Wireless Authentication Methods – SY0-601 CompTIA Security+ : 3.4

There are a number of different methods to authenticate users with a wireless network. In this video, you’ll learn about PSK, 802.1X, captive portal, and WPS.


When you’re connecting to a wireless network, one of the first things that happens is authentication. We need some way to ensure that the people connecting to the wireless network are truly authorized to be on that wireless network. This could be a wireless network that’s configured to allow access for mobile users. Or this may be in a coffee shop where the people stopping by are simply there temporarily and then they leave the network.

There are generally two major ways to authenticate to a wireless network. The first is giving everyone the same password. We refer to this as a pre-shared key because we’ve created the key previously. And then we hand that key out to anyone who needs access to the network.

These pre-shared keys, or shared passwords, are commonly used for networks that we might have at our home. In our corporate environment, however, we need additional security. We need to make sure that everyone has a different authentication method for logging in. We want to be sure that if someone were to leave the company, we could disable their access but still allow access for everyone else.

To be able to do that, we use a standard called 802.1X. This provides for centralized authentication. So someone logging in to a wireless network could use the credentials that they might normally use to log in to their Windows Active Directory domain. The configuration for pre-shared key or 802.1X is usually set on the wireless access point itself. Then, if anybody connects to that wireless network, they’re normally prompted to add their authentication credentials as part of that connection process.

Here’s a good example of configuring that authentication on a wireless access point. You can see there are a number of different options. Any time we see an option labeled personal, that would be a pre-shared key. And anything labeled enterprise would be 802.1X. If we configure our wireless access point to have no security, or it’s listed as open security, that means that anyone can connect to the wireless network and they don’t need any type of authentication.

The next step up would be WPA3-Personal, or you may see this written as WPA3 pre-shared key or PSK, where everyone gets exactly the same password that they would use to connect to the wireless network. Although everyone is using the same pre-shared key to gain access to the wireless access point, the access point is going to give everyone a completely different session key.

This means that the session key that I would use for my wireless conversation will be completely different than the encryption key used for a different wireless conversation. WPA3 is able to do this using a method called SAE, or Simultaneous Authentication of Equals. And this is a new capability with WPA3 that makes the encryption configured with pre-shared keys much more secure than WPA2.

And if you’re in an office, you’re probably using WPA3-Enterprise. You might also see this written as WPA3-802.1X. With WPA3-Enterprise, we’re using a centralized authentication server. So we’re using RADIUS, TACACS or LDAP to be able to centralize everyone’s username and password.

If you’re on a third-party wireless network, especially one that’s used in a coffee shop, a hotel, or on some other temporary basis, then you’re probably using a captive portal to be able to provide this authentication. A captive portal is a method of providing authentication using a separate login screen from your browser. The access point that you’re authenticating to will check to see if you have previously authenticated. And if you haven’t, it will redirect you to this portal page when you open your browser.

It’s common for this login page to ask for a username or password, and many captive portals support the use of additional authentication factors as well. Once this information is typed into the captive portal and that information is confirmed, then you have access to the wireless network. These captive portals often have a timeout function associated with them.

You either hit a Logout button to disconnect from the wireless network, or the portal automatically times you out after a certain number of hours have elapsed. Once that initial session expires, you’ll need to reconnect to the captive portal front end, add your credentials again, and then you’ll be connected to the wireless network for that next interval.

As you can see, there are a number of configuration settings inside of an access point that have to be enabled or disabled depending on the type of protection you’d like to have for your wireless network. And you have to make sure that whatever configuration you have for the access point is also configured the same way on your wireless clients. To make this process a bit easier for the administrator and for the users, a type of authentication was created called WPS. That stands for Wi-Fi Protected Setup.

This is a format that used to be called Wi-Fi Simple Config. The idea is that it would be much easier to use this method of authentication rather than using pre-shared keys, 802.1X authentication, or some other type of authentication method. WPS allows different methods to be used for authentication. For example, you could use a personal identification number that you would put into the mobile device and that gains you access to the wireless network. Or you might have to push a button on the access point itself while you’re configuring the settings on your wireless device.

Or perhaps you need to bring the wireless device close to the access point and they will transfer information between each other using near-field communication, or NFC. With this configuration, users don’t have to remember a pre-shared key. You don’t have to configure 802.1X authentication behind the scenes; you would simply use one of these criteria to be able to allow access to the wireless network.

Perhaps the most common method used for authentication with WPS is to add the personal identification number to the devices that will be connecting to the wireless network. But unfortunately, WPS includes a significant flaw associated with this personal identification number. And you may find that disabling WPS on your network may be a better idea than leaving this functionality enabled.

The challenge for WPS is that it was built incorrectly from the very beginning. The verification of this personal identification number is an important step during the authentication process. And as you’ve seen, that PIN is an eight-digit number. If we look into the details of this number, it’s really a seven-digit number and the last number is a checksum. So with those seven numbers, that means you could really only have 10 million possible combinations if you had to brute force every single one of those.

But it’s actually even worse than that. The process validates each half of the PIN individually. That means the first half, or four digits, is validated. And then the second half, which is only three digits because the last digit is a checksum, is validated as a separate set of input. This means your four digits in the first half will be about 10,000 possibilities. And the second half of the number is only 1,000 possibilities. That means instead of going through 10 million possible combinations, you only need to go through 11,000 possible combinations to try every single one of them.

If you have an older wireless access point that has no brute force attack prevention built inside of it, it only takes a number of hours to go through every possible one of those 11,000 options. Most of your newer access points are going to have brute force protection built into the device, which means you won’t be able to simply go through all 11,000. It will stop you after the first incorrect series of personal identification number attempts.
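
The PIN arithmetic above can be checked in code. This is an added example, not part of the video: the checksum rule is the one from the Wi-Fi Simple Config specification, and the attempt rate and lockout settings are constructed assumptions used to show how much a lockout policy stretches the worst case.

```python
# Added example: WPS PIN structure and worst-case guess counts.
# The timing and lockout figures used here are assumed, not measured.

def wps_checksum(first7: int) -> int:
    """Checksum digit for the first seven PIN digits (Wi-Fi Simple Config rule)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)   # 1st, 3rd, 5th... digit from the right: weight 3
        first7 //= 10
        accum += first7 % 10         # 2nd, 4th, 6th... digit from the right: weight 1
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is eight ASCII digits and the last digit matches the checksum."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def keyspace(split_validation: bool) -> int:
    """Worst-case number of guesses the access point has to withstand."""
    if split_validation:
        # Halves are confirmed separately: 4 digits, then 3 digits + checksum.
        return 10**4 + 10**3
    return 10**7  # seven free digits confirmed as a single value


def worst_case_hours(guesses, secs_per_attempt, lock_after=None, lock_secs=0):
    """Hours needed to exhaust `guesses`, pausing lock_secs every lock_after failures."""
    total = guesses * secs_per_attempt
    if lock_after:
        # Only failed attempts count toward a lockout; the final guess succeeds.
        total += ((guesses - 1) // lock_after) * lock_secs
    return total / 3600


if __name__ == "__main__":
    RATE = 1.5  # seconds per PIN attempt (assumption)
    print("12345670 valid:", is_valid_pin("12345670"))
    print("whole-PIN check:", keyspace(False), "guesses,",
          round(worst_case_hours(keyspace(False), RATE)), "hours")
    print("split check, no lockout:", keyspace(True), "guesses,",
          round(worst_case_hours(keyspace(True), RATE), 1), "hours")
    print("split check, 60 s lockout per 3 failures:",
          round(worst_case_hours(keyspace(True), RATE, 3, 60), 1), "hours")
```
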

Although WPS was intended to make the process so much easier, it instead made the process much more insecure. And usually a best practice for WPS is to simply disable it on your wireless access point.