Security+ Wireless Router
If you’re planning to take the Security+ exam you can expect to see some Security+ Wireless Router performance based questions. These questions expect you to know how to configure a wireless router. Even if you’ve done it once or twice, it might not be fresh in your mind so it’s good to review the topics.
Networks commonly use wireless routers (wireless access points with routing capabilities) and configuring security with them is an important skill to have. CompTIA stresses this on both the Network+ and Security+ exams. You should be able to configure basics such as:
- Change the SSID
- Enable/disable SSID broadcast
- Configure WPA/WPA2 Personal security
- Configure WPA/WPA2 Enterprise security (using a RADIUS server)
- Enable MAC address filtering
Ideally, you should get your hands on a WAP or a wireless router of the kind used in many homes and small offices and home offices (SOHOs). They are easy to obtain and inexpensive, and the experience of configuring one is valuable both on the job and for the exam.
The following sections show how to configure a Cisco M20 wireless router. All devices aren’t exactly the same, but you’ll find similar settings if you click around on whatever device you have.
Requirements: This exercise assumes you’re running a wireless network with a wireless access point or wireless router that is accessible via HTTP. You’ll also need access to a computer browser such as Internet Explorer or Chrome.
Security+ Wireless Router – Accessing the Administration Page
1. Open your web browser and type in the IP address of your wireless access point or wireless router into the URL section. It is often 192.168.0.1 or 192.168.1.1.
2. When prompted, enter the administrator username and the password. If you don’t know these, you’ll need to check the documentation. You can often find the manual online with a Google search. For example, if you have an M20 router, search on “wireless router M20 Manual.”
3. Click Log In. This will typically take you to a setup page similar to the following graphic:
Security+ Wireless Router – Enable/Disable SSID Broadcast
The service set identifier (SSID) is the name of the network. It is a case-sensitive string of up to 32 characters. Devices come with a default SSID, and it’s recommended to change the SSID from the default as a best practice.
4. Click on Wireless to see the options. The following graphic shows you what you might see.
- Network Mode refers to the wireless protocol such as 802.11b, 802.11g, and 802.11n. For this device, Mixed mode supports all three, but it also has options for only 802.11b, only 802.11g, or only 802.11n.
- Here is where you’d change the SSID from the default. In the figure, the SSID is changed to ThisisSSID.
- If necessary, you can change the Channel to avoid interference on a channel.
- Last, you can disable the SSID broadcast to hide the SSID from casual users. Remember though, attackers can easily discover your SSID even if you disable SSID broadcast.
- For this lab, don’t save any changes. However, if you need to make any changes, ensure you save them before moving to the next page.
It’s important to realize that even if you disable SSID broadcast, attackers can still discover the SSID with a wireless sniffer. In other words, disabling SSID broadcast doesn’t provide any real security. You can read more about it in the Disable SSID Broadcast or Not? post.
Security+ Wireless Router – Configure WPA/WPA2 Personal
You also need to know how to configure basic security settings such as Wi-Fi Protected Access (WPA) Personal or Wi-Fi Protected Access version 2 (WPA2) Personal. You can typically select the appropriate setting from a drop-down box and then enter the appropriate passphrase.
5. Click on Wireless Security. You’ll see a display similar to the following graphic.
- Security Mode typically includes options such as WEP (don’t use it), WPA Personal, WPA2 Personal, WPA Enterprise, and WPA2 Enterprise.
- When using WPA Personal or WPA2 Personal, you enter a passphrase (also known as a preshared key or PSK) here.
- You enter the same passphrase or PSK on all wireless devices that will connect to this wireless device.
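How the passphrase entered above becomes the actual key, as an added example (not from the original article or the router's firmware): WPA/WPA2 Personal derives the 256-bit PSK from the passphrase and the SSID with PBKDF2-HMAC-SHA1 at 4096 iterations, so the same passphrase under a different SSID yields a different key. The function names are illustrative; the "password"/"IEEE" pair is the IEEE 802.11i test vector and ThisisSSID is the SSID from the earlier step.

```python
import hashlib

def check_ssid(ssid: str) -> bytes:
    """An SSID is at most 32 bytes (32 characters for plain ASCII names)."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    return raw

def check_passphrase(passphrase: str) -> bytes:
    """A WPA/WPA2 Personal passphrase is 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return passphrase.encode("ascii")

def derive_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit pre-shared key as hex: PBKDF2-HMAC-SHA1, SSID as salt."""
    key = hashlib.pbkdf2_hmac(
        "sha1", check_passphrase(passphrase), check_ssid(ssid), 4096, 32
    )
    return key.hex()

if __name__ == "__main__":
    # Same passphrase, two SSIDs: the derived keys differ.
    print("IEEE       ", derive_psk("password", "IEEE"))
    print("ThisisSSID ", derive_psk("password", "ThisisSSID"))
    # Values a router's passphrase field should reject.
    for bad in ("short", "x" * 64):
        try:
            derive_psk(bad, "ThisisSSID")
        except ValueError as err:
            print(f"rejected {len(bad)}-character passphrase: {err}")
```

Every client must be given both the exact SSID (it is case sensitive) and the exact passphrase, or it derives a different key and fails to connect.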
Security+ Wireless Router – Configure WPA/WPA2 Enterprise
Both WPA and WPA2 operate in either Personal or Enterprise modes. Most home and small business networks use Personal mode using a passphrase or password.
Larger enterprises add additional security to WAPs with WPA Enterprise or WPA2 Enterprise. Enterprise mode provides additional security by adding an authentication server and requiring each user to authenticate through this server. Authentication requires all users to prove their identities and a common way authentication is accomplished is with a username and password. A user claims an identity with a username and proves the identity with a password.
Enterprise mode requires an 802.1x server typically configured as a Remote Authentication Dial-In User Service (RADIUS) server, which is configured separately from the access point. The RADIUS server has access to the user’s authentication credentials and can verify when a user has entered authentication information correctly.
The following figure shows the configuration for an access point using WPA2 Enterprise. After selecting WPA2 Enterprise from the drop down box, the selections change. You then need to enter the IP address of the RADIUS server and the shared secret configured on the RADIUS server. The default port for RADIUS is 1812 and you only need to change this if the RADIUS server is using a non-default port.
6. Select one of the Enterprise modes such as WPA2 Enterprise. You’ll see a display similar to the following graphic.
- Enter the IP address of the RADIUS server.
- RADIUS servers typically use port 1812 but they can use other ports. If the server is using a different port, enter its port number.
- The shared secret is similar to a password. You enter the same password here that the RADIUS server is using.
In a production environment, you will likely have to ask the RADIUS server administrator for some of these details. Also, the RADIUS server administrator would configure the RADIUS server with a database of accounts, such as an Active Directory domain.
Security+ Wireless Router – Enable MAC Address Filtering
Another configuration you might need to implement for Security+ WAP performance based questions is media access control (MAC) address filtering. The MAC address is assigned to the network interface card (NIC) when it is manufactured and you can use it to identify specific devices. When used within a MAC address filter, you can restrict access to the wireless network to specific devices based on their MAC address.
7. Select Wireless MAC Filter. You’ll see a display similar to the following graphic.
- The MAC filter is disabled by default, but you can enable it by clicking on Enabled.
- After enabling it, you need to decide if you want to block specific devices from accessing the network by using the Prevent setting, or allow specific devices to access the network by using the Permit setting.
As an example, if your neighbors are using your wireless network, you can enter the MAC addresses of their devices to block them.
Or, if you want to ensure devices used in your home or business are allowed, you can enter their MAC addresses.
- Next, add the MAC addresses of devices you want to allow or block.
Devices with these MAC addresses will be allowed access to the network, but other devices will be blocked. This setting isn’t restricted to only PCs. Any wireless device has a MAC address including tablet devices and smartphones.
You can also configure a MAC address filter to block specific devices. For example, if your neighbor is using your access point to access the Internet, you can block his system using his MAC address. You would select the first setting “Prevent PCs listed below from accessing the wireless network” and enter the MAC address of his system.
8. The Wireless Client List is a cool feature in the M20 wireless router and available in many other wireless routers. Click the “Wireless Client List” button and a display will pop up based on the devices that are currently connected. It might look similar to the following graphic. For this device, you have several options:
- Click Add and the software will add the MAC addresses of all the devices to your MAC filter list. (You can also use this to discover the MAC addresses of your neighbor’s devices, if your neighbor is connected).
- If you only want to add some of them, click the check box at the right and click Add.
- Click Refresh and it will add or remove devices based on what devices are connected.
- Click Close to close the window.
- Don’t save these changes for the lab. However, if you were implementing a MAC filter, you should save the changes.
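The Prevent and Permit settings behave differently for devices that are not on the list, which the following added example models (illustrative code, not the M20's own logic; all names and MAC addresses are constructed). It also includes a check worth running before saving a filter: whether the device you are configuring from would still be allowed.

```python
import re

PERMIT, PREVENT = "permit", "prevent"  # the two filter modes described above

def normalize_mac(mac: str) -> str:
    """Accept 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e or 001a.2b3c.4d5e notation."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_allowed(client_mac, mode, filter_list, enabled=True) -> bool:
    if not enabled:  # the filter is disabled by default: any device may connect
        return True
    listed = normalize_mac(client_mac) in {normalize_mac(m) for m in filter_list}
    if mode == PERMIT:   # only listed devices get in; everything else is blocked
        return listed
    if mode == PREVENT:  # listed devices are blocked; everything else gets in
        return not listed
    raise ValueError(f"unknown mode: {mode!r}")

def review_before_save(mode, filter_list, admin_mac) -> list:
    """Warn about filter settings that would lock out the administrator."""
    warnings = []
    if mode == PERMIT and not filter_list:
        warnings.append("Permit mode with an empty list blocks every wireless device")
    if not is_allowed(admin_mac, mode, filter_list):
        warnings.append("the device you are configuring from would be blocked")
    return warnings

# Constructed sample of a Wireless Client List (hypothetical devices).
CLIENTS = {
    "laptop": "00-1A-2B-3C-4D-5E",
    "phone": "001a.2b3c.4d5f",
    "unknown": "02:AA:BB:CC:DD:EE",
}

def evaluate(mode, filter_list, enabled=True) -> dict:
    """Map each connected client to True (allowed) or False (blocked)."""
    return {n: is_allowed(m, mode, filter_list, enabled) for n, m in CLIENTS.items()}

if __name__ == "__main__":
    own = ["00:1a:2b:3c:4d:5e", "00:1A:2B:3C:4D:5F"]
    print("permit :", evaluate(PERMIT, own))
    print("prevent:", evaluate(PREVENT, ["02:aa:bb:cc:dd:ee"]))
    print("review :", review_before_save(PERMIT, own[1:], CLIENTS["laptop"]))
```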
Security+ Wireless Router Summary
You can expect to see some Security+ wireless router performance based questions on the Security+ exam. These questions expect you to know how to configure a wireless access point (WAP) including the SSID, MAC address filtering, and security settings such as WPA2 Personal or WPA2 Enterprise. Good luck.