Use IEEE 802.11 Wired Equivalent Privacy (WEP) encryption to prevent unauthorized reception of wireless data. WEP encryption provides two levels of security: a 64-bit key (sometimes referred to as 40-bit) or a 128-bit key (also known as 104-bit). For stronger security, use a 128-bit key. If you use encryption, all wireless devices on your wireless network must use the same encryption keys.
Wired Equivalent Privacy (WEP) encryption and shared authentication provide protection for your data on the network. WEP uses an encryption key to encrypt data before transmitting it. Only computers that use the same encryption key can access the network or decrypt the encrypted data transmitted by other computers. Authentication provides an additional validation process from the adapter to the access point.
The WEP encryption algorithm is vulnerable to passive and active network attacks. TKIP and CKIP algorithms include enhancements to the WEP protocol that mitigate existing network attacks and address its shortcomings.
IEEE 802.11 supports two types of network authentication methods: Open System and Shared Key.
How 802.1x Authentication Works
802.1x Features
802.1x authentication is independent of the 802.11 authentication process. The 802.1x standard provides a framework for various authentication and key-management protocols. There are different 802.1x authentication types; each provides a different approach to authentication, but all employ the same 802.1x protocol and framework for communication between a client and an access point. In most protocols, upon the completion of the 802.1x authentication process, the supplicant receives a key that it uses for data encryption. Refer to How 802.1x authentication works for more information. With 802.1x authentication, an authentication method is used between the client and a Remote Authentication Dial-In User Service (RADIUS) server connected to the access point. The authentication process uses credentials, such as a user's password, that are not transmitted over the wireless network. Most 802.1x types support dynamic per-user, per-session keys to strengthen the static key security. 802.1x benefits from the use of an existing authentication protocol known as the Extensible Authentication Protocol (EAP).
802.1x authentication for wireless LANs has three main components:
802.1x authentication security initiates an authorization request from the wireless client to the access point, which authenticates the client to an Extensible Authentication Protocol (EAP) compliant RADIUS server. This RADIUS server may authenticate either the user (via passwords or certificates) or the system (by MAC address). In theory, the wireless client is not allowed to join the network until the transaction is complete.
There are several authentication algorithms used for 802.1x. Some examples are: EAP-TLS, EAP-TTLS, and Protected EAP (PEAP). These are all methods for the wireless client to identify itself to the RADIUS server. With RADIUS authentication, user identities are checked against databases. RADIUS constitutes a set of standards addressing Authentication, Authorization and Accounting (AAA). RADIUS includes a proxy process to validate clients in a multi-server environment. The IEEE 802.1x standard is for controlling and authenticating access to port-based 802.11 wireless and wired Ethernet networks. Port-based network access control is similar to a switched local area network (LAN) infrastructure that authenticates devices attached to a LAN port and prevents access to that port if the authentication process fails.
RADIUS is the Remote Authentication Dial-In User Service, an Authorization, Authentication, and Accounting (AAA) client-server protocol, which is used when a AAA dial-up client logs in or out of a Network Access Server. Typically, a RADIUS server is used by Internet Service Providers (ISP) to perform AAA tasks. AAA phases are described as follows:
A simplified description of 802.1x authentication is:
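The exchange described above (wireless client, access point and RADIUS server, with the port held closed until the server's verdict arrives) as a small runnable model. This is an added example, not code from this page or from any vendor; it uses an EAP-MD5 challenge/response as the inner method and constructed user names, passwords and frames.

```python
"""Toy model of 802.1x port-based access control (added example, not from
this page's author or any vendor).  The three roles are the supplicant
(wireless client), the authenticator (access point, which owns the
controlled port) and the authentication server (RADIUS).  The authenticator
only relays EAP; it keeps the controlled port UNAUTHORIZED until the server
returns EAP-Success.  The inner method is EAP-MD5 (CHAP-style): the response
is MD5(identifier | password | challenge), so the password itself never
crosses the wireless link.  User names, passwords and frames are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 / CHAP response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


@dataclass
class AuthServer:
    """RADIUS-style server holding the user database; never talks over the air."""
    users: dict                      # username -> password (constructed sample data)

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        password = self.users.get(username)
        if password is None:
            return False
        expected = md5_challenge_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)


@dataclass
class Supplicant:
    """Wireless client: answers the challenge with a hash, not the password."""
    username: str
    password: bytes

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return md5_challenge_response(identifier, self.password, challenge)


@dataclass
class Authenticator:
    """Access point: relays EAP and gates data on the controlled port."""
    server: AuthServer
    port_state: str = "UNAUTHORIZED"
    wire: list = field(default_factory=list)   # (message, payload) seen on the wireless link

    def authenticate(self, supplicant: Supplicant) -> bool:
        identifier = 1
        self.wire.append(("EAP-Request/Identity", b""))
        self.wire.append(("EAP-Response/Identity", supplicant.username.encode()))
        challenge = self.server.new_challenge()          # from the server, relayed by the AP
        self.wire.append(("EAP-Request/MD5-Challenge", challenge))
        response = supplicant.answer(identifier, challenge)
        self.wire.append(("EAP-Response/MD5-Challenge", response))
        ok = self.server.verify(supplicant.username, identifier, challenge, response)
        self.wire.append(("EAP-Success" if ok else "EAP-Failure", b""))
        # Only the server's verdict opens the port.  EAP-MD5 yields no session
        # key, so any data encryption would still need a pre-configured key.
        self.port_state = "AUTHORIZED" if ok else "UNAUTHORIZED"
        return ok

    def forward_data(self, frame: bytes) -> bool:
        """Data frames pass the controlled port only once it is AUTHORIZED."""
        return self.port_state == "AUTHORIZED"


def password_seen_on_wire(ap: Authenticator, password: bytes) -> bool:
    """What a passive listener on the wireless link could read: the identity,
    the challenge and the hash, but not the password itself."""
    return any(password in payload for _, payload in ap.wire)


def message_names(ap: Authenticator) -> list:
    return [name for name, _ in ap.wire]
```

The `wire` trace makes the weak spot of this plain method visible: the user identity crosses the link in the clear and the hash can be recorded, which is why the tunneled methods described later on this page (TTLS, PEAP) first build a TLS channel and run the password exchange inside it.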
Wi-Fi Protected Access (WPA or WPA2) is a security enhancement that strongly increases the level of data protection and access control to a wireless network. WPA enforces 802.1x authentication and key-exchange and only works with dynamic encryption keys. To strengthen data encryption, WPA utilizes Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements that include a per-packet key mixing function, a message integrity check (MIC) called Michael, an extended initialization vector (IV) with sequencing rules, and a rekeying mechanism. With these enhancements, TKIP protects against WEP's known weaknesses.
The second generation of WPA that complies with the IEEE TGi specification is known as WPA2.
Enterprise Mode: Enterprise Mode verifies network users through a RADIUS or other authentication server. WPA utilizes 128-bit encryption keys and dynamic session keys to ensure your wireless network's privacy and enterprise security. Enterprise Mode is targeted to corporate or government environments.
Personal Mode: Personal Mode requires manual configuration of a pre-shared key (PSK) on the access point and clients. PSK authenticates users via a password, or identifying code, on both the client station and the access point. No authentication server is needed. Personal Mode is targeted to home and small business environments.
WPA-Enterprise and WPA2-Enterprise: Provide this level of security on enterprise networks with an 802.1x RADIUS server. An authentication type is selected to match the authentication protocol of the 802.1x server.
WPA-Personal and WPA2-Personal: Provide this level of security in the small network or home environment. It uses a password also called a pre-shared key (PSK). The longer the password, the stronger the security of the wireless network. If your wireless access point or router supports WPA-Personal and WPA2-Personal then you should enable it on the access point and provide a long, strong password. The same password entered into access point needs to be used on this computer and all other wireless devices that access the wireless network.
NOTE: WPA-Personal and WPA2-Personal are not interoperable.
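How the pre-shared key described above becomes an encryption key, as an added example that is not part of this page or of any vendor's software. It follows the IEEE 802.11i derivation (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output) and enforces the 8 to 63 printable ASCII character rule; the keyspace estimate at the end is a crude heuristic of my own, included only to illustrate why a longer password is stronger.

```python
"""WPA/WPA2-Personal: deriving the Pairwise Master Key (PMK) from a passphrase.
Added example (not from this page's author).  Follows IEEE 802.11i:
PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
The keyspace estimate is an assumed heuristic for illustration only."""
import hashlib
import math
import string


def validate_passphrase(passphrase: str) -> None:
    """802.11i allows 8 to 63 printable ASCII characters (0x20 to 0x7E)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK used by both the access point and every client on the network."""
    validate_passphrase(passphrase)
    # The SSID is the salt, so the same passphrase yields a different PMK on
    # every network name; the 4096 iterations slow down offline guessing.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def estimated_keyspace_bits(passphrase: str) -> float:
    """Crude estimate (assumed heuristic): length * log2(alphabet in use)."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        alphabet += 26
    if any(c in string.digits for c in passphrase):
        alphabet += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        alphabet += 33
    return len(passphrase) * math.log2(alphabet)


if __name__ == "__main__":
    # Constructed network name; "password" on SSID "IEEE" is the 802.11i Annex H vector.
    print(derive_pmk("password", "IEEE").hex())
    print(estimated_keyspace_bits("password"), estimated_keyspace_bits("Correct-Horse-Battery-9"))
```

Because every device derives the same PMK from the same passphrase, the PMK is only as hard to guess as the passphrase itself; the iteration count adds constant work per guess, while each extra character multiplies the number of guesses.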
AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is the new method for privacy protection of wireless transmissions specified in the IEEE 802.11i standard. AES-CCMP provides a stronger encryption method than TKIP. Choose AES-CCMP as the data encryption method whenever strong data protection is important.
NOTE: Some security solutions may not be supported by your computer’s operating system and may require additional software or hardware as well as wireless LAN infrastructure support. Check with your computer manufacturer for details.
TKIP (Temporal Key Integrity Protocol) is an enhancement to WEP (Wired Equivalent Privacy) security. TKIP provides per-packet key mixing, a message integrity check and a rekeying mechanism, which fixes the flaws of WEP.
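Two of the TKIP enhancements mentioned here and in the WPA paragraph above (the extended IV and the sequencing rules) can be put in numbers. The following is an added example, not code from this page: it estimates how quickly WEP's 24-bit IV repeats compared with TKIP's 48-bit sequence counter (TSC), using the standard birthday-bound approximation, and models the receiver-side sequencing rule that discards any frame whose TSC is not strictly greater than the last accepted one. The rekey threshold in it is an assumed value.

```python
"""IV space and sequencing rules: WEP's 24-bit IV versus TKIP's 48-bit TSC.
Added example, not from this page's author.  The collision figures use the
standard birthday-bound approximation; the replay filter models TKIP's
sequencing rule that a received TSC must be strictly greater than the last
accepted one for that key.  The rekey threshold is an assumed value."""
import math


def expected_packets_to_first_iv_reuse(iv_bits: int) -> float:
    """Birthday bound: about sqrt(pi * N / 2) draws before a repeat among N values."""
    space = 2 ** iv_bits
    return math.sqrt(math.pi * space / 2)


def probability_of_iv_reuse(packets: int, iv_bits: int) -> float:
    """P(at least one repeated IV) ~ 1 - exp(-k(k-1)/2N) for k packets."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def seconds_to_exhaust_iv_space(iv_bits: int, packets_per_second: float) -> float:
    """Time until a sequential counter wraps and keystreams start repeating."""
    return (2 ** iv_bits) / packets_per_second


class TscReplayFilter:
    """Receiver-side TKIP sequence counter check for one key."""
    TSC_BITS = 48
    REKEY_THRESHOLD = 2 ** 48 - 2 ** 20   # assumed high-water mark, not from the page

    def __init__(self) -> None:
        self.last_accepted = -1
        self.rekey_needed = False
        self.dropped = 0

    def accept(self, tsc: int) -> bool:
        """Return True if the frame may be processed, False if it is discarded."""
        if not 0 <= tsc < 2 ** self.TSC_BITS:
            raise ValueError("TSC out of range")
        if tsc <= self.last_accepted:
            self.dropped += 1          # replayed or reordered frame: discard
            return False
        self.last_accepted = tsc
        if tsc >= self.REKEY_THRESHOLD:
            self.rekey_needed = True   # rekey before the counter can wrap
        return True


if __name__ == "__main__":
    print("WEP 24-bit IV: first repeat expected after ~%.0f packets"
          % expected_packets_to_first_iv_reuse(24))
    print("WEP 24-bit IV: exhausted in %.1f hours at 500 pkt/s"
          % (seconds_to_exhaust_iv_space(24, 500) / 3600))
    print("TKIP 48-bit TSC: exhausted in %.0f years at 500 pkt/s"
          % (seconds_to_exhaust_iv_space(48, 500) / (3600 * 24 * 365)))
```

The point of the sequencing rule is that a repeated or replayed frame is dropped before the MIC is even checked, and the point of the rekeying mechanism is that the counter never gets close to wrapping, so a per-packet key is never reused under the same temporal key.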
Message Digest 5 (MD5) is a one-way authentication method that uses user names and passwords. This method does not support key management, but does require a pre-configured key if data encryption is used. It can be safely deployed for wireless authentication inside EAP tunnel methods.
EAP-TLS is an authentication method that uses the Extensible Authentication Protocol (EAP) and a security protocol called Transport Layer Security (TLS). EAP-TLS uses certificates which use passwords. EAP-TLS authentication supports dynamic WEP key management. The TLS protocol is intended to secure and authenticate communications across a public network through data encryption. The TLS Handshake Protocol allows the server and client to provide mutual authentication and to negotiate an encryption algorithm and cryptographic keys before data is transmitted.
These settings define the protocol and the credentials used to authenticate a user. In TTLS (Tunneled Transport Layer Security), the client uses EAP-TLS to validate the server and create a TLS-encrypted channel between the client and server. The client can use another authentication protocol, typically a password-based protocol such as MD5 Challenge, over this encrypted channel to enable server validation. The challenge and response packets are sent over a non-exposed TLS encrypted channel. TTLS implementations today support all methods defined by EAP, as well as several older methods (PAP, CHAP, MS-CHAP and MS-CHAPv2). TTLS can easily be extended to work with new protocols by defining new attributes to support new protocols.
PEAP is a new Extensible Authentication Protocol (EAP) IEEE 802.1x authentication type designed to take advantage of server-side EAP-Transport Layer Security (EAP-TLS) and to support various authentication methods, including users' passwords and one-time passwords, and Generic Token Cards.
Cisco LEAP (Cisco Light EAP) is a server and client 802.1x authentication method that uses a user-supplied logon password. When a wireless access point communicates with a Cisco LEAP-enabled RADIUS server (Cisco Secure Access Control Server [ACS]), Cisco LEAP provides access control through mutual authentication between client wireless adapters and the wireless networks and provides dynamic, individual user encryption keys to help protect the privacy of transmitted data.
The Cisco Rogue Access Point feature provides security protection from an introduction of a rogue access point that could mimic a legitimate access point on a network in order to extract information about user credentials and authentication protocols that could compromise security. This feature only works with Cisco's LEAP authentication. Standard 802.11 technology does not protect a network from the introduction of a rogue access point. Refer to LEAP Authentication for more information.
When a wireless LAN is configured for fast reconnection, a LEAP-enabled client device can roam from one access point to another without involving the main server. Using Cisco Centralized Key Management (CCKM), an access point configured to provide Wireless Domain Services (WDS) takes the place of the RADIUS server and authenticates the client without perceptible delay in voice or other time-sensitive applications.
Cisco Key Integrity Protocol (CKIP) is a Cisco proprietary security protocol for encryption in 802.11 media. CKIP uses the following features to improve 802.11 security in infrastructure mode:
Some access points, for example Cisco 350 or Cisco 1200, support environments in which not all client stations support WEP encryption; this is called Mixed-Cell Mode. When these wireless networks operate in "optional encryption" mode, client stations that join in WEP mode send all messages encrypted, and stations that use standard mode send all messages unencrypted. These access points broadcast that the network does not use encryption, but allow clients that use WEP mode to join. When Mixed-Cell is enabled in a profile, it allows you to connect to access points that are configured for "optional encryption."
EAP-FAST, like EAP-TTLS and PEAP, uses tunneling to protect traffic. The main difference is that EAP-FAST does not use certificates to authenticate. Provisioning in EAP-FAST is negotiated solely by the client as the first communication exchange when EAP-FAST is requested from the server. If the client does not have a pre-shared secret Protected Access Credential (PAC), it is able to initiate a provisioning EAP-FAST exchange to dynamically obtain one from the server.
EAP-FAST documents two methods to deliver the PAC: manual delivery through an out-of-band secure mechanism and automatic provisioning.
The EAP-FAST method is divided into two parts: provisioning and authentication. The provisioning phase involves the initial delivery of the PAC to the client. This phase only needs to be performed once per client and user.
When this feature is enabled, your wireless adapter provides radio management information to the Cisco infrastructure. If the Cisco Radio Management utility is used on the infrastructure, it configures radio parameters and detects interference and rogue access points.