Client access authentication – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Page 355
334
Temporal key integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP provides
advantages over WEP, and provides more secure protection for WLAN, as follows:
TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP
encryption uses 128–bit RC4 encryption algorithm, and increases the length of IVs from 24 bits
to 48 bits.
TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single
static key with a base key generated by an authentication server. TKIP dynamic keys cannot be
easily deciphered.
TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the
data might be tampered, and the system might be attacked. If two packets fail the MIC in a
specific period, the AP automatically takes countermeasures. It will not provide services to
prevent attacks while it takes countermeasures.
•
AES-CCMP encryption.
CTR with CBC-MAC protocol (CCMP) is based on the CCM of the AES encryption algorithm. CCM
combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the
integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The
AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP
contains a dynamic key negotiation and management method, so that each wireless client can
dynamically negotiate a key suite, which can be updated periodically to further enhance the
security of the CCMP encryption mechanism. During the encryption process, CCMP uses a 48-bit
packet number (PN) to make sure each encrypted packet uses a different PN, which improves
security.
Client access authentication
•
PSK authentication
To implement PSK authentication, the client and the authenticator must have the same shared key
configured. Otherwise, the client cannot pass pre-shared key (PSK) authentication.
•
802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls accessing devices at
the port level. A device connected to an 802.1X-enabled port of a WLAN access control device
can access the resources on the WLAN only after passing authentication.
The administrators of access devices can select to use RADIUS or local authentication to cooperate
with 802.1X for authenticating users. For more information about remote/local 802.1X
authentication, see "
•
MAC authentication
MAC authentication provides a method to authenticate users based on ports and MAC addresses.
You can configure permitted MAC address lists to filter MAC addresses of clients. However, the
efficiency will be reduced when the number of clients increases. Therefore, MAC authentication is
applicable to environments without high security requirements, for example, SOHO and small
offices.
MAC authentication includes the following modes:
Local MAC authentication—When this authentication mode is used, you need to configure a
permitted MAC address list on the device. If the MAC address of a client is not in the list, its
access request will be denied.