

Security Setup

Security Setup is performed independently according to the radio modes.

On the "11a Security Setup" and "11b/g Security Setup" tabs, set the security for 11a mode and 11b/g mode, respectively. The security mode, SSID view, and Station Isolation set here operate independently for each radio.


Blocking Network via Station Isolation

If the Station Isolation option is activated, the AP blocks communication between the radio clients of the relevant radio band. However, communication between a radio client and wired equipment is still permitted.

This traffic blocking also applies to clients connected to the network via a WDS link. If the Station Isolation item is activated, such a client also cannot communicate with other clients. For information on WDS, refer to WDS Setup.

The following setup information describes how to set the security mode at the AP. To exchange data with the AP, the client must set the same security mode and encryption key as those of the AP.

Notes

Security modes other than the Plain-text mode are applied only to the "Internal" network. For the "Guest" network, only the Plain-text mode can be set. (For information on the Guest network, refer to Guest Access Setup.)

SSID View, Station Isolation, Security Mode

To set the security of the AP, select the security mode and set the items described below. (As explained below, the SSID view and Station Isolation items can be activated or deactivated as a preparatory measure.)

Items
Description
Broadcast SSID
In order to activate the item of Broadcast SSID, select the checkbox.
In the default setup, the AP includes the Service Set Identifier (SSID) in the Beacon frame that it transmits.
You can prevent automatic discovery of your AP by not transmitting the SSID. In this case, the network name of the AP (SSID) is not displayed in the list of networks that the client can connect to. The client must specify the correct network name in order to access the AP.
Station Isolation
Select the checkbox if activating the Station Isolation item.
  • If the Station Isolation item is unchecked, the radio client can communicate with other clients via the AP.
  • If the Station Isolation item is checked, the AP blocks communication between the radio clients. However, communication between a radio client and wired equipment is still permitted. This traffic blocking also applies to clients connected to the network via a WDS link. If the Station Isolation item is activated, such a client also cannot communicate with other wireless clients. For information on WDS, refer to WDS Setup.
Security Mode
Select one of the following security modes.
For the Guest network, only the "None (Plain-text)" security mode can be set. (For more information, refer to Guest Access Setup.)
Other security modes besides the Plain-text mode are applied only to the "Internal" network.

None (Plain-text)

None (or Plain-text) mode means that the client does not encrypt the data when it communicates with the SMT-R2000.

If "None (Plain-text)" is selected, no other security items need to be set.

Guest Network

For the Guest network, only the "None (Plain-text)" security mode can be set.

This feature lets guest clients access the network without any security setup.

The minimum method for protecting the Guest network is to block the transmission of the SSID (network name).

For the information on Guest network, refer to Guest Access Setup.

Static WEP

Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. All clients and APs must have the same shared 64-bit key (40-bit secret key + 24-bit initialization vector (IV)) for data encryption.

64-bit WEP keys and 128-bit WEP keys cannot be used together.

If selecting "Static WEP" as the security mode, the following items should be set.

Item
Description
Key Index to be used
Select the key index in the drop down menus (1 ~ 4). The default key index is 1.
The key index to be used indicates which key is used for encryption in data transmission.
Key Length
Designate the length of the WEP key by selecting one of the following:
  • 64 bit
  • 128 bit
Key types
Designate the type of the WEP key by selecting one of the following:
  • ASCII
  • Hex
WEP Key
Up to four WEP keys can be designated. Enter in each text box the character string that is used as the WEP key.
If "ASCII" is selected, the key is entered as a combination of ASCII characters. If "Hex" is selected, hexadecimal digits (a combination of 0-9 and a-f or A-F) can be entered.
Enter exactly as many characters as the number shown in the "Characters required" item. The character string entered in this item is the RC4 WEP key shared by the client and the AP.
The client must set the same WEP key at the same index as designated in the AP. (Refer to Static WEP Key Setup Rules.)
Characters required: the number of characters necessary for the WEP key. This value is updated automatically according to the key length and the key type.
Authentication
The authentication algorithm is the procedure that checks whether a client is permitted to access the AP when the Static WEP security mode is used.
Designate the authentication algorithm to be used by selecting one of the following:
  • Open System
  • Shared Key
Note: You can select either the Open System checkbox or the Shared Key checkbox.
Open System authentication permits access by all clients. In this case, whether the client uses the correct WEP key is not important. This authentication algorithm is also used in the None (Plain-text), IEEE 802.1x, and WPA security modes. If the authentication algorithm is set to "Open System", all clients can access the AP.
Note that just because a client station is allowed to associate does not ensure it can exchange traffic with an access point. A station must have the correct WEP key to be able to successfully access and decrypt data from an access point, and to transmit readable data to the access point.
Shared Key authentication requires the client station to have the correct WEP key in order to associate with the access point. When the authentication algorithm is set to "Shared Key", a station with an incorrect WEP key will not be able to associate with the access point.
Open System and Shared Key. When both algorithms are selected, the cases are as follows:
  • If the client is set to use both the WEP security mode and the Shared Key authentication mode, the client must have the correct WEP key to access the AP.
  • If the client is set to use the WEP security mode and the Open System authentication mode, the client must have the correct WEP key to access the AP.
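
The "Characters required" rule and the same-key-at-the-same-index rule from the table above, written out as an added example (not code from the SMT-R2000 or its vendor). The function names and the sample keys are constructed for illustration.

```python
import string

IV_BITS = 24  # the 24-bit IV is part of the 64/128-bit figure, not typed by the user

def characters_required(key_bits: int, key_type: str) -> int:
    """Number of characters to type for a given Key Length and Key Type."""
    if key_bits not in (64, 128):
        raise ValueError("Key Length must be 64 or 128 bit")
    secret_bytes = (key_bits - IV_BITS) // 8   # 5 bytes (40 bit) or 13 bytes (104 bit)
    if key_type == "ASCII":
        return secret_bytes
    if key_type == "Hex":
        return secret_bytes * 2                # two hex digits per byte
    raise ValueError("Key Type must be ASCII or Hex")

def parse_wep_key(text: str, key_bits: int, key_type: str) -> bytes:
    """Validate one WEP key field and return the secret bytes it encodes."""
    need = characters_required(key_bits, key_type)
    if len(text) != need:
        raise ValueError(f"expected {need} characters, got {len(text)}")
    if key_type == "Hex":
        if any(c not in string.hexdigits for c in text):
            raise ValueError("Hex keys may contain only 0-9, a-f, A-F")
        return bytes.fromhex(text)
    if any(not 32 <= ord(c) <= 126 for c in text):
        raise ValueError("ASCII keys must be printable ASCII")
    return text.encode("ascii")

def client_index_ok(ap_keys, client_keys, index, key_bits, key_type) -> bool:
    """True if the client holds the AP's key at the same index (1-4)."""
    if index not in range(1, 5):
        raise ValueError("Key Index must be 1 to 4")
    if index not in ap_keys or index not in client_keys:
        return False
    return (parse_wep_key(ap_keys[index], key_bits, key_type)
            == parse_wep_key(client_keys[index], key_bits, key_type))

if __name__ == "__main__":
    # Constructed sample key tables: {key index: text typed into the WEP Key box}
    ap = {1: "A1B2C3D4E5"}
    same_slot = {1: "a1b2c3d4e5"}    # hex is case-insensitive, so this matches
    wrong_slot = {2: "A1B2C3D4E5"}   # right key, wrong index: traffic will not decrypt
    for kt in ("ASCII", "Hex"):
        print(kt, characters_required(64, kt), characters_required(128, kt))
    print(client_index_ok(ap, same_slot, 1, 64, "Hex"))
    print(client_index_ok(ap, wrong_slot, 1, 64, "Hex"))
```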

Static WEP Key Setup Rules

IEEE 802.1x

IEEE 802.1x is a standard that defines port-based authentication and a key management method. Extensible Authentication Protocol (EAP) messages can be transmitted over an IEEE 802.11 network using the EAP Encapsulation Over LANs (EAPOL) protocol. IEEE 802.1x generates keys periodically. The frame body of the 802.11 frame and the Cyclic Redundancy Check (CRC) can be encrypted using the RC4 stream cipher.

This mode needs a RADIUS server in order to authenticate the users. The user accounts can be managed at the external RADIUS server.

The AP needs a RADIUS server that supports EAP, like the Microsoft Internet Authentication Server. To work with Windows clients, the authentication server must support Protected EAP (PEAP) and MSCHAP V2.

If you use an external RADIUS server, you have the option of the various authentication modes that IEEE 802.1x mode supports, such as certificate, Kerberos, and public authentication. Most importantly, the client must use the same authentication mode as the one that the AP uses.

If "IEEE 802.1x" security mode is selected, the following items should be selected:

Item
Description
Radius IP
Enter the Radius IP in the Text box.
Radius IP is the IP Address of RADIUS.
Radius Key
Enter the Radius key in the text box.
Radius Key is the shared key that is used at the RADIUS server. The text that you enter is displayed as "*" characters so that others cannot see it.
This value is not transmitted into the network.

WPA Personal

Wi-Fi Protected Access (WPA) Personal is a Wi-Fi Alliance IEEE 802.11i standard that includes the Counter mode/CBC-MAC Protocol with Advanced Encryption Standard (CCMP-AES) method and the Temporal Key Integrity Protocol (TKIP) method. WPA Personal uses a Pre-shared Key (PSK) instead of IEEE 802.1x and EAP. The PSK takes the role of the certificate.

This security mode is compatible with the wireless client supporting the early WPA mode.

In case of using "WPA Personal" security mode, the following items should be set.

Item
Description
WPA Version
Select the security mode of the client that AP will support.
  • WPA
  • WPA2
  • Both
WPA. Select WPA if all clients in the network support the early WPA and if there is no client supporting a new WPA2.
WPA2. Select WPA2 that supports the security in the level of IEEE 802.11i standard if all clients in the network support WPA2.
Both. Select "Both" if the client supporting WPA2 and the one supporting only WPA are mixed. If this option is selected, the WPA client and the WPA2 client can all access the network and be authenticated.
Cipher Suites
Select the cipher suite you want to use:
  • TKIP
  • CCMP (AES)
  • Both
Temporal Key Integrity Protocol (TKIP) is a default value.
TKIP is an encryption method safer than WEP key encryption. TKIP minimizes the reuse of the same key in encryption, which is the weakness of WEP, by changing the encryption key more frequently. TKIP uses a 128-bit "Temporal Key" shared by the AP and the client. The Temporal Key can be made by combining the MAC Address of the client and the 16-octet Initialization Vector. TKIP performs encryption using the RC4 algorithm, the same as WEP, but it enhances network security by changing the Temporal Key every 10,000 packets.
Counter mode/CBC-MAC Protocol (CCMP) is an encryption method for IEEE802.11i that uses the Advanced Encryption Standard (AES). CCMP uses the Cipher Block Chaining Counter (CBC-CTR) mode and Cipher Block Chaining Message Authentication Code (CBC-MAC) for the encryption and the integrity checkup.
If either of TKIP or CCMP (AES) is selected, Pairwise cipher is AES, and Groupwise cipher is TKIP. Pairwise cipher is used for unicast, and Groupwise cipher for multicast/broadcast. The client supporting TKIP and the one supporting AES can access AP. The WPA client should have one of the following items:
  • A valid TKIP key
  • A valid CCMP (AES) key
The client not set as WPA Personal cannot access AP.
Key
The key value used as the Pre-shared Key, which is the key shared by the AP and the clients in the WPA Personal mode. A minimum of 8 and up to 63 characters can be entered.
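
What happens to the 8 to 63 character Key after it is entered, as an added example (not code from the SMT-R2000 or its vendor): IEEE 802.11i maps the passphrase to a 256-bit key with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations. The function names, SSIDs and passphrase in the demo are constructed.

```python
import hashlib
import hmac

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA Personal key from the Key field and the SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("Key must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("Key must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 octets")
    # IEEE 802.11i passphrase mapping: PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bit)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def client_matches_ap(ap_key: str, ap_ssid: str,
                      client_key: str, client_ssid: str) -> bool:
    """True only if both the Key and the network name agree on both sides."""
    return hmac.compare_digest(wpa_psk(ap_key, ap_ssid),
                               wpa_psk(client_key, client_ssid))

if __name__ == "__main__":
    # Constructed values: one passphrase configured on two radios with different SSIDs
    key = "correct horse battery"
    for ssid in ("Internal-11a", "Internal-11bg"):
        print(ssid, wpa_psk(key, ssid).hex())
    # Same Key typed on the client, but for the wrong network name: no match
    print(client_matches_ap(key, "Internal-11a", key, "Internal-11bg"))
```

Because the SSID is the salt, a client configured with the right Key but a mistyped network name derives a different key and fails the handshake, which matters when Broadcast SSID is turned off and the name has to be entered by hand.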

WPA Enterprise

Wi-Fi Protected Access (WPA) Enterprise, which uses Remote Authentication Dial-In User Service (RADIUS), is a Wi-Fi Alliance IEEE 802.11i standard that includes the Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) methods. The Enterprise mode needs a RADIUS server for user authentication.

This security mode is compatible with clients that support the early WPA.

If the "WPA Enterprise" security mode is selected, the following items should be set:

Item
Description
WPA Version
Select the security mode of the client that the AP will support.
  • WPA
  • WPA2
  • Both
WPA. Select WPA if all clients in the network support the early WPA and there is no client supporting the WPA2.
WPA2. Select WPA2 that supports the security in the level of IEEE802.11i standard if all clients in the network support WPA2.
Both. Select "Both" if the client supporting WPA2 and the one supporting only WPA are mixed. If this option is selected, both the WPA client and the WPA2 client can access the network and be authenticated.
Cipher Suites
Select the encryption algorithm that you will use.
  • TKIP
  • CCMP (AES)
  • Both
Temporal Key Integrity Protocol (TKIP) is a default value.
TKIP is an encryption method safer than WEP key encryption. TKIP minimizes the reuse of the same key, which is a weakness of WEP, by changing the encryption key more frequently. TKIP uses a 128-bit "Temporal Key" shared by the AP and the client. The Temporal Key can be made by combining the MAC Address of the client and the 16-octet Initialization Vector. TKIP performs encryption using the RC4 algorithm, the same as WEP, but it enhances the security of the network by changing the Temporal Key every 10,000 packets.
Counter mode/CBC-MAC Protocol (CCMP) is an encryption method for IEEE 802.11i that uses the Advanced Encryption Standard (AES). CCMP uses CCM combined with Cipher Block Chaining Counter (CBC-CTR) mode and Cipher Block Chaining Message Authentication Code (CBC-MAC) for encryption and for checking message integrity.
If both TKIP and CCMP (AES) are selected, the client supporting TKIP and the one supporting AES can access the AP. A client that has been set to the WPA Enterprise mode should have one of the following:
  • A valid TKIP RADIUS IP address and valid shared Key
  • A valid CCMP (AES) IP address and valid shared Key
A client that is not set to WPA Enterprise mode cannot access the AP.
The default setup is to use both TKIP and CCMP. If both TKIP and CCMP are selected, a client that is set to the WPA Enterprise mode should have one of the following:
  • A valid TKIP RADIUS IP address and RADIUS Key
  • A valid CCMP (AES) IP address and RADIUS Key
Radius IP
Enter the Radius IP in the text box.
Radius IP is the IP Address of RADIUS.
Radius Key
Enter the Radius Key in the text box.
Radius Key is the shared key that is used at the RADIUS server. The text that you enter is displayed as "*" characters so that others cannot see it.
This value is never transmitted over the network.

Update settings

The security setup can be updated as follows:

1. Move to the security menu.
2. Set a desired security item.
3. Click the update button to apply the changes.

Copyright © Samsung Electronics Co. Ltd. All Rights Reserved.