2 mu authentication, Mu authentication, Wpa2 – Motorola Series Switch WS5100 User Manual

Overview

1-19

WPA

WPA is designed for use with an 802.1X authentication server, which distributes different keys to each user;
however, it can also be used in a less secure pre-shared key (PSK) mode, where every user is given the same
passphrase.

WPA uses Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used.
When combined with the much larger Initialization Vector, it defeats well-known key recovery attacks on
WEP. For information on configuring WPA for a WLAN, see Configuring WPA/WPA2 using TKIP and CCMP
on page 4-43.

WPA2

WPA2 uses a sophisticated key hierarchy that generates new encryption keys each time a MU associates
with an access point. Protocols including 802.1X, EAP and Radius are used for strong authentication. WPA2
also supports the TKIP and AES-CCMP encryption protocols. For information on configuring WPA for a WLAN,
see Configuring WPA/WPA2 using TKIP and CCMP on page 4-43.

Keyguard-WEP

KeyGuard is Motorola’s proprietary dynamic WEP solution. Motorola (upon hearing of the vulnerabilities of
WEP) developed a non standard method of rotating keys to prevent compromises. Basically, KeyGuard is TKIP
without the message integrity check MIC. KeyGuard is proprietary to Motorola MUs only. For information on
configuring KeyGuard for a WLAN, see Configuring WEP 128 / KeyGuard on page 4-41.

1.2.5.2 MU Authentication

The switch uses the following authentication schemes for MU association:

•

Kerberos

•

802.1x EAP

•

MAC ACL

Refer to

Editing the WLAN Configuration on page 4-22

to WLAN MU authentication.

Kerberos

Kerberos allows for mutual authentication and end-to-end encryption. All traffic is encrypted and security
keys are generated on a per-client basis. Keys are never shared or reused, and are automatically distributed
in a secure manner. For information on configuring Kerberos for a WLAN, see Configuring Kerboros on page
4-27.

802.1x EAP

802.1x EAP is the most secure authentication mechanism for wireless networks and includes
EAP-TLS, EAP-TTLS and PEAP. The switch is a proxy for Radius packets. An MU does a full 802.11
authentication and association and begins transferring data frames. The switch realizes the MU needs to
authenticate with a Radius server and denies any traffic not Radius related. Once Radius completes its
authentication process, the MU is allowed to send other data traffic. You can use either an onboard Radius
server or internal Radius Server for authentication purpose. For information on configuring 802.1x EAP for a
WLAN, see Configuring 802.1x EAP on page 4-26.

MAC ACL

The MAC ACL feature is basically a dynamic MAC ACL where MUs are allowed/denied access to the network
based on their configuration on the Radius server. The switch allows 802.11 authentication and association,
then checks with the Radius server to see if the MAC address is allowed on the network. The Radius packet