Wireless Security Options
The following is a list of wireless security options you can select from, depending on your security needs:
There are several ways you can enhance the security of your wireless network:
- Restrict Access Based on MAC address. You can restrict access to only trusted PCs so that unknown PCs cannot wirelessly connect to the WN802T v2. MAC address filtering adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed.
- Turn Off the Broadcast of the Wireless Network Name (SSID). If you disable broadcast of the SSID, only devices that have the correct SSID can connect. This nullifies the wireless network "discovery" feature of some products such as Vista and Windows XP, but the data is still fully exposed to a determined snoop using specialized test equipment like wireless sniffers.
- Use WEP. Wired Equivalent Privacy (WEP) data encryption provides data security. WEP open authentication and WEP data encryption will block all but the most determined eavesdropper.
- Use WPA or WPA-PSK. Wi-Fi Protected Access (WPA) data encryption provides data security. The very strong authentication along with dynamic per-frame rekeying of WPA makes it virtually impossible to compromise. Because this is a new standard, wireless device driver and software availability may be limited.
Security options are available under Configuration > Security > Security Settings (see Figure 3-1). An overview of the information that is required to set up security options follows, including a description of the Network Authentication choices that are available:
- Wireless Network Name or Service Set Identifier (SSID). This is the name of your wireless network. It is used to identify the particular 802.11 wireless LAN to which a user wants to attach. A client device will receive broadcast messages from all access points within range advertising their SSIDs, and can choose one to connect to based on pre-configuration, or by displaying a list of SSIDs in range and asking the user to select one. It is set to the default name of NETGEAR (see Configuring Basic Wireless Settings). It is normal for multiple access points to share the same SSID if they provide access to the same network.
- Broadcast Wireless Network Name (SSID). If you disable broadcast of the SSID, only devices that have the correct SSID can connect. This nullifies the wireless network "discovery" feature of some products such as Vista and Windows XP, but the data is still fully exposed to a determined snoop using specialized test equipment like wireless sniffers. The default is enabled.
- Security Settings. Configure the following settings:
- Network Authentication. The WN802T v2 Access Point is set by default as an open system (no authentication) with no data encryption. When setting up Network Authentication, bear in mind the following:
- If you are using Access Point mode, then all options are available. In other modes such as Repeater or Bridge, some options may be unavailable.
- Not all wireless adapters support WPA or WPA2. Windows Vista, XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA. However, client software is required on the client. Consult the product documentation for your wireless adapter and WPA or WPA2 client software for instructions on configuring WPA2 settings.
You can configure the WN802T v2 to use the types of network authentication shown in the following table:
Table 3-1. Network Authentication Types

| Type¹ | Description |
|---|---|
| Open System | Can be used with WEP encryption or no encryption. |
| Shared Key | You must use WEP encryption and enter at least one shared key. |
| WPA with RADIUS | You must configure the RADIUS Server Settings to use this option. |
| WPA2 with RADIUS (WPA2 is a later version of WPA.) | Only select this if all clients support WPA2. If selected, you must use AES encryption and configure the RADIUS Server Settings. |
| WPA and WPA2 with RADIUS | This selection allows clients to use either WPA (with TKIP) or WPA2 (with AES). If selected, you must use TKIP + AES encryption and configure the RADIUS Server Settings. |
| WPA-PSK | You must use TKIP or TKIP + AES encryption and enter the WPA passphrase (network key). |
| WPA2-PSK (WPA2 is a later version of WPA) | Only select this if all clients support WPA2. If selected, you must use AES or TKIP + AES encryption and enter the WPA/WPA2 passphrase (network key). |
| WPA-PSK and WPA2-PSK | This selection allows clients to use either WPA (with TKIP) or WPA2 (with AES). If selected, you must use TKIP + AES encryption and enter the WPA passphrase (network key). |
¹ All options are available if using Access Point mode. In other modes (for example, Repeater or Bridge) some options may be unavailable.

- Data Encryption. The available options depend on the Network Authentication setting selected (see Table 3-1); otherwise, the default is None. The data encryption settings are explained in the following table:
The use of passphrases and keys is explained in the following section:
- Passphrase. To use the Passphrase to generate the WEP keys, enter a passphrase and click Generate Keys. You can also enter the keys directly. These keys must match the other wireless stations.
- Key 1, Key 2, Key 3, Key 4. If using WEP, select the key to be used as the default key. Data transmissions are always encrypted using the default key. The other keys can only be used to decrypt received data.
- Preshared Key Passphrase. If using WPA-PSK, enter the passphrase here. All wireless stations must use the same passphrase (network key). The network key must be from 8 to 63 characters in length.
- Wireless Client Security Separation. If enabled, the associated wireless clients will not be able to communicate with each other (this feature is intended for hotspots and other public access situations). The default is No.
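
The following is an added example, not part of the NETGEAR manual: it shows how a WPA-PSK or WPA2-PSK passphrase is turned into the 256-bit network key under IEEE 802.11i (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations), which is why every station must be given the same passphrase and the same SSID. The function names and the sample passphrase are assumptions made for illustration.

```python
import hashlib
import hmac


def validate_passphrase(passphrase: str) -> None:
    """Enforce the 8 to 63 character rule; 802.11i also requires printable ASCII."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must contain printable ASCII only")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte pre-shared key for this passphrase on this SSID."""
    validate_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    # The SSID is the only salt, so the key is tied to the network name.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def stations_agree(ap: tuple, station: tuple) -> bool:
    """True when an AP and a station, each (passphrase, ssid), derive the same key."""
    return hmac.compare_digest(derive_psk(*ap), derive_psk(*station))


if __name__ == "__main__":
    # Constructed sample values; "NETGEAR" is the default SSID named on this page.
    passphrase = "correct horse battery staple"
    print("key on default SSID:", derive_psk(passphrase, "NETGEAR").hex())
    print("key on renamed SSID:", derive_psk(passphrase, "Office-AP-2F").hex())
    print("same passphrase, different SSID agree?",
          stations_agree((passphrase, "NETGEAR"), (passphrase, "Office-AP-2F")))
```

Because the salt is only the SSID, two access points left on the default name with the same passphrase end up with identical keys; changing the SSID and using a long passphrase both change the derived key.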
Note: If you are using a RADIUS server, configure the RADIUS settings first, as described in Configuring WPA with RADIUS.
NETGEAR, Inc. http://www.netgear.com