WIRELESS AUTHENTICATION METHODS

These authenticate the device only. These devices do not use TLS, which is only used with certificates. Do not use a username; only use a password (PSK).

 WEP (Wired Equivalent Privacy)

·       Built on RC4 – uses a 24-bit IV – PSK (Pre-Shared Key)

·       Prone to IV (Initialization Vector) attack

 WPA (Wi-Fi Protected Access)

·       Built on RC4 – uses TKIP (Temporal Key Integrity Protocol)

·       Personal Mode (PSK) or Enterprise Mode (with RADIUS)

·       The PSK is prone to brute force attacks

 WPA2 (Wi-Fi Protected Access 2)

·       Built on AES – uses CCMP

·       Personal Mode (PSK) or Enterprise Mode (with RADIUS)

·       The PSK is prone to brute force attacks

·       AES replaced RC4, CCMP replaced TKIP

 WPA3 (Wi-Fi Protected Access 3)

• Built on GCMP-256 (Galois/Counter Mode Protocol)
• Replaces PSK with SAE (Simultaneous Authentication of Equals)

 WPS (Wi-Fi Protected Setup)

• Connection is generally used with a pushbutton
• If there is no push button, use the 8-digit PIN at the bottom of the AP
• Prone to a brute force attack, can be broken in less than 11,000 attempt
• Tools used for cracking WPS: Reaver, Wifite, Wash 

 The following authenticate the user and require certificates. When using certificates, you must use TLS.

 Enterprise Mode / 802.1x Authentication

• Using this method requires a RADIUS server
• Authentication can be accomplished with a username & password, smart card, or token
• Authentication is used against an enterprise directory service / AAA server / RADIUS
• 802.1x requires a Supplicant, Authenticator, and Authentication server (AAA / RADIUS) 

 EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)

• Certificates are needed on both the server and wireless device (Supplicant)
• Provides mutual authentication
• Authenticates the user – uses an enterprise directory service

 EAP-TTLS (Extensible Authentication Protocol – Tunneled Transport Layer Security)

• Certificate on the server only
• Authenticates the user - uses an enterprise directory service
• End-to-end protection of authentication credentials

 PEAP (Protected Extensible Authentication Protocol)

• Certificate on the server only
• Uses TLS
• Authenticates the user – uses an enterprise directory service
• End-to-end protection of authentication credentials

 The following authenticate the user and do not use certificates

 LEAP (Lightweight Extensible Authentication Protocol)

• Does not require certificates
• Replaced with EAP-FAST

 EAP-FAST (Flexible Authentication via Secure Tunneling)

• Do not use certificates
• Replaced LEAP

 The following is the RADIUS federation

 Multiple organizations allow access to one another’s users

Uses the native 802.1x client (Supplicant)

Each organization has a RADIUS server and joins a mesh