ONT Notes - 802.1x and Encryption on LWAPs

• Traditional WLAN weaknesses
  • SSID for security
  • Vulnerable to rogue APs
  • MAC filtering for security
  • WEP
• WEP weaknesses
  • Disribution of static keys is not scalable
  • WEP keys can be cracked easily
  • Vulnerable to dictionary attacks
  • No protection against rogue APs
• Benefits of 802.1x
  • Centralized authentication through Radius via AAA
  • Mutual authentication between client and auth server
  • Can use multiple encryption algorithms (AES, WPA, TKIP, WEP)
  • Automatic dynamic WEP keys
  • Roaming
• Requirements of 802.1x
  • EAP-capable client (supplicant)
  • 802.1x-capable AP (authenticator)
  • EAP-capable auth server

Table 1. Characteristics of the EAP variants

• WPA
  • Features
    • Authenticated key management - auths prior to key management
    • Unicast and broadcast key management - keys are distributed and stored on the client and the AP
    • TKIP and MIC
      • Temporal Key Integrity Protocol (TKIP) - per-packet keying
      • Message Integrity Checking (MIC) - integrity checking
    • Initialization vector (IV) expansion - from 24 bits to 48 bits
  • Shortcomings
    • Relies on RC4
    • Firmware support required in NICs, APs
    • Susceptible to DoS attacks
    • Dictionary attacks can discover PSKs
• WPA2
  • Features
    • 802.1x authentication or PSK
    • Key distribution and renewal
    • Proactive Key Caching (PKC) - allows roaming
    • IDS for rogue APs and attacks
  • Shortcomings
    • Supplicant must have WPA2-compliance firmware
    • AAA server must support EAP
    • WPA2 uses more CPU, so a hardware upgrade may be required
    • Older devices may not be upgradeable and must be replaced

Table 2. WPA/WPA2 Enterprise and Personal Modes