Home » ZyXEL Manuals » Networking » ZyXEL P-330W » Manual Viewer

ZyXEL P-330W User Guide - Page 59

Introduction to WPA

Get ZyXEL P-330W PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 59 highlights

ZyXEL P-330W User's Guide 5.7.4 Introduction to WPA Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft. Key differences between WPA and WEP are user authentication and improved data encryption. 5.7.4.1 User Authentication WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. See later in this chapter and the appendices for more information on IEEE 802.1x, RADIUS and EAP. Your wireless client will need to be able to support 802.1x authentication to use RADIUS authentication. Therefore, if you don't have an external RADIUS server you should use WPA-PSK (WPA Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a client will be granted access to a WLAN. 5.7.4.2 Encryption WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically. The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi network than WEP, making it difficult for an intruder to break into the network. The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA-PSK susceptible to brute-force password-guessing attacks but it's still an improvement over WEP as it employs an easier-touse, consistent, single, alphanumeric password. 59 Chapter 5 Wireless

Section	Page
User’s Guide	1
Copyright	2
Disclaimer	2
Trademarks	2
Federal Communications Commission (FCC) Interference Statement	3
Notice 1	3
Certifications	3
ZyXEL Limited Warranty	4
Note	4
Safety Warnings	4
Customer Support	5
Table of Contents	6
List of Figures	12
List of Tables	16
Preface	18
About This User's Guide	18
Related Documentation	18
User Guide Feedback	18
Syntax Conventions	18
Graphics Icons Key	19
Getting to Know Your P-330W	20
1.1 P-330W Internet Security Gateway Overview	20
1.2 P-330W Features	20
1.2.1 Physical Features	20
1.2.1.1 10/100M Auto-negotiating Ethernet/Fast Ethernet Interface(s)	20
1.2.1.2 Auto-crossover 10/100 Mbps Ethernet Interface(s)	20
1.2.1.3 4-Port Switch	20
1.2.1.4 Time and Date	21
1.2.1.5 Reset Button	21
1.2.2 Removable Antenna	21
1.2.3 Non-Physical Features	21
1.2.3.1 Firewall	21
1.2.3.2 802.11b Wireless LAN Standard	21
1.2.3.3 802.11g Wireless LAN Standard	22
1.2.3.4 Packet Filtering	22
1.2.3.5 Universal Plug and Play (UPnP)	22
1.2.3.6 PPPoE	22
1.2.3.7 PPTP Encapsulation	22
1.2.3.8 Dynamic DNS Support	22
1.2.3.9 Network Address Translation (NAT)	23
1.2.3.10 Port Forwarding	23
1.2.3.11 DHCP (Dynamic Host Configuration Protocol)	23
1.2.3.12 Logging and Tracing	23
1.2.3.13 Wireless Association List	23
1.3 Applications for the P-330W	23
1.3.1 Secure Broadband Internet Access via Cable or DSL Modem	23
1.3.2 Internet Access Application	24
Introducing the Web Configurator	26
2.1 Web Configurator Overview	26
2.2 Accessing the P-330W Web Configurator	26
2.2.0.1 Resetting the P-330W	26
2.2.1 Navigating the P-330W Web Configurator	27
2.2.2 Navigation Panel	27
Wizard Setup	30
3.1 Wizard Setup Overview	30
3.2 Wizard Setup: Screen 2	30
3.2.1 DHCP Client	30
3.2.2 Static IP	30
3.2.3 PPPoE Encapsulation	31
3.2.4 PPTP Encapsulation	32
3.2.5 L2TP Encapsulation	33
3.3 Wizard Setup: Screen 3	34
3.4 Wizard Setup: Screen 4	35
3.4.1 No Encryption	36
3.4.2 WEP Encryption	36
3.4.3 WPA	37
3.4.4 WPA2 (AES)	37
3.4.5 WPA2 Mixed	38
3.5 Basic Setup Complete	39
System Screens	40
4.1 Setup Wizard	40
4.2 Operation Mode	40
4.3 LAN Overview	41
4.3.1 DHCP Setup	42
4.3.2 IP Pool Setup	42
4.3.3 System DNS Servers	42
4.3.4 LAN TCP/IP	42
4.3.5 Factory LAN Defaults	42
4.3.6 IP Address and Subnet Mask	42
4.3.7 Configuring IP	42
4.4 Configuring Password	44
4.5 Status Screen	44
Wireless	46
5.1 Wireless LAN Overview	46
5.1.1 IBSS	46
5.1.2 BSS	46
5.1.3 ESS	47
5.1.4 RTS/CTS	48
5.2 Configuring Wireless	49
5.3 Basic Settings	49
5.4 Wireless Advanced Settings	51
5.4.1 Authentication	51
5.4.2 Preamble Type	52
5.5 Site Survey	53
5.6 Wireless Security Overview	53
5.7 Security Parameters Summary	56
5.7.1 WEP Overview	56
5.7.2 Data Encryption	56
5.7.3 Configuring WEP Encryption	56
5.7.4 Introduction to WPA	59
5.7.4.1 User Authentication	59
5.7.4.2 Encryption	59
5.7.4.3 WPA-PSK Application Example	60
5.7.5 Introduction to WPA2	60
5.7.6 Configuring WPA-PSK Authentication	60
5.7.7 Introduction to RADIUS	62
5.7.7.1 Types of RADIUS Messages	62
5.7.7.2 Access-Challenge	62
5.7.7.3 Accounting-Request	62
5.7.7.4 Accounting-Response	62
5.7.7.5 EAP Authentication Overview	63
5.7.7.6 WPA with RADIUS Application Example	63
5.7.8 Configuring WPA Authentication	64
5.8 WDS Settings	66
5.9 Wireless Trusted Stations	67
Advanced Options	70
6.1 Access Control	70
6.2 Dynamic DNS	71
6.3 Configuring Dynamic DNS	72
6.4 DMZ	73
6.5 Virtual Servers (Port Forwarding)	73
6.5.0.1 Configuring Servers Behind SUA (Example)	74
6.5.1 Configuring Virtual Servers	75
6.6 Special Applications	76
6.7 WAN Port	77
6.7.1 Static IP Encapsulation	77
6.7.2 DHCP IP Encapsulation	79
6.7.3 PPPoE Encapsulation	80
6.7.4 PPTP Encapsulation	82
6.7.5 L2TP Encapsulation	84
6.8 Ping	86
6.9 DoS Setting	87
6.10 Diagnostics	88
Administrator Options	90
7.1 Remote Management	90
7.2 Configuration Screen	90
7.2.1 Backup Configuration	91
7.2.2 Restore Configuration	91
7.2.3 Back to Factory Defaults	92
7.3 Logs	92
7.4 IP Filtering	94
7.5 MAC Filtering	95
7.6 URL Filtering	95
7.7 Statistics	96
7.8 Time Zone Setting	96
7.9 Upgrade Firmware	97
Appendix A	100
PPPoE	100
PPPoE in Action	100
Benefits of PPPoE	100
Traditional Dial-up Scenario	100
How PPPoE Works	101
P-330W as a PPPoE Client	101
Appendix B	102
PPTP	102
What is PPTP?	102
How can we transport PPP frames from a computer to a broadband modem over Ethernet?	102
PPTP and the P-330W	102
PPTP Protocol Overview	103
Control & PPP Connections	103
Call Connection	103
PPP Data Connection	104
Appendix C	106
Setting up Your Computer’s IP Address	106
Windows 95/98/Me	106
Installing Components	107
Configuring	108
Verifying Settings	109
Windows 2000/NT/XP	109
Verifying Settings	113
Macintosh OS 8/9	114
Verifying Settings	115
Macintosh OS X	115
Verifying Settings	116
Appendix D	118
Wireless LAN and IEEE 802.11	118
Benefits of a Wireless LAN	118
IEEE 802.11	118
Ad-hoc Wireless LAN Configuration	119
Infrastructure Wireless LAN Configuration	119
Appendix E	122
Wireless LAN With IEEE 802.1x	122
Security Flaws with IEEE 802.11	122
Deployment Issues with IEEE 802.11	122
IEEE 802.1x	122
Advantages of the IEEE 802.1x	122
RADIUS Server Authentication Sequence	123
Appendix F	124
Types of EAP Authentication	124
EAP-MD5 (Message-Digest Algorithm 5)	124
EAP-TLS (Transport Layer Security)	124
EAP-TTLS (Tunneled Transport Layer Service)	124
PEAP (Protected EAP)	125
Appendix G	126
Antenna Selection and Positioning Recommendation	126
Antenna Characteristics	126
Frequency	126
Radiation Pattern	126
Antenna Gain	126
Types of Antennas For WLAN	126
Positioning Antennas	127
Appendix H	128
Open Saftware Announcements	128
This Product includes Zlib under Zlib License	128
Zlib License	128
ZLIB is third party library and has its own license.	128
This product includes pppd(includes radius) under BSD License, RSA Data Security, Inc. License and Roaring Penguin Software under GPL License	129
BSD	129
RSA Data Security, Inc License	130
This product include brctl, shell commands, hwclock, dnrd, gmp, iptables, Awk, MTD, ntpclient, pppd , pptp, udhcpd/ udhcpc, updated, libupnp/pseudo ICS, iwpriv, gcc, linux(kernal) and tiny under GPL License.	130
GNU GENERAL PUBLIC LICENSE	130
End-User License Agreement for “P-330W “	135
Index	140
A	140
B	140
C	140
D	140
E	140
F	140
G	140
H	140
I	140
L	141
M	141
N	141
P	141
R	141
S	141
U	141
V	141

Match case Limit results 1 per page

ZyXEL P-330W User’s Guide

Chapter 5 Wireless

5.7.4

Introduction to WPA

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft.

Key differences between WPA and WEP are user authentication and improved data

encryption.

5.7.4.1

User Authentication

WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate

wireless clients using an external RADIUS database. See later in this chapter and the

appendices for more information on IEEE 802.1x, RADIUS and EAP.

Your wireless client

will need to be able to support 802.1x authentication to use RADIUS authentication.

Therefore, if you don’t have an external RADIUS server you should use WPA-PSK (WPA -

Pre-Shared Key) that only requires a single (identical) password entered into each access

point, wireless gateway and wireless client. As long as the passwords match, a client will be

granted access to a WLAN.

5.7.4.2

Encryption

WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message

Integrity Check (MIC) and IEEE 802.1x.

Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and

distributed by the authentication server. It includes a per-packet key mixing function, a

Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with

sequencing rules, and a re-keying mechanism.

TKIP regularly changes and rotates the encryption keys so that the same encryption key is

never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the

AP that then sets up a key hierarchy and management system, using the pair-wise key to

dynamically generate unique data encryption keys to encrypt every data packet that is

wirelessly communicated between the AP and the wireless clients. This all happens in the

background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data

packets, altering them and resending them. The MIC provides a strong mathematical function

in which the receiver and the transmitter each compute and then compare the MIC. If they do

not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity

checking mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi

network than WEP, making it difficult for an intruder to break into the network.

The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference

between the two is that WPA-PSK uses a simple common password, instead of user-specific

credentials. The common-password approach makes WPA-PSK susceptible to brute-force

password-guessing attacks but it’s still an improvement over WEP as it employs an easier-to-

use, consistent, single, alphanumeric password.