User's Manual
Security Overview
WEP Encryption
● Open and Shared Key authentication
802.1x Authentication
● How 802.1x Authentication Works
● 802.1x Features
WPA/WPA2
Enterprise Mode
Personal Mode
WPA-Enterprise and WPA2-Enterprise
WPA-Personal and WPA2-Personal
AES-CCMP
TKIP
TLS
TTLS
● Authentication Protocols
PEAP
● Authentication Protocols
Cisco Features
● Cisco LEAP
● Cisco Rogue Access Point Security Feature
● Fast Roaming (CCKM)
● CKIP
● 802.11b and 802.11g Mixed Environment Protection Protocol
● EAP-FAST
● Mixed Cell Mode
● Radio Management
WEP Encryption
Use IEEE 802.11 Wired Equivalent Privacy (WEP) encryption to prevent
unauthorized reception of wireless data. WEP encryption provides two levels of
security that use a 64-bit key (sometimes referred to as 40-bit) or a 128-bit key
(also known as 104-bit). For stronger security, use a 128-bit key. If you use
encryption, all wireless devices on your wireless network must use the same
encryption keys.
Wired Equivalent Privacy (WEP) encryption and shared authentication provide
protection for your data on the network. WEP uses an encryption key to encrypt
data before transmitting it. Only computers that use the same encryption key can
access the network or decrypt the encrypted data transmitted by other computers.
Authentication provides an additional validation process from the adapter to the
access point.
The WEP encryption algorithm is vulnerable to passive and active network attacks.
TKIP and CKIP algorithms include enhancements to the WEP protocol that mitigate
existing network attacks and address its shortcomings.
Open and Shared Key Authentication
IEEE 802.11 supports two types of network authentication methods: Open System
and Shared Key.
● When Open authentication is used, any wireless station can request
authentication. The station that needs to authenticate with another wireless
station sends an authentication management request that contains the
identity of the sending station. The receiving station or access point grants
any request for authentication. Open authentication therefore grants any device
network access. If no encryption is enabled on the network, any device that
knows the Service Set Identifier (SSID) of the access point can gain access to
the network.
● When Shared Key authentication is used, each wireless station is assumed to
have received a secret shared key over a secure channel that is independent
of the 802.11 wireless communications channel. Shared Key
authentication requires that the client configure a static WEP key. The client
is granted access only if it passes a challenge-based authentication.
802.1x Authentication
Overview
The 802.1x authentication is independent of the 802.11 authentication process. The
802.1x standard provides a framework for various authentication and key-
management protocols. There are different 802.1x authentication types, each of
which provides a different approach to authentication, but all employ the same 802.1x
protocol and framework for communication between a client and an access point. In
most protocols, upon completion of the 802.1x authentication process, the
supplicant receives a key that it uses for data encryption. Refer to How 802.1x
Authentication Works for more information. With 802.1x authentication, an
authentication method is used between the client and a Remote Authentication Dial-
In User Service (RADIUS) server connected to the access point. The authentication
process uses credentials, such as a user's password, that are not transmitted over
the wireless network. Most 802.1x types support dynamic per-user, per-session
keys to strengthen the static key security. 802.1x benefits from the use of an
existing authentication protocol known as the Extensible Authentication Protocol
(EAP).
802.1x authentication for wireless networks has three main components:
● The authenticator (the access point)
● The supplicant (the client software)
● The authentication server (RADIUS)
The 802.1x authentication security initiates an authorization request from the
wireless client to the access point, which authenticates the client to an Extensible
Authentication Protocol (EAP) compliant RADIUS server. This RADIUS server may
authenticate either the user (via passwords or certificates) or the system (by MAC
address). In theory, the wireless client is not allowed to join the network until the
transaction is complete.
There are several authentication algorithms used for 802.1x. Some examples are:
EAP-TLS, EAP-TTLS, and Protected EAP (PEAP). These are all methods for the
wireless client to identify itself to the RADIUS server. With RADIUS authentication,
user identities are checked against databases. RADIUS constitutes a set of
standards that addresses Authentication, Authorization and Accounting (AAA).
RADIUS includes a proxy process to validate clients in a multi-server environment.
The IEEE 802.1x standard is for controlling and authenticating access to port-based
802.11 wireless and wired Ethernet networks. Port-based network access control is
similar to a switched local area network (LAN) infrastructure that authenticates
devices attached to a LAN port and prevents access to that port if the authentication
process fails.
What is RADIUS?
RADIUS is the Remote Authentication Dial-In User Service, an Authorization,
Authentication, and Accounting (AAA) client-server protocol that is used when an
AAA dial-up client logs in or out of a Network Access Server. Typically, a RADIUS
server is used by Internet Service Providers (ISP) to perform AAA tasks. AAA phases
are described as follows:
● Authentication phase: Verifies a user name and password against a local
database. After credentials are verified, the authorization process begins.
● Authorization phase: Determines whether a request is allowed access to a
resource. An IP address is assigned for the dial-up client.
● Accounting phase: Collects information on resource usage for the purpose
of trend analysis, auditing, session time billing, or cost allocation.
How 802.1x Authentication Works
A simplified description of 802.1x authentication is:
● A client sends a "request to access" message to an access point. The access
point requests the identity of the client.
● The client replies with its identity packet which is passed along to the
authentication server.
● The authentication server sends an "accept" packet to the access point.
● The access point places the client port in the authorized state and data traffic
is allowed to proceed.
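The four steps above, run end to end as an added example (this is not code from the Intel manual): a supplicant, an authenticator and a stand-in RADIUS server exchange messages in Python, the access point's controlled port stays blocked until the server's accept arrives, and the password itself never appears in any message, only a keyed hash over a server challenge. The message names borrow EAP/RADIUS vocabulary; the payload format, the toy challenge-response method, the key derivation and the user database are constructed stand-ins.

```python
"""Simplified 802.1x exchange: supplicant (client), authenticator (access point)
and authentication server (RADIUS). Added example; message kinds borrow EAP and
RADIUS names, but payloads, the toy challenge-response method and the user
database are constructed stand-ins, not real packet formats."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the RADIUS user database: identity -> password.
USER_DB = {"alice": "correct horse battery", "bob": "hunter2"}


@dataclass
class Msg:
    src: str
    dst: str
    kind: str
    payload: dict = field(default_factory=dict)


class Supplicant:
    """Client software. The password never leaves the client; only a keyed hash
    over the server's challenge does (toy method standing in for TLS/TTLS/PEAP)."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def prove(self, challenge):
        return hmac.new(self.password.encode(), challenge, hashlib.sha256).digest()


class AuthServer:
    """Stand-in RADIUS server: checks identities against its database and
    issues per-user, per-session key material on success."""

    def __init__(self, users):
        self.users = users
        self.pending = {}  # identity -> outstanding challenge

    def handle(self, msg):
        ident = msg.payload["identity"]
        if msg.kind == "Access-Request":
            if ident not in self.users:
                return Msg("server", "ap", "Access-Reject", {"identity": ident})
            challenge = secrets.token_bytes(16)
            self.pending[ident] = challenge
            return Msg("server", "ap", "Access-Challenge",
                       {"identity": ident, "challenge": challenge})
        if msg.kind == "Access-Request/Proof":
            challenge = self.pending.pop(ident, None)
            if challenge is not None:
                expected = hmac.new(self.users[ident].encode(), challenge, hashlib.sha256).digest()
                if hmac.compare_digest(expected, msg.payload["proof"]):
                    # Dynamic session key handed to the AP (toy derivation, not a standard).
                    key = hashlib.sha256(b"session" + challenge + expected).digest()
                    return Msg("server", "ap", "Access-Accept", {"identity": ident, "key": key})
            return Msg("server", "ap", "Access-Reject", {"identity": ident})
        raise ValueError("unexpected message " + msg.kind)


class Authenticator:
    """The access point: relays EAP to the server and gates the controlled port."""

    def __init__(self, server):
        self.server = server
        self.port = {}   # station -> "unauthorized" | "authorized"
        self.keys = {}   # station -> key material from Access-Accept

    def forward_data(self, station):
        """Data frames pass only once the station's controlled port is authorized."""
        return self.port.get(station) == "authorized"


def run_8021x(station, supplicant, ap):
    """Run the exchange and return the message trace; ap.port records the outcome."""
    trace = [Msg(station, "ap", "EAPOL-Start")]            # "request to access"
    ap.port[station] = "unauthorized"                      # blocked while authenticating
    trace.append(Msg("ap", station, "EAP-Request/Identity"))
    trace.append(Msg(station, "ap", "EAP-Response/Identity", {"identity": supplicant.identity}))
    reply = ap.server.handle(Msg("ap", "server", "Access-Request",
                                 {"identity": supplicant.identity}))
    trace.append(reply)
    if reply.kind == "Access-Challenge":
        proof = supplicant.prove(reply.payload["challenge"])
        trace.append(Msg(station, "ap", "EAP-Response/Proof", {"proof": proof}))
        reply = ap.server.handle(Msg("ap", "server", "Access-Request/Proof",
                                     {"identity": supplicant.identity, "proof": proof}))
        trace.append(reply)
    if reply.kind == "Access-Accept":
        ap.port[station] = "authorized"                    # data traffic may now proceed
        ap.keys[station] = reply.payload["key"]
        trace.append(Msg("ap", station, "EAP-Success"))
    else:
        trace.append(Msg("ap", station, "EAP-Failure"))
    return trace


if __name__ == "__main__":
    ap = Authenticator(AuthServer(USER_DB))
    for m in run_8021x("sta1", Supplicant("alice", "correct horse battery"), ap):
        print(f"{m.src:>6} -> {m.dst:<6} {m.kind}")
    print("port authorized:", ap.forward_data("sta1"))
```

The `Authenticator.forward_data` check is the point of the exercise: whatever the client sends, the access point relays only EAP until the server's accept flips the port state, and a rejected or unknown identity leaves the port closed.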
802.1x Features
● 802.1x supplicant protocol support
● Support for the Extensible Authentication Protocol (EAP) - RFC 2284
● Supported Authentication Methods:
❍ EAP TLS Authentication Protocol - RFC 2716 and RFC 2246
❍ EAP Tunneled TLS (TTLS)
❍ PEAP
● Supports Windows XP and Windows 2000
NOTE: Intel PROSet/Wireless security features on Windows Vista
support TTLS and EAP-SIM authentication only.
WPA or WPA2
Wi-Fi Protected Access (WPA or WPA2) is a security enhancement that strongly
increases the level of data protection and access control to a wireless network. WPA
enforces 802.1x authentication and key-exchange and only works with dynamic
encryption keys. To strengthen data encryption, WPA utilizes its Temporal Key
Integrity Protocol (TKIP). TKIP provides important data encryption enhancements
that include a per-packet key mixing function, a message integrity check (MIC)
called Michael, an extended initialization vector (IV) with sequencing rules, and a
rekeying mechanism. With these enhancements, TKIP protects against WEP's known
weaknesses.
The second generation of WPA that complies with the IEEE TGi specification is
known as WPA2.
Enterprise Mode: Enterprise Mode verifies network users through a RADIUS or
other authentication server. WPA utilizes 128-bit encryption keys and dynamic
session keys to ensure your wireless network's privacy and enterprise security.
Enterprise Mode is targeted to corporate or government environments.
Personal Mode: Personal Mode requires manual configuration of a pre-shared key
(PSK) on the access point and clients. PSK authenticates users via a password, or
identifying code, on both the client station and the access point. No authentication
server is needed. Personal Mode is targeted to home and small business
environments.
WPA-Enterprise and WPA2-Enterprise: Provide this level of security on
enterprise networks with an 802.1x RADIUS server. An authentication type is
selected to match the authentication protocol of the 802.1x server.
NOTE: WPA-Enterprise and WPA2-Enterprise are interoperable.
WPA-Personal and WPA2-Personal: Provide this level of security in the small
network or home environment. It uses a password also called a pre-shared key
(PSK). The longer the password, the stronger the security of the wireless network. If
your wireless access point or router supports WPA-Personal and WPA2-Personal then
you should enable it on the access point and provide a long, strong password. The
same password entered into access point needs to be used on this computer and all
other wireless devices that access the wireless network.
NOTE: WPA-Personal and WPA2-Personal are not interoperable.
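How the passphrase becomes a key, as an added example rather than anything from the manual: IEEE 802.11i derives the 256-bit Pairwise Master Key (PMK) from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations, so every device that enters the same passphrase on the same network name arrives at the same key, and a single mismatched character produces an unrelated one. The strength estimate at the end is a constructed heuristic, not part of the standard.

```python
"""WPA-Personal / WPA2-Personal: turning the shared passphrase into the 256-bit
Pairwise Master Key (PMK). Added example; the derivation is the one defined in
IEEE 802.11i (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output).
The strength estimate is a crude constructed heuristic."""
import hashlib
import math
import string

HEX_DIGITS = set(string.hexdigits)


def wpa_passphrase_to_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK for `passphrase` on the network named `ssid`.

    A 64-hex-digit string is taken as the raw 256-bit PSK (the second entry form
    most access points accept); anything else must be 8 to 63 printable ASCII
    characters, as the standard requires.
    """
    if len(passphrase) == 64 and all(c in HEX_DIGITS for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    # Every device on the network runs this same computation, so all arrive at one PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def is_valid_passphrase(passphrase: str) -> bool:
    """True if the passphrase satisfies the length and character rules above."""
    try:
        wpa_passphrase_to_pmk(passphrase, "")
        return True
    except ValueError:
        return False


def devices_share_pmk(ssid: str, *passphrases: str) -> bool:
    """True only if every configured device derives the identical PMK, which is
    the condition the manual states: the same password on the access point and
    on every client. Any typo on one device breaks the key agreement."""
    pmks = {wpa_passphrase_to_pmk(p, ssid) for p in passphrases}
    return len(pmks) == 1


def passphrase_strength_bits(passphrase: str) -> float:
    """Crude guess-space estimate (constructed heuristic): the character classes
    present set the alphabet size and the length multiplies it. It illustrates
    why longer is stronger; it says nothing about dictionary words."""
    alphabet = 0
    if any(c.islower() for c in passphrase):
        alphabet += 26
    if any(c.isupper() for c in passphrase):
        alphabet += 26
    if any(c.isdigit() for c in passphrase):
        alphabet += 10
    if any(not c.isalnum() for c in passphrase):
        alphabet += 33
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa_passphrase_to_pmk("password", "IEEE").hex())
    print(devices_share_pmk("HomeNet", "Correct-Horse-9", "correct-horse-9"))
```

Because the SSID is the salt, the same passphrase yields a different PMK on every network name, and because the SSID is broadcast, the passphrase is the only secret in the derivation: its length and unpredictability are all that stands between the network and a guessing attack on the PSK.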
AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is the new
method for privacy protection of wireless transmissions specified in the IEEE 802.11i
standard. AES-CCMP provides a stronger encryption method than TKIP. Choose AES-
CCMP as the data encryption method whenever strong data protection is important.
NOTE: Some security solutions may not be supported by your
computer’s operating system and may require additional software or
hardware as well as wireless LAN infrastructure support. Check with
your computer manufacturer for details.
TKIP (Temporal Key Integrity Protocol) is an enhancement to WEP (Wired
Equivalent Privacy) security. TKIP provides per-packet key mixing, a message
integrity check and a rekeying mechanism, which fixes the flaws of WEP.
TLS
A type of authentication method using the Extensible Authentication Protocol (EAP)
and a security protocol called the Transport Layer Security (TLS). EAP-TLS uses
certificates which use passwords. EAP-TLS authentication supports dynamic WEP
key management. The TLS protocol is intended to secure and authenticate
communications across a public network through data encryption. The TLS
Handshake Protocol allows the server and client to provide mutual authentication
and to negotiate an encryption algorithm and cryptographic keys before data is
transmitted.
TTLS
These settings define the protocol and the credentials used to authenticate a user.
In TTLS (Tunneled Transport Layer Security), the client uses EAP-TLS to validate the
server and create a TLS-encrypted channel between the client and server. The client
can use another authentication protocol, typically a password-based protocol such as MD5
Challenge, over this encrypted channel to enable server validation. The challenge
and response packets are sent over a non-exposed TLS encrypted channel. TTLS
implementations today support all methods defined by EAP, as well as several older
methods (PAP, CHAP, MS-CHAP and MS-CHAPv2). TTLS can easily be extended to
work with new protocols by defining new attributes to support new protocols.
Authentication Protocols
● MD5: Message Digest 5 (MD5) is a one-way authentication method that uses
user names and passwords. This method does not support key management,
but does require a pre-configured key if data encryption is used. It can be
safely deployed for wireless authentication inside EAP tunnel methods.
● PAP: Password Authentication Protocol is a two-way handshake protocol
designed for use with PPP. It transmits the password in plain text and was
used on older SLIP systems. It is not secure.
● CHAP: Challenge Handshake Authentication Protocol is a three-way
handshake protocol that is considered more secure than PAP Authentication
Protocol.
● MS-CHAP (MD4): Uses a Microsoft version of the RSA Message Digest 4
challenge-and-reply protocol. This only works on Microsoft systems and
enables data encryption. Selecting this authentication method causes all data
to be encrypted.
● MS-CHAP-V2: Introduces an additional feature not available with MS-CHAP-V1
or standard CHAP authentication, the change password feature. This feature
allows the client to change the account password if the RADIUS server reports
that the password has expired.
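To make the PAP/CHAP difference in the list above concrete, an added example (constructed users and secrets, not from the manual) runs both handshakes and returns what each puts on the wire: PAP's two-way exchange carries the password itself, while CHAP's three-way exchange (RFC 1994) carries only an MD5 response bound to a fresh server challenge, so a recorded response does not verify against the next challenge.

```python
"""PAP versus CHAP as inner password methods. Added example; the server
database, user names and secrets are constructed. CHAP follows RFC 1994:
Response = MD5(Identifier || secret || Challenge). The point is what each
protocol exposes on the wire and why a fresh challenge per attempt matters."""
import hashlib
import secrets

# Constructed server-side credential store: user -> shared secret.
SERVER_DB = {"alice": b"s3cret-pw"}


def pap_authenticate(server_db, user, password):
    """PAP (RFC 1334): two-way handshake. Returns (accepted, on_wire), where
    on_wire is exactly what a passive observer of the link sees: the password."""
    on_wire = {"user": user, "password": password}
    return server_db.get(user) == password, on_wire


def chap_challenge():
    """Server side: a fresh one-octet Identifier and random Challenge per attempt."""
    return secrets.randbelow(256), secrets.token_bytes(16)


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 2.2: MD5 over Identifier, shared secret and Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(server_db, user, identifier, challenge, response):
    """Server side: recompute with the stored secret and compare in constant time."""
    secret = server_db.get(user)
    if secret is None:
        return False
    return secrets.compare_digest(chap_response(identifier, secret, challenge), response)


def chap_authenticate(server_db, user, client_secret):
    """Three-way handshake: Challenge, Response, Success/Failure.
    Returns (accepted, on_wire) so the traffic can be compared with PAP's."""
    identifier, challenge = chap_challenge()                          # 1. Challenge
    response = chap_response(identifier, client_secret, challenge)    # 2. Response (client)
    accepted = chap_verify(server_db, user, identifier, challenge, response)  # 3. verdict
    on_wire = {"user": user, "identifier": identifier,
               "challenge": challenge, "response": response}
    return accepted, on_wire


def replay_recorded_response(server_db, user, recorded):
    """Why the server must issue a new challenge every time: a response captured
    from an earlier exchange is checked against a fresh challenge and fails."""
    identifier, challenge = chap_challenge()
    return chap_verify(server_db, user, identifier, challenge, recorded["response"])


if __name__ == "__main__":
    ok, wire = pap_authenticate(SERVER_DB, "alice", b"s3cret-pw")
    print("PAP accepted:", ok, "on wire:", wire)
    ok, wire = chap_authenticate(SERVER_DB, "alice", b"s3cret-pw")
    print("CHAP accepted:", ok, "on wire:", wire)
    print("replayed CHAP response accepted:", replay_recorded_response(SERVER_DB, "alice", wire))
```

CHAP still depends on both ends holding the clear-text secret and on MD5, which is why the manual places these methods inside a TLS tunnel (TTLS or PEAP) rather than running them directly over the air.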
PEAP
PEAP is a new Extensible Authentication Protocol (EAP) IEEE 802.1x authentication
type designed to take advantage of server-side EAP-Transport Layer Security (EAP-
TLS) and to support various authentication methods, including users' passwords and
one-time passwords, and Generic Token Cards.
Authentication Protocols
● Generic Token Card (GTC): Carries user-specific token cards for
authentication. The main feature in GTC is Digital Certificate/Token Card-
based authentication. In addition, GTC includes the ability to hide user name
identities until the TLS encrypted tunnel is established, which provides
additional confidentiality because user names are not broadcast during
the authentication phase.
● MS-CHAP-V2: Refer to MS-CHAP-V2 above.
● TLS: The TLS protocol is intended to secure and authenticate communications
across a public network through data encryption. The TLS Handshake Protocol
allows the server and client to provide mutual authentication and to negotiate
an encryption algorithm and cryptographic keys before data is transmitted.
Refer to TLS above.
Cisco Features
NOTE: Cisco Features are not supported on a Windows Vista platform.
Cisco LEAP
Cisco LEAP (Cisco Light EAP) is a server and client 802.1x authentication method that
uses a user-supplied logon password. When a wireless access point communicates with a
Cisco LEAP-enabled RADIUS server (Cisco Secure Access Control Server [ACS]), Cisco LEAP
provides access control through mutual authentication between client wireless
adapters and the wireless network, and provides dynamic, individual user
encryption keys to help protect the privacy of transmitted data.
Cisco Rogue Access Point Security Feature
The Cisco Rogue Access Point feature provides security protection from an
introduction of a rogue access point that could mimic a legitimate access point on a
network in order to extract information about user credentials and authentication
protocols that could compromise security. This feature only works with Cisco's LEAP
authentication. Standard 802.11 technology does not protect a network from the
introduction of a rogue access point. Refer to LEAP Authentication for more
information.
Fast Roaming (CCKM)
When a wireless LAN is configured for fast reconnection, a LEAP-enabled client
device can roam from one access point to another without involving the main
server. Using Cisco Centralized Key Management (CCKM), an access point
configured to provide Wireless Domain Services (WDS) takes the place of the
RADIUS server and authenticates the client without perceptible delay in voice or
other time-sensitive applications.
CKIP
Cisco Key Integrity Protocol (CKIP) is a Cisco proprietary security protocol for
encryption in 802.11 media. CKIP uses the following features to improve 802.11
security in infrastructure mode:
● Key Permutation (KP)
● Message Sequence Number
802.11b and 802.11g Mixed Environment Protection Protocol
Some access points, for example Cisco 350 or Cisco 1200, support environments in
which not all client stations support WEP encryption; this is called Mixed-Cell Mode.
When these wireless networks operate in "optional encryption" mode, client stations
that join in WEP mode send all messages encrypted, and stations that use standard
mode send all messages unencrypted. These access points broadcast that the
network does not use encryption, but allow clients that use WEP mode to join. When
Mixed-Cell is enabled in a profile, it allows you to connect to access points that are
configured for "optional encryption."
EAP-FAST
EAP-FAST, like EAP-TTLS and PEAP, uses tunneling to protect traffic. The main
difference is that EAP-FAST does not use certificates to authenticate. Provisioning in
EAP-FAST is negotiated solely by the client as the first communication exchange
when EAP-FAST is requested from the server. If the client does not have a pre-
shared secret Protected Access Credential (PAC), it is able to initiate a provisioning
EAP-FAST exchange to dynamically obtain one from the server.
EAP-FAST documents two methods to deliver the PAC: manual delivery through an
out-of-band secure mechanism and automatic provisioning.
● Manual delivery mechanisms are any delivery mechanism that the
administrator of the network feels is sufficiently secure for their network.
● Automatic provisioning establishes an encrypted tunnel to protect the
authentication of the client and the delivery of the PAC to the client. This
mechanism, while not as secure as a manual method may be, is more secure
than the authentication method used in LEAP.
The EAP-FAST method is divided into two parts: provisioning and authentication.
The provisioning phase involves the initial delivery of the PAC to the client. This
phase only needs to be performed once per client and user.
Mixed-Cell Mode
Some access points, for example Cisco 350 or Cisco 1200, support environments in
which not all client stations support WEP encryption; this is called Mixed-Cell Mode.
When these wireless networks operate in "optional encryption" mode, client stations
that join in WEP mode send all messages encrypted, and stations that use standard
mode send all messages unencrypted. These access points broadcast that the
network does not use encryption, but allow clients that use WEP mode to join.
When Mixed-Cell is enabled in a profile, it allows you to connect to access points
that are configured for "optional encryption."
Radio Management
When this feature is enabled your wireless adapter provides radio management
information to the Cisco infrastructure. If the Cisco Radio Management utility is used
on the infrastructure, it configures radio parameters, detects interference and rogue
access points.