Manual

Chapter 10: Configuring Security
• The best security you can have on a wireless network is WPA/WPA2 Enterprise (RADIUS) mode with the encryption algorithm set to CCMP (AES). CCMP is the 802.11i data-confidentiality protocol built on AES, a symmetric block cipher with a 128-bit block size and a 128-bit key; it provides both encryption and per-frame integrity protection. It is the strongest encryption option this access point offers for wireless traffic. If all clients and other access points on the network are WPA/CCMP compatible, use this encryption algorithm. (If all clients are WPA2 compatible, choose to support only WPA2 clients, so that no station can negotiate down to WPA.)
• The second best choice is WPA/WPA2 Enterprise (RADIUS) with the encryption algorithm set to Both (that is, both TKIP and CCMP). This lets WPA client stations without CCMP associate, uses TKIP for encrypting multicast and broadcast frames, and allows each client to select whether to use CCMP or TKIP for unicast (access point to single station) frames. This configuration allows more interoperability at the expense of some security: client stations that support CCMP use it for their unicast frames, but every station's multicast and broadcast traffic is protected only by TKIP. If you encounter access point-to-station interoperability problems with the Both encryption algorithm setting, select TKIP instead. (See the next bullet.)
• The third best choice is WPA/WPA2 Enterprise (RADIUS) with the encryption algorithm set to TKIP. Some clients have interoperability issues when CCMP and TKIP are enabled at the same time; if you encounter this problem, choose TKIP as the encryption algorithm. This is the original WPA mode and the one most widely supported by client wireless software. TKIP was the encryption algorithm tested in Wi-Fi WPA certification; it was designed as a stopgap for WEP-era hardware, has since been deprecated by the IEEE 802.11 standard, and should be used only where legacy clients leave no other choice.
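Each of the three settings above is visible on the air: the access point advertises its group cipher, pairwise ciphers and key-management (AKM) suites in the RSN element (WPA2) and the WPA vendor element of every beacon, so an auditor can confirm what was actually configured without logging in to the access point. The following decoder, an added example that is not part of this product's firmware or management interface, parses those elements and ranks the result the way this chapter ranks the Enterprise (RADIUS) choices. The element layouts are taken from IEEE 802.11 and the WPA specification; the sample elements at the bottom are constructed by hand rather than captured, and the mapping from this product's setting names (CCMP, Both, TKIP) to cipher lists is an assumption about how a typical access point encodes them. The "Allow non-WPA IEEE 802.1x clients" option does not appear in these elements at all, so it cannot be detected this way.

```python
"""Decode RSN (WPA2) and WPA information elements from a beacon and rank
the advertised ciphers as this chapter ranks the Enterprise choices."""
import struct

RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11 RSN suite selectors (WPA2)
WPA_OUI = b"\x00\x50\xf2"   # Wi-Fi Alliance vendor element (WPA)
CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM = {1: "802.1X", 2: "PSK"}


def _suite(buf, off, oui, table):
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if buf[off:off + 3] != oui:
        return "vendor:" + buf[off:off + 4].hex()
    return table.get(buf[off + 3], "unknown(%d)" % buf[off + 3])


def _suite_list(buf, off, oui, table):
    """Decode a little-endian count followed by that many suite selectors."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    names = [_suite(buf, off + 4 * i, oui, table) for i in range(count)]
    return names, off + 4 * count


def parse_security_ie(ie):
    """Parse one information element (ID, length, body).  Returns a dict with
    version, group cipher, pairwise ciphers and AKMs for an RSN (WPA2) or WPA
    element, or None for any other element (SSID, rates, ...)."""
    eid, length = ie[0], ie[1]
    body = ie[2:2 + length]
    if eid == 48:                                        # RSN element = WPA2
        version, oui, off = "WPA2", RSN_OUI, 0
    elif eid == 221 and body[:4] == WPA_OUI + b"\x01":   # vendor element, WPA type 1
        version, oui, off = "WPA", WPA_OUI, 4
    else:
        return None
    off += 2                                             # 16-bit element version (always 1)
    group = _suite(body, off, oui, CIPHER)
    off += 4
    pairwise, off = _suite_list(body, off, oui, CIPHER)
    akm, off = _suite_list(body, off, oui, AKM)
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def rank_enterprise(ies):
    """Rank a beacon's security elements as the chapter ranks the Enterprise
    (RADIUS) choices.  Returns (rank, description): 1 = CCMP only, 2 = Both,
    3 = TKIP only, 0 = not one of the recommended modes."""
    parsed = [p for p in map(parse_security_ie, ies) if p]
    if not parsed:
        return 0, "no WPA/WPA2 element: open, WEP, or non-WPA 802.1X only"
    if any("802.1X" not in p["akm"] for p in parsed):
        return 0, "a WPA/WPA2 element does not offer 802.1X (RADIUS) key management"
    ciphers = set()
    for p in parsed:
        ciphers.add(p["group"])          # group cipher covers multicast/broadcast
        ciphers.update(p["pairwise"])    # pairwise ciphers cover unicast
    versions = "/".join(sorted({p["version"] for p in parsed}))
    if ciphers == {"CCMP"}:
        return 1, "CCMP only (%s)" % versions
    if ciphers == {"CCMP", "TKIP"}:
        return 2, "Both: TKIP and CCMP (%s)" % versions
    if ciphers == {"TKIP"}:
        return 3, "TKIP only (%s)" % versions
    return 0, "unexpected cipher set %s" % sorted(ciphers)


def build_ie(version, group, pairwise, akm):
    """Constructed sample data: encode an RSN or WPA element from suite names."""
    oui = RSN_OUI if version == "WPA2" else WPA_OUI
    cid = {v: k for k, v in CIPHER.items()}
    aid = {v: k for k, v in AKM.items()}
    body = b"" if version == "WPA2" else WPA_OUI + b"\x01"
    body += struct.pack("<H", 1) + oui + bytes([cid[group]])
    body += struct.pack("<H", len(pairwise)) + b"".join(oui + bytes([cid[c]]) for c in pairwise)
    body += struct.pack("<H", len(akm)) + b"".join(oui + bytes([aid[a]]) for a in akm)
    if version == "WPA2":
        body += struct.pack("<H", 0)                     # RSN capabilities field
    return bytes([48 if version == "WPA2" else 221, len(body)]) + body


# Constructed beacons for each of the chapter's settings (not captured traffic).
SAMPLES = {
    "CCMP, WPA2 clients only":  [build_ie("WPA2", "CCMP", ["CCMP"], ["802.1X"])],
    "Both, WPA and WPA2":       [build_ie("WPA2", "TKIP", ["CCMP", "TKIP"], ["802.1X"]),
                                 build_ie("WPA", "TKIP", ["CCMP", "TKIP"], ["802.1X"])],
    "TKIP, WPA only":           [build_ie("WPA", "TKIP", ["TKIP"], ["802.1X"])],
    "CCMP but PSK, not RADIUS": [build_ie("WPA2", "CCMP", ["CCMP"], ["PSK"])],
}

if __name__ == "__main__":
    for name, ies in SAMPLES.items():
        rank, why = rank_enterprise(ies)
        print("%-26s -> rank %d: %s" % (name, rank, why))
```

To audit a live network, feed `rank_enterprise` the raw element bytes from a scan (for example, the `Dot11Elt` payloads scapy extracts from a sniffed beacon) instead of the constructed samples. Note that the Both setting ranks second precisely because the group cipher is TKIP: even a CCMP-capable client's broadcast and multicast traffic is protected only by TKIP, which is what the decoder's cipher set records.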
Note
If there are older client stations on your network that do not support WPA or WPA2, you can configure WPA/WPA2 Enterprise (RADIUS) with Both, CCMP, or TKIP and check the “Allow non-WPA IEEE 802.1x clients” checkbox to allow non-WPA clients. Non-WPA clients then get IEEE 802.1x authentication and key management (in practice, 802.1x-derived dynamic WEP keys), while your WPA clients keep the stronger data protection of TKIP or CCMP (AES) key management and encryption. Traffic to and from those legacy clients is protected only at the pre-WPA level.
A typical scenario is when you are upgrading an existing 802.1x network to use WPA. You might have a mix of clients, some new ones that support WPA or WPA2 and some older ones that do not support any flavor of WPA. You might even have other access points on the network that support only 802.1x and some that support WPA with RADIUS or WPA2 Enterprise (RADIUS). For as long as this mix persists, use the “Allow non-WPA IEEE 802.1x clients” option.
When all the stations have been upgraded to use WPA or, better yet, WPA2, disable the “Allow non-WPA IEEE 802.1x clients” option and set the WPA Versions option appropriately (WPA, WPA2, or Both). Until you do, the access point continues to accept 802.1x clients that do not use WPA, so the weaker protection remains available on the network.