Bridge GUI Guide: Network Configuration
85
peer and at least one CA (Certificate Authority) certificate must
be present in the local certificate store. Refer to Section 6.2.1
for guidance on configuring an EAP-TLS key pair and digital
certificate.
On the
Add Station Mode
screen, these additional settings
apply to
WPA
,
WPA2
and
WPA2-Mixed
selections:
Rekey Period
- specifies the interval at which new pair-wise
transient keys (PTKs) are negotiated or
0
(zero), which
disables the rekeying function: the interface will use the
same key for the duration of each session seconds. Specify
a new interval in whole seconds between
0
and
2147483647
, inclusive. No
Rekey Period
is specified by
default.
NOTE:
Unlike
Suite B
Key Estab-
lishment
the
Suite B
TLS Cipher
option is available re-
gardless of whether
Suite B is licensed on the
Bridge (Section 6.3).
TLS Cipher
- specifies the list of supported cipher suites,
the sets of encryption and integrity algorithms, that the
Bridge will send to the 802.1X authentication server:
All
- the default, supports both
Legacy
and
Suite B
cipher
suites (as described in the next two items)
Legacy
- supports Diffie-Hellman with RSA keys
(
DHE-RSA-AES128-SHA and DHE-RSA-AES256-SHA
)
Suite B
- supports Diffie-Hellman with ECC keys
(
ECDHE-ECDSA-AES128-SHA and ECDHE-ECDSA-
AES256-SHA
)
In EAP-TLS, the authentication server selects the cipher
suite to use from the list of supported suites sent by the
client device (or rejects the authentication request if none of
the proposed suites are acceptable).
Subject Match
- optionally provides a character string to
check against the subject Distinguished Name (DN) of the
authentication server certificate. Each RDN (Relative
Distinguished Name) in the sequence comprising the
certificate DN is compared to the corresponding RDN in the
string provided. Wildcard characters cannot be used.
Certificate Hash
- optionally provides a 64-character hash
value to check against the hash value of the authentication
server certificate. When the
Certificate Hash
field is empty,
the default, no hash value check is performed.
WPA Strict Check
- optionally enables strict checking of key
usage and extended key usage extensions in the
authentication server certificate. Strict key usage checking
is
Enabled
by default.
You can configure
TLS Cipher
,
Certificate Hash
,
Subject Match
and
WPA Strict Check
only in Advanced View.
WPA-PSK, WPA2-PSK and WPA2-Mixed-PSK Security
WPA-PSK (Wi-Fi Protected Access) and WPA2-PSK are the
pre-shared key
modes of WPA (as distinguished from the
enterprise
modes described above). You can specify that
WPA-