179
DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring User Encryption
• If the recalculated MIC does not match the MIC received with the frame, the frame fails
the integrity check. This condition is called a MIC failure. The access point or client
discards the frame and also starts a 60-second timer. If another MIC failure does not
occur within 60 seconds, the timer expires. However, if another MIC failure occurs
before the timer expires, the device takes the following actions:
  • A DWL-8200AP access point that receives another frame with an invalid
  MIC ends its sessions with all TKIP and WEP clients by disassociating from
  the clients. This includes both WPA WEP clients and non-WPA WEP clients.
  The access point also temporarily shuts down the network by refusing
  all association or reassociation requests from TKIP and WEP clients. In
  addition, MSS generates an SNMP trap that indicates the switch port and
  radio that received frames with the two MIC failures as well as the source and
  destination MAC addresses in the frames.
  • A client that receives another frame with an invalid MIC disassociates from its
  access point and does not send or accept any frames encrypted with TKIP or
  WEP.
The DWL-8200AP access point or client refuses to send or receive traffic encrypted with
TKIP or WEP for the duration of the countermeasures timer, which is 60,000 milliseconds
(60 seconds) by default. When the countermeasures timer expires, the access point allows
associations and reassociations and generates new session keys for them. You can set the
countermeasures timer for DWL-8200AP access point radios to a value from 0 to 60,000
milliseconds (ms). If you specify 0 ms, the radios do not use countermeasures but instead
continue to accept and forward encrypted traffic following a second MIC failure. However,
MSS still generates an SNMP trap to inform you of the MIC failure.
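As an added illustration (not from the manual or D-Link's software), the MIC-failure timer logic described above as a small Python state machine: a first failure starts the fixed 60-second window, a second failure inside it raises the trap and, unless the countermeasures timer is set to 0 ms, blocks TKIP/WEP traffic until the timer expires. The `TkipCountermeasures` class and the action labels it returns are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MIC_FAILURE_WINDOW_MS = 60_000  # fixed 60-second timer started by the first MIC failure


@dataclass
class TkipCountermeasures:
    """Constructed model of the MIC-failure handling described in the manual.

    countermeasures_ms is the configurable countermeasures timer (0 to 60,000 ms);
    0 means "trap only": traffic keeps flowing after a second MIC failure.
    """
    countermeasures_ms: int = 60_000
    _first_failure_at: Optional[int] = field(default=None, init=False)  # window start
    _blocked_until: Optional[int] = field(default=None, init=False)     # end of block

    def __post_init__(self) -> None:
        if not 0 <= self.countermeasures_ms <= 60_000:
            raise ValueError("countermeasures timer must be 0..60000 ms")

    def under_countermeasures(self, now_ms: int) -> bool:
        return self._blocked_until is not None and now_ms < self._blocked_until

    def on_frame(self, now_ms: int, mic_ok: bool) -> List[str]:
        """Process one received TKIP frame and return the actions taken."""
        actions: List[str] = []
        if self.under_countermeasures(now_ms):
            return ["refuse"]  # no TKIP/WEP traffic while the timer runs
        if self._blocked_until is not None:
            # Timer expired: associations are allowed again with fresh session keys.
            self._blocked_until = None
            actions.append("rekey_sessions")
        if mic_ok:
            actions.append("forward")
            return actions
        actions.append("discard")  # every MIC failure drops the frame
        window_open = (self._first_failure_at is not None
                       and now_ms - self._first_failure_at < MIC_FAILURE_WINDOW_MS)
        if not window_open:
            self._first_failure_at = now_ms  # first failure: start the 60 s timer
            return actions
        # Second MIC failure inside the window.
        self._first_failure_at = None
        actions.append("snmp_trap")  # MSS traps even when countermeasures are disabled
        if self.countermeasures_ms > 0:
            self._blocked_until = now_ms + self.countermeasures_ms
            actions += ["disassociate_tkip_wep_clients", "refuse_associations"]
        return actions
```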
The MIC used by CCMP, CBC-MAC, is even stronger than Michael and does not require
or provide countermeasures. WEP does not use a MIC. Instead, WEP performs a cyclic
redundancy check (CRC) on the frame and generates an integrity check value (ICV).
WPA Authentication Methods
You can configure an SSID to support one or both of the following authentication methods for
WPA clients:
• 802.1X - The DWL-8200AP access point and client use an Extensible Authentication
Protocol (EAP) method to authenticate one another, then use the resulting key in a
handshake to derive a unique key for the session. The 802.1X authentication method
requires user information to be configured on AAA servers or in the switch’s local
database. This is the default WPA authentication method.
• Preshared key (PSK) - A DWL-8200AP radio and a client authenticate one another
based on a key that is statically configured on both devices. The devices then use the
key in a handshake to derive a unique key for the session. For a given service profile,
you can globally configure a PSK for use with all clients. You can configure the key by
entering an ASCII passphrase or by entering the key itself in raw (hexadecimal) form.