1. Home
    2. /
  2. Manuals
    3. /
  3. NETGEAR
    4. /
  4. WGT624
    5. /
  5. 26
Page 126 / 148 Scroll up to view Page 121 - 125
Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
D-10
Wireless Networking Basics
202-10090-01, April 2005
How Does WPA Compare to WPA2 (IEEE 802.11i)?
WPA is forward compatible with the WPA2 security specification. WPA is a subset of WPA2 and
used certain pieces of the early 802.11i draft, such as 802.1x and TKIP. The main pieces of WPA2
that are not included in WPA are secure IBSS (Ad-Hoc mode), secure fast handoff (for specialized
802.11 VoIP phones), as well as enhanced encryption protocols, such as AES-CCMP. These
features were either not yet ready for market or required hardware upgrades to implement.
What are the Key Features of WPA and WPA2 Security?
The following security features are included in the WPA and WPA2 standard:
WPA and WPA2 Authentication
WPA and WPA2 Encryption Key Management
Temporal Key Integrity Protocol (TKIP)
Michael message integrity code (MIC)
AES support (WPA2, requires hardware support)
Support for a mixture of WPA, WPA2, and WEP wireless clients to allow a migration strategy,
but mixing WEP and WPA/WPA2 is discouraged
These features are discussed below.
WPA/WPA2 addresses most of the known WEP vulnerabilities and is primarily intended for
wireless infrastructure networks as found in the enterprise. This infrastructure includes stations,
access points, and authentication servers (typically RADIUS servers). The RADIUS server holds
(or has access to) user credentials (for example, user names and passwords) and authenticates
wireless users before they gain access to the network.
The strength of WPA/WPA2 comes from an integrated sequence of operations that encompass
802.1X/EAP authentication and sophisticated key management and encryption techniques. Its
major operations include:
Network security capability determination. This occurs at the 802.11 level and is
communicated through WPA information elements in Beacon, Probe Response, and (Re)
Association Requests. Information in these elements includes the authentication method
(802.1X or Pre-shared key) and the preferred cipher suite (WEP, TKIP, or AES).
Page 127 / 148
Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
Wireless Networking Basics
D-11
202-10090-01, April 2005
The primary information conveyed in the Beacon frames is the authentication method and the
cipher suite. Possible authentication methods include 802.1X and Pre-shared key. Pre-shared
key is an authentication method that uses a statically configured pass phrase on both the
stations and the access point. This obviates the need for an authentication server, which in
many home and small office environments will not be available nor desirable. Possible cipher
suites include: WEP, TKIP, and AES (Advanced Encryption Standard). We talk more about
TKIP and AES when addressing data privacy below.
Authentication. EAP over 802.1X is used for authentication. Mutual authentication is gained
by choosing an EAP type supporting this feature and is required by WPA. 802.1X port access
control prevents full access to the network until authentication completes. 802.1X
EAPOL-Key packets are used by WPA to distribute per-session keys to those stations
successfully authenticated.
The supplicant in the station uses the authentication and cipher suite information contained in
the information elements to decide which authentication method and cipher suite to use. For
example, if the access point is using the pre-shared key method then the supplicant need not
authenticate using full-blown 802.1X. Rather, the supplicant must simply prove to the access
point that it is in possession of the pre-shared key. If the supplicant detects that the service set
does not contain a WPA information element then it knows it must use pre-WPA 802.1X
authentication and key management in order to access the network.
Key management. WPA/WPA2 features a robust key generation/management system that
integrates the authentication and data privacy functions. Keys are generated after successful
authentication and through a subsequent 4-way handshake between the station and Access
Point (AP).
Data Privacy (Encryption). Temporal Key Integrity Protocol (TKIP) is used to wrap WEP in
sophisticated cryptographic and security techniques to overcome most of its weaknesses.
Data integrity. TKIP includes a message integrity code (MIC) at the end of each plaintext
message to ensure messages are not being spoofed.
Page 128 / 148
Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
D-12
Wireless Networking Basics
202-10090-01, April 2005
WPA/WPA2 Authentication: Enterprise-level User
Authentication via 802.1x/EAP and RADIUS
Figure 4-6:
WPA/WPA2 Overview
IEEE 802.1x offers an effective framework for authenticating and controlling user traffic to a
protected network, as well as providing a vehicle for dynamically varying data encryption keys via
EAP from a RADIUS server, for example. This framework enables using a central authentication
server, which employs mutual authentication so that a rogue wireless user does not join the
network.
It is important to note that 802.1x does not provide the actual authentication mechanisms. When
using 802.1x, the EAP type, such as Transport Layer Security (EAP-TLS), or EAP Tunneled
Transport Layer Security (EAP-TTLS), defines how the authentication takes place.
Note
: For environments with a Remote Authentication Dial-In User Service (RADIUS)
infrastructure, WPA supports Extensible Authentication Protocol (EAP). For environments
without a RADIUS infrastructure, WPA supports the use of a pre-shared key.
Together, these technologies provide a framework for strong user authentication.
Windows XP implements 802.1x natively, and several NETGEAR switch and wireless access
point products support 802.1x.
Certificate
Authority
(for
example
Win Server,
VeriSign)
WPA/WPA2
enabled
wireless
client with
“supplicant”
TCP/IP
Ports Closed
Until
Authenticated
RADIUS Server
Wired Network with Optional
802.1x Port Based Network
Access Control
WPA/WPA2
enabled
Access Point
using
pre-shared key
or
802.1x
TCP/IP
Ports Opened
After
Authenticated
Wireless LAN
Login
Authentication
Page 129 / 148
Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
Wireless Networking Basics
D-13
202-10090-01, April 2005
Figure 4-7:
802.1x Authentication Sequence
The AP sends Beacon Frames with WPA/WPA2 information element to the stations in the service
set. Information elements include the required authentication method (802.1x or Pre-shared key)
and the preferred cipher suite (WEP, TKIP, or AES). Probe Responses (AP to station) and
Association Requests (station to AP) also contain WPA information elements.
1.
Initial 802.1x communications begin with an unauthenticated supplicant (client device)
attempting to connect with an authenticator (802.11 access point). The client sends an
EAP-start message. This begins a series of message exchanges to authenticate the client.
2.
The access point replies with an EAP-request identity message.
1
2
3
4
5
6
7
Client with a WPA/
WPA2-enabled wireless
adapter and supplicant
(Win XP, Funk,
Meetinghouse)
For example, a
WPA/WPA2-enabled
AP
For example, a
RADIUS server
Page 130 / 148
Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3
D-14
Wireless Networking Basics
202-10090-01, April 2005
3.
The client sends an EAP-response packet containing the identity to the authentication server.
The access point responds by enabling a port for passing only EAP packets from the client to
an authentication server located on the wired side of the access point. The access point blocks
all other traffic, such as HTTP, DHCP, and POP3 packets, until the access point can verify the
client's identity using an authentication server (for example, RADIUS).
4.
The authentication server uses a specific authentication algorithm to verify the client's identity.
This could be through the use of digital certificates or some other EAP authentication type.
5.
The authentication server will either send an accept or reject message to the access point.
6.
The access point sends an EAP-success packet (or reject packet) to the client.
7.
If the authentication server accepts the client, then the access point will transition the client's
port to an authorized state and forward additional traffic.
The important part to know at this point is that the software supporting the specific EAP type
resides on the authentication server and within the operating system or application “supplicant”
software on the client devices. The access point acts as a “pass through” for 802.1x messages,
which means that you can specify any EAP type without needing to upgrade an 802.1x-compliant
access point. As a result, you can update the EAP authentication type to such devices as token
cards (Smart Cards), Kerberos, one-time passwords, certificates, and public key authentication, or
as newer types become available and your requirements for security change.
WPA/WPA2 Data Encryption Key Management
With 802.1x, the rekeying of unicast encryption keys is optional. Additionally, 802.11 and 802.1x
provide no mechanism to change the global encryption key used for multicast and broadcast
traffic. With WPA/WPA2, rekeying of both unicast and global encryption keys is required.
For the unicast encryption key, the Temporal Key Integrity Protocol (TKIP) changes the key for
every frame, and the change is synchronized between the wireless client and the wireless access
point (AP). For the global encryption key, WPA includes a facility (the Information Element) for
the wireless AP to advertise the changed key to the connected wireless clients.
If configured to implement dynamic key exchange, the 802.1x authentication server can return
session keys to the access point along with the accept message. The access point uses the session
keys to build, sign and encrypt an EAP key message that is sent to the client immediately after
sending the success message. The client can then use contents of the key message to define
applicable encryption keys. In typical 802.1x implementations, the client can automatically change
encryption keys as often as necessary to minimize the possibility of eavesdroppers having enough
time to crack the key in current use.

Rate

4.5 / 5 based on 2 votes.

Popular NETGEAR Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top