3Com 8760 User Guide - Page 98

CHAPTER 4: SYSTEM CONFIGURATION for WPA2. However, the computational intensive operations of AES-CCMP requires hardware support on client devices. Therefore to implement WPA2 in the network, wireless clients must be upgraded to WPA2-compliant hardware. „ WPA2 Mixed-Mode: WPA2 defines a transitional mode of operation for networks moving from WPA security to WPA2. WPA2 Mixed Mode allows both WPA and WPA2 clients to associate to a common SSID interface. In mixed mode, the unicast encryption cipher (TKIP or AES-CCMP) is negotiated for each client. The access point advertises its supported encryption ciphers in beacon frames and probe responses. WPA and WPA2 clients select the cipher they support and return the choice in the association request to the access point. For mixed-mode operation, the cipher used for broadcast frames is always TKIP. WEP encryption is not allowed. „ Key Caching: WPA2 provides fast roaming for authenticated clients by retaining keys and other security information in a cache, so that if a client roams away from an access point and then returns, re-authentication is not required. When a WPA2 client is first authenticated, it receives a Pairwise Master Key (PMK) that is used to generate other keys for unicast data encryption. This key and other client information form a Security Association that the access point names and holds in a cache. „ Preauthentication: Each time a client roams to another access point it has to be fully re-authenticated. This authentication process is time consuming and can disrupt applications running over the network. WPA2 includes a mechanism, known as pre-authentication, that allows clients to roam to a new access point and be quickly associated. The first time a client is authenticated to a wireless network it has to be fully authenticated. When the client is about to roam to another access point in the network, the access point sends pre-authentication messages to the new access point that include the client's security association information. Then when the client sends an association request to the new access point, the client is known to be already authenticated, so it proceeds directly to key exchange and association. The configuration settings for WPA are summarized below: Table 7 WPA Configuration Settings WPA and WPA2 pre-shared key only WPA and WPA2 over 802.1X Encryption: Enabled Authentication Setup: WPA-PSK, WPA2-PSK, or WPA-WPA2-mixed Cipher Suite: WEP/TKIP/AES-CCMP WPA Pre-shared Key Type: Hex/ASCII Encryption: Enabled Authentication Setup: WPA, WPA2, WPA-WPA2-mixed Cipher Suite: WEP/TKIP/AES-CCMP (requires RADIUS server to be specified) 1: You must enable data encryption in order to enable all types of encryption in the access point. 2: Select TKIP when any WPA clients do not support AES. Select AES only if all clients support AES. 4-58