If you’re planning to take the Security+ exam, you should have a basic understanding of troubleshooting security issues related to wireless networking such as configuring wireless security.
For example, can you answer this question?
Q. Your organization is planning to implement a wireless network using WPA2 Enterprise. Of the following choices, what is required?
A. An authentication server with a digital certificate installed on the authentication server
B. An authentication server with DHCP installed on the authentication server
C. An authentication server with DNS installed on the authentication server
D. An authentication server with WEP running on the access point
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
IEEE 802.1x
An 802.1x server is integrated with a database of accounts and it provides port-based authentication by requiring users and devices to authenticate before granting them access to a network. When systems connect, the 802.1x server challenges them to authenticate and prevents full network access until it receives valid credentials. This prevents rogue devices from being able to access network resources.
You can implement IEEE 802.1x as a Remote Authentication Dial-In User Service (RADIUS) server. RADIUS provides centralized authentication. When implemented with WPA or WPA2, 802.1x provides an added layer of protection by ensuring users can authenticate before granting them access to the wireless network.
At some point, people started saying that 802.1x is shorthand for multiple wireless protocols such as 802.11a, 802.11b, and so on. It is not. You can implement 802.1x with WPA and WPA2 using Enterprise mode.
Personal Versus Enterprise Modes
Both WPA and WPA2 can operate in either Personal or Enterprise modes. When using Personal mode, users access the wireless network anonymously with a preshared key (PSK) or passphrase. This doesn’t provide authentication. As a reminder, authentication proves a user’s identity with the use of credentials such as a username and password. Users claim an identity with a username and prove their identity with a password.
In contrast, WPA or WPA2 Enterprise mode forces users to authenticate with unique credentials before granting them access to the wireless network. Enterprise mode uses an 802.1x server, often implemented as a RADIUS server, which accesses a database of accounts. If users don’t have the proper credentials, Enterprise mode (using an 802.1x server) blocks their access. Also, an 802.1x server has a certificate on it to secure the authentication process.
The figure shows two screenshots of a Cisco wireless router with the Wireless Security section selected. By clicking in the box next to Security Mode, you can select a variety of different security modes such as WEP, WPA Personal, WPA2 Personal, WPA Enterprise, or WPA2 Enterprise. When you select one of the Personal settings such as WPA2 Personal in the top portion of the figure, it shows a passphrase. It can be as many as 63 characters long and the passphrase you enter here is the same passphrase you would enter on all the wireless devices. Many security experts recommend using a passphrase at least 20 characters long, with a mix of uppercase, lowercase, numbers, and special characters.
Configuring wireless security
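The passphrase entered in the Personal-mode screen above is never used directly on the air: every device runs it through the same derivation to obtain the 256-bit pre-shared key, and that derivation is why the field accepts at most 63 characters. The following is an added example, not code from the original post or from the router vendor; it implements the IEEE 802.11i passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and the 20-character, mixed-class recommendation quoted in the text, with the standard's own Annex H test vector as sample input.

```python
import hashlib
import string


def wpa2_psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key that Personal mode installs on every device.

    IEEE 802.11i specifies PBKDF2-HMAC-SHA1 with the SSID as the salt and
    4096 iterations. The passphrase must be 8 to 63 printable ASCII characters,
    which is why the router UI in the figure caps the field at 63.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/WPA2 passphrase must be 8 to 63 characters")
    if not (passphrase.isascii() and passphrase.isprintable()):
        raise ValueError("WPA/WPA2 passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_meets_recommendation(passphrase: str) -> bool:
    """Check the 20+ character, four-character-class advice quoted in the text.

    The same passphrase is shared by every device, so this is the only
    secret standing between an eavesdropper and the PSK in Personal mode.
    """
    classes = (
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(c in string.punctuation for c in passphrase),
    )
    return len(passphrase) >= 20 and all(classes)


if __name__ == "__main__":
    # Sample input: test vector 1 from IEEE 802.11i Annex H (passphrase
    # "password", SSID "IEEE"), so the derivation can be checked against the standard.
    print(wpa2_psk_from_passphrase("password", "IEEE").hex())
    print(passphrase_meets_recommendation("password"))
```

Changing the SSID changes the derived key even when the passphrase stays the same, which is why the passphrase and SSID must both match on every device.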
If you select WPA2 Enterprise, as shown in the bottom portion of the figure, it displays different information. You would need to put in the IP address of the RADIUS (or 802.1x) server, the port it is using, and a shared secret. The official default port for RADIUS is 1812. However, some vendors have used other ports such as 1645. The key is that you must enter the same port here that the server is using. The shared secret is similar to a password and you must enter it here exactly as it is entered on the server.
After you configure WPA2 Enterprise on a WAP, the WAP forwards every connection attempt to the RADIUS server for authentication. After users authenticate, the RADIUS server tells the WAP to grant them access.
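The shared secret entered on the WAP is what lets the RADIUS server trust the forwarded authentication requests. As an added example that is not part of the original post or any vendor's firmware, the Python below builds the kind of Access-Request a WAP sends for an 802.1x client (an EAP-Message plus the Message-Authenticator that RFC 3579 requires with it) and shows the server-side check: with the correct secret it verifies, with a secret that differs by a single character it fails and the server silently discards the request. The user name, EAP payload and secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Packet code and attribute types from RFC 2865 and RFC 3579.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61          # value 19 = Wireless-IEEE-802.11
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
RADIUS_AUTH_PORT = 1812          # official default; some vendors used 1645


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, user: bytes, eap: bytes) -> bytes:
    """Build the Access-Request a WAP sends on behalf of an 802.1x/EAP client.
    RFC 3579 requires Message-Authenticator with EAP-Message: HMAC-MD5 keyed
    with the shared secret over the packet with that attribute's value zeroed.
    """
    attrs = (_attr(ATTR_USER_NAME, user)
             + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", 19))
             + _attr(ATTR_EAP_MESSAGE, eap)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))   # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    header += os.urandom(16)                                 # Request Authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check with the server's copy of the shared secret.
    If the WAP's secret differs (even by one character), this fails and
    RFC 3579 says the server silently discards the request.
    """
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += alen
    return False   # EAP-Message without Message-Authenticator: discard
```

Because a wrong secret produces no Access-Reject, only silence, a WAP whose secret or port does not match the server looks to users like an access point that never answers; the RADIUS server's log is where the discarded requests show up.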
Wireless authentication systems using an 802.1x server are more advanced than most home networks need, but many larger organizations use them. In other words, most home networks use Personal mode, whereas many organizations use Enterprise mode to increase security. A combination of both a security protocol such as WPA2 and an 802.1x authentication server significantly reduces the chance of a successful access attack against a wireless system.
Remember this
Personal mode (or WPA-PSK and WPA2-PSK) uses a preshared key and does not provide individual authentication. WPA/WPA2 Enterprise mode is more secure than Personal mode, and it provides strong authentication. Enterprise mode uses an 802.1x server (implemented as a RADIUS server) to add authentication.
Q. Your organization is planning to implement a wireless network using WPA2 Enterprise. Of the following choices, what is required?
A. An authentication server with a digital certificate installed on the authentication server
B. An authentication server with DHCP installed on the authentication server
C. An authentication server with DNS installed on the authentication server
D. An authentication server with WEP running on the access point
Answer is A. WPA2 Enterprise requires an 802.1x authentication server and most implementations require a digital certificate installed on the server.
The network will likely have Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) services, but it isn’t necessary to install them on the authentication server.
Wired Equivalent Privacy (WEP) provides poor security and is not compatible with WPA2 Enterprise.