Professional Access Point
Administrator Guide
Security - 106
1. The best security you can have to date on a wireless network is WPA/WPA2 Enterprise (RADIUS)
mode using the CCMP (AES) encryption algorithm. AES is a symmetric 128-bit block data encryption
technique that works on multiple layers of the network. It is the most effective encryption system
currently available for wireless networks. If all clients or other APs on the network are WPA/CCMP
compatible, use this encryption algorithm. If all clients are WPA2 compatible, choose to support only
WPA2 clients.
2. The second best choice is WPA/WPA2 Enterprise (RADIUS) with the encryption algorithm set to Both
(that is, both TKIP and CCMP). This lets WPA clients without CCMP associate, uses TKIP for encrypting
Multicast and Broadcast frames, and allows clients to select whether to use CCMP or TKIP for Unicast
(access-point-to-single-station) frames. This WPA configuration allows more interoperability, at the
expense of some security. Clients that support CCMP can use it for their Unicast frames. If you
encounter access-point-to-station interoperability problems with the Both encryption algorithm setting,
then you will need to select TKIP instead.
3. The third best choice is WPA/WPA2 Enterprise (RADIUS) with the encryption algorithm set to TKIP.
Some clients have interoperability issues with CCMP and TKIP enabled at the same time. If you encounter
this problem, then choose TKIP as the encryption algorithm. This is the standard WPA mode, and the
most interoperable mode with client wireless software security features. TKIP is the only encryption
algorithm that is being tested in Wi-Fi WPA certification.
SEE ALSO
For information on how to configure this security mode, see “WPA/WPA2 Enterprise (RADIUS)” on
page 117 under “Configuring Security Settings”.
Does Prohibiting the Broadcast of SSID Enhance Security?
You can prohibit the broadcast of the AP’s SSID to discourage stations from automatically discovering
your access point. When the access point’s SSID broadcast is prohibited, the network name is not
displayed in the List of Available Networks on a client device. Instead, the client must have the exact network
name configured in the supplicant before the client will be able to connect.
Prohibiting the SSID broadcast is sufficient to prevent clients from accidentally connecting to your network,
but it will not prevent even the simplest of attempts by a hacker to connect or to monitor insecure traffic.
This offers a minimum level of protection on an otherwise exposed network (such as a guest network)
where the priority is making it easy for clients to get a connection and where no sensitive information is
available.
How Does Station Isolation Protect the Network?
When Station Isolation is enabled, the access point blocks communication between wireless clients. The
access point allows data traffic between its wireless clients and wired devices on the network, but not
among wireless clients.
The traffic blocking extends to wireless clients connected to the network via WDS links; these clients
cannot communicate with each other when Station Isolation is on. See “Wireless Distribution System” on
page 153 for more information about WDS.
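The three ranked choices above, the hidden-SSID option and Station Isolation, written out as one configuration so the trade-offs sit side by side. This is an added example using the open-source hostapd daemon's configuration keys, not this product's own settings; the interface name, SSID, channel and RADIUS server address, port and shared secret are placeholders.

```ini
# Added example: hostapd equivalents of the settings discussed in this section.
# Placeholder values: interface, SSID, channel and the RADIUS server details.
interface=wlan0
ssid=CorpNet
hw_mode=g
channel=6

# WPA/WPA2 Enterprise (RADIUS): 802.1X/EAP key management, keys issued per
# client after authentication against the RADIUS server.
ieee8021x=1
wpa_key_mgmt=WPA-EAP
# RFC 5737 documentation address used as a placeholder RADIUS server.
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-shared-secret

# Choice 1 (best): WPA2 clients only, CCMP (AES) for every frame.
wpa=2
rsn_pairwise=CCMP

# Choice 2: accept both WPA and WPA2 clients, pairwise cipher negotiated per
# client. With TKIP in the list hostapd uses TKIP as the group cipher, which
# matches the guide's description of "Both" mode (TKIP for multicast/broadcast).
#wpa=3
#wpa_pairwise=TKIP CCMP
#rsn_pairwise=TKIP CCMP

# Choice 3 (least preferred): plain WPA with TKIP only, for clients that cannot
# cope with mixed cipher suites. Every frame is then protected by TKIP.
#wpa=1
#wpa_pairwise=TKIP

# Hidden SSID: beacons carry an empty network name, so clients must have the
# exact SSID configured. Prevents accidental association only; it is not an
# access control, as the section above explains.
ignore_broadcast_ssid=1

# Station Isolation: the AP drops frames between its own wireless clients;
# traffic to and from wired devices is unaffected.
ap_isolate=1
```

Leave exactly one of the three cipher blocks uncommented; hostapd reads the file top to bottom and the last assignment of a key wins.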