Using the IEEE 802.11 Wired Equivalent Privacy (WEP) encryption can prevent unauthorized reception of wireless data. WEP encryption provides two levels of security, using a 64-bit key (sometimes referred to as 40-bit) or a 128-bit key (also known as 104-bit). For better security, use a 128-bit key. If you use encryption, all wireless devices on your wireless network must use the same encryption keys.
Wired Equivalent Privacy (WEP) encryption and shared authentication provides protection for your data on the network. WEP uses an encryption key to encrypt data before transmitting it. Only computers using the same encryption key can access the network or decrypt the encrypted data transmitted by other computers. Authentication provides an additional validation process from the adapter to the access point.
The WEP encryption algorithm is vulnerable to passive and active network attacks. TKIP and CKIP algorithms include enhancements to the WEP protocol that mitigate existing network attacks and address its shortcomings
802.11 supports two types of network authentication methods; Open System and Shared Key.
Using Open authentication, any wireless station can request authentication. The station that needs to authenticate with another wireless station sends an authentication management frame that contains the identity of the sending station. The receiving station or AP grants any request for authentication. Open authentication allows any device network access. If no encryption is enabled on the network, any device that knows the SSID of the access point can gain access to the network.
Using Shared Key authentication, each wireless station is assumed to have received a secret shared key over a secure channel that is independent from the 802.11 wireless network communications channel. Shared key authentication requires that the client configure a static WEP key. The client access is granted only if it passed a challenge based authentication.
How 802.1x authentication works
802.1x features
Overview
802.1x authentication is independent of the 802.11 authentication process. The 802.1x standard provides a framework for various authentication and key-management protocols. There are different 802.1x authentication types, each providing a different approach to authentication but all employing the same 802.1x protocol and framework for communication between a client and an access point. In most protocols, upon the completion of the 802.1x authentication process, the supplicant receives a key that it uses for data encryption. Refer to How 802.1x authentication works for more information. With 802.1x authentication, an authentication method is used between the client and a Remote Authentication Dial-In User Service (RADIUS) server connected to the access point. The authentication process uses credentials, such as a user's password that are not transmitted over the wireless network. Most 802.1x types support dynamic per-user, per-session keys to strengthen the static key security. 802.1x benefits from the use of an existing authentication protocol known as the Extensible Authentication Protocol (EAP).
802.1x authentication for wireless LANs has three main components: The authenticator (the access point), the supplicant (the client software), and the authentication server (a Remote Authentication Dial-In User Service server (RADIUS)). 802.1x authentication security initiates an authorization request from the wireless client to the access point, which authenticates the client to an Extensible Authentication Protocol (EAP) compliant RADIUS server. This RADIUS server may authenticate either the user (via passwords or certificates) or the system (by MAC address). In theory, the wireless client is not allowed to join the networks until the transaction is complete. There are several authentication algorithms used for 802.1x. Some examples are; MD5-Challenge, EAP-TLS, EAP-TTLS, Protected EAP (PEAP), and EAP Cisco Wireless Light Extensible Authentication Protocol (LEAP). These are all methods for the wireless client to identify itself to the RADIUS server. With RADIUS authentication, user identities are checked against databases. RADIUS constitutes a set of standards addressing Authentication, Authorization and Accounting (AAA). Radius includes a proxy process to validate clients in a multi-server environment. The IEEE 802.1x standard is for controlling and authenticating access to port-based 802.11 wireless and wired Ethernet networks. Port-based network access control is similar to a switched local area network (LAN) infrastructure that authenticates devices that are attached to a LAN port and prevent access to that port if the authentication process fails.
RADIUS is the Remote Access Dial-In User Service, an Authorization, Authentication, and Accounting (AAA) client-server protocol, which is used when a AAA dial-up client logs in or out of a Network Access Server. Typically, a RADIUS server is used by Internet Service Providers (ISP) to perform AAA tasks. AAA phases are described as follows:
Authentication phase: Verifies a user name and password against a local database. After the credentials are verified, the authorization process begins.
Authorization phase: Determines whether a request is allowed access to a resource. An IP address is assigned for the Dial-Up client.
Accounting phase: Collects information on resource usage for the purpose of trend analysis, auditing, session time billing, or cost allocation
A simplified description of the 802.1x authentication is:
A client sends a "request to access" message to an access point. The access point requests the identity of the client.
The client replies with its identity packet which is passed along to the authentication server.
The authentication server sends an "accept" packet to the access point.
The access point places the client port in the authorized state and data traffic is allowed to proceed.
802.1x supplicant protocol support
Support for the Extensible Authentication Protocol (EAP) - RFC 2284
Supported Authentication Methods:
MD5 - RFC 2284
EAP TLS Authentication Protocol - RFC 2716 and RFC 2246
EAP Tunneled TLS (TTLS)
Cisco LEAP
EAP-FAST
EAP-SIM
PEAP
Supports Windows XP, 2000
Refer to Security Settings for more information.
Wi-Fi Protected Access (WPA/WPA2) is a security enhancement that strongly increases the level of data protection and access control to a wireless network. WPA enforces 802.1x authentication and key-exchange and only works with dynamic encryption keys. To strengthen data encryption, WPA utilizes its Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements that include a per-packet key mixing function, a message integrity check (MIC) named Michael an extended initialization vector (IV) with sequencing rules, and a also re-keying mechanism. Using these improvement enhancements, TKIP protects against WEP's known weaknesses.
The second generation of WPA that complies with the IEEE TGi specification is known as WPA2.
WPA/WPA2 – Enterprise provides this level of security on enterprise networks with a 802.1x RADIUS server. An Authentication Type is selected to match the authentication protocol of the 802.1x server.
WPA/WPA2 - Personal provides this level of security in the small network or home environment. It uses a password also called a pre-shared key (PSK). The longer this password the stronger the security of the wireless network. If your Wireless Access Point or Router supports WPA/WPA2 Personal (WPA-PSK) then you should enable it on the access point and provide a long, strong password. The same password entered into access point needs to be used on this computer and all other wireless devices that access the wireless network.
Cisco LEAP (Cisco Light EAP) is a server and client 802.1x authentication via a user-supplied logon password. When a wireless access point communicates with a Cisco LEAP-enabled RADIUS (Cisco Secure Access Control Server (ACS) server), Cisco LEAP provides access control through mutual authentication between client wireless adapters and the wireless network and provides dynamic, individual user encryption keys to help protect the privacy of transmitted data.
When a wireless LAN is configured for fast reconnection, a LEAP enabled client device can roam from one access point to another without involving the main server. Using Cisco Centralized Key Management (CCKM), an access point configured to provide Wireless Domain Services (WDS) takes the place of the RADIUS server and authenticates the client without perceptible delay in voice or other time-sensitive applications.
Cisco Key Integrity Protocol (CKIP) is Cisco proprietary security protocol for encryption in 802.11 media. CKIP uses the following features to improve 802.11 security in infrastructure mode:
Key Permutation (KP)
Message Integrity Check (MIC)
Message Sequence Number
EAP-FAST, like EAP-TTLS and PEAP, uses tunneling to protect traffic. The main difference is that EAP-FAST does not use certificates to authenticate.
Provisioning in EAP-FAST is negotiated solely by the client as the first communication exchange when EAP-FAST is requested from the server. If the client does not have a pre-shared secret Protected Access Credential (PAC), it can request to initiate a provisioning EAP-FAST exchange to dynamically obtain one from the server.
EAP-FAST documents two methods to deliver the PAC: manual delivery through an out-of-band secure mechanism, and automatic provisioning.
Manual delivery mechanisms can be any delivery mechanism that the administrator of the network feels is sufficiently secure for their network.
Automatic provisioning establishes an encrypted tunnel to protect the authentication of the client and the delivery of the PAC to the client. This mechanism, while not as secure as a manual method may be, is more secure than the authentication method used in LEAP.
The EAP-FAST method can be divided into two parts: provisioning, and authentication.
The provisioning phase involves the initial delivery of the PAC to the client. This phase only needs to be performed once per client and user.
Some access points, for example Cisco 350 or Cisco 1200, support environments in which not all client stations support WEP encryption, this is called Mixed-Cell Mode. When these wireless network operate in “optional encryption” mode, client stations that join in WEP mode, send all messages encrypted, and stations, that join in using standard mode, send all messages unencrypted. These APs broadcast that the network is not using encryption, but allow clients to join using WEP mode. When “Mixed-Cell” is enabled in a profile, it allows you to connect to access points that are configured for “optional encryption.” Refer to Cisco Compatible Extensions Options for more information.
When this feature is enabled your wireless adapter provides radio management information to the Cisco infrastructure. If the Cisco Radio Management utility is used on the infrastructure, it configures radio parameters, detects interference and Rogue access points.