Appendix A Wireless LANs
WAP6906 User’s Guide
78
simple user name and password pair is more practical. The following table is a comparison of the
features of authentication types.
WPA and WPA2
WiFi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless
security standard that defines stronger encryption, authentication and key management than WPA.
Key differences between WPA or WPA2 and WEP are improved data encryption and user
authentication.
If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2
for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK
(WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point,
wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted
access to a WLAN.
If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether
you have an external RADIUS server or not.
Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure
than WPA or WPA2.
Encryption
WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check
(MIC) and IEEE 802.1x. WPA2 also uses TKIP when required for compatibility reasons, but offers stronger
encryption than TKIP with Advanced Encryption Standard (AES) in the Counter mode with Cipher block
chaining Message authentication code Protocol (CCMP).
TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES
(Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called
Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named
Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.
WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is
never used twice.
The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy
and management system, using the PMK to dynamically generate unique data encryption keys to
Table 28 Comparison of EAP Authentication Types
EAP-MD5
EAP-TLS
EAP-TTLS
PEAP
LEAP
Mutual Authentication
No
Yes
Yes
Yes
Yes
Certificate – Client
No
Yes
Optional
Optional
No
Certificate – Server
No
Yes
Yes
Yes
No
Dynamic Key Exchange
No
Yes
Yes
Yes
Yes
Credential Integrity
None
Strong
Strong
Strong
Moderate
Deployment Difficulty
Easy
Hard
Moderate
Moderate
Moderate
Client Identity Protection
No
No
Yes
Yes
No