ZyXEL NWA1123-NI User Guide - Page 196

Appendix E Wireless LANs

NWA1120 Series User’s Guide

196

Encryption

WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity

Check (MIC) and IEEE 802.1x. WPA2 also uses TKIP when required for compatibility reasons, but

offers stronger encryption than TKIP with Advanced Encryption Standard (AES) in the Counter

mode with Cipher block chaining Message authentication code Protocol (CCMP).

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server.

AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm

called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check

(MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying

mechanism.

WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is

never used twice.

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key

hierarchy and management system, using the PMK to dynamically generate unique data encryption

keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless

clients. This all happens in the background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets,

altering them and resending them. The MIC provides a strong mathematical function in which the

receiver and the transmitter each compute and then compare the MIC. If they do not match, it is

assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity

checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi

network than WEP and difficult for an intruder to break into the network.

The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference

between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific

credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force

password-guessing attacks but it’s still an improvement over WEP as it employs a consistent,

single, alphanumeric password to derive a PMK which is used to generate unique temporal

encryption keys. This prevent all wireless devices sharing the same encryption keys. (a weakness of

WEP)

User Authentication

WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate

wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange

messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a

network. Other WPA2 authentication features that are different from WPA include key caching and

pre-authentication. These two features are optional and may not be supported in all wireless

devices.

Key caching allows a wireless client to store the PMK it derived through a successful authentication

with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not

need to go with the authentication process again.

Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an

AP) to perform IEEE 802.1x authentication with another AP before connecting to it.

Section	Page
NWA1120 Series	1
Contents Overview	3
Table of Contents	5
User’s Guide	9
Introducing the NWA	11
1.1 Introducing the NWA	11
1.1.1 Dual-Band	12
1.2 Wireless Modes	12
1.2.1 MBSSID	12
1.2.2 Wireless Client	13
1.2.3 Root AP	15
1.2.4 Repeater	15
1.3 Ways to Manage the NWA	16
1.4 Configuring Your NWA’s Security Features	17
1.4.1 Control Access to Your Device	17
1.4.2 Wireless Security	17
1.5 Good Habits for Managing the NWA	17
1.6 Hardware Connections	18
1.7 LED	18
Introducing the Web Configurator	19
2.1 Accessing the Web Configurator	19
2.2 Resetting the NWA	20
2.2.1 Methods of Restoring Factory-Defaults	21
2.3 Navigating the Web Configurator	22
2.3.1 Title Bar	22
2.3.2 Navigation Panel	23
2.3.3 Main Window	24
Dashboard	25
3.1 The Dashboard Screen	25
Tutorial	29
4.1 How to Configure the Wireless LAN	29
4.1.1 Choosing the Wireless Mode	29
4.1.2 Further Reading	29
4.2 How to Configure Multiple Wireless Networks	29
4.2.1 Configure the SSID Profiles	31
4.2.2 Configure the Standard Network	33
4.2.3 Configure the VoIP Network	34
4.2.4 Configure the Guest Network	36
4.2.5 Testing the Wireless Networks	38
4.3 NWA Setup in AP and Wireless Client Modes	38
4.3.1 Scenario	38
4.3.2 Configuring the NWA in MBSSID or Root AP Mode	39
4.3.3 Configuring the NWA in Wireless Client Mode	42
4.3.4 MAC Filter Setup	44
4.3.5 Testing the Connection and Troubleshooting	45
Technical Reference	47
Monitor	49
5.1 Overview	49
5.2 What You Can Do	49
5.3 View Logs	49
5.4 Statistics	50
5.5 Association List	51
5.6 Channel Usage	52
Wireless LAN	55
6.1 Overview	55
6.2 What You Can Do in this Chapter	55
6.3 What You Need To Know	56
6.4 Wireless Settings Screen	60
6.4.1 Root AP Mode	61
6.4.2 Repeater Mode	65
6.4.3 Wireless Client Mode	68
6.4.4 MBSSID Mode	71
6.5 SSID Screen	74
6.5.1 Configuring SSID	75
6.6 Wireless Security Screen	76
6.6.1 Security: WEP	78
6.6.2 Security: WPA, WPA2, WPA2-MIX	79
6.6.3 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX	81
6.7 RADIUS Screen	82
6.8 Layer-2 Isolation	84
6.8.1 Layer-2 Isolation Screen	85
6.9 MAC Filter Screen	86
6.10 Technical Reference	88
6.10.1 Additional Wireless Terms	89
6.10.2 WMM QoS	89
6.10.3 Security Mode Guideline	90
LAN	91
7.1 Overview	91
7.2 What You Can Do in this Chapter	91
7.3 What You Need to Know	91
7.4 LAN IP Screen	93
VLAN	95
8.1 Overview	95
8.1.1 What You Can Do in This Chapter	95
8.2 What You Need to Know	95
8.3 VLAN Screen	96
System	97
9.1 Overview	97
9.2 What You Can Do in this Chapter	97
9.3 What You Need To Know	98
9.4 WWW Screen	100
9.5 Certificates Screen	101
9.6 Telnet Screen	102
9.7 SNMP Screen	104
9.8 FTP Screen	106
9.9 Technical Reference	107
9.9.1 MIB	107
9.9.2 Supported MIBs	108
9.9.3 Private-Public Certificates	108
9.9.4 Certification Authorities	108
9.9.5 Checking the Fingerprint of a Certificate on Your Computer	109
Log Settings	111
10.1 Overview	111
10.2 What You Can Do in this Chapter	111
10.3 What You Need To Know	112
10.4 Log Settings Screen	112
Maintenance	115
11.1 Overview	115
11.2 What You Can Do in this Chapter	115
11.3 What You Need To Know	116
11.4 General Screen	116
11.5 Password Screen	117
11.6 Time Screen	118
11.7 Firmware Upgrade Screen	119
11.8 Configuration File Screen	120
11.8.1 Backup Configuration	120
11.8.2 Restore Configuration	120
11.8.3 Back to Factory Defaults	121
11.9 Restart Screen	121
Troubleshooting	123
12.1 Power, Hardware Connections, and LEDs	123
12.2 NWA Access and Login	124
12.3 Internet Access	125
12.4 Wireless LAN	126
Setting Up Your Computer’s IP Address	129
Pop-up Windows, JavaScript and Java Permissions	157
IP Addresses and Subnetting	169
IPv6	177
Wireless LANs	187
Legal Information	201

ZyXEL NWA1123-NI User Guide - Page 196

Encryption, User Authentication

Page 196 highlights