CompTIA Security+ Exam Notes

Let Us Help You Pass

Tuesday, November 24, 2020

WIRELESS AUTHENTICATION METHODS


The following methods authenticate the device only. They do not use TLS, as TLS is only used with certificates. They do not use a username, only a password (PSK).

WEP (Wired Equivalent Privacy)

  • Built on RC4 – uses a 24-bit IV – PSK (Pre-Shared Key)
  • Prone to IV (Initialization Vector) attack

 

WPA (Wi-Fi Protected Access)

  • Built on RC4 – uses TKIP (Temporal Key Integrity Protocol)
  • Personal Mode (PSK) or Enterprise Mode (with RADIUS)
  • The PSK is prone to brute force attacks

 

WPA2 (Wi-Fi Protected Access 2)

  • Built on AES – uses CCMP
  • Personal Mode (PSK) or Enterprise Mode (with RADIUS)
  • The PSK is prone to brute force attacks
  • AES replaced RC4, CCMP replaced TKIP

 

WPA3 (Wi-Fi Protected Access 3)

  • Built on GCMP-256 (Galois/Counter Mode Protocol)
  • Replaces PSK with SAE (Simultaneous Authentication of Equals)

 

WPS (Wi-Fi Protected Setup)

  • Connection normally used with a pushbutton
  • If there is no push button, use the 8-digit PIN on the bottom of the AP
  • Prone to a brute force attack; can be broken in less than 11,000 attempts
  • Tools used for cracking WPS: Reaver, Wifite, Wash 

 

The following authenticate the user and require certificates. When using certificates, you must use TLS.

 

Enterprise Mode / 802.1x Authentication

  • Using this method requires a RADIUS server
  • Authentication can be accomplished with a username & password, smart card, or token
  • Authentication is performed against an enterprise directory service / AAA server / RADIUS
  • 802.1x requires a Supplicant, Authenticator, and Authentication server (AAA / RADIUS) 

 

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)

  • Certificates required on both the server and wireless device (Supplicant)
  • Provides mutual authentication
  • Authenticates the user – uses an enterprise directory service

 

EAP-TTLS (Extensible Authentication Protocol – Tunneled Transport Layer Security)

  • Certificate on the server only
  • Authenticates the user – uses an enterprise directory service
  • End-to-end protection of authentication credentials

 

PEAP (Protected Extensible Authentication Protocol)

  • Certificate on the server only
  • Uses TLS
  • Authenticates the user – uses an enterprise directory service
  • End-to-end protection of authentication credentials

 

The following authenticate the user and do not use certificates

 

LEAP (Lightweight Extensible Authentication Protocol)

  • Does not require certificates
  • Replaced with EAP-FAST

 

EAP-FAST (Flexible Authentication via Secure Tunneling)

  • Does not use certificates
  • Replaced LEAP

 

The following is RADIUS federation

 

  • Multiple organizations allow access to one another’s users
  • Uses the native 802.1x client (Supplicant)
  • Each organization has a RADIUS server and joins a mesh
