This section describes the various security methods used to help protect WiFi networks.
802.1X Authentication (Enterprise Security)
Your wireless network, if left unprotected, is vulnerable to access from other computers. You can easily protect your home and small business network from nearly all forms of unauthorized access with the security methods described in this section.
Authentication is the process of identifying and approving a request from a client (usually a laptop) to access a network at a network access point. Once authentication is completed and access is granted, the client has access to the network.
You can select encryption algorithms to encrypt the information and data that is sent across your wireless network. Only computers equipped with pre-shared keys can encrypt and decrypt the data being transmitted. Encryption keys are available with two levels of security, 64-bit and 128-bit. Use 128-bit keys for greater security.
A simple way to improve network security is to set your network access point to not broadcast the Service Set Identifier (SSID). The SSID is needed to gain access. Only those computers with knowledge of the SSID can access the network. (This is not set at the adapter using the Intel(R) PROSet/Wireless WiFi Connection Utility, it is set at the access point.)
IEEE 802.11 supports two types of network authentication methods: Open System and Shared Key.
Wired Equivalent Privacy (WEP) uses encryption to help prevent unauthorized reception of wireless data. WEP uses an encryption key to encrypt data before transmitting it. Only computers that use the same encryption key can access the network and decrypt the data transmitted by other computers. WEP encryption provides for two levels of security, using a 64-bit key (sometimes referred to as 40-bit) or a 128-bit key (also known as 104-bit). For stronger security, you should use a 128-bit key. If you use encryption, all wireless devices on your wireless network must use the same encryption keys.
With WEP data encryption, a wireless station can be configured with up to four keys (the key index values are 1, 2, 3, and 4). When an access point (AP) or a wireless station transmits an encrypted message that uses a key stored in a specific key index, the transmitted message indicates the key index that was used to encrypt the message body. The receiving AP or wireless station can then retrieve the key that is stored at the key index and use it to decode the encrypted message body
Because the WEP encryption algorithm is vulnerable to network attacks, you should consider using WPA-Personal or WPA2-Personal security.
WPA-Personal Mode is targeted to home and small business environments. WPA Personal requires manual configuration of a pre-shared key (PSK) on the access point and clients. No authentication server is needed. The same password entered at the access point needs to be used on this computer and all other wireless devices that access the wireless network. Security depends on the strength and secrecy of the password. The longer the password, the stronger the security of the wireless network. If your wireless access point or router supports WPA-Personal and WPA2-Personal then you should enable it on the access point and provide a long, strong password. WPA-Personal makes available the TKIP and AES-CCMP data encryption algorithms.
WPA2-Personal requires manual configuration of a pre-shared key (PSK) on the access point and clients. No authentication server is needed. The same password entered at the access point needs to be used on this computer and all other wireless devices that access the wireless network. Security depends on the strength and secrecy of the password. The longer the password, the stronger the security of the wireless network. WPA2 is an improvement over WPA and implements the full IEEE 802.11i standard. WPA2 is backward compatible with WPA. WPA2-Personal makes available the TKIP and AES-CCMP data encryption algorithms.
NOTE: WPA-Personal and WPA2-Personal are interoperable.
This section describes security common used by larger companies.
Overview
What is Radius?
How 802.1X Authentication Works
802.1X Features
The 802.1X authentication is independent of the 802.11 authentication process. The 802.11 standard provides a framework for various authentication and key-management protocols. There are different 802.1X authentication types and each provides a different approach to authentication, but all employ the same 802.11 protocol and framework for communication between a client and an access point. In most protocols, after completion of the 802.1X authentication process, the client receives a key that it uses for data encryption. See How 802.1X authentication works for more information. With 802.1X authentication, an authentication method is used between the client and a server (for example a Remote Authentication Dial-In User Service (RADIUS) server) connected to the access point. The authentication process uses credentials, such as a user's password, that are not transmitted over the wireless network. Most 802.1X types support dynamic per-user, per-session keys to strengthen the key security. The 802.1X authentication benefits from the use of an existing authentication protocol known as the Extensible Authentication Protocol (EAP).
The 802.1X authentication for wireless networks has three main components:
The 802.1X authentication security initiates an authorization request from the wireless client to the access point, which authenticates the client to an Extensible Authentication Protocol (EAP) compliant RADIUS server. This RADIUS server may authenticate either the user (via passwords or certificates) or the system (by MAC address). In theory, the wireless client is not allowed to join the networks until the transaction is complete. (Not all authentication methods use a RADIUS server. WPA-Personal and WPA2-Personal use a common password that must be entered at the access point and at all devices requesting access to the network.)
There are several authentication algorithms used with 802.1X. Some examples are: EAP-TLS, EAP-TTLS, Protected EAP (PEAP), and EAP Cisco Wireless Light Extensible Authentication Protocol (LEAP). These are all methods for the wireless client to identify itself to the RADIUS server. With RADIUS authentication, user identities are checked against databases. RADIUS constitutes a set of standards that addresses Authentication, Authorization, and Accounting (AAA). RADIUS includes a proxy process to validate clients in a multi-server environment. The IEEE 802.1X standard provides a mechanism for controlling and authenticating access to port-based 802.11 wireless and wired Ethernet networks. Port-based network access control is similar to a switched local area network (LAN) infrastructure that authenticates devices attached to a LAN port and prevents access to that port if the authentication process fails.
RADIUS is the Remote Authentication Dial-In User Service, an Authorization, Authentication, and Accounting (AAA) client-server protocol that is used when a AAA dial-up client logs in or out of a Network Access Server. Typically, a RADIUS server is used by Internet Service Providers (ISP) to perform AAA tasks. AAA phases are described as follows:
Following is a simplified description of how 802.1X authentication works.
The following authentication methods are supported on Windows XP:
See Open Authentication.
See WPA-Personal.
See WPA2-Personal.
Enterprise Mode authentication is targeted to corporate or government environments. WPA Enterprise verifies network users through a RADIUS or other authentication server. WPA uses 128-bit encryption keys and dynamic session keys to ensure your wireless network's privacy and enterprise security. An authentication type is selected to match the authentication protocol of the 802.1X server.
WPA Enterprise authentication is targeted to corporate or government environments. WPA2 Enterprise verifies network users through a RADIUS or other authentication server. WPA2 uses 128-bit encryption keys and dynamic session keys to ensure your wireless network's privacy and enterprise security. An authentication type is selected to match the authentication protocol of the 802.1X server. Enterprise Mode is targeted to corporate or government environments. WPA2 is an improvement over WPA and implements the full IEEE 802.11i standard.
Advanced Encryption Standard - Counter CBC-MAC Protocol. The new method for privacy protection of wireless transmissions specified in the IEEE 802.11i standard. AES-CCMP provides a stronger encryption method than TKIP. Choose AES-CCMP as the data encryption method whenever strong data protection is important. AES-CCMP is available with WPA/WPA2 Personal/Enterprise network authentication.
NOTE: Some security solutions may not be supported by your computer's operating system and may require additional software or hardware as well as wireless LAN infrastructure support. Check with your computer manufacturer for details.
Temporal Key Integrity Protocol provides per-packet key mixing, a message integrity check, and a rekeying mechanism. TKIP is available with WPA/WPA2 Personal/Enterprise network authentication.
See CKIP.
Wired Equivalent Privacy (WEP) uses encryption to help prevent unauthorized reception of wireless data. WEP uses an encryption key to encrypt data before transmitting it. Only computers that use the same encryption key can access the network and decrypt the data transmitted by other computers. Enterprise WEP is not exactly the same as personal WEP, in that you can select Open network authentication and then click Enable 802.1X and be able to choose from all client authentication types. The selection of authentication types are not available under personal WEP.
A type of authentication method using the Extensible Authentication Protocol (EAP) and a security protocol called the Transport Layer Security (TLS). EAP-TLS uses certificates which use passwords. EAP-TLS authentication supports dynamic WEP key management. The TLS protocol is intended to secure and authenticate communications across a public network through data encryption. The TLS Handshake Protocol allows the server and client to provide mutual authentication and to negotiate an encryption algorithm and cryptographic keys before data is transmitted.
These settings define the protocol and the credentials used to authenticate a user. In TTLS (Tunneled Transport Layer Security), the client uses EAP-TLS to validate the server and create a TLS-encrypted channel between the client and server. The client can use another authentication protocol. Typically, password-based protocols challenge over a non-exposed TLS encrypted channel. TTLS implementations today support all methods defined by EAP, as well as several older methods (PAP, CHAP, MS-CHAP and MS-CHAP-V2). TTLS can easily be extended to work with new protocols by defining new attributes to support new protocols.
PEAP is a new Extensible Authentication Protocol (EAP) IEEE 802.1X authentication type designed to take advantage of server-side EAP-Transport Layer Security (EAP-TLS) and to support various authentication methods, including users' passwords, one-time passwords, and Generic Token Cards.
A version of Extensible Authentication Protocol (EAP). Light Extensible Authentication Protocol (LEAP) is a proprietary extensible authentication protocol developed by Cisco that provides a challenge-response authentication mechanism and dynamic key assignment.
Extensible Authentication Protocol Method for GSM Subscriber Identity (EAP-SIM) is a mechanism for authentication and session key distribution. It uses the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM). EAP-SIM uses a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt data. EAP-SIM requires you to enter a user verification code, or PIN, for communication with the Subscriber Identity Module (SIM) card. A SIM card is a special smart card that is used by Global System for Mobile Communications (GSM) based digital cellular networks. RFC 4186 describes EAP-SIM.
EAP-AKA (Extensible Authentication Protocol Method for UMTS Authentication and Key Agreement) is an EAP mechanism for authentication and session key distribution, using the Universal Mobile Telecommunications System (UMTS) Subscriber Identity Module (USIM). The USIM card is a special smart card used with cellular networks to validate a given user with the network.
Password Authentication Protocol is a two-way handshake protocol designed for use with PPP. Password Authentication Protocol is a plain text password used on older SLIP systems. It is not secure. Only available for TTLS Authentication Type.
Challenge Handshake Authentication Protocol is a three-way handshake protocol that is considered more secure than Password Authentication Protocol. Only available for TTLS authentication Type.
Uses a Microsoft version of RSA Message Digest 4 challenge-and-reply protocol. This only works on Microsoft systems and enables data encryption. To select this authentication method causes all data to be encrypted. Only available for TTLS authentication type.
Introduces an additional feature not available with MS-CHAP-V1 or standard CHAP authentication, the change password feature. This feature allows the client to change the account password if the RADIUS server reports that the password has expired. Available for TTLS and PEAP authentication types.
Carries user specific token cards for authentication. The main feature in GTC is Digital Certificate/Token Card-based authentication. In addition, GTC includes the ability to hide user name identities until the TLS encrypted tunnel is established, which provides additional confidentiality that user names are not being broadcasted during the authentication phase. Only available for PEAP authentication type.
The TLS protocol is intended to secure and authenticate communications across a public network through data encryption. The TLS Handshake Protocol allows the server and client to provide mutual authentication and to negotiate an encryption algorithm and cryptographic keys before data is transmitted. Only available for PEAP authentication type.
Cisco LEAP (Cisco Light EAP) is a server and client 802.1X authentication through a user-supplied logon password. When a wireless access point communicates with a Cisco LEAP-enabled RADIUS (Cisco Secure Access Control Server [ACS]), Cisco LEAP provides access control through mutual authentication between client WiFi adapters and the wireless networks and provides dynamic, individual user encryption keys to help protect the privacy of transmitted data.
The Cisco Rogue access point feature provides security protection from an introduction of a rogue access point that could mimic a legitimate access point on a network in order to extract information about user credentials and authentication protocols that could compromise security. This feature only works with Cisco's LEAP authentication. Standard 802.11 technology does not protect a network from the introduction of a rogue access point. See LEAP Authentication for more information.
Some access points, for example Cisco 350 or Cisco 1200, support environments in which not all client stations support WEP encryption; this is called Mixed-Cell Mode. When these wireless networks operate in "optional encryption" mode, client stations that join in WEP mode, send all messages encrypted, and stations that use standard mode send all messages unencrypted. These access points broadcast that the network does not use encryption but allow clients that use WEP mode. When "Mixed-Cell" is enabled in a profile, it lets you connect to access points that are configured for "optional encryption."
Cisco Key Integrity Protocol (CKIP) is Cisco proprietary security protocol for encryption in 802.11 media. CKIP uses the following features to improve 802.11 security in infrastructure mode:
NOTE: CKIP is not used with WPA/WPA2 Personal/Enterprise network authentication.
NOTE: CKIP is only supported through the use of the WiFi connection utility on Windows XP.
When a wireless LAN is configured for fast reconnection, a LEAP-enabled client device can roam from one access point to another without involving the main server. Using Cisco Centralized Key Management (CCKM), an access point configured to provide Wireless Domain Services (WDS) takes the place of the RADIUS server and authenticates the client without perceptible delay in voice or other time-sensitive applications.
Some access points, for example Cisco 350 or Cisco 1200, support environments in which not all client stations support WEP encryption; this is called Mixed-Cell Mode. When these wireless network operate in "optional encryption" mode, client stations that join in WEP mode send all messages encrypted, and stations that use standard mode send all messages unencrypted. These access points broadcast that the network does not use encryption, but allows clients that use WEP mode to join. When Mixed-Cell is enabled in a profile, it lets you connect to access points that are configured for "optional encryption."
When this feature is enabled your WiFi adapter provides radio management information to the Cisco infrastructure. If the Cisco Radio Management utility is used on the infrastructure it configures radio parameters, detects interference and rogue access points.
EAP-FAST, like EAP-TTLS and PEAP, uses tunneling to protect traffic. The main difference is that EAP-FAST does not use certificates to authenticate. Provisioning in EAP-FAST is negotiated solely by the client as the first communication exchange when EAP-FAST is requested from the server. If the client does not have a pre-shared secret Protected Access Credential (PAC), it is able to initiate a provisioning EAP-FAST exchange to dynamically obtain one from the server.
EAP-FAST documents two methods to deliver the PAC: manual delivery through an out-of-band secure mechanism and automatic provisioning.
The EAP-FAST method is divided into two parts: provisioning and authentication. The provisioning phase involves the initial delivery of the PAC to the client. This phase only needs to be performed once per client and user.