3.4 - Given a scenario, install and configure wireless security settings. Flashcards
Cryptographic protocols
WiFi Protected Access 2 (WPA2)
WiFi Protected Access 3 (WPA3)
Counter-mode/CBC-MAC Protocol (CCMP)
SAE - Simultaneous Authentication of Equals
– A Diffie-Hellman derived key exchange with an authentication component: both sides prove knowledge of the password without sending it, so a captured handshake cannot be used for an offline dictionary attack
– Everyone uses a different session key, even with the same PSK, because each handshake uses fresh ephemeral values
– Standardized in IEEE 802.11 (used by WPA3-Personal) - the Dragonfly handshake (RFC 7664)
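The two SAE points above (a Diffie-Hellman derived exchange with an authentication component, and a fresh session key per handshake even under one shared PSK), as an added example that is not part of these flashcards: a stand-alone Python model of the SAE commit/confirm exchange placed next to the WPA2-PSK PMK derivation it replaces. It is illustrative, not a protocol implementation: real SAE defaults to ECC group 19 (NIST P-256) and the IEEE 802.11 KDF, while this uses the 1024-bit MODP group 2 from RFC 2409 and a simplified HMAC-based KDF; the station/AP identities, passphrases and SSID are constructed values.

```python
"""Added example (not from these flashcards): why SAE yields a fresh session key
per handshake even though every client shares one PSK, while WPA2-PSK does not.
Illustrative only: real SAE (IEEE 802.11 / Dragonfly, RFC 7664) defaults to ECC
group 19 (NIST P-256) and the 802.11 KDF; this uses the 1024-bit MODP group 2
from RFC 2409 and a simplified HMAC KDF so it runs on stdlib Python alone.
Identities, passphrases and SSIDs below are constructed sample values."""
import hashlib
import hmac
import secrets

# RFC 2409 group 2: safe prime p, subgroup order q = (p-1)/2, cofactor 2
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
NBYTES = (P.bit_length() + 7) // 8

def group_constants_ok() -> bool:
    """Fermat sanity check that P and Q were transcribed correctly (not a proof)."""
    return pow(2, P - 1, P) == 1 and pow(2, Q - 1, Q) == 1

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iters, 32 bytes).
    Deterministic: anyone holding the PSK and a captured 4-way handshake can
    derive that session's keys."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def _b(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")

def password_element(id_a: bytes, id_b: bytes, password: bytes) -> int:
    """Hunting-and-pecking (RFC 7664 3.2.1, finite-field form): map the PSK to a
    generator PE of the order-q subgroup; both sides get the same PE. Real code
    runs a fixed iteration count so timing does not leak the password
    (Dragonblood); this loop stops early for brevity."""
    hi, lo = max(id_a, id_b), min(id_a, id_b)
    for counter in range(1, 256):
        seed = hashlib.sha256(hi + lo + password + bytes([counter])).digest()
        out, i = b"", 1
        while len(out) < NBYTES:  # simplified counter-mode KDF
            out += hmac.new(seed, bytes([i]) + b"Dragonfly Hunting And Pecking",
                            hashlib.sha256).digest()
            i += 1
        value = int.from_bytes(out[:NBYTES], "big")
        if value < P:
            pe = pow(value, (P - 1) // Q, P)  # cofactor exponentiation into the subgroup
            if pe > 1:
                return pe
    raise ValueError("no password element found")

class SaePeer:
    """One side of the SAE commit/confirm exchange."""
    def __init__(self, pe: int):
        self.pe = pe
        while True:  # fresh ephemeral secrets every handshake: 1 < rand, mask < q
            self.rand = secrets.randbelow(Q - 2) + 2
            self.mask = secrets.randbelow(Q - 2) + 2
            self.scalar = (self.rand + self.mask) % Q
            if self.scalar > 1:
                break
        self.element = pow(pow(pe, self.mask, P), -1, P)  # inverse(PE^mask)

    def process_commit(self, peer_scalar: int, peer_element: int) -> None:
        """Validate the peer's commit, then derive KCK and PMK."""
        if not (1 < peer_scalar < Q) or not (1 < peer_element < P):
            raise ValueError("peer scalar/element out of range")
        if pow(peer_element, Q, P) != 1:
            raise ValueError("peer element not in the order-q subgroup")
        if (peer_scalar, peer_element) == (self.scalar, self.element):
            raise ValueError("reflected commit")
        # ss = (PE^peer_scalar * peer_element)^rand = PE^(rand_sta * rand_ap) on both sides
        ss = pow(pow(self.pe, peer_scalar, P) * peer_element % P, self.rand, P)
        keyseed = hashlib.sha256(_b(ss)).digest()
        ctx = _b((self.scalar + peer_scalar) % Q)
        km = hmac.new(keyseed, b"SAE KCK and PMK" + ctx, hashlib.sha512).digest()
        self.kck, self.pmk = km[:32], km[32:]
        self.peer = (peer_scalar, peer_element)

    def _tag(self, first, second) -> bytes:
        msg = _b(first[0]) + _b(first[1]) + _b(second[0]) + _b(second[1])
        return hmac.new(self.kck, msg, hashlib.sha256).digest()

    def confirm(self) -> bytes:
        return self._tag((self.scalar, self.element), self.peer)

    def verify(self, peer_confirm: bytes) -> bool:
        expected = self._tag(self.peer, (self.scalar, self.element))
        return hmac.compare_digest(expected, peer_confirm)

def sae_handshake(password: bytes, ap_password: bytes = None,
                  id_sta: bytes = b"02:00:00:00:00:01", id_ap: bytes = b"02:00:00:00:00:02"):
    """One full exchange; returns (station PMK, AP PMK, both confirms verified).
    ap_password lets the AP hold a different PSK to show authentication failing."""
    sta = SaePeer(password_element(id_sta, id_ap, password))
    ap = SaePeer(password_element(id_sta, id_ap, ap_password or password))
    ap.process_commit(sta.scalar, sta.element)
    sta.process_commit(ap.scalar, ap.element)
    ok = ap.verify(sta.confirm()) and sta.verify(ap.confirm())
    return sta.pmk, ap.pmk, ok
```

Calling sae_handshake twice with the same password returns two different PMKs that the station and AP nevertheless agree on, while wpa2_pmk returns the same PMK for every session of a given passphrase and SSID. Giving the AP a different ap_password makes the confirm check fail, which is the authentication component. The range, subgroup-membership and reflection checks in process_commit are the part most often skipped in toy code and are exactly what an attacker probes.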
Authentication protocols
EAP - Extensible Authentication Protocol
- An authentication framework (RFC 3748), not a single authentication method
- Usually used for wireless network authentication (carried by 802.1X)
- Many different methods: EAP-TLS, EAP-TTLS, PEAP, EAP-FAST, LEAP (Cisco proprietary, legacy, vulnerable to offline dictionary attacks)
-> each method carries the EAP messages inside its own protocol exchange
PEAP - Protected Extensible Authentication Protocol
– Protected EAP
– Created by Cisco, Microsoft, and RSA Security
– Like EAP-FAST, encapsulates EAP in a TLS tunnel
– The authentication server (AS) uses a digital certificate instead of a PAC
– The client does not need a certificate
– User authenticates inside the tunnel with MS-CHAPv2
  – Typically checked against a Microsoft directory (Active Directory)
– User can also authenticate with a GTC
  – Generic Token Card, e.g. a hardware token generator
– Caveat: the client must validate the AS certificate; a client that skips validation will run MS-CHAPv2 against a rogue AP, whose captured exchange can be cracked offline
EAP-FAST (EAP Flexible Authentication via Secure Tunneling)
– Authentication server (AS) and supplicant share a protected access credential (PAC), a shared secret
– Phase 0: the supplicant is provisioned with the PAC (anonymous in-band provisioning is exposed to man-in-the-middle; prefer authenticated or out-of-band provisioning)
– Phase 1: supplicant and AS mutually authenticate and negotiate a Transport Layer Security (TLS) tunnel
– Phase 2: user authentication occurs over the TLS tunnel
– Needs a RADIUS server
  -> provides the authentication database and the EAP-FAST services
EAP-TLS
- EAP Transport Layer Security
  -> strong security, wide adoption
– Supported by most of the industry
Requires digital certificates on the AS and on every client device
– AS and supplicant exchange certificates for mutual authentication
– A TLS tunnel is then built for the rest of the authentication process
Relatively complex implementation
– Needs a public key infrastructure (PKI)
– Must deploy and manage certificates for all wireless clients (and revoke them when a device is lost)
– Not all devices can support the use of digital certificates
Chapple 435
Weiss 377,379,633
Gibson 120
EAP-TTLS (EAP Tunneled Transport Layer Security)
– Supports other authentication protocols inside a TLS tunnel
Requires a digital certificate on the AS only
– DOES NOT REQUIRE digital certificates on every device
– Builds the TLS tunnel using the AS certificate (the client must validate it, as with PEAP)
Use any authentication method inside the TLS tunnel
– Other EAP methods
– MS-CHAPv2
– Legacy methods such as PAP or CHAP
Chapple 435
Weiss 378
Gibson 120
IEEE 802.1X
- Standard for port-based network access control (NAC)
- Used to authenticate devices (wired or wireless) before they are allowed onto the network
- Three roles: supplicant (the client), authenticator (network switch, access point, wireless controller), authentication server
- Supplicants send EAP authentication requests to authenticators (EAP over LAN, EAPOL)
- Authenticators forward them to the authentication server, usually via RADIUS
- RADIUS servers rely on a backend directory (LDAP or Active Directory) as the source of identity information
Remote Authentication Dial-in User Service (RADIUS) Federation
RADIUS itself:
- Common authentication, authorization, accounting (AAA) system for network devices, wireless networks, VPNs, etc.
- Runs over UDP (1812 authentication, 1813 accounting; legacy 1645/1646); RADIUS over TCP and RADIUS over TLS (RadSec, RFC 6614) also exist
- Client-server model: the network access server (switch, AP, controller) is the RADIUS client
- Passwords are only obfuscated, XORed with an MD5 hash of the shared secret and the request authenticator, not encrypted, so password security is not very strong
- Traffic between the RADIUS network access server and the RADIUS server is therefore usually protected with IPsec tunnels (or RadSec)
Federation:
– Members of one organization can authenticate to the network of another organization
– Using their normal credentials
– Use 802.1X as the authentication method
  -> RADIUS on the backend, EAP to authenticate; the visited site's RADIUS server proxies the request to the user's home organization
Driven by eduroam (education roaming)
– Educators and students can use their normal authentication when visiting a different campus https://www.eduroam.org/
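The RADIUS points above (client-server model with a shared secret, passwords that are only MD5-obfuscated, and the resulting need for a protected transport), as an added example that is not from these flashcards: a stand-alone Python model of one Access-Request / Access-Accept exchange, with both the NAS side and the server side. It follows RFC 2865 for the packet layout, User-Password hiding and Response Authenticator, and RFC 2869 for the Message-Authenticator; the shared secret, user name, password and reply text are constructed values, and the packet builder is a stand-in for a RADIUS library rather than one.

```python
"""Added example (not from these flashcards): a minimal RADIUS Access-Request /
Access-Accept exchange showing how the User-Password is hidden with the shared
secret and MD5 (RFC 2865 5.2) and why that is reversible obfuscation rather
than encryption, the Message-Authenticator (RFC 2869 5.14) that gives an
Access-Request integrity, and the Response Authenticator the client checks.
Shared secret, user name, password and reply text are constructed sample
values; this is a stand-in for a RADIUS library, not one."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 18, 80

def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type, Length (header included), Value; value is 1..253 bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([atype, len(value) + 2]) + value

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Pad to a 16-byte multiple; block i is XORed with MD5(secret + previous
    hidden block), the first block with MD5(secret + Request Authenticator)."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """The inverse. Anyone holding the shared secret (or who brute-forces it from a
    capture) recovers the password, hence IPsec or RADIUS/TLS on the wire.
    Trailing NUL padding is stripped, so passwords may not end in NUL bytes."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, {type: [values]}); strict on lengths."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length > 4096:
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 3 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(pkt[pos + 2:pos + alen])
        pos += alen
    return code, ident, pkt[4:20], attrs

def message_authenticator(pkt: bytes, secret: bytes, ma_offset: int) -> bytes:
    """HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed."""
    zeroed = pkt[:ma_offset + 2] + bytes(16) + pkt[ma_offset + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def build_access_request(secret: bytes, ident: int, username: bytes, password: bytes) -> bytes:
    """NAS side. The Message-Authenticator goes last so its offset is known."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    draft = packet(ACCESS_REQUEST, ident, req_auth, attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = message_authenticator(draft, secret, 20 + len(attrs))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs + attr(MESSAGE_AUTHENTICATOR, mac))

def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: check the Message-Authenticator, unhide and compare the password,
    reply with Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or MESSAGE_AUTHENTICATOR not in attrs:
        raise ValueError("not an Access-Request with Message-Authenticator")
    mac = attrs[MESSAGE_AUTHENTICATOR][-1]
    ma_offset = request.rfind(attr(MESSAGE_AUTHENTICATOR, mac))
    if not hmac.compare_digest(message_authenticator(request, secret, ma_offset), mac):
        raise ValueError("bad Message-Authenticator: wrong shared secret or tampered packet")
    pw = unhide_password(attrs[USER_PASSWORD][0], secret, req_auth)
    accept = hmac.compare_digest(users.get(attrs[USER_NAME][0], b""), pw)
    code, reply = (ACCESS_ACCEPT, b"welcome") if accept else (ACCESS_REJECT, b"denied")
    reply_attrs = attr(REPLY_MESSAGE, reply)
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    resp_auth = hashlib.md5(header + req_auth + reply_attrs + secret).digest()
    return packet(code, ident, resp_auth, reply_attrs)

def client_check_response(response: bytes, request: bytes, secret: bytes):
    """NAS side: match the Identifier and verify the Response Authenticator."""
    code, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return code, ident == req_ident and hmac.compare_digest(expected, resp_auth)
```

unhide_password is the whole point of the "not very strong" flashcard line: the hiding is an XOR keystream keyed only by the shared secret, so the secret is a single point of failure and an offline guess at it can be checked against any captured packet. The Message-Authenticator check in server_handle is what an Access-Request needs to be unforgeable; without it the MD5 Response Authenticator alone is not enough, which is what the 2024 Blast-RADIUS forgery exploited. Both are reasons the flashcards recommend IPsec (or RadSec) between the NAS and the RADIUS server.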
Pre-shared key (PSK) vs. Enterprise vs. Open
WiFi Protected Setup (WPS)