Rockwell Automation 1783-WAPxxx Stratix 5100 Wireless Access Point User Manual

Page 117


Rockwell Automation Publication 1783-UM006A-EN-P - May 2014


Stratix 5100 Device Manager Parameter Definitions

Chapter 4

Client Authentication Settings and Methods Accepted

Specifies the Layer 3 mobility network identification number for the SSID.
Open Authentication
Choose Open Authentication by checking the check box.
This enables any device to authenticate and then attempt to communicate with the access point.
If the access point is using WEP and the other device is not, the other device does not attempt to authenticate.
If the other device is using WEP but its WEP keys do not match the keys on the access point, the other device authenticates with the access point but does not pass data through it.

After you choose Open Authentication, you can select the additional method to use from the pull-down menu. These are the options in the pull-down menu:
MAC authentication
EAP
MAC authentication and EAP
MAC authentication or EAP, or with optional EAP.
To fully enable EAP, EAP Authentication Servers must be set on this page or in the Server Manager page. To fully enable MAC Authentication, you
must either enter the MAC address locally or select the Authentication Server Only option on the Advanced Security page. Choose Optional EAP
to allow both clients and optional EAP clients to associate and become authenticated with either authentication method.
Although an access point can use Open Authentication with EAP method to authenticate a wireless client device, an access point cannot use EAP
to authenticate another access point. In other words, access points must authenticate each other using either open, shared, or Network EAP
authentication methods.
Shared Authentication
Choose shared authentication by checking the Shared Authentication check box.
The access point sends an unencrypted challenge string to any device attempting to communicate with the access point. The device requesting
authentication encrypts the challenge text and sends it back to the access point. If the challenge text is encrypted correctly, the access point
enables the requesting device to authenticate.
Both the unencrypted challenge and the encrypted challenge can be monitored; however, this leaves the access point open to attack from an
intruder who guesses the WEP key by comparing the unencrypted and encrypted text strings. Because of this weakness, shared key
authentication can be less secure than open authentication. Only one SSID can use shared authentication. After you choose Shared
Authentication, you can select the method to use from the pull-down menu. The choices are MAC Authentication, EAP, or MAC Authentication
and EAP.
Network EAP
Choose network EAP by checking the Network EAP check box. The device uses the Extensible Authentication Protocol (EAP) to interact with an
EAP-compatible RADIUS server on your network to provide authentication for wireless client devices. Client devices use dynamic WEP keys to
authenticate to the network. After you choose Network EAP, you can select MAC Authentication.
To fully enable MAC authentication, you must either enter the MAC address locally or select the Authentication Server Only option on the
Advanced Security page. In the case of Authentication Server Only option, MAC Authentication Servers must be set in this page or in the Server
Manager page. EAP Authentication Servers must be set in this page or in the Server Manager page.

Server Priorities

Determine how you are going to use specific RADIUS servers on this SSID. In the EAP and MAC Authentication Server sections, you can choose to
use the defaults or customize the priority by using the pull-down menu. If you click to enable the use of the defaults, click the Define Defaults
link to move into the Server Manager page.

Authenticated Key Management

WPA and CCKM are the new authenticated key management solutions. Wi-Fi Protected Access (WPA) is the new interim solution from the
Wireless Ethernet Compatibility Alliance (WECA). WPA, largely synonymous with Simple Security Network (SSN), relies on the interim version of
IEEE standard 802.11i. WPA supports TKIP and WEP encryption algorithms as well as 802.1X and EAP for simple integration with existing
authentication systems. WPA key management uses a combination of encryption methods to protect communication between client devices
and the access point.
Currently, WPA key management supports two mutually exclusive authenticated key management types: WPA and WPA-PSK. If authenticated key
management is WPA, the client and authentication server authenticate to each other using an EAP authentication method (such as EAP-TLS)
and generate a Pairwise Master Key (PMK). If authenticated key management is WPA-PSK, the pre-shared key is used directly as the PMK.
Using Cisco Centralized Key Management (CCKM), authenticated client devices can roam from one access point to another without any
perceptible delay during reassociation. An access point on your network acts as a wireless domain service (WDS) and creates a cache of security
credentials for CCKM-enabled client devices on the subnet.
The WDS cache of credentials dramatically reduces the time required for reassociation when a CCKM-enabled client device roams to a new
access point. To enable CCKM for an SSID, you must also enable Network-EAP authentication. When CCKM and Network EAP are enabled for an
SSID, client devices using LEAP, EAP-FAST, PEAP/GTC, MSPEAP, and EAP-TLS can authenticate using the SSID. To enable WPA for an SSID, you must
also enable Open authentication or Network-EAP or both. Before you can enable CCKM or WPA, you must set the encryption mode for the SSID's
VLAN to one of the cipher suite options.

Key Management

Use the pull-down menu to indicate if you want key management to be mandatory or optional. You can select CCKM and WPA authenticated
key management at the same time for radio 802.11b or 802.11g. For radio 802.11a, only one key management method can be selected.
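The prerequisites spread across the Authenticated Key Management, Key Management and Shared Authentication descriptions above (CCKM needs Network EAP; WPA needs Open or Network-EAP; either needs a cipher-suite encryption mode on the SSID's VLAN; an 802.11a radio takes only one key management method; only one SSID may use shared authentication) are easy to get wrong when several SSIDs are configured by hand. The following checker is an added example, not code from the manual or from Rockwell Automation; the field names, the cipher-suite strings and the sample SSIDs are all constructed for the example and are not the device's own configuration syntax.

```python
# Added example: consistency checker for the SSID authentication / key-management
# rules stated in the Stratix 5100 SSID Manager parameter descriptions.
# Field names and encryption-mode strings are hypothetical, chosen for this example.
from dataclasses import dataclass, field

# Assumption: these strings stand in for the VLAN "cipher suite" encryption options;
# "none" and "wep" are the modes that do NOT satisfy the CCKM/WPA prerequisite.
CIPHER_SUITES = {"tkip", "aes-ccmp", "aes-ccmp+tkip"}


@dataclass
class Ssid:
    name: str
    radio: str                      # "802.11a", "802.11b" or "802.11g"
    open_auth: bool = False         # Open Authentication check box
    shared_auth: bool = False       # Shared Authentication check box
    network_eap: bool = False       # Network EAP check box
    key_management: set = field(default_factory=set)  # subset of {"wpa", "cckm"}
    vlan_encryption: str = "none"   # encryption mode of the SSID's VLAN


def check_ssid(s: Ssid) -> list:
    """Return the per-SSID rule violations (and one weak-setting warning) as strings."""
    problems = []
    km = s.key_management
    if "cckm" in km and not s.network_eap:
        problems.append(f"{s.name}: CCKM requires Network-EAP authentication")
    if "wpa" in km and not (s.open_auth or s.network_eap):
        problems.append(f"{s.name}: WPA requires Open or Network-EAP authentication")
    if km and s.vlan_encryption not in CIPHER_SUITES:
        problems.append(f"{s.name}: CCKM/WPA need a cipher-suite encryption mode on the VLAN, "
                        f"not {s.vlan_encryption!r}")
    if s.radio == "802.11a" and len(km) > 1:
        problems.append(f"{s.name}: the 802.11a radio allows only one key management method")
    if s.shared_auth:
        # Not a configuration error, but the manual notes shared authentication can be
        # less secure than open authentication, so surface it for review.
        problems.append(f"warning: {s.name}: shared authentication exposes the WEP challenge/response")
    return problems


def check_config(ssids: list) -> list:
    """Check every SSID plus the cross-SSID rule that only one may use shared authentication."""
    problems = []
    for s in ssids:
        problems.extend(check_ssid(s))
    shared = [s.name for s in ssids if s.shared_auth]
    if len(shared) > 1:
        problems.append("only one SSID may use shared authentication: " + ", ".join(shared))
    return problems


if __name__ == "__main__":
    # Constructed sample configuration: one compliant SSID and one that breaks three rules.
    sample = [
        Ssid("plant-wlan", "802.11g", network_eap=True,
             key_management={"wpa", "cckm"}, vlan_encryption="aes-ccmp"),
        Ssid("legacy", "802.11a", open_auth=True,
             key_management={"wpa", "cckm"}, vlan_encryption="wep"),
    ]
    for line in check_config(sample):
        print(line)
```

Running the block prints three findings for the constructed `legacy` SSID (CCKM without Network EAP, WEP instead of a cipher suite, and two key management methods on an 802.11a radio) and nothing for `plant-wlan`.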

WPA Pre-shared Key

To support client devices using static WEP keys and WPA key management, you must configure a pre-shared key on the access point. Enter the
key and specify whether you are entering hexadecimal or ASCII characters.
If you use hexadecimal, you must enter 64 hexadecimal characters to complete the 256-bit key. If you use ASCII, you must enter a minimum of 8
letters, numbers, or symbols, and the access point expands the key for you. You can enter a maximum of 63 ASCII characters.
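The two input forms described above (64 hexadecimal characters giving the 256-bit key directly, or 8 to 63 ASCII characters that the access point expands) are shown below as an added example; it is not code from the manual or from Rockwell Automation. The manual does not say how the access point expands an ASCII key; the expansion used here is the one IEEE 802.11i defines for WPA/WPA2 passphrases (PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations, 32-byte output), which is what produces the 256-bit PMK the Authenticated Key Management section says WPA-PSK uses directly. Treating "symbols" as the printable ASCII range 32 to 126 is an assumption of this example.

```python
# Added example: validate a WPA pre-shared key as entered in the SSID Manager
# (hex: exactly 64 hex digits; ASCII: 8-63 printable characters) and expand an
# ASCII key to the 256-bit PMK with the 802.11i passphrase-to-PSK mapping.
import hashlib
import re

HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]{64}$")
PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for passphrase expansion
PMK_LEN = 32               # 256-bit key


def psk_to_pmk(key: str, form: str, ssid: str) -> bytes:
    """Return the 256-bit PMK for a pre-shared key given in 'hex' or 'ascii' form.

    Raises ValueError when the key does not meet the length/character rules.
    """
    if form == "hex":
        if not HEX_KEY_RE.match(key):
            raise ValueError("hexadecimal key must be exactly 64 hex characters (256 bits)")
        return bytes.fromhex(key)          # hex key is used as the PMK directly
    if form == "ascii":
        if not 8 <= len(key) <= 63:
            raise ValueError("ASCII key must be 8 to 63 characters")
        # Assumption: letters, numbers and symbols means printable ASCII 32..126.
        if any(ord(c) < 32 or ord(c) > 126 for c in key):
            raise ValueError("ASCII key must contain only printable ASCII characters")
        # 802.11i passphrase expansion: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 32 bytes.
        return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("ascii"),
                                   PBKDF2_ITERATIONS, PMK_LEN)
    raise ValueError("form must be 'hex' or 'ascii'")


def is_valid_psk(key: str, form: str, ssid: str = "IEEE") -> bool:
    """True when the key is accepted by the rules above (used for quick checks)."""
    try:
        psk_to_pmk(key, form, ssid)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the 802.11i test passphrase "password" on SSID "IEEE",
    # and a raw 64-hex-digit key supplied directly.
    print(psk_to_pmk("password", "ascii", "IEEE").hex())
    print(psk_to_pmk("00" * 32, "hex", "IEEE").hex())
    print(is_valid_psk("short", "ascii"), is_valid_psk("abc", "hex"))
```

Whichever form is entered, the result is the same 32-byte PMK, which is why the manual can describe the hex form as "the 256-bit key" and the ASCII form as something the access point expands; either way the client and access point must end up holding identical 256 bits.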

Table 32 - SSID Manager Parameter Descriptions (Continued)

Parameter

Description
