Introduction
1.2.6.3 About WPA2 (CCMP) Security
WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected Access
(WPA) and WEP. CCMP is the security standard used by the Advanced Encryption Standard (AES). AES serves
the same function TKIP does for WPA-TKIP. CCMP (Counter Mode with Cipher Block Chaining Message
Authentication Code Protocol) is the preferred encryption protocol in the 802.11i standard. CCMP computes a
Message Integrity Check (MIC) using the proven Cipher Block Chaining Message Authentication Code (CBC-MAC)
technique. Changing just one bit in a message produces a totally different result.
WPA2-CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy of keys
with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used to derive other
keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data. For detailed steps on
configuring WPA2 for the CB3000, see Configuring WPA2 (CCMP) Security Settings.
1.2.6.4 About Secure 802.1x Security
The Secure 802.1x security option provides the CB3000 and its associated clients an additional
measure of security for data transmitted over the wireless network. Secure 802.1x uses the Extensible
Authentication Protocol (EAP) as the authentication mechanism between devices; authentication is achieved
through the exchange and verification of certificates.
The IEEE 802.1x standard ties the 802.1x EAP authentication protocol to both wired and wireless LAN
applications. EAP provides an effective authentication scheme with or without IEEE 802.1x Wired Equivalent
Privacy (WEP) encryption. EAP supports multiple authentication measures, allowing the authentication server
to exercise full control.
The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an
authenticator (in this case, the CB3000). The CB3000 passes EAP packets from the client to an authentication
server on the wired side of the CB3000. All other packet types are blocked until the authentication server
(typically, a RADIUS server) verifies the MU’s identity.
Using Secure 802.1x, a user requests device connection through the CB3000. The CB3000 then requests the
identity of the user and transmits that identity to an authentication server. The server prompts the CB3000 for
proof of identity (supplied to the CB3000 by the user), and the CB3000 then transmits the user data back to the
server to complete the authentication. A client should not be able to access the network if not authenticated.
For detailed steps on configuring 802.1x for the CB3000, see Configuring Secure 802.1x Security Settings.
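The packet gating described above, as an added example that is not part of the original manual and is not the CB3000's own logic: a Python model of an authenticator that relays EAP packets, drops all other traffic until the authentication server accepts the client, and closes again on EAPOL-Logoff (a case the text does not cover). The class, function names and sample frames are constructed for illustration; the EtherType, EAPOL packet types and RADIUS codes are the standard values.

```python
import struct

ETH_EAPOL = 0x888E                      # EtherType for EAP over LAN (IEEE 802.1X)
RADIUS_ACCEPT, RADIUS_REJECT, RADIUS_CHALLENGE = 2, 3, 11   # RADIUS codes, RFC 2865

class Authenticator:
    """Hypothetical model of the authenticator's port, closed until Access-Accept."""
    def __init__(self):
        self.authorized = False
        self.to_server = []             # EAP packets relayed to the authentication server

    def from_client(self, frame: bytes) -> str:   # verdict for one supplicant frame
        if len(frame) < 14:
            return "drop"               # truncated Ethernet header
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype != ETH_EAPOL:      # ordinary traffic passes only once authorized
            return "forward" if self.authorized else "drop"
        if len(frame) < 18:
            return "drop"               # truncated EAPOL header
        _version, ptype, length = struct.unpack("!BBH", frame[14:18])
        body = frame[18:18 + length]
        if len(body) != length:
            return "drop"               # declared length exceeds the frame
        if ptype == 0:                  # EAP-Packet: pass through to the server
            self.to_server.append(body)
            return "relay"
        if ptype == 2:                  # EAPOL-Logoff: close the port again
            self.authorized = False
            return "logoff"
        return "local"                  # e.g. EAPOL-Start, handled by the authenticator

    def from_server(self, radius_code: int) -> None:
        if radius_code in (RADIUS_ACCEPT, RADIUS_REJECT):   # a challenge changes nothing
            self.authorized = radius_code == RADIUS_ACCEPT

def eth_frame(ethertype: int, payload: bytes) -> bytes:   # constructed sample frame
    return bytes.fromhex("0180c2000003020000000001") + struct.pack("!H", ethertype) + payload

def demo() -> list:
    port = Authenticator()
    data = eth_frame(0x0800, b"\x45" + bytes(19))              # constructed IPv4 frame
    identity = struct.pack("!BBHB", 2, 1, 9, 1) + b"user"      # EAP-Response/Identity
    eap = eth_frame(ETH_EAPOL, struct.pack("!BBH", 1, 0, 9) + identity)
    logoff = eth_frame(ETH_EAPOL, struct.pack("!BBH", 1, 2, 0))
    results = [port.from_client(data), port.from_client(eap)]
    port.from_server(RADIUS_CHALLENGE)
    results.append(port.from_client(data))
    port.from_server(RADIUS_ACCEPT)
    return results + [port.from_client(data), port.from_client(logoff), port.from_client(data)]
```

`demo()` returns the verdicts in order: data dropped, EAP relayed, data still dropped during the challenge, data forwarded after Access-Accept, then dropped again after logoff.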