Zyxel NBG4604 Router Manual PDF (Setup & Configuration Guide)

Page 246 / 268 Scroll up to view Page 241 - 245

Appendix D Wireless LANs

NBG4604 User’s Guide

246

However, MD5 authentication has some weaknesses. Since the authentication

server needs to get the plaintext passwords, the passwords must be stored. Thus

someone other than the authentication server may access the password file. In

addition, it is possible to impersonate an authentication server as MD5

authentication method does not perform mutual authentication. Finally, MD5

authentication method does not support data encryption with dynamic session

key. You must configure WEP encryption keys for data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certifications are needed by both the server and the wireless

stations for mutual authentication. The server presents a certificate to the client.

After validating the identity of the server, the client sends a different certificate to

the server. The exchange of certificates is done in the open before a secured

tunnel is created. This makes user identity vulnerable to passive attacks. A digital

certificate is an electronic ID card that authenticates the sender’s identity.

However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle

certificates, which imposes a management overhead.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for

only the server-side authentications to establish a secure connection. Client

authentication is then done by sending username and password through the

secure connection, thus client identity is protected. For client authentication, EAP-

TTLS supports EAP methods and legacy authentication methods such as PAP,

CHAP, MS-CHAP and MS-CHAP v2.

PEAP (Protected EAP)

Like EAP-TTLS, server-side certificate authentication is used to establish a secure

connection, then use simple username and password methods through the

secured connection to authenticate the clients, thus hiding client identity.

However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2

and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is

implemented only by Cisco.

LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of

IEEE 802.1x.

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key

expires when the wireless connection times out, disconnects or reauthentication

times out. A new WEP key is generated each time reauthentication is performed.

Page 247 / 268

Appendix D Wireless LANs

NBG4604 User’s Guide

247

If this feature is enabled, it is not necessary to configure a default encryption key

in the Wireless screen. You may still configure and store keys here, but they will

not be used while Dynamic WEP is enabled.

Note: EAP-MD5 cannot be used with dynamic WEP key exchange

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and

PEAP) use dynamic keys for data encryption. They are often deployed in corporate

environments, but for public deployment, a simple user name and password pair

is more practical. The following table is a comparison of the features of

authentication types.

WPA(2)

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2

(IEEE 802.11i) is a wireless security standard that defines stronger encryption,

authentication and key management than WPA.

Key differences between WPA(2) and WEP are improved data encryption and user

authentication.

Encryption

Both WPA and WPA2 improve data encryption by using Temporal Key Integrity

Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. In addition to

TKIP, WPA2 also uses Advanced Encryption Standard (AES) in the Counter mode

with Cipher block chaining Message authentication code Protocol (CCMP) to offer

stronger encryption.

Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically

generated and distributed by the authentication server. It includes a per-packet

key mixing function, a Message Integrity Check (MIC) named Michael, an

extended initialization vector (IV) with sequencing rules, and a re-keying

mechanism.

Table 87

Comparison of EAP Authentication Types

EAP-MD5

EAP-TLS

EAP-TTLS

PEAP

LEAP

Mutual Authentication

No

Yes

Certificate – Client

No

Yes

Optional

No

Certificate – Server

No

Yes

No

Dynamic Key Exchange

No

Yes

Credential Integrity

None

Strong

Moderate

Deployment Difficulty

Easy

Hard

Moderate

Client Identity

Protection

No

Yes

No

Page 248 / 268

Appendix D Wireless LANs

NBG4604 User’s Guide

248

TKIP regularly changes and rotates the encryption keys so that the same

encryption key is never used twice. The RADIUS server distributes a Pairwise

Master Key (PMK) key to the AP that then sets up a key hierarchy and

management system, using the pair-wise key to dynamically generate unique data

encryption keys to encrypt every data packet that is wirelessly communicated

between the AP and the wireless clients. This all happens in the background

automatically.

WPA2 AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit

mathematical algorithm called Rijndael.

The Message Integrity Check (MIC) is designed to prevent an attacker from

capturing data packets, altering them and resending them. The MIC provides a

strong mathematical function in which the receiver and the transmitter each

compute and then compare the MIC. If they do not match, it is assumed that the

data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating

an integrity checking mechanism (MIC), TKIP makes it much more difficult to

decode data on a Wi-Fi network than WEP, making it difficult for an intruder to

break into the network.

The encryption mechanisms used for WPA and WPA-PSK are the same. The only

difference between the two is that WPA-PSK uses a simple common password,

instead of user-specific credentials. The common-password approach makes WPA-

PSK susceptible to brute-force password-guessing attacks but it's still an

improvement over WEP as it employs an easier-to-use, consistent, single,

alphanumeric password.

User Authentication

WPA or WPA2 applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to

authenticate wireless clients using an external RADIUS database.

If both an AP and the wireless clients support WPA2 and you have an external

RADIUS server, use WPA2 for stronger data encryption. If you don't have an

external RADIUS server, you should use WPA2 -PSK (WPA2 -Pre-Shared Key) that

only requires a single (identical) password entered into each access point, wireless

gateway and wireless client. As long as the passwords match, a wireless client will

be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK

depending on whether you have an external RADIUS server or not.

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2.

WEP is less secure than WPA or WPA2.

Page 249 / 268

Appendix D Wireless LANs

NBG4604 User’s Guide

249

23.5.2

WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.

1

First enter identical passwords into the AP and all wireless clients. The Pre-Shared

Key (PSK) must consist of between 8 and 63 ASCII characters (including spaces

and symbols).

2

The AP checks each wireless client's password and (only) allows it to join the

network if the password matches.

3

The AP derives and distributes keys to the wireless clients.

4

The AP and wireless clients use the TKIP or AES encryption process to encrypt

data exchanged between them.

Figure 165

WPA(2)-PSK Authentication

23.5.3

WPA(2) with RADIUS Application Example

You need the IP address of the RADIUS server, its port number (default is 1812),

and the RADIUS shared secret. A WPA(2) application example with an external

RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution

system.

1

The AP passes the wireless client's authentication request to the RADIUS server.

2

The RADIUS server then checks the user's identification against its database and

grants or denies network access accordingly.

3

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that

then sets up a key hierarchy and management system, using the pair-wise key to

dynamically generate unique data encryption keys to encrypt every data packet

that is wirelessly communicated between the AP and the wireless clients.

Page 250 / 268

Appendix D Wireless LANs

NBG4604 User’s Guide

250

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for

each Authentication Method/ key management protocol type. MAC address filters

are not dependent on how you configure these security features.

Table 88

Wireless Security Relational Matrix

AUTHENTICATION

METHOD/ KEY

MANAGEMENT

PROTOCOL

ENCRYPTIO

N METHOD

ENTER

MANUAL KEY

IEEE 802.1X

Open

None

No

Disable

Enable without Dynamic WEP

Key

Open

WEP

No

Enable with Dynamic WEP

Key

Yes

Enable without Dynamic WEP

Key

Yes

Disable

Shared

WEP

No

Enable with Dynamic WEP

Key

Yes

Enable without Dynamic WEP

Key

Yes

Disable

WPA

TKIP

No

Enable

WPA-PSK

TKIP

Yes

Enable

WPA2

AES

No

Enable

WPA2-PSK

AES

Yes

Enable

Rate

Popular Zyxel Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share