Client access authentication – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 66


54

• Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.

• Third, TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data may have been tampered with and the system may be under attack. If two packets fail the MIC within a certain period, the AP automatically takes countermeasures: it stops providing services for a certain period to prevent attacks.
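The MIC countermeasure rule above is a small state machine, and it is worth seeing exactly what "two failures in a period" does to a receiver. The Go program below is an added illustration written for this page, not H3C code: it assumes a 60-second failure window and a 60-second service blackout (the manual only says "a certain period"), and it treats the blackout as a simple deadline after which the failure history is reset.

```go
package main

import (
	"fmt"
	"time"
)

// Countermeasures models the TKIP MIC-failure rule: a second MIC failure
// within Window triggers a Blackout during which no frames are served.
// The 60 s values are assumptions for this example, not taken from the manual.
type Countermeasures struct {
	Window      time.Duration
	Blackout    time.Duration
	lastFailure time.Time
	haveFailure bool
	blackoutEnd time.Time
}

func NewCountermeasures() *Countermeasures {
	return &Countermeasures{Window: 60 * time.Second, Blackout: 60 * time.Second}
}

// Active reports whether the AP is refusing service at time now.
func (c *Countermeasures) Active(now time.Time) bool {
	return now.Before(c.blackoutEnd)
}

// MICFailure records a failed MIC at time now and reports whether this
// failure triggered countermeasures (the second failure inside the window).
func (c *Countermeasures) MICFailure(now time.Time) bool {
	if c.haveFailure && now.Sub(c.lastFailure) <= c.Window {
		c.blackoutEnd = now.Add(c.Blackout)
		c.haveFailure = false // history is cleared once countermeasures fire
		return true
	}
	c.haveFailure = true
	c.lastFailure = now
	return false
}

// ProcessFrame applies the rule to one received frame whose MIC result is
// micOK. It returns whether the frame is delivered and whether this frame
// triggered a blackout.
func (c *Countermeasures) ProcessFrame(now time.Time, micOK bool) (deliver, triggered bool) {
	if c.Active(now) {
		return false, false // blackout in force: drop everything
	}
	if micOK {
		return true, false
	}
	return false, c.MICFailure(now)
}

func main() {
	c := NewCountermeasures()
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed timeline
	for _, ev := range []struct {
		at   time.Duration
		ok   bool
	}{{0, false}, {10 * time.Second, true}, {30 * time.Second, false}, {45 * time.Second, true}} {
		deliver, triggered := c.ProcessFrame(t0.Add(ev.at), ev.ok)
		fmt.Printf("t+%-4v micOK=%-5v deliver=%-5v triggered=%v\n", ev.at, ev.ok, deliver, triggered)
	}
}
```

Note that a single isolated failure never triggers anything; only the second failure inside the window does, and once the blackout ends the counter starts from zero again.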

4. CCMP encryption

CTR with CBC-MAC protocol (CCMP) is based on the CCM mode of the AES encryption algorithm. CCM combines CTR mode for confidentiality with CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES block cipher in CCMP uses a 128-bit key and a 128-bit block size. Like TKIP, CCMP includes a dynamic key negotiation and management method, so that each wireless client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP encryption mechanism. During encryption, CCMP uses a 48-bit packet number (PN) to make sure each encrypted packet uses a different PN, which improves security to a certain extent.

Client access authentication

1. PSK authentication

To implement pre-shared key (PSK) authentication, the client and the authenticator must have the same shared key configured. Otherwise, the client cannot pass PSK authentication.

2. 802.1X authentication

As a port-based access control protocol, 802.1X authenticates and controls accessing devices at the port level. A device connected to an 802.1X-enabled port of a WLAN access control device can access the resources on the WLAN only after passing authentication.

3. MAC authentication

MAC address authentication does not require any client software. The MAC address of a client is compared against a predefined list of allowed MAC addresses. If a match is found, the client passes the authentication and can access the WLAN; if not, the authentication fails and access is denied. The entire process does not require the user to enter a username or password. This type of authentication is suited to small networks (such as homes and small offices) with fixed clients. MAC address authentication can be done locally or through a RADIUS server.

• Local MAC address authentication—A list of usernames and passwords (the MAC addresses of allowed clients) is created on the wireless access device to authenticate the clients. Only clients whose MAC addresses are included in the list can pass the authentication and access the WLAN.

• MAC address authentication through a RADIUS server—The wireless access device serves as the RADIUS client and sends the MAC address of each requesting client to the RADIUS server. If the client passes the authentication on the RADIUS server, the client can access the WLAN within the authorization assigned by the RADIUS server. In this authentication mode, if different domains are defined, the authentication information of different SSIDs is sent to different RADIUS servers based on their domains.
