Simple Security Questions

scottm · ‎11-01-2004

I have an AP 1100, and want to enable so encryption on the transmission. In the past I have used MAC address authentication, and want to augment the security. (Understanding that authentication and encryption security isn't the same thing)

With this, I have a few questions:

If I enable WEP (which I hear is not very secure) do I HAVE to statically map each WEP key to each device?

Why are there 4 fields for wep keys in the access points web admin page, and can I only submit transmit on only one key? Does the transmit function allow me to sent the wep key dynamically to the clients, without the need to statically assign the key to all the clients?

Can I use EAP or LEAP without a RADIUS server? What are other encyrption options without the use of a RADIUS server?

What does a RADIUS entail, is it software I can install on a NT SERVER?

Thanks!

dixho · ‎11-01-2004

Before I answer your questions, I would like to clarify certain buzz words:

1. WEP - an encryption method for 802.11 networks

2. static WEP - the WEP keys are statically defined in the access point and the wireless clients

3. dynamic WEP - each wireless client uses a different WEP key. Usually, dynamic WEP works with 802.1x authentication or WPA-PSK. This creates a more secured environment.

If I enable WEP (which I hear is not very secure) do I HAVE to statically map each WEP key to each device?

Answer: Not really. You can implement 802.1x or WPA-PSK for dynamic WEP key. Please see the above and look at the difference between WEP, static WEP, and dynamic WEP.

Why are there 4 fields for wep keys in the access points web admin page?

Answer: You can configure other devices to use different WEP key as transmit key. This creates more keys. Thus, hackers have to sniffer more packets to hack the WEP key.

and can I only submit transmit on only one key?

Answer: Yes for Cisco AP.

Does the transmit function allow me to sent the wep key dynamically to the clients, without the need to statically assign the key to all the clients?

Answer: No

Can I use EAP or LEAP without a RADIUS server?

Answer: No. However, Cisco AP comes with a radius server. Thus, you do not need an external radius server. The radius server in the AP only supports LEAP.

What are other encyrption options without the use of a RADIUS server?

Answer: static WEP and WPA-PSK

What does a RADIUS entail, is it software I can install on a NT SERVER?

Answer: There is a radius server comes with Cisco AP. Cisco also have a radius server for Windows NT. It is called ACS. Microsoft's radius server is called IAS. Another commonly used radius server is Steel Belted radius server from Funk.

scottm · ‎11-02-2004

WOW! Thanks for the concise answers.

I do hover have some follow-up questions.

1) Where can I find a step-by-step solution on how to setup 802.1x authentication or WPA-PSK in the Web Interface. I have looked within the 1100 AP Installation and Config Guide but don't see this.

2) What does the Cipher radio button do, and does this disable WEP? (radio button, either WEP or Cipher)

dixho · ‎11-02-2004

1. I do not know a document to show you how to configure WPA-PSK. Below is the instruction:

a. click on "SECURITY" and "Encryption Manager". Select cipher and TKIP in the pull down menu. Then, click on "Apply"

b. click on "SSID Manager" Select the SSID. Check "Open Authentication" with no addition. Select "Key Management" as "Mandatory". Check "WPA". Then, enter "WPA Pre-shared Key" Finally, click on "Apply"

That's should do it.

2. Cipher enables key management. It builds on top of WEP. I do not want to go too deep. Basically, WEP is used to encrypt the data. Cipher is used to protect IV (initialization vector).