Wireless Security Screen. ZyXEL nwa1100-n, NWA1100 N, 802.11b/g/n poe access point
Below you will find brief information for Access Point NWA1100 N. The NWA1100 N extends the range of your existing wired network without additional wiring, providing easy network access to mobile users. It controls network access with MAC address filtering and RADIUS server authentication. The NWA1100 N provides a high level of network traffic security, supporting IEEE 802.1x, Wi-Fi Protected Access (WPA), WPA2 and WEP data encryption. Its Quality of Service (QoS) features allow you to prioritize time-sensitive or highly important applications such as VoIP.
CHAPTER 7
Wireless Security Screen
7.1 Overview
This chapter describes how to use the Wireless Security screen. This screen allows you to configure the security mode for your NWA.
Wireless security is vital to your network. It protects communications between wireless stations, access points and the wired network.
Figure 28
Securing the Wireless Network
In the figure above, the NWA checks the identity of devices before giving them access to the network. In this scenario, Computer A is denied access to the network, while Computer B is granted connectivity.
The NWA secures communications via data encryption, wireless client authentication and MAC address filtering. It can also hide its identity in the network.
7.2 What You Can Do in this Chapter
).
71 NWA1100-N User’s Guide
Chapter 7 Wireless Security Screen
7.3 What You Need To Know
User Authentication
Authentication is the process of verifying whether a wireless device is allowed to use the wireless network. You can make every user log in to the wireless network before they can use it. However, every device in the wireless network has to support IEEE 802.1x to do this.
For wireless networks, you can store the user names and passwords for each user in a RADIUS server. This is a server used in businesses more than in homes. If you do not have a RADIUS server, you cannot set up user names and passwords for your users.
Unauthorized wireless devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network.
The following table shows the relative effectiveness of wireless security methods:
Table 12
Wireless Security Levels
SECURITY LEVEL | SECURITY TYPE
Least Secure | Unique SSID (Default)
 | Unique SSID with Hide SSID Enabled
 | MAC Address Filtering
 | WEP Encryption
 | IEEE802.1x EAP with RADIUS Server Authentication
 | Wi-Fi Protected Access (WPA)
Most Secure | WPA2
The available security modes in your NWA are as follows:
• None. No data encryption.
• WEP. Wired Equivalent Privacy (WEP) encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private.
• 802.1x-Only. This is a standard that extends the features of IEEE 802.11 to support extended authentication. It provides additional accounting and control features. This option does not support data encryption.
• 802.1x-Static64. This provides 802.1x-Only authentication with a static 64-bit WEP key and an authentication server.
• 802.1x-Static128. This provides 802.1x-Only authentication with a static 128-bit WEP key and an authentication server.
• 802.1x-Static152. This provides 802.1x-Only authentication with a static 152-bit WEP key and an authentication server.
• WPA. Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard.
• WPA2. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.
• WPA2-MIX. This commands the NWA to use either WPA2 or WPA depending on which security mode the wireless client uses.
• WPA2-PSK. This adds a pre-shared key on top of WPA2 standard.
• WPA2-PSK-MIX. This commands the NWA to use either WPA-PSK or WPA2-PSK depending on which security mode the wireless client uses.
Note: In Bridge/Repeater and AP+Bridge operating modes, the only available security modes are WEP, WPA-PSK, and WPA2-PSK.
Note: To guarantee 802.11n wireless speed, please only use WPA2 or WPA2-PSK security mode. Other security modes may degrade the wireless speed performance to 802.11g.
Passphrase
A passphrase functions like a password. In WEP security mode, it is further converted by the NWA into a complicated string that is referred to as the “key”. This key is requested from all devices wishing to connect to a wireless network.
PSK
The Pre-Shared Key (PSK) is a password shared by a wireless access point and a client during a previous secure connection. The key can then be used to establish a connection between the two parties.
Encryption
Wireless networks can use encryption to protect the information that is sent in the wireless network. Encryption is like a secret code. If you do not know the secret code, you cannot understand the message. Encryption is the process of converting data into unreadable text. This secures information in network communications. The intended recipient of the data can “unlock” it with a pre-assigned key, making the information readable only to him. The NWA when used as a wireless client employs Temporal Key Integrity Protocol (TKIP) data encryption.
EAP
Extensible Authentication Protocol (EAP) is a protocol used by a wireless client, an access point and an authentication server to negotiate a connection.
The EAP methods employed by the NWA when in Wireless Client operating mode are Transport Layer Security (TLS), Protected Extensible Authentication Protocol (PEAP), Lightweight Extensible Authentication Protocol (LEAP) and Tunneled Transport Layer Security (TTLS). The authentication protocol may either be Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAPv2) or Generic Token Card (GTC).
Further information on these terms can be found in Appendix D on page 177.
7.4 The Security Screen
Use this screen to choose the security mode for your NWA.
Click Wireless > Security. Select the profile that you want to configure and click Edit.
Figure 29
Wireless > Security
The Security Settings screen varies depending upon the security mode you select.
Figure 30
Security: None
Note that some screens display differently depending on the operating mode selected in the Wireless > Wireless Settings screen.
Note: You must enable the same wireless security settings on the NWA and on all wireless clients that you want to associate with it.
7.4.1 Security: WEP
Use this screen to use WEP as the security mode for your NWA. Select WEP in the Security Mode field to display the following screen.
Figure 31
Security: WEP
The following table describes the labels in this screen.
Table 13
Security: WEP
LABEL | DESCRIPTION
Profile Name | This is the name identifying this profile.
Security Mode | Choose WEP in this field.
Authentication Type | Select Open or Shared from the drop-down list box.
Data Encryption | Select 64-bit WEP, 128-bit WEP or 152-bit WEP to enable data encryption.
Passphrase | Enter the passphrase or string of text used for automatic WEP key generation on wireless client adapters.
Generate | Click this to get the keys from the Passphrase you entered.
Key 1 to Key 4 | The WEP keys are used to encrypt data. Both the NWA and the wireless clients or the wireless device to which the NWA is connecting must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F"). If you chose 152-bit WEP, then enter 16 ASCII characters or 32 hexadecimal characters ("0-9", "A-F"). You must configure all four keys, but only one key can be activated at any one time.
Apply | Click Apply to save your changes.
Reset | Click Reset to begin configuring this screen afresh.
Back | Click Back to return to the previous screen.
7.4.2 Security: 802.1x Only
This screen varies depending on whether you select Access Point, Multi SSID or Wireless Client in the Wireless > Wireless Settings screen.
7.4.2.1 Access Point or Multi SSID
Use this screen to use 802.1x authentication with no data encryption for your NWA that is in Access Point or Multi SSID operating mode. Select 802.1X in the Security Mode field to display the following screen.
Figure 32
Security: 802.1x for Access Point or Multi SSID
The following table describes the labels in this screen.
Table 14
Security: 802.1x for Access Point or Multi SSID
LABEL | DESCRIPTION
Security Settings |
Profile Name | This is the name identifying this profile.
Security Mode | Choose 802.1X in this field.
Apply | Click Apply to save your changes.
Reset | Click Reset to begin configuring this screen afresh.
Back | Click Back to return to the previous screen.
7.4.2.2 Wireless Client
Use this screen to use 802.1x authentication with no data encryption for your NWA that is in Wireless Client operating mode. Select 802.1x in the Security Mode field to display the following screen.
Figure 33
Security: 802.1x for Wireless Client
The following table describes the labels in this screen.
Table 15
Security: 802.1x for Wireless Client
LABEL | DESCRIPTION
Security Settings |
Profile Name | This is the name identifying this profile.
Security Mode | Choose the same security mode used by the AP.
Data Encryption | Select None to use 802.1x authentication with no data encryption. Select 64-bit WEP, 128-bit WEP or 152-bit WEP to use 802.1x authentication with a static WEP key. Refer to for information on using static WEP.
IEEE802.1x Authentication |
EAP Type | The options on the left refer to EAP methods. You can choose either TLS, LEAP, PEAP or TTLS. The options on the right refer to authentication protocols. You can choose between MSCHAPv2 and GTC.
User Information |
Username | Supply the username of the account created in the RADIUS server.
Password | Supply the password of the account created in the RADIUS server.
Apply | Click Apply to save your changes.
Reset | Click Reset to begin configuring this screen afresh.
Back | Click Back to return to the previous screen.
7.4.3 Security: 802.1x + Static WEP
This screen varies depending on whether you select Access Point, Multi SSID or Wireless Client in the Wireless > Wireless Settings screen.
7.4.3.1 Access Point or Multi SSID
Use this screen to use 802.1x authentication with a static WEP key for your NWA that is in Access Point or Multi SSID operating mode. Select 802.1X-Static64, 802.1X-Static128, or 802.1X-Static152 in the Security Mode field to display the following screen.
Figure 34
Security: 802.1x + Static WEP (AP mode)
The following table describes the labels in this screen.
Table 16
Security: 802.1x + Static WEP (AP mode)
LABEL | DESCRIPTION
Security Settings |
Profile Name | This is the name identifying this profile.
Security Mode | Choose 802.1X-Static64, 802.1X-Static128, or 802.1X-Static152 in this field.
Passphrase | Enter the passphrase or string of text used for automatic WEP key generation.
Generate | Click this to get the keys from the Passphrase you entered.
Key 1 to Key 4 | If you chose 802.1X-Static64, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F"). If you chose 802.1X-Static128, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F"). If you chose 802.1X-Static152, then enter 16 characters (ASCII string) or 32 hexadecimal characters ("0-9", "A-F"). There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users. The values for the keys must be set up exactly the same on the access points as they are on the wireless clients.
Rekey Options |
ReAuthentication Timer | Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. Alternatively, enter “0” to turn reauthentication off. Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Group-Key Update | The NWA automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed.
Apply | Click Apply to save your changes.
Reset | Click Reset to begin configuring this screen afresh.
Back | Click Back to return to the previous screen.
7.4.3.2 Wireless Client
Use this screen to use 802.1x authentication with a static WEP key for your NWA that is in Wireless Client operating mode. Select 802.1x in the Security Mode field to display the following screen.
Figure 35
Security: 802.1x + Static WEP for Wireless Client
The following table describes the labels in this screen.
Table 17
Security: 802.1x + Static WEP for Wireless Client
LABEL | DESCRIPTION
Security Settings |
Profile Name | This is the name identifying this profile.
Security Mode | Choose the same security mode used by the AP.
Data Encryption | Select 64-bit WEP, 128-bit WEP or 152-bit WEP to use 802.1x authentication with a static WEP key.
Passphrase | Enter the passphrase or string of text used for automatic WEP key generation.
Generate | Click this to get the keys from the Passphrase you entered.
Key 1 to Key 4 | The WEP keys are used to encrypt data. Both the NWA and the wireless device to which the NWA is connecting must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F"). If you chose 152-bit WEP, then enter 16 ASCII characters or 32 hexadecimal characters ("0-9", "A-F"). You must configure all four keys, but only one key can be activated at any one time.
IEEE802.1x Authentication |
EAP Type | The options on the left refer to EAP methods. You can choose either TLS, LEAP, PEAP or TTLS. The options on the right refer to authentication protocols. You can choose between MSCHAPv2 and GTC.
User Information |
Username | Supply the username of the account created in the RADIUS server.
Password | Supply the password of the account created in the RADIUS server.
Apply | Click Apply to save your changes.
Reset | Click Reset to begin configuring this screen afresh.
Back | Click Back to return to the previous screen.
7.4.4 Security: WPA, WPA2 or WPA2-MIX
This screen varies depending on whether you select Access Point, Multi SSID or Wireless Client in the Wireless > Wireless Settings screen.
7.4.4.1 Access Point or Multi SSID
Use this screen to employ WPA and/or WPA2 as the security mode of your NWA that is in Access Point or Multi SSID operating mode. Select WPA, WPA2 or WPA2-MIX in the Security Mode field to display the following screen.
Figure 36
Security: WPA, WPA2 or WPA2-MIX for Access Point
The following table describes the labels not previously discussed.
Table 18
Security: WPA, WPA2 or WPA2-MIX for Access Point
LABEL | DESCRIPTION
Security Settings |
Profile Name | This is the name identifying this profile.
Security Mode | Choose WPA, WPA2 or WPA2-MIX in this field.
Rekey Options |
ReAuthentication Timer | Specify how often wireless stations have to resend usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. Alternatively, enter “0” to turn reauthentication off. Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Group Key Update every Seconds | Select this option to have the NWA send a new group key out to all clients at the rate you specify in the every Seconds field. The re-keying process is the WPA equivalent of automatically changing the group key for an AP and all clients in a WLAN on a periodic basis. Enter how often you want the NWA to send a new group key out to all clients.
Apply | Click Apply to save your changes.
Reset | Click Reset to begin configuring this screen afresh.
Back | Click Back to return to the previous screen.
7.4.4.2 Wireless Client
Use this screen to employ WPA or WPA2 as the security mode of your NWA that is in Wireless Client operating mode. Select WPA or WPA2 in the Security Mode field to display the following screen.
Figure 37
Security: WPA or WPA2 for Wireless Client
The following table describes the labels in this screen.
Table 19
Security: WPA or WPA2 for Wireless Client
LABEL | DESCRIPTION
Security Settings |
Profile Name | This is the name identifying this profile.
Security Mode | Choose the same security mode used by the AP.
Data Encryption | This shows the encryption method used by the NWA. TKIP - This is the Temporal Key Integrity Protocol encryption method added later to the WEP encryption protocol to further secure. AES - This is the Advanced Encryption Standard encryption method. It is a more recent development over TKIP and considerably more robust.
IEEE802.1x Authentication |
EAP Type | The options on the left refer to EAP methods. You can choose either TLS, LEAP, PEAP or TTLS. The options on the right refer to authentication protocols. You can choose between MSCHAPv2 and GTC.
User Information |
Username | Supply the username of the account created in the RADIUS server.
Password | Supply the password of the account created in the RADIUS server.
Apply | Click Apply to save your changes.
Reset | Click Reset to begin configuring this screen afresh.
Back | Click Back to return to the previous screen.
7.4.5 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX
Use this screen to employ WPA-PSK, WPA2-PSK or WPA2-PSK-MIX as the security mode of your NWA. Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX in the Security Mode field to display the following screen.
Figure 38
Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX
The following table describes the labels not previously discussed.
Table 20
Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX
LABEL | DESCRIPTION
Profile Name | This is the name identifying this profile.
Security Mode | Choose WPA-PSK, WPA2-PSK or WPA2-PSK-MIX in this field.
Pre-Shared Key | The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).
Apply | Click Apply to save your changes.
Reset | Click Reset to begin configuring this screen afresh.
Back | Click Back to return to the previous screen.
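The Pre-Shared Key rule above (8 to 63 case-sensitive ASCII characters) is illustrated by the following added example, which is not part of the User's Guide or ZyXEL code. It goes beyond the chapter by applying the IEEE 802.11i passphrase-to-key mapping (PBKDF2-HMAC-SHA1 with the SSID as salt), which the guide does not describe; the function names and sample values are assumptions made for the example.

```python
# Added example (not ZyXEL code): how a WPA-PSK / WPA2-PSK passphrase becomes the
# 256-bit key that the access point and its clients actually share.
import hashlib


def valid_passphrase(passphrase):
    """Table 20 rule: 8 to 63 case-sensitive ASCII characters, spaces and symbols allowed."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_psk(passphrase, ssid):
    """IEEE 802.11i mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes."""
    if not valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    salt = ssid.encode()
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def report(passphrase, ssids):
    """Derive the key for each SSID to show that the SSID changes the result."""
    return {ssid: derive_psk(passphrase, ssid).hex() for ssid in ssids}


if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    sample = report("correct horse battery staple", ["Office-AP", "Office-Guest"])
    for ssid, key in sample.items():
        print(f"{ssid:14} {key}")
    # Case matters: the NWA and every client must hold exactly the same passphrase.
    print(derive_psk("Password1", "Office-AP") != derive_psk("password1", "Office-AP"))
```

Because the SSID is the salt, the same passphrase on two SSIDs yields two unrelated keys, while every device on one SSID derives the same key from the shared passphrase.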
7.5 Technical Reference
This section provides technical background information on the topics discussed in this chapter.
The following is a general guideline in choosing the security mode for your NWA.
• Use WPA(2) security if you have WPA(2)-aware wireless clients and a RADIUS server. WPA has user authentication and improved data encryption over WEP.
• Use WPA(2)-PSK if you have WPA(2)-aware wireless clients but no RADIUS server.
• If you don’t have WPA(2)-aware wireless clients, then use WEP key encrypting. A higher bit key offers better security. You can manually enter 64-bit, 128-bit or 152-bit WEP keys.
More information on Wireless Security can be found in Appendix D on page 177.
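The rules stated in this chapter (WEP key lengths, the modes without data encryption, the Bridge/Repeater and AP+Bridge restriction, and the 802.11n speed note) can be checked mechanically before a profile is applied. The following is an added example, not part of the User's Guide or ZyXEL code; the profile dictionary layout and its field names are hypothetical, since the guide describes no export format.

```python
# Added example (not ZyXEL code): checks a profile against rules stated in this chapter.
# The dict layout and field names are hypothetical; the sample profiles are constructed.
HEX = set("0123456789abcdefABCDEF")  # lower case accepted here as an assumption
WEP_LEN = {64: (5, 10), 128: (13, 26), 152: (16, 32)}  # bits -> (ASCII chars, hex digits)
STATIC_WEP = {"802.1x-Static64": 64, "802.1x-Static128": 128, "802.1x-Static152": 152}
NO_ENCRYPTION = {"None", "802.1x-Only"}
FULL_11N_SPEED = {"WPA2", "WPA2-PSK"}
BRIDGE_OP_MODES = {"Bridge/Repeater", "AP+Bridge"}
BRIDGE_ALLOWED = {"WEP", "WPA-PSK", "WPA2-PSK"}


def wep_key_ok(key, bits):
    """True if key has the length the guide requires: N ASCII characters or 2N hex digits."""
    n_ascii, n_hex = WEP_LEN[bits]
    if len(key) == n_hex:
        return all(c in HEX for c in key)
    return len(key) == n_ascii and key.isascii()


def audit(profile):
    """Return a list of findings for one profile; an empty list means no rule was broken."""
    mode = profile["security_mode"]
    findings = []
    if mode in NO_ENCRYPTION:
        findings.append(f"{mode}: no data encryption")
    bits = STATIC_WEP.get(mode) or (profile.get("wep_bits") if mode == "WEP" else None)
    if bits:
        keys = profile.get("keys", [])
        if len(keys) != 4:
            findings.append("WEP: all four keys must be configured")
        for i, key in enumerate(keys, 1):
            if not wep_key_ok(key, bits):
                findings.append(f"Key {i}: wrong length or characters for {bits}-bit WEP")
        findings.append("static WEP key: Table 12 ranks WEP below WPA and WPA2")
    op_mode = profile.get("operating_mode")
    if op_mode in BRIDGE_OP_MODES and mode not in BRIDGE_ALLOWED:
        findings.append(f"{mode} is not available in {op_mode} mode")
    if mode not in FULL_11N_SPEED:
        findings.append("802.11n speed not guaranteed; only WPA2 and WPA2-PSK keep it")
    return findings


PROFILES = [  # constructed samples
    {"name": "lobby", "security_mode": "WEP", "wep_bits": 128,
     "keys": ["0123456789ABCDEF0123456789", "thirteenchars", "short", "x" * 13]},
    {"name": "uplink", "security_mode": "WPA2", "operating_mode": "AP+Bridge"},
    {"name": "staff", "security_mode": "WPA2-PSK", "operating_mode": "Access Point"},
]

if __name__ == "__main__":
    for p in PROFILES:
        print(p["name"], audit(p) or "ok")
```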
Key Features
- 2.4 GHz
- Maximum data transfer rate: 300 Mbit/s
- IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.1x, IEEE 802.3, IEEE 802.3af, IEEE 802.3az, IEEE 802.3u
- EAP-SIM, EAP-TLS, EAP-TTLS, PEAP, TTLS, WEP, WPA, WPA2, WPA2-PSK
- Power over Ethernet (PoE)
- Antennas quantity: 2 External