whether or not that client station has the correct WEP key. This algorithm is also used in Plain-text, IEEE 802.1x, and WPA modes. When the authentication algorithm is set to "Open System", any client can associate with the access point.
Note that just because a client station is allowed to associate does not ensure it can exchange traffic with the access point. A station must have the correct WEP key to be able to decrypt data from the access point and to transmit data the access point can read.
Shared Key authentication requires the client station to have the correct WEP key in order to associate with the access point. When the authentication algorithm is set to "Shared Key", a station with an incorrect WEP key will not be able to associate with the access point. Despite its name, Shared Key is the weaker choice: the challenge is sent in the clear and the response is that challenge encrypted with WEP, so an eavesdropper who captures a single exchange learns enough RC4 keystream to answer later challenges without knowing the key. If you must use WEP, prefer Open System authentication.
Both is the default. When the authentication algorithm is set to "Both":
  • Client stations configured to use WEP in shared key mode must have a valid WEP key in order to associate with the access point.
  • Client stations configured to use WEP as an open system (shared key mode not enabled) will be able to associate with the access point even if they do not have the correct WEP key.
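The following Python model, added here as an illustration and not taken from the D-Link firmware or documentation, shows two points from the table above: how a key typed into the "WEP Keys" box becomes a 40- or 104-bit RC4 key, and why "Shared Key" authentication is weaker than "Open System". The AP and station are toy in-memory objects (an assumption of the example, not the DWL-2210AP's implementation); one observed challenge/response hands an eavesdropper 132 bytes of RC4 keystream, which is enough to pass the next challenge without the key.

```python
"""Simulated WEP Shared Key authentication (added example, not D-Link code)."""
import os
import zlib
from typing import Optional


def wep_key_from_config(key_type: str, text: str) -> bytes:
    """Parse a key as typed on the AP: 64-bit WEP needs 5 ASCII or 10 hex
    characters, 128-bit WEP needs 13 ASCII or 26 hex characters."""
    key = bytes.fromhex(text) if key_type.lower() == "hex" else text.encode("ascii")
    if len(key) not in (5, 13):
        raise ValueError(f"WEP secret must be 40 or 104 bits, got {len(key) * 8}")
    return key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4_{IV||secret}(plaintext || ICV); the per-packet key is IV||secret."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + secret, plaintext + icv(plaintext))


def wep_decrypt(secret: bytes, frame: bytes) -> Optional[bytes]:
    """Decrypt and check the ICV; None means wrong key or tampered frame."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + secret, body)
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


class SharedKeyAP:
    """Toy access point performing IEEE 802.11 Shared Key authentication."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.pending = b""

    def challenge(self) -> bytes:
        self.pending = os.urandom(128)  # 128-byte challenge text, sent in the clear
        return self.pending

    def verify(self, frame: bytes) -> bool:
        return wep_decrypt(self.secret, frame) == self.pending


def legitimate_station(ap: SharedKeyAP, secret: bytes):
    """A station that knows the key encrypts the challenge and sends it back."""
    ch = ap.challenge()
    frame = wep_encrypt(secret, os.urandom(3), ch)
    return ap.verify(frame), ch, frame


def eavesdropper_auth(ap: SharedKeyAP, seen_challenge: bytes, seen_frame: bytes) -> bool:
    """No key needed: keystream = (challenge || ICV) XOR ciphertext, and WEP
    lets the sender pick the IV, so the same keystream can be reused."""
    iv, ct = seen_frame[:3], seen_frame[3:]
    keystream = bytes(a ^ b for a, b in zip(seen_challenge + icv(seen_challenge), ct))
    new_ch = ap.challenge()
    new_plain = new_ch + icv(new_ch)
    forged = iv + bytes(a ^ b for a, b in zip(new_plain, keystream))
    return ap.verify(forged)


if __name__ == "__main__":
    key = wep_key_from_config("ascii", "ABCDE")  # constructed 64-bit key
    ap = SharedKeyAP(key)
    ok, ch, frame = legitimate_station(ap, key)
    print("legitimate station authenticated:", ok)
    print("eavesdropper authenticated without the key:", eavesdropper_auth(ap, ch, frame))
```

With Open System authentication the AP never encrypts a known plaintext on request, so this particular leak does not exist; the station still cannot exchange usable traffic without the key, which is why Open System is the safer of the two WEP settings.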

Rules to Remember for Static WEP

IEEE 802.1x

IEEE 802.1x is the standard defining port-based network access control and the infrastructure for key management. Extensible Authentication Protocol (EAP) messages are carried over the IEEE 802.11 wireless link using a protocol called EAP Encapsulation Over LANs (EAPOL). In this mode the access point distributes dynamically generated keys that are periodically refreshed. An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy check (CRC) of each 802.11 frame. Note that the frames are still WEP-encrypted; per-session keys remove WEP's shared-key problem but not the weaknesses of the cipher itself, so prefer WPA with RADIUS where your clients support it.

This mode requires the use of a RADIUS server to authenticate users, and configuration of user accounts via the Cluster > Users tab.

The access point requires a RADIUS server capable of EAP, such as the Microsoft Internet Authentication Service (IAS) or the D-Link DWL-2210AP internal authentication server. To work with Windows clients, the authentication server must support Protected EAP (PEAP) and MSCHAP V2.

When configuring IEEE 802.1x mode, you have a choice of whether to use the embedded RADIUS server or an external RADIUS server that you provide. The D-Link DWL-2210AP embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.

If you use your own RADIUS server, you have the option of using any of a variety of authentication methods that the IEEE 802.1x mode supports, including certificates, Kerberos, and public key authentication. Keep in mind, however, that the client stations must be configured to use the same authentication method being used by the access point.

If you selected "IEEE 802.1x" Security Mode, provide the following:

Field
Description
Authentication Server
Select one of the following from the drop-down menu:
  • Built-in - To use the authentication server provided with the D-Link DWL-2210AP. If you choose this option, you do not have to provide the Radius IP and Radius Key; they are automatically provided.
  • External - To use an external authentication server. If you choose this option you must supply a Radius IP and Radius Key of the server you want to use.
Note: The RADIUS server is identified by its IP address and the UDP port numbers for the different services it provides. On the current release of the D-Link DWL-2210AP, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are not configurable. (The D-Link DWL-2210AP is hard-coded to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.)
Radius IP
Enter the Radius IP in the text box.
The Radius IP is the IP address of the RADIUS server.
(The D-Link DWL-2210AP internal authentication server is 127.0.0.1.)
For information on setting up user accounts, see Managing User Accounts.
Radius Key
Enter the Radius Key in the text box.
The Radius Key is the shared secret for the RADIUS server. The text you enter is displayed as "*" characters to prevent others from seeing the RADIUS key as you type.
(The D-Link DWL-2210AP internal authentication server uses the shared secret "secret".)
This value is never sent over the network; it is used to hide user passwords inside Access-Request packets and to authenticate the server's replies. An attacker who captures RADIUS traffic can test guesses against it offline, so use a long, random secret with an external server.
Enable RADIUS Accounting
Click "Enable RADIUS Accounting" if you want to track and measure the resources a particular user has consumed, such as system time, amount of data transmitted and received, and so on.

WPA with RADIUS

Wi-Fi Protected Access (WPA) with Remote Authentication Dial-In User Service (RADIUS) is a Wi-Fi Alliance subset of IEEE 802.11i, which includes the Temporal Key Integrity Protocol (TKIP), Counter mode with CBC-MAC Protocol (CCMP), and Advanced Encryption Standard (AES) mechanisms. This mode requires the use of a RADIUS server to authenticate users, and configuration of user accounts via the Cluster > Users tab.

When configuring WPA with RADIUS mode, you have a choice of whether to use the embedded RADIUS server or an external RADIUS server that you provide. The D-Link DWL-2210AP embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.

If you selected "WPA with RADIUS" Security Mode, provide the following:

Field
Description
Cipher Suites
Select the cipher you want to use from the drop-down menu:
  • TKIP
  • CCMP (AES)
  • Both
Temporal Key Integrity Protocol (TKIP) is the default.
TKIP provides a more secure encryption solution than static WEP keys. TKIP changes the per-packet encryption key far more often and ensures that the same key and initialization vector are not reused to encrypt data (the core weakness of WEP). TKIP uses a 128-bit "temporal key" shared by the client and the access point. The temporal key is mixed with the transmitter's MAC address and a 48-bit per-packet sequence counter to produce the RC4 key for each frame, so every station, and every frame, is encrypted under a different key. TKIP still uses RC4 for encryption, the same cipher as WEP, and adds a message integrity check against forgery; the temporal keys themselves are also rekeyed and redistributed every 10,000 packets, which greatly improves security over static WEP. Because TKIP retains RC4 and has since been deprecated by the IEEE 802.11 standard, choose CCMP (AES) whenever all your clients support it.
Counter mode with CBC-MAC Protocol (CCMP) is the encryption method defined by IEEE 802.11i that uses the Advanced Encryption Standard (AES). It applies AES in CCM mode, which combines counter (CTR) mode encryption with a cipher block chaining message authentication code (CBC-MAC) for message integrity.
When the cipher suite is set to "Both", both TKIP and CCMP (AES) clients can associate with the access point. Client stations configured to use WPA with RADIUS must use one of the selected cipher suites and must authenticate successfully through the RADIUS server before they can exchange traffic.
Clients not configured to use WPA with RADIUS will not be able to associate with the AP unless "Allow non-WPA Clients" is enabled.
Authentication Server
Select one of the following from the drop-down menu:
  • Built-in - To use the authentication server provided with the D-Link DWL-2210AP. If you choose this option, you do not have to provide the Radius IP and Radius Key; they are automatically provided.
  • External - To use an external authentication server. If you choose this option you must supply a Radius IP and Radius Key of the server you want to use.
Note: The RADIUS server is identified by its IP address and the UDP port numbers for the different services it provides. On the current release of the D-Link DWL-2210AP, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are not configurable. (The D-Link DWL-2210AP is hard-coded to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.)
Radius IP
Enter the Radius IP in the text box.
The Radius IP is the IP address of the RADIUS server.
(The D-Link DWL-2210AP internal authentication server is 127.0.0.1.)
For information on setting up user accounts, see Managing User Accounts.
Radius Key
Enter the Radius Key in the text box.
The Radius Key is the shared secret for the RADIUS server. The text you enter is displayed as "*" characters to prevent others from seeing the RADIUS key as you type.
(The D-Link DWL-2210AP internal authentication server uses the shared secret "secret".)
This value is never sent over the network; it is used to hide user passwords inside Access-Request packets and to authenticate the server's replies. An attacker who captures RADIUS traffic can test guesses against it offline, so use a long, random secret with an external server.
Key Type
Select the key type by clicking one of the radio buttons:
  • ASCII
  • HEX
Enable RADIUS Accounting
Click "Enable RADIUS Accounting" if you want to track and measure the resources a particular user has consumed, such as system time, amount of data transmitted and received, and so on. Accounting records usage; it does not change how stations are authenticated.
Allow non-WPA Clients
Click the "Allow non-WPA clients" checkbox if you want to let non-WPA (802.11), unauthenticated client stations use this access point. Leave this cleared unless you must support legacy clients: stations admitted this way are neither authenticated nor protected by WPA encryption, which undoes the protection this mode is meant to provide.
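The following Python example, added here and not part of the D-Link documentation or firmware, shows what the "Radius Key" in the IEEE 802.1x and WPA with RADIUS tables above is actually used for on the wire, following RFC 2865: the secret never appears in a packet, but it hides the User-Password attribute in the AP's Access-Request and authenticates every server reply through the Response Authenticator. The last function shows why the key must be long and random: anyone holding one captured request/response pair can test guesses offline. Nothing here opens a socket; packets are built and checked in memory (the AP itself would send them to UDP port 1812), and the user names, passwords and secrets are constructed sample values.

```python
"""RADIUS shared-secret mechanics per RFC 2865 (added example, not D-Link code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding; Length includes the 2-byte header."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes) -> dict:
    """Inverse of encode_attrs (one value per attribute type is enough here)."""
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """What the RADIUS server does; only a holder of the secret can undo the XOR."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # removes the padding (and any trailing NULs)


def access_request(ident: int, secret: bytes, username: bytes, password: bytes,
                   req_auth: bytes = None) -> bytes:
    """Build the Access-Request the AP sends for a user name/password credential."""
    req_auth = req_auth or os.urandom(16)  # must be unpredictable for every request
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes,
                           secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """The server's reply when the credential checks out."""
    ident, req_auth = request[1], request[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, req_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """The AP's check: matching Identifier and a Response Authenticator that only
    a holder of the same secret could have produced."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    return ident == request[1] and hmac.compare_digest(response[4:20], expected)


def guess_secret(request: bytes, response: bytes, candidates):
    """Offline attack on one captured pair: a short or dictionary secret falls quickly."""
    for cand in candidates:
        if verify_response(request, response, cand):
            return cand
    return None
```

The same Radius IP / Radius Key pair is used whether the mode is IEEE 802.1x or WPA with RADIUS, so the consequences are identical: the key protects the user credentials in transit and is the only thing that stops a forged Access-Accept from being accepted by the AP.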

WPA-PSK

Wi-Fi Protected Access (WPA) with Pre-Shared Key (PSK) is a Wi-Fi Alliance subset of IEEE 802.11i, which includes the Temporal Key Integrity Protocol (TKIP), Advanced Encryption Standard (AES), and Counter mode with CBC-MAC Protocol (CCMP) mechanisms. Instead of a RADIUS server, PSK uses a pre-shared key derived from a passphrase that is configured on the access point and on every client. The pre-shared key is used only to authenticate the station and to derive fresh per-session encryption keys during the WPA handshake; it is not itself used to encrypt traffic.

If you selected "WPA-PSK" Security Mode, provide the following:

Field
Description
Cipher Suites
Select the cipher you want to use from the drop-down menu:
  • TKIP
  • CCMP (AES)
  • Both
Temporal Key Integrity Protocol (TKIP) is the default.
TKIP provides a more secure encryption solution than static WEP keys. TKIP changes the per-packet encryption key far more often and ensures that the same key and initialization vector are not reused to encrypt data (the core weakness of WEP). TKIP uses a 128-bit "temporal key" shared by the client and the access point. The temporal key is mixed with the transmitter's MAC address and a 48-bit per-packet sequence counter to produce the RC4 key for each frame, so every station, and every frame, is encrypted under a different key. TKIP still uses RC4 for encryption, the same cipher as WEP, and adds a message integrity check against forgery; the temporal keys themselves are also rekeyed and redistributed every 10,000 packets, which greatly improves security over static WEP. Because TKIP retains RC4 and has since been deprecated by the IEEE 802.11 standard, choose CCMP (AES) whenever all your clients support it.
Counter mode with CBC-MAC Protocol (CCMP) is the encryption method defined by IEEE 802.11i that uses the Advanced Encryption Standard (AES). It applies AES in CCM mode, which combines counter (CTR) mode encryption with a cipher block chaining message authentication code (CBC-MAC) for message integrity.
When the cipher suite is set to "Both", both TKIP and CCMP (AES) clients can associate with the access point. WPA-PSK clients must be configured with the same pre-shared key and one of the selected cipher suites:
  • TKIP
  • CCMP (AES)
Clients not configured to use WPA-PSK will not be able to associate with the AP.
Key
The Pre-shared Key is the shared secret for WPA-PSK. Enter a string of at least 8 and at most 63 characters. Because the pre-shared key is derived from this passphrase, and an attacker who captures a WPA handshake can test passphrase guesses offline, use a long random passphrase rather than a word or phrase that appears in a dictionary.
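The following Python example is added here and is not part of the D-Link documentation; it shows what the 8 to 63 character "Key" above becomes. IEEE 802.11i derives the 256-bit pre-shared key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), and the test vector (passphrase "password", SSID "IEEE") is the one published in the standard's annex. Two consequences the table does not spell out: the SSID acts as the salt, so the same passphrase gives different keys on different networks (and common default SSIDs make precomputed tables possible); and the iteration count only slows a guesser by a constant factor, so passphrase entropy is what protects the network. The candidate list in the last function is a constructed sample.

```python
"""WPA-PSK derivation from the configured passphrase (added example, not D-Link code)."""
import hashlib
from typing import Iterable, Optional


def is_valid_passphrase(passphrase: str) -> bool:
    """The AP accepts 8 to 63 characters; 802.11i restricts them to printable ASCII."""
    if not 8 <= len(passphrase) <= 63:
        return False
    return all(32 <= ord(c) <= 126 for c in passphrase)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte PSK that both the AP and the station compute from the
    passphrase; it serves as the pairwise master key in the WPA handshake."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("WPA-PSK passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def offline_guess(ssid: str, target_psk: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Cost model of an offline attack: each candidate costs one PBKDF2 run.
    A real attacker checks candidates against a captured handshake rather than
    a known PSK, but the work per guess is the same."""
    for cand in candidates:
        if is_valid_passphrase(cand) and wpa_psk(cand, ssid) == target_psk:
            return cand
    return None


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())
    # Same passphrase, different network name: different key.
    print(wpa_psk("password", "IEEE") == wpa_psk("password", "dlink"))
```

Note that the 63-character limit exists because a 64-character value is interpreted by many devices as the raw 256-bit key in hex rather than as a passphrase; this access point takes only the passphrase form.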

Updating Settings

To apply your changes, click Update.



Copyright © 2004 D-Link Systems, Inc. All Rights Reserved.