To gain access to a wireless network, you’ll need to provide some form of authentication. In this video, you’ll learn about authentication and security technologies for wireless networks.
In a previous video, we discussed the encryption mechanisms we use on our wireless networks. But we also need some way to authenticate to the network, and for that we use a framework called EAP, the Extensible Authentication Protocol. EAP itself is not a single authentication method; it is a framework, and many different methods can be carried inside it.
There are many RFC standards that use EAP for authentication. On wireless networks, WPA and WPA2 in their Enterprise modes carry EAP over 802.1X, and which EAP method is used depends on how you configure your access points and your authentication server. Cisco was an early adopter of wireless technologies. On some of their first access points, which still used WEP encryption, they used LEAP, or Lightweight EAP, to provide authentication. LEAP's challenge/response exchange can be attacked offline with a dictionary attack once it has been captured, so today it should be treated as broken.
When WEP was replaced with stronger encryption methods, Cisco updated their authentication to EAP-FAST. FAST stands for Flexible Authentication via Secure Tunneling. EAP-FAST sets up a TLS tunnel using a Protected Access Credential (PAC) rather than requiring a certificate on every client, which keeps the method lightweight while adding the protection the encrypted tunnel provides.
As wireless technology became more popular, one authentication method gained wide adoption: EAP-TLS. TLS stands for Transport Layer Security, the same protocol we use to secure our web servers, and we now use it for wireless authentication as well. EAP-TLS authenticates both sides with X.509 certificates: the client verifies the authentication server's certificate, and the server verifies a certificate issued to the client. That makes it the strongest of the common methods, but it also means you need a PKI to issue, deploy and revoke a certificate for every device.
Some organizations, though, needed additional options for authentication, so EAP-TTLS was created: EAP Tunneled Transport Layer Security. Here only the server needs a certificate. The client first builds a TLS tunnel to the server and then runs a simpler inner method, such as PAP, CHAP or MS-CHAPv2, inside that encrypted tunnel.
Another popular EAP type is PEAP, the Protected Extensible Authentication Protocol, or protected EAP. It was created by Cisco, Microsoft and RSA Security to carry EAP inside a TLS tunnel. It is commonly implemented on Microsoft devices as PEAPv0, which you may also see referred to as EAP-MSCHAPv2, because the inner method is MS-CHAPv2 checking the user's credentials against a Microsoft directory such as Active Directory. The tunnel only protects those credentials if the client actually validates the server's certificate; a supplicant configured to accept any certificate will run MS-CHAPv2 just as happily through a rogue access point.
When you're configuring the authentication type on your wireless devices, you'll have a number of options available. They'll usually be presented on a configuration screen similar to the one shown in the video. One option is to require no authentication at all on the wireless network. That is defined as an open system: no password is needed, anyone in range can join, and on a WPA2 network that also means the traffic is not encrypted.
If you're at home or in a small office, your wireless network is probably configured with WPA2-Personal, which you may also see called WPA2-PSK. PSK stands for pre-shared key: everybody who needs access to the network needs to know that one key. If you change the pre-shared key on the access point, you also have to change the configuration of every device that connects to that wireless network, and because the key is shared, a captured handshake can be attacked offline by guessing the passphrase.
In a much larger working environment you're not going to give everybody the same key and expect it to remain secret. There you would use WPA2-Enterprise, which you may see referred to as WPA2-802.1X, because 802.1X is used to provide network access control on the wireless network.
You log in with your normal username and password, or with a certificate issued to your device. The access point forwards that EAP exchange to a back-end AAA server, typically RADIUS, and only after the server accepts it do you gain access to the wireless network. If you leave the organization, disabling your account disables your access to all of these networks at once, and when someone changes their own password it doesn't affect the authentication process for anybody else.
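The supplicant side of the choices above, as an added example that is not part of the original video: three constructed wpa_supplicant network blocks (a PEAP profile with no server validation, the same profile corrected with a pinned CA and server name, and an EAP-TLS profile) and a small linter that flags open systems, pre-shared keys, LEAP, and tunneled methods that would accept any server certificate. The SSID, identity, password and certificate paths are hypothetical.

```python
import re
from typing import Dict, List

# Constructed wpa_supplicant.conf network blocks (example values only).
# Weak: PEAP with no ca_cert and no server-name check, so any access point
# presenting any certificate can open the tunnel and collect the MS-CHAPv2 exchange.
WEAK_PEAP = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Corrected: pin the RADIUS server's CA and require its name to match.
HARDENED_PEAP = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
"""

# EAP-TLS: a certificate on the client too, and no password in the profile.
EAP_TLS = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    client_cert="/etc/wpa/alice.crt"
    private_key="/etc/wpa/alice.key"
    domain_suffix_match="radius.corp.example"
}
"""

_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
_KV = re.compile(r"^\s*(\w+)=(.*?)\s*$")


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return one dict of key/value pairs per network={...} block."""
    nets = []
    for body in _BLOCK.findall(conf):
        net = {}
        for line in body.splitlines():
            m = _KV.match(line)
            if m:
                net[m.group(1)] = m.group(2).strip('"')
        nets.append(net)
    return nets


def lint_network(net: Dict[str, str]) -> List[str]:
    """Findings for one network block; an empty list means nothing was flagged."""
    findings = []
    key_mgmt = net.get("key_mgmt", "")
    if key_mgmt == "NONE":
        return ["open system: no authentication and no encryption"]
    if "WPA-EAP" in key_mgmt or "eap" in net:
        eap = net.get("eap", "")
        if eap == "LEAP":
            return ["LEAP: challenge/response is open to offline dictionary attack"]
        if eap in ("PEAP", "TTLS"):
            if "ca_cert" not in net:
                findings.append(f"{eap}: no ca_cert, so any server certificate is trusted")
            if not any(k in net for k in ("domain_suffix_match", "subject_match", "altsubject_match")):
                findings.append(f"{eap}: no server-name check, so any certificate from the CA is accepted")
        elif eap == "TLS":
            for k in ("ca_cert", "client_cert", "private_key"):
                if k not in net:
                    findings.append(f"TLS: missing {k}")
    elif "WPA-PSK" in key_mgmt or "psk" in net:
        return ["WPA2-Personal: one shared key for everyone; a captured handshake can be guessed offline"]
    return findings


def lint_conf(conf: str) -> Dict[str, List[str]]:
    """Map each SSID in a configuration to its findings."""
    return {n.get("ssid", "?"): lint_network(n) for n in parse_networks(conf)}


if __name__ == "__main__":
    for name, conf in (("weak PEAP", WEAK_PEAP), ("hardened PEAP", HARDENED_PEAP), ("EAP-TLS", EAP_TLS)):
        print(name, lint_conf(conf))
```

The two PEAP findings are the ones that matter in practice: without `ca_cert` the supplicant will build a tunnel to anyone, and without a name match any certificate from a public CA that the system trusts would also pass. Windows and mobile supplicants expose the same two settings under different names.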
We spoke in an earlier video about performing MAC filtering on a wired network, and of course you can filter on media access control addresses on a wireless network as well. You would normally define all of the allowed devices' MAC addresses in your access point, and any other MAC address is refused when it tries to join.
But MAC addresses are never encrypted in 802.11: they sit in the frame header in the clear even on a WPA2 network, so anyone with a wireless analyzer can see every address communicating with your access point, pick one that is allowed and change their own adapter to match. So you may find that MAC filtering does not provide the level of security that you need. In fact, we commonly refer to this as security through obscurity, which, of course, is no security at all.
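Why the analyzer sees everything, as an added example that is not part of the original video: a minimal 802.11 data-frame builder and header parser. The frame bodies are marked as protected (the CCMP header and ciphertext are constructed placeholder bytes and are never decrypted), yet the three addresses are read straight out of the cleartext MAC header, and an access-point-style allowlist check passes a frame whose source address was copied from a captured one. All MAC addresses are hypothetical.

```python
import struct
from typing import Dict, Iterable, Set

# Constructed addresses (example values, not from the original page).
AP_BSSID = "00:11:22:33:44:55"
LAPTOP = "aa:bb:cc:dd:ee:01"      # on the access point's allowlist
ATTACKER = "de:ad:be:ef:00:01"    # the attacker's real adapter address
BROADCAST = "ff:ff:ff:ff:ff:ff"
ALLOWLIST = {LAPTOP}

# Constructed "ciphertext" body: an 8-byte CCMP header followed by opaque bytes.
ENCRYPTED_BODY = bytes.fromhex("0100002060000000") + bytes(range(0x10, 0x30))


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_data_frame(sa: str, da: str, bssid: str, body: bytes, protected: bool = True) -> bytes:
    """Client-to-AP 802.11 data frame (ToDS=1): addr1=BSSID, addr2=SA, addr3=DA.
    The 24-byte MAC header is never encrypted; only the body after it is."""
    fc0 = 0x08                                  # version 0, type 2 (data), subtype 0
    fc1 = 0x01 | (0x40 if protected else 0x00)  # flags: ToDS | Protected Frame
    header = (bytes([fc0, fc1]) + struct.pack("<H", 0)   # frame control, duration
              + mac_bytes(bssid) + mac_bytes(sa) + mac_bytes(da)
              + struct.pack("<H", 0))                      # sequence control
    return header + body


def parse_80211(frame: bytes) -> Dict[str, object]:
    """Read the cleartext MAC header and map addr1..3 to DA/SA/BSSID by the DS bits."""
    fc0, fc1 = frame[0], frame[1]
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and not from_ds:          # station -> access point
        bssid, sa, da = a1, a2, a3
    elif from_ds and not to_ds:        # access point -> station
        da, bssid, sa = a1, a2, a3
    elif not to_ds and not from_ds:    # ad hoc / management
        da, sa, bssid = a1, a2, a3
    else:                              # WDS, four addresses: addr4 (SA) follows sequence control
        da, sa, bssid = a3, frame[24:30], None
    return {
        "type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4,
        "protected": bool(fc1 & 0x40),
        "bssid": mac_str(bssid) if bssid else None,
        "sa": mac_str(sa), "da": mac_str(da),
    }


def observe_stations(frames: Iterable[bytes], bssid: str) -> Set[str]:
    """What a passive wireless analyzer sees: every source address talking to this BSSID."""
    return {p["sa"] for p in map(parse_80211, frames) if p["bssid"] == bssid}


def mac_filter_allows(frame: bytes, allowlist: Set[str]) -> bool:
    """The access point's check: accept the frame if its source MAC is on the list."""
    return parse_80211(frame)["sa"] in allowlist


if __name__ == "__main__":
    captured = [build_data_frame(LAPTOP, BROADCAST, AP_BSSID, ENCRYPTED_BODY)]
    seen = observe_stations(captured, AP_BSSID)   # the allowed laptop's MAC, read from a protected frame
    spoofed = build_data_frame(next(iter(seen)), BROADCAST, AP_BSSID, ENCRYPTED_BODY)
    print("laptop:", mac_filter_allows(captured[0], ALLOWLIST))
    print("attacker, own MAC:", mac_filter_allows(
        build_data_frame(ATTACKER, BROADCAST, AP_BSSID, ENCRYPTED_BODY), ALLOWLIST))
    print("attacker, copied MAC:", mac_filter_allows(spoofed, ALLOWLIST))
```

The filter has no way to tell the last two frames apart: nothing in the header is authenticated, and the encryption that would tie a frame to a real client starts only after it.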
We're starting to see more mobile device managers take advantage of geofencing. They use the GPS functionality in a mobile device to decide whether someone gets access to the network or not. You can also tie this to other device features: if the information inside your building is very sensitive, you can disable the camera while the device is inside the building.
You could also use this as a condition for authentication. Someone might have to be at least within your regional area to log in to your wireless network, and if their GPS shows them outside that area you can restrict their access. Keep in mind that the location is reported by the device itself, so treat it as one more condition on top of real authentication rather than a replacement for it.
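A geofence check of the kind an MDM policy engine would evaluate, as an added example that is not part of the original video. The office coordinates, fence radius and thresholds are constructed values. The point it adds to the paragraph above is the failure handling: a missing, stale or imprecise fix is a denial, and the device's whole reported error circle has to sit inside the fence, so a reading on the edge cannot pass by luck.

```python
import math
from typing import Optional, Tuple, TypedDict

EARTH_RADIUS_M = 6_371_000.0

# Constructed policy: a circular fence around a hypothetical office.
OFFICE_LAT, OFFICE_LON = 40.7128, -74.0060
FENCE_RADIUS_M = 300.0
MAX_FIX_AGE_S = 120.0     # reject fixes older than this
MAX_ACCURACY_M = 50.0     # reject fixes whose error circle is larger than this


class Fix(TypedDict):
    lat: float
    lon: float
    accuracy_m: float     # radius of the reported error circle
    timestamp: float      # epoch seconds when the fix was taken


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def geofence_allows(fix: Optional[Fix], now: float) -> Tuple[bool, str]:
    """Decide whether a device's last location satisfies the fence.
    Fails closed: no fix, a stale fix or an imprecise fix is a denial, not a pass."""
    if fix is None:
        return False, "no location fix"
    if now - fix["timestamp"] > MAX_FIX_AGE_S:
        return False, "fix is stale"
    if fix["accuracy_m"] > MAX_ACCURACY_M:
        return False, "fix too imprecise"
    d = haversine_m(fix["lat"], fix["lon"], OFFICE_LAT, OFFICE_LON)
    # Require the whole error circle inside the fence, not just its centre.
    if d + fix["accuracy_m"] <= FENCE_RADIUS_M:
        return True, f"inside fence, {d:.0f} m from centre"
    return False, f"outside fence, {d:.0f} m from centre"


if __name__ == "__main__":
    now = 1_700_000_000.0
    at_desk: Fix = {"lat": 40.7137, "lon": -74.0060, "accuracy_m": 10.0, "timestamp": now - 30}
    across_town: Fix = {"lat": 40.7228, "lon": -74.0060, "accuracy_m": 10.0, "timestamp": now - 30}
    print(geofence_allows(at_desk, now))
    print(geofence_allows(across_town, now))
    print(geofence_allows(None, now))
```

Because the fix comes from the client, the decision should gate an already-authenticated session (for example, as a condition evaluated by the AAA server or MDM alongside the 802.1X result) rather than stand in for the credential check.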