Appendix D Wireless LANs

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

Table 63 Comparison of EAP Authentication Types

 

EAP-MD5EAP-TLSEAP-TTLSPEAPLEAP

Mutual Authentication

No

Yes

Yes

Yes

Yes

 

 

 

 

 

 

Certificate – Client

No

Yes

Optional

Optional

No

 

 

 

 

 

 

Certificate – Server

No

Yes

Yes

Yes

No

 

 

 

 

 

 

Dynamic Key Exchange

No

Yes

Yes

Yes

Yes

 

 

 

 

 

 

Credential Integrity

None

Strong

Strong

Strong

Moderate

 

 

 

 

 

 

Deployment Difficulty

Easy

Hard

Moderate

Moderate

Moderate

 

 

 

 

 

 

Client Identity Protection

No

No

Yes

Yes

No

 

 

 

 

 

 

WPA and WPA2

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.

Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.

If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not.

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.

Encryption

WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA2 also uses TKIP when required for compatibility reasons, but offers stronger encryption than TKIP with Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP).

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice.

 

175

WAP3205 v2 User’s Guide