WEP Encryption and Authentication
Encryption Overview
Protecting Your Network
Authentication Types
802.1x Authentication
What is a RADIUS
Wi-Fi Protected Access (WPA)
PEAP
Cisco LEAP
Wired Equivalent Privacy (WEP) encryption and shared authentication provide protection for your data on the network. WEP uses an encryption key to encrypt data before transmitting it. Only computers using the same encryption key can access the network or decrypt the encrypted data transmitted by other computers. Authentication provides an additional validation process from the adapter to the access point.
Supported authentication schemes are Open and Shared-Key authentication.
When Data Encryption (WEP, CKIP or TKIP) is enabled, a network key is used for encryption. A network key can be provided for you automatically (for example, it might be provided on your wireless network adapter), or you can enter it yourself and specify the key length (64-bit or 128-bit), key format (ASCII characters or hexadecimal digits), and key index (the location where a specific key is stored). The longer the key length, the more secure the key. Every time the length of a key is increased by one bit, the number of possible keys doubles. Under 802.11, a wireless station can be configured with up to four keys (the key index values are 1, 2, 3, and 4). When an access point or a wireless station transmits an encrypted message using a key that is stored in a specific key index, the transmitted message indicates the key index that was used to encrypt the message body. The receiving access point or wireless station can then retrieve the key stored at that key index and use it to decode the encrypted message body.
802.1x uses two types of encryption keys, static and dynamic. Static encryption keys are changed manually and are more vulnerable. MD5 authentication uses only static encryption keys. Dynamic encryption keys are renewed automatically on a periodic basis, which makes the encryption key(s) more secure. To enable dynamic encryption keys, you must use 802.1x certificate-based authentication methods, such as TLS, TTLS, or PEAP.
Security in the WLAN can be supplemented by enabling data encryption using WEP (Wired Equivalent Privacy). You can choose 64-bit or 128-bit encryption, and the data is then encrypted with a key. Another parameter, the key index, provides the option to create multiple keys for that profile; however, only one key can be used at a time. You can also choose to password protect the profile to ensure privacy. The pass phrase is used to generate a WEP key automatically. You have the option of either using a pass phrase or entering a WEP key manually. With 64-bit encryption, the pass phrase is 5 characters long, and you can enter any arbitrary, easy to remember phrase such as Acme1, or enter 10 hexadecimal digits for the WEP key corresponding to the network the user wants to connect to. With 128-bit encryption, the pass phrase is 13 characters long, or you can enter 26 hexadecimal digits for the WEP key to connect to the appropriate network.
Note: You must use the same encryption type, key index number, and WEP key as other devices on your wireless network. Also, if 802.1x authentication is being used, WEP encryption must be disabled.
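The following Python script is an added example, not code from this help page or from the adapter software it describes. It ties together the two mechanisms described above: a key may be entered as 5 or 13 ASCII characters or as 10 or 26 hexadecimal digits (the advertised 64-bit and 128-bit strengths include the 24-bit IV, so the secret itself is 40 or 104 bits), a station holds up to four keys selected by key index, and the transmitted frame body carries the index of the key that encrypted it so the receiver can pick the same slot. The frame layout (3-byte IV, KeyID in the top two bits of the fourth byte, RC4 over data plus CRC-32 ICV) is the standard WEP encapsulation; the function names, the sample keys and the sample payload are constructed for this example.

```python
import os
import zlib

# Secret-key bytes for each advertised WEP strength. The advertised size
# includes the 24-bit IV, so "64-bit" is a 40-bit (5-byte) secret and
# "128-bit" is a 104-bit (13-byte) secret.
SECRET_BYTES = {64: 5, 128: 13}


def parse_wep_key(text, bits):
    """Accept a key as 5/13 ASCII characters or as 10/26 hexadecimal digits."""
    n = SECRET_BYTES[bits]
    if len(text) == n:
        return text.encode("ascii")
    if len(text) == 2 * n:
        return bytes.fromhex(text)
    raise ValueError(f"{bits}-bit WEP key must be {n} ASCII characters or {2 * n} hex digits")


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream); WEP seeds it with IV || secret."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def wep_encapsulate(key_table, key_index, plaintext, iv=None):
    """Build a WEP frame body: IV(3) | KeyID byte | RC4(plaintext | ICV).

    key_table holds up to four secrets, indexed 1..4 as in the adapter UI;
    on the wire the index travels as KeyID 0..3 in the top two bits of the
    fourth byte, which is how the receiver learns which slot to use.
    """
    secret = key_table[key_index - 1]
    if secret is None:
        raise ValueError(f"no key configured at index {key_index}")
    iv = os.urandom(3) if iv is None else iv
    key_id_byte = (key_index - 1) << 6
    return iv + bytes([key_id_byte]) + rc4(iv + secret, plaintext + icv(plaintext))


def wep_decapsulate(key_table, frame):
    """Receiver side: read the KeyID, take that slot's key, decrypt, verify the ICV.

    Returns (key_index, plaintext). Raises ValueError when the slot is empty or
    the ICV does not match, which is what a mismatched key or an altered frame
    looks like to the receiving station.
    """
    iv, key_id_byte, body = frame[:3], frame[3], frame[4:]
    key_index = (key_id_byte >> 6) + 1
    secret = key_table[key_index - 1]
    if secret is None:
        raise ValueError(f"no key configured at index {key_index}")
    decrypted = rc4(iv + secret, body)
    data, received_icv = decrypted[:-4], decrypted[-4:]
    if icv(data) != received_icv:
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return key_index, data


def demo():
    """Constructed scenario: two stations share key index 2; a third has a different key there."""
    shared = [None] * 4
    shared[1] = parse_wep_key("Acme1", 64)                          # index 2, ASCII form
    shared[3] = parse_wep_key("00112233445566778899aabbcc", 128)    # index 4, hex form
    frame = wep_encapsulate(shared, 2, b"hello over WEP", iv=b"\x01\x02\x03")
    index, data = wep_decapsulate(shared, frame)
    mismatched = list(shared)
    mismatched[1] = parse_wep_key("Acme2", 64)                      # same index, wrong key
    try:
        wep_decapsulate(mismatched, frame)
        rejected = False
    except ValueError:
        rejected = True
    return index, data, rejected


if __name__ == "__main__":
    print(demo())
```

The receiver never sees which key was "meant"; it trusts the KeyID bits and only discovers a mismatch through the ICV check, which is why every device on the network must carry the same key at the same index, as the note above says.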
The IEEE 802.1x standard provides a general authentication framework for 802 LANs and specifies an Extensible Authentication Protocol (EAP) to enable LAN transport for many different types of authentication protocols. A WLAN client initiates an authorization request to the access point, which authenticates the client to an EAP-compliant RADIUS server. This RADIUS server may authenticate either the user (via passwords) or the machine (by MAC address). 802.1x authentication is independent of the 802.11 authentication process. There are different 802.1x authentication types, each providing a different approach to authentication while employing the same protocol and framework for communication between a client and an access point. In most protocols, upon completion of the 802.1x authentication process, the supplicant receives a key that it uses for data encryption.
Refer to Setting up the Client for WEP and MD5 authentication for details about setting up an 802.1x profile.
802.1x features
802.1x supplicant protocol support
Support for the Extensible Authentication Protocol (EAP) - RFC 2284
Supported Authentication Methods:
MD5 - RFC 2284
EAP TLS Authentication Protocol - RFC 2716 and RFC 2246
EAP Tunneled TLS (TTLS)
Cisco LEAP
PEAP
Supports Windows XP, 2000
802.1x Authentication Notes
802.1x authentication methods include passwords, certificates, and smart cards (plastic cards that hold data)
The 802.1x authentication option can only be used with Infrastructure operation mode
Network Authentication modes are: EAP-TLS, EAP-TTLS, MD5 Challenge, LEAP (for Cisco Client eXtensions mode only), and PEAP (for WPA modes only)
Overview
802.1x authentication is independent of the 802.11 authentication process. The 802.1x standard provides a framework for various authentication and key-management protocols. There are different 802.1x authentication types, each providing a different approach to authentication but all employing the same 802.1x protocol and framework for communication between a client and an access point. In most protocols, upon the completion of the 802.1x authentication process, the supplicant receives a key that it uses for data encryption. Refer to 802.1x and Data encryption for more information.
With 802.1x authentication, an authentication method is used between the client and a Remote Authentication Dial-In User Service (RADIUS) server connected to the access point. The authentication process uses credentials, such as a user's password, that are not transmitted over the wireless network. Most 802.1x types support dynamic per-user, per-session keys to strengthen the static key security. 802.1x benefits from the use of an existing authentication protocol known as the Extensible Authentication Protocol (EAP).
802.1x authentication for wireless LANs has three main components: the authenticator (the access point), the supplicant (the client software), and the authentication server (a Remote Authentication Dial-In User Service (RADIUS) server). 802.1x authentication security initiates an authorization request from the WLAN client to the access point, which authenticates the client to an Extensible Authentication Protocol (EAP) compliant RADIUS server. This RADIUS server may authenticate either the user (via passwords or certificates) or the system (by MAC address). In theory, the wireless client is not allowed to join the network until the transaction is complete.
There are several authentication algorithms used for 802.1x: MD5-Challenge, EAP-TLS, EAP-TTLS, Protected EAP (PEAP), and EAP Cisco Wireless Lightweight Extensible Authentication Protocol (LEAP). These are all methods for the WLAN client to identify itself to the RADIUS server. With RADIUS authentication, users' identities are checked against databases. RADIUS constitutes a set of standards addressing Authentication, Authorization and Accounting (AAA). RADIUS includes a proxy process to validate clients in a multi-server environment.
The IEEE 802.1x standard is for controlling and authenticating access to port-based 802.11 wireless and wired Ethernet networks. Port-based network access control is similar to a switched local area network (LAN) infrastructure that authenticates devices attached to a LAN port and prevents access to that port if the authentication process fails.
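The three components named above (supplicant, authenticator, authentication server) and the port-based access control they implement can be modelled in a few dozen lines. The Python below is an added example, not code from this page or from any vendor's supplicant; it walks one MD5-Challenge exchange (the EAP-MD5 method from RFC 2284 that this page lists) end to end: the access point sends EAP-Request/Identity, relays each EAP response to the server, and keeps its controlled port closed until the server returns EAP-Success. The user database, user names and passwords are constructed for the example, and the RADIUS transport is elided (the relay is a direct call where the EAP packets would ride inside RADIUS attributes). Note that EAP-MD5 proves the password without transmitting it but produces no key material, which is why the text above says MD5 authentication only works with static keys.

```python
import hashlib
import hmac
import os

# EAP codes and method types from RFC 2284 (now RFC 3748).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def eap_packet(code, identifier, payload=b""):
    """Encode an EAP packet: Code(1) | Identifier(1) | Length(2) | Data."""
    return bytes([code, identifier]) + (4 + len(payload)).to_bytes(2, "big") + payload


def parse_eap(packet):
    """Return (code, identifier, data) from an encoded EAP packet."""
    length = int.from_bytes(packet[2:4], "big")
    return packet[0], packet[1], packet[4:length]


def md5_challenge_response(identifier, secret, challenge):
    """EAP-MD5 response value: MD5(Identifier | secret | challenge), as in CHAP."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Supplicant:
    """Client software: answers Identity and MD5-Challenge requests."""

    def __init__(self, username, password):
        self.username, self.password = username, password

    def handle(self, packet):
        code, ident, data = parse_eap(packet)
        if code != EAP_REQUEST:
            return None
        if data[0] == EAP_TYPE_IDENTITY:
            return eap_packet(EAP_RESPONSE, ident, bytes([EAP_TYPE_IDENTITY]) + self.username.encode())
        if data[0] == EAP_TYPE_MD5_CHALLENGE:
            challenge = data[2:2 + data[1]]           # Value-Size byte, then the challenge
            value = md5_challenge_response(ident, self.password, challenge)
            return eap_packet(EAP_RESPONSE, ident, bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value)
        return None


class AuthenticationServer:
    """RADIUS-side EAP server; `users` is a constructed map of username -> password bytes."""

    def __init__(self, users):
        self.users = users
        self.pending = {}    # identifier of the outstanding challenge -> (username, challenge)

    def handle(self, packet):
        code, ident, data = parse_eap(packet)
        next_id = (ident + 1) & 0xFF
        if code != EAP_RESPONSE:
            return eap_packet(EAP_FAILURE, next_id)
        if data[0] == EAP_TYPE_IDENTITY:
            challenge = os.urandom(16)
            self.pending[next_id] = (data[1:].decode(), challenge)
            return eap_packet(EAP_REQUEST, next_id, bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge)
        if data[0] == EAP_TYPE_MD5_CHALLENGE and ident in self.pending:
            username, challenge = self.pending.pop(ident)
            received = data[2:2 + data[1]]
            secret = self.users.get(username)
            if secret is not None and hmac.compare_digest(
                    received, md5_challenge_response(ident, secret, challenge)):
                return eap_packet(EAP_SUCCESS, next_id)
        return eap_packet(EAP_FAILURE, next_id)


class Authenticator:
    """Access point: relays EAP and opens the controlled port only on EAP-Success."""

    def __init__(self, server):
        self.server = server
        self.port_authorized = False

    def authenticate(self, supplicant, max_rounds=8):
        packet = eap_packet(EAP_REQUEST, 0, bytes([EAP_TYPE_IDENTITY]))
        for _ in range(max_rounds):
            response = supplicant.handle(packet)
            if response is None:
                break
            packet = self.server.handle(response)   # in real deployments: RADIUS EAP-Message attributes
            if packet[0] == EAP_SUCCESS:
                self.port_authorized = True
                return True
            if packet[0] == EAP_FAILURE:
                return False
        return False

    def forward(self, frame):
        """Port-based access control: data frames are dropped while the port is unauthorized."""
        return frame if self.port_authorized else None


def run_exchange(username, password, users):
    """Run one 802.1x exchange; returns (authorized, frame sent before auth, frame sent after)."""
    ap = Authenticator(AuthenticationServer(users))
    before = ap.forward(b"data before auth")
    ok = ap.authenticate(Supplicant(username, password))
    return ok, before, ap.forward(b"data after auth")


if __name__ == "__main__":
    print(run_exchange("alice", b"correct horse", {"alice": b"correct horse"}))
```

The authenticator never learns the password or even the challenge result; it only relays and acts on the final Success or Failure, which is exactly the division of roles the paragraph above describes.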
How 802.1x authentication works
A simplified description of the 802.1x authentication is:
RADIUS is the Remote Authentication Dial-In User Service, an Authentication, Authorization, and Accounting (AAA) client-server protocol used when an AAA dial-up client logs in or out of a Network Access Server. Typically, a RADIUS server is used by Internet Service Providers (ISPs) to perform AAA tasks. The AAA phases are described as follows:
Authentication phase: Verifies a user name and password against a local database. After the credentials are verified, the authorization process begins.
Authorization phase: Determines whether a request will be allowed access to a resource. An IP address is assigned to the dial-up client.
Accounting phase: Collects information on resource usage for the purpose of trend analysis, auditing, session time billing, or cost allocation.
Wi-Fi Protected Access (WPA) is a security enhancement that strongly increases the level of data protection and access control for a WLAN. WPA mode enforces 802.1x authentication and key exchange and works only with dynamic encryption keys. To strengthen data encryption, WPA uses the Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements that include a per-packet key mixing function, a message integrity check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. With these enhancements, TKIP protects against WEP's known weaknesses.
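Two of the TKIP enhancements named above, the Michael MIC and the sequencing rule on the extended IV, can be shown on the receive side. The Python below is an added example, not code from this page or from any driver: it implements the Michael keyed hash (64-bit key, 64-bit tag, 0x5a padding, the four-step block function from 802.11i) over the DA, SA, priority and MSDU that TKIP protects, and a receiver that rejects a frame whose TKIP sequence counter (TSC) does not strictly increase before it even checks the MIC. The per-packet key mixing and re-keying are not modelled. The MIC key, addresses and payload are constructed for the example.

```python
import struct

MASK32 = 0xFFFFFFFF


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def rotr32(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def xswap(x):
    """Swap the two bytes within each 16-bit half of a 32-bit word."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def michael_block(l, r):
    """Michael's block function b(L, R)."""
    r ^= rotl32(l, 17); l = (l + r) & MASK32
    r ^= xswap(l);      l = (l + r) & MASK32
    r ^= rotl32(l, 3);  l = (l + r) & MASK32
    r ^= rotr32(l, 2);  l = (l + r) & MASK32
    return l, r


def michael(key, message):
    """Michael MIC: 8-byte key, 8-byte tag, little-endian words."""
    l, r = struct.unpack("<II", key)
    # Pad with one 0x5a byte, then 4 to 7 zero bytes, to a multiple of 4 bytes.
    padded = message + b"\x5a" + b"\x00" * (4 + (-(len(message) + 1) % 4))
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = michael_block(l, r)
    return struct.pack("<II", l, r)


def tkip_mic(mic_key, da, sa, priority, msdu):
    """TKIP computes Michael over DA | SA | priority | 3 zero bytes | MSDU."""
    return michael(mic_key, da + sa + bytes([priority, 0, 0, 0]) + msdu)


class TkipReceiver:
    """Replay and integrity checks a receiver applies before accepting an MSDU."""

    def __init__(self, mic_key):
        self.mic_key = mic_key
        self.last_tsc = -1       # 48-bit TSC carried in the extended IV; starts below any real value

    def accept(self, tsc, da, sa, priority, msdu, mic):
        if tsc <= self.last_tsc:
            return "replay"      # sequencing rule: the TSC must strictly increase
        if tkip_mic(self.mic_key, da, sa, priority, msdu) != mic:
            return "mic-failure" # the MIC does not cover this payload under this key
        self.last_tsc = tsc      # advance the replay window only after both checks pass
        return "ok"


def demo():
    """Constructed scenario: a valid frame, the same frame replayed, and a modified payload."""
    mic_key = bytes(range(8))
    da, sa = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb"
    msdu = b"payload"
    mic = tkip_mic(mic_key, da, sa, 0, msdu)
    rx = TkipReceiver(mic_key)
    first = rx.accept(1, da, sa, 0, msdu, mic)
    replayed = rx.accept(1, da, sa, 0, msdu, mic)
    tampered = bytearray(msdu)
    tampered[0] ^= 0x01
    modified = rx.accept(2, da, sa, 0, bytes(tampered), mic)
    return first, replayed, modified


if __name__ == "__main__":
    print(demo())
```

WEP's CRC-32 ICV is linear, so it cannot catch a deliberate modification; the keyed MIC and the monotonic TSC are what give TKIP the integrity and anti-replay properties the paragraph above credits it with.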
PEAP is a new Extensible Authentication Protocol (EAP) IEEE 802.1x authentication type designed to take advantage of server-side EAP-Transport Layer Security (EAP-TLS) and to support various authentication methods, including user passwords, one-time passwords, and Generic Token Cards.
Cisco LEAP (EAP Cisco Wireless) is a server and client 802.1x authentication method that uses a user-supplied logon password. When a wireless access point communicates with a Cisco LEAP-enabled RADIUS server (Cisco Secure Access Control Server (ACS)), Cisco LEAP provides access control through mutual authentication between client wireless adapters and the wireless network, and provides dynamic, individual user encryption keys to help protect the privacy of transmitted data.
Cisco Rogue AP security feature
The Cisco Rogue AP feature provides protection against the introduction of a rogue access point that mimics a legitimate access point on a network in order to extract information about user credentials and authentication protocols, which could compromise security. This feature works only with Cisco's LEAP authentication. Standard 802.11 technology does not protect a network from the introduction of a rogue access point.
CKIP
Cisco Key Integrity Protocol (CKIP) is a Cisco proprietary security protocol for encryption in 802.11 media. CKIP uses the following features to improve 802.11 security in infrastructure mode: