Configuring user encryption 299Nortel WLAN—Security Switch 2300 Series Configuration GuideWPA authentication methodsYou can configure an SSID to support one or both of the following authentication methods for WPA clients:• 802.1X—The AP and client use an Extensible Authentication Protocol (EAP) method to authenticate one another,then use the resulting key in a handshake to derive a unique key for the session. The 802.1X authentication methodrequires user information to be configured on AAA servers or in the WSS’s local database. This is the default WPAauthentication method.• Preshared key (PSK)—An AP radio and a client authenticate one another based on a key that is staticallyconfigured on both devices. The devices then use the key in a handshake to derive a unique key for the session. Fora given service profile, you can globally configure a PSK for use with all clients. You can configure the key byentering an ASCII passphrase or by entering the key itself in raw (hexadecimal) form.WSS Software sets the timeout for the key exchanges between WPA (or RSN) clients and the AP to the same value asthe last setting of the retransmission timeout. The retransmission timeout is set to the lower of the 802.1X supplicanttimeout or the RADIUS session-timeout attribute. See “Setting EAP retransmission attempts” (page 579) for moreinformation.Note. For a MAC client that authenticates using a PSK, the RADIUS servers orlocal database still must contain an authentication rule for the client, to assign theclient to a VLAN.