
Configuring Security
For a more detailed explanation of security concepts, including a comparison of the advantages and disadvantages of the different security modes and suggestions on which mode to use, see Understanding Security Issues on Wireless Networks in the Administrator Guide.
See also the related topic, Appendix A: "Configuring Security Settings on Wireless Clients", in the Administrator Guide.
The following configuration information explains how to configure security modes on the access point. Keep in mind that each wireless client that wants to exchange data with the access point must be configured with the same security mode and with encryption key settings that match the access point's security configuration.
Notes
Security modes other than Plain-text apply only to configuration of the "Internal" network. On the "Guest" network, you can use only Plain-text mode. (For more information about guest networks, see Setting up Guest Access.)
Broadcast SSID and Security Mode
To configure security on the access point, select a security mode and fill in the related fields as described below. (You can also allow or prohibit the Broadcast SSID as an extra precaution, as described under Broadcast SSID.)
Broadcast SSID
Select the Broadcast SSID setting by clicking the "Allow" or "Prohibit" radio button. By default, the access point broadcasts (allows) the Service Set Identifier (SSID) in its beacon frames. You can suppress (prohibit) this broadcast to discourage stations from automatically discovering your access point. When the AP's broadcast SSID is suppressed, the network name is not displayed in the List of Available Networks on a client station; instead, the client must have the exact network name configured in its supplicant before it can connect. Suppressing the SSID is not a substitute for encryption: the network name is still carried in clear text in probe and association frames whenever a configured client connects.
Security Mode
Select one of the following security modes:
- Plain-text
- Static WEP
- IEEE 802.1x
- WPA with RADIUS
- WPA-PSK
Security modes other than Plain-text apply only to configuration of the "Internal" network; on the Guest network, you can use only Plain-text mode. (For more information, see Setting up Guest Access.)
Plain-text
Plain Text means any data transferred to and from the D-Link DWL-2210AP is not encrypted.
There are no further options for "Plain-text" mode.
Guest Network
Plain-text mode is the only mode in which you can run the Guest network, which is by definition an easily accessible, unsecured LAN that is always virtually or physically separated from any sensitive information on the Internal LAN. For example, the guest network might simply provide Internet and printer access for day visitors.
The absence of security on the Guest AP is designed to make it as easy as possible for guests to get a connection without having to program any security settings in their clients.
For a minimum level of protection on a guest network, you can choose to suppress (prohibit) the broadcast of the SSID (network name) to discourage client stations from automatically discovering your access point. (See also Does Prohibiting the Broadcast SSID Enhance Security? in the Administrator Guide.)
For more about the Guest network, see Setting up Guest Access.
Static WEP
Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. All wireless stations and access points on the network are configured with a static 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit secret key + 24-bit IV) shared key for data encryption.
You cannot mix 64-bit and 128-bit WEP keys between the access point and its client stations.
Because the secret key never changes and the IV is only 24 bits, a passive listener who captures enough traffic can recover WEP keys; use Static WEP only for clients that cannot support WPA, and see Understanding Security Issues on Wireless Networks in the Administrator Guide for a comparison of the modes.
If you selected "Static WEP" Security Mode, provide the following on the access point settings:
Transfer Key Index
Select a key index from the drop-down menu. Key indexes 1 through 4 are available. The default is 1. The Transfer Key Index indicates which WEP key the access point will use to encrypt the data it transmits.
Key Length
Specify the length of the key by clicking one of the radio buttons: 64 bits or 128 bits.
Key Type
Select the key type by clicking one of the radio buttons: ASCII or HEX.
Characters Required
Indicates the number of characters required in the WEP key. The number updates automatically based on how you set Key Length and Key Type: a 64-bit key needs 5 ASCII characters or 10 hexadecimal digits (the 40 secret-key bits), and a 128-bit key needs 13 ASCII characters or 26 hexadecimal digits (the 104 secret-key bits).
WEP Keys
You can specify up to four WEP keys. In each text box, enter a string of characters for each key. If you selected "ASCII", enter any combination of the digits 0-9 and the letters a-z and A-Z. If you selected "HEX", enter hexadecimal digits (any combination of 0-9 and a-f or A-F). Use the same number of characters for each key as specified in the "Characters Required" field. These are the RC4 WEP keys shared with the stations using the access point. Each client station must be configured to use one of these same WEP keys in the same slot as specified here on the AP. (See Rules to Remember for Static WEP.)
Authentication Algorithm
The authentication algorithm defines the method used to determine whether a client station is allowed to associate with the access point when Static WEP is the security mode. Specify the authentication algorithm you want to use by choosing one of the following from the drop-down menu:
- Open System authentication allows any client station to associate with the access point, whether or not that station has the correct WEP key. This algorithm is also used in Plain-text, IEEE 802.1x, and WPA modes. Note that being allowed to associate does not mean a station can exchange traffic with the access point: a station must have the correct WEP key to decrypt data from the access point and to transmit data the access point can decrypt.
- Shared Key authentication requires the client station to have the correct WEP key in order to associate with the access point. When the authentication algorithm is set to "Shared Key", a station with an incorrect WEP key will not be able to associate. Be aware that the Shared Key challenge-response sends a plaintext challenge and its WEP-encrypted form over the air, which hands an eavesdropper RC4 keystream for that IV; Open System is usually the better choice even with WEP.
- Both is the default. When the authentication algorithm is set to "Both", client stations configured to use WEP in shared key mode must have a valid WEP key in order to associate with the access point, and client stations configured to use WEP as an open system (shared key mode not enabled) will be able to associate with the access point even if they do not have the correct WEP key.
Rules to Remember for Static WEP
- All client stations must have the Wireless LAN (WLAN) security set to WEP, and all clients must have one of the WEP keys specified on the AP in order to decode AP-to-station data transmissions.
- The AP must have all keys used by clients for station-to-AP transmissions so that it can decode the station transmissions.
- The same key must occupy the same slot on all nodes (AP and clients). For example, if the AP defines abc123key as WEP key 3, then the client stations must define that same string as WEP key 3.
- On some wireless client software (such as Funk Odyssey), you can configure multiple WEP keys and define a client station "transfer key index", and then set the stations to encrypt the data they transmit using different keys. This ensures that neighboring APs cannot decode each other's transmissions.
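The following is an added example, not D-Link code or anything shipped with the DWL-2210AP: a minimal WEP-style frame encryption in pure Python, used to show concretely why a static key behind a 24-bit IV is weak, which is the weakness the WPA modes below were designed to fix. RC4 and the CRC-32 ICV follow the IEEE 802.11-1999 WEP construction; the key abc12, the IV and the frame payloads are constructed for this example, and the code is not a validated WEP implementation.

```python
"""
Added example (not D-Link's code): WEP frame encryption and the keystream
reuse that a 24-bit IV makes inevitable. Key, IV and payloads are constructed.
"""
import struct
import zlib

IV_SPACE = 2 ** 24   # a 24-bit IV gives only 16,777,216 distinct keystreams per static key


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation, XORed with the data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC-32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(secret_key: bytes, iv: bytes, key_index: int, plaintext: bytes) -> bytes:
    """Frame body = IV(3) | KeyID(1) | RC4(IV || secret_key, plaintext || ICV).
    secret_key is the 5-byte (64-bit WEP) or 13-byte (128-bit WEP) static key."""
    if len(iv) != 3 or len(secret_key) not in (5, 13) or not 0 <= key_index <= 3:
        raise ValueError("bad IV, key length or key index")
    return iv + bytes([key_index << 6]) + rc4(iv + secret_key, plaintext + _icv(plaintext))


def wep_decrypt(secret_key: bytes, frame: bytes) -> bytes:
    """Decrypt with the static key and verify the ICV."""
    iv, body = frame[:3], frame[4:]
    data = rc4(iv + secret_key, body)
    plaintext, icv = data[:-4], data[-4:]
    if icv != _icv(plaintext):
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return plaintext


def keystream_reuse_attack(known_frame: bytes, known_plaintext: bytes, target_frame: bytes) -> bytes:
    """No key needed: two frames under the same static key and the same IV are
    XORed with the same RC4 keystream, so one known plaintext recovers the
    keystream for that IV and decrypts the other frame."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("different IVs: the keystreams differ")
    if len(known_plaintext) < len(target_frame) - 8:
        raise ValueError("known frame too short to cover the target")
    keystream = bytes(c ^ p for c, p in zip(known_frame[4:], known_plaintext + _icv(known_plaintext)))
    recovered = bytes(c ^ k for c, k in zip(target_frame[4:], keystream))
    return recovered[:-4]  # drop the target's ICV


def demo() -> bytes:
    key = b"abc12"               # 5 ASCII characters = 40-bit secret key (64-bit WEP)
    iv = b"\x00\x00\x01"         # a card that counts IVs sequentially reuses this after IV_SPACE frames
    known_plain = b"GET /admin HTTP/1.1"
    f1 = wep_encrypt(key, iv, 1, known_plain)
    f2 = wep_encrypt(key, iv, 1, b"PUT /cfg   HTTP/1.1")
    return keystream_reuse_attack(f1, known_plain, f2)


if __name__ == "__main__":
    print(demo())
```

The point of the example is the last function: nothing about the static key was guessed, only the fact that an IV repeated. On a busy network a sequential-IV card wraps the 24-bit counter in hours, and randomly chosen IVs collide far sooner by the birthday bound, which is why the WPA modes below replace the static key with per-session, per-packet keys.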
IEEE 802.1x
IEEE 802.1x is the standard defining port-based authentication and an infrastructure for key management. Extensible Authentication Protocol (EAP) messages are sent over the IEEE 802.11 wireless network using a protocol called EAP Encapsulation Over LANs (EAPOL). IEEE 802.1x provides dynamically generated keys that are periodically refreshed. In this mode an RC4 stream cipher is used to encrypt the frame body and the cyclic redundancy check (CRC) of each 802.11 frame, that is, WEP framing with per-session keys rather than a static key.
This mode requires the use of a RADIUS server to authenticate users, and configuration of user accounts via the Cluster > Users tab.
The access point requires a RADIUS server capable of EAP, such as the Microsoft Internet Authentication Server or the D-Link DWL-2210AP internal authentication server. To work with Windows clients, the authentication server must support Protected EAP (PEAP) and MSCHAP V2.
When configuring IEEE 802.1x mode, you can choose between the embedded RADIUS server and an external RADIUS server that you provide. The D-Link DWL-2210AP embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.
If you use your own RADIUS server, you can use any of the authentication methods that IEEE 802.1x supports, including certificates, Kerberos, and public key authentication. Keep in mind, however, that the client stations must be configured to use the same authentication method as the access point.
If you selected "IEEE 802.1x" Security Mode, provide the following:
Authentication Server
Select one of the following from the drop-down menu:
- Built-in - To use the authentication server provided with the D-Link DWL-2210AP. If you choose this option, you do not have to provide the Radius IP and Radius Key; they are supplied automatically.
- External - To use an external authentication server. If you choose this option, you must supply the Radius IP and Radius Key of the server you want to use.
Note: The RADIUS server is identified by its IP address and by the UDP port numbers for the different services it provides. On the current release of the D-Link DWL-2210AP, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are not configurable: the access point is hard-coded to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.
Radius IP
Enter the Radius IP in the text box. The Radius IP is the IP address of the RADIUS server. (The D-Link DWL-2210AP internal authentication server is 127.0.0.1.) For information on setting up user accounts, see Managing User Accounts.
Radius Key
Enter the Radius Key in the text box. The Radius Key is the shared secret for the RADIUS server. The text you enter is displayed as "*" characters to prevent others from seeing the RADIUS key as you type. (The D-Link DWL-2210AP internal authentication server key is secret.) This value is never sent over the network; it is used only to protect and verify the RADIUS packets exchanged with the server. If you use an external server, choose a long random shared secret rather than the built-in default.
Enable RADIUS Accounting
Select "Enable RADIUS Accounting" if you want to track and measure the resources a particular user has consumed, such as system time and the amount of data transmitted and received.
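The following is an added example, not D-Link code or the DWL-2210AP's own implementation, showing how the Radius Key is used without ever being transmitted, which is what "This value is never sent over the network" means in practice. It follows RFC 2865: the shared secret masks the User-Password attribute in the Access-Request and keys the MD5 Response Authenticator that the access point checks on the server's reply. The user name, password and packets are constructed in memory; nothing is sent to port 1812.

```python
"""
Added example (not D-Link's code): RFC 2865 use of the RADIUS shared secret.
The Access-Request, the server reply and the credentials are constructed here.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813   # hard-coded on the DWL-2210AP


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length including the 2-byte header, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret || previous block), seeded with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret: bytes, ident: int, request_auth: bytes,
                         username: bytes, password: bytes) -> bytes:
    """Access-Request as the access point sends it. The secret shows up only
    through the password mask; the Request Authenticator is fresh per request."""
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(secret: bytes, code: int, ident: int, request_auth: bytes,
                   attrs: bytes = b"") -> bytes:
    """Server reply. Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret: bytes, request_auth: bytes, response: bytes) -> bool:
    """What the access point does with the reply: recompute the authenticator
    with its own copy of the secret. A forged reply, a reply bound to a different
    request, or a mismatched secret on either side fails this check."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo():
    secret = b"secret"                      # the built-in server's default key
    request_auth = os.urandom(16)
    req = build_access_request(secret, 7, request_auth, b"alice", b"Tr0ub4dor&3")
    hidden = req[20 + 2 + len(b"alice") + 2:]   # skip header, authenticator, User-Name TLV
    assert reveal_password(secret, request_auth, hidden) == b"Tr0ub4dor&3"
    accept = build_response(secret, ACCESS_ACCEPT, 7, request_auth)
    return (verify_response(secret, request_auth, accept),
            verify_response(b"wrong-secret", request_auth, accept))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Two practical consequences follow from the code. A mistyped Radius Key on either side does not produce an error message from the server; the access point simply discards every reply as unverifiable, so an "external server never answers" symptom is often a secret mismatch. And the Access-Request itself carries no integrity protection from the secret unless a Message-Authenticator attribute (RFC 2869) is added, which is one reason RADIUS traffic to an external server belongs on a trusted management network.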
WPA with RADIUS
Wi-Fi Protected Access (WPA) with Remote Authentication Dial-In User Service (RADIUS) is a Wi-Fi Alliance subset of IEEE 802.11i, which includes the Temporal Key Integrity Protocol (TKIP), Counter mode/CBC-MAC Protocol (CCMP), and Advanced Encryption Standard (AES) mechanisms. This mode requires the use of a RADIUS server to authenticate users, and configuration of user accounts via the Cluster > Users tab.
When configuring WPA with RADIUS mode, you have a choice of whether to use the embedded RADIUS server or an external RADIUS server that you provide. The D-Link DWL-2210AP embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.
If you selected "WPA with RADIUS" Security Mode, provide the following:
Cipher Suites
Select the cipher you want to use from the drop-down menu: TKIP, CCMP (AES), or Both. TKIP is the default.
- Temporal Key Integrity Protocol (TKIP) provides a more secure encryption solution than static WEP keys. TKIP changes the encryption key far more frequently and ensures that the same key is not re-used to encrypt data (a weakness of WEP). TKIP uses a 128-bit "temporal key" shared by clients and access points. The temporal key is mixed with the transmitter's MAC address and a 48-bit per-packet sequence counter (the TKIP IV) to produce the key that encrypts each packet, so each client station, and each packet, uses a different key. TKIP uses RC4 to perform the encryption, the same cipher as WEP, but changes temporal keys every 10,000 packets and distributes the new keys, greatly improving on WEP.
- Counter mode/CBC-MAC Protocol (CCMP) is the IEEE 802.11i encryption method based on the Advanced Encryption Standard (AES). It uses AES in CCM mode, which combines Counter mode (CTR) for encryption with a Cipher Block Chaining Message Authentication Code (CBC-MAC) for message integrity.
- Both allows both TKIP and CCMP (AES) clients to associate with the access point.
Client stations must be configured to use WPA with RADIUS and one of the cipher suites the access point allows in order to associate; clients not configured to use WPA with RADIUS will not be able to associate with the AP.
Authentication Server
Select one of the following from the drop-down menu:
- Built-in - To use the authentication server provided with the D-Link DWL-2210AP. If you choose this option, you do not have to provide the Radius IP and Radius Key; they are supplied automatically.
- External - To use an external authentication server. If you choose this option, you must supply the Radius IP and Radius Key of the server you want to use.
Note: The RADIUS server is identified by its IP address and by the UDP port numbers for the different services it provides. On the current release of the D-Link DWL-2210AP, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are not configurable: the access point is hard-coded to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.
Radius IP
Enter the Radius IP in the text box. The Radius IP is the IP address of the RADIUS server. (The D-Link DWL-2210AP internal authentication server is 127.0.0.1.) For information on setting up user accounts, see Managing User Accounts.
Radius Key
Enter the Radius Key in the text box. The Radius Key is the shared secret for the RADIUS server. The text you enter is displayed as "*" characters to prevent others from seeing the RADIUS key as you type. (The D-Link DWL-2210AP internal authentication server key is secret.) This value is never sent over the network.
Enable RADIUS Accounting
Select "Enable RADIUS Accounting" if you want to track and measure the resources a particular user has consumed, such as system time and the amount of data transmitted and received. See also Managing User Accounts.
Allow non-WPA Clients
Controls whether client stations that are not configured for WPA may associate with the access point.
WPA-PSK
Wi-Fi Protected Access (WPA) with Pre-Shared Key (PSK) is a Wi-Fi Alliance subset of IEEE 802.11i, which includes the Temporal Key Integrity Protocol (TKIP), Advanced Encryption Standard (AES), and Counter mode/CBC-MAC Protocol (CCMP) mechanisms. PSK employs a pre-shared key, which is used for an initial check of credentials only; the per-session encryption keys are derived from it when a client associates.
If you selected "WPA-PSK" Security Mode, provide the following:
Cipher Suites
Select the cipher you want to use from the drop-down menu: TKIP, CCMP (AES), or Both. TKIP is the default. The cipher suites are the same as for WPA with RADIUS:
- Temporal Key Integrity Protocol (TKIP) uses RC4, as WEP does, but with a 128-bit temporal key mixed with the transmitter's MAC address and a 48-bit per-packet sequence counter, so the same key is never re-used to encrypt data (a weakness of WEP); temporal keys are changed every 10,000 packets and redistributed.
- Counter mode/CBC-MAC Protocol (CCMP) is the IEEE 802.11i method based on the Advanced Encryption Standard (AES) in CCM mode, combining Counter mode (CTR) for encryption with CBC-MAC for message integrity.
- Both allows both TKIP and CCMP (AES) clients to associate with the access point.
WPA clients must be configured to use WPA-PSK and one of the cipher suites the access point allows in order to associate; clients not configured to use WPA-PSK will not be able to associate with the AP.
Key
The Pre-shared Key is the shared secret for WPA-PSK. Enter a string of at least 8 and at most 63 characters. Both the access point and every client derive their keying material from this passphrase together with the SSID, and anyone who captures a client's association handshake can test guesses against it offline, so use a long, random passphrase rather than a word or a short phrase.
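The following is an added example, not D-Link code or anything from the DWL-2210AP firmware, showing what both ends do with the 8-to-63-character pre-shared key. IEEE 802.11i derives a 256-bit Pairwise Master Key as PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, for 4096 iterations; the "password"/"IEEE" pair is the standard's published test vector. The offline_guess function and its word list are constructed for this example to show why the length rule on its own is not enough: the derivation is public and deterministic, so an attacker with captured handshake material can test candidate passphrases without ever contacting the access point.

```python
"""
Added example (not D-Link's code): WPA-PSK passphrase validation and the
802.11i PMK derivation, plus the offline guessing loop it exposes.
"""
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096
PMK_LEN = 32   # 256-bit Pairwise Master Key


def validate_passphrase(passphrase: str) -> bytes:
    """The AP's form rule (at least 8, at most 63 characters) plus the 802.11i
    requirement that passphrase characters be printable ASCII."""
    try:
        data = passphrase.encode("ascii")
    except UnicodeEncodeError:
        raise ValueError("WPA-PSK passphrase must be ASCII") from None
    if not 8 <= len(data) <= 63:
        raise ValueError("WPA-PSK passphrase must be 8 to 63 characters")
    if any(not 32 <= b <= 126 for b in data):
        raise ValueError("WPA-PSK passphrase must be printable ASCII")
    return data


def is_valid_passphrase(passphrase: str) -> bool:
    try:
        validate_passphrase(passphrase)
        return True
    except ValueError:
        return False


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is the salt, so the same passphrase gives a different PMK on a
    network with a different name."""
    return hashlib.pbkdf2_hmac("sha1", validate_passphrase(passphrase),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def offline_guess(candidates, ssid: str, captured_pmk: bytes):
    """Dictionary-attack sketch: anything that lets an attacker confirm a PMK
    (a captured 4-way handshake, for instance) reduces to this loop. Returns
    the matching passphrase or None. Candidates the AP would have rejected
    as too short or too long are skipped."""
    for candidate in candidates:
        try:
            pmk = derive_pmk(candidate, ssid)
        except ValueError:
            continue
        if hmac.compare_digest(pmk, captured_pmk):
            return candidate
    return None


def demo():
    ssid = "IEEE"
    weak_pmk = derive_pmk("password", ssid)                        # 802.11i Annex H test vector
    wordlist = ["letmein", "password1", "password", "welcome1"]    # constructed for this example
    return weak_pmk.hex(), offline_guess(wordlist, ssid, weak_pmk)


if __name__ == "__main__":
    print(demo())
```

The 4096 iterations make each guess cost about 8192 SHA-1 operations, which slows a dictionary run but does not stop it; the defence the form cannot enforce for you is passphrase entropy, and a 63-character random string is the only setting here that makes offline_guess hopeless.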
Updating Settings
To apply your changes, click Update.