While some wireless networks are meant for open access by anyone who wishes to use them, most wireless networks limit access to authorized users. There are three primary mechanisms to authenticate the users of a wireless network: preshared keys, enterprise authentication and captive portals. This video covers how each of them secures a wireless network: preshared keys, enterprise authentication using EAP, PEAP and LEAP, and captive portals.
- [Narrator] While some wireless networks are meant for open access by anyone who wishes to use them, most wireless networks limit access to authorized users. There are three primary mechanisms to authenticate the users of a wireless network: preshared keys, enterprise authentication, and captive portals. Preshared keys are the simplest kind of wireless authentication, and are commonly used on home Wi-Fi networks. In the preshared key approach, the network uses a 256-bit encryption key to control access.
Whenever a user wishes to connect a device to the network, he or she must enter the preshared key on the device. The preshared key may be entered directly, as a 64-character hexadecimal string, but that's a pretty unwieldy approach. Instead, most networks use preshared keys that ask users to enter a password, consisting of between 8 and 13 ASCII characters. The network then uses the PBKDF2 key stretching function to convert that ASCII password into a 256-bit network encryption key.
I discussed the PBKDF2 function in the key stretching video of this course. Preshared keys work fine, but they do have some major limitations that prevent them from being used on large Wi-Fi networks. First, changing the network encryption key is a tremendous burden. Each time the key changes, users must reconfigure all wireless devices to use the new key. This might not be bad on a home network supporting a handful of users, but it's completely impractical in most business environments.
Second, the use of a shared key prevents the identification of individual users and the restriction of network access by user identity. For example, if a user leaves the organization, network administrators have no way to revoke that user's wireless network access short of changing the preshared key on all wireless devices in the organization. The more common way to approach wireless authentication in a large organization is through the use of enterprise authentication.
In this approach, the organization runs an authentication server using the RADIUS protocol that verifies user credentials, and ensures that only authorized users access the network. In this approach, instead of entering a preshared key, users enter a username and password to access the network. Enterprise authentication takes place on these networks using versions of the Extensible Authentication Protocol, or EAP. There are three major versions of EAP.
The Lightweight Extensible Authentication Protocol, or LEAP, was a version of EAP created by Cisco that relies upon the MS-CHAP authentication protocol. LEAP is not a secure approach to authentication, and should not be used. The Extensible Authentication Protocol, or EAP, is a broad framework for authentication that actually has more than a hundred different variations. Some of these are secure, but others should not be used.
For example, the EAP-TLS variant uses transport layer security to protect EAP communications, and is considered highly secure. On the other hand, the EAP-MD5 variant relies upon the insecure MD5 hashing function and should not be used. The final variant of EAP is the Protected EAP, or PEAP, protocol. PEAP takes standard EAP variants and protects them inside a TLS tunnel. This allows the use of otherwise insecure EAP variants because the entire EAP session is protected inside a TLS session.
If you use EAP, be sure to understand which variant you're using, and research that variant's security status. The third approach to wireless authentication is the use of captive portals. You might not be familiar with the term captive portal, but you've almost definitely seen them in use, in hotels, airports, coffee shops, and other public locations. Captive portals provide authentication on unencrypted wireless networks. When a user connects to a wireless network that uses a captive portal, the user is redirected to a webpage that requires them to authenticate before gaining access to the network.
This authentication may be as simple as accepting the terms of service, it may require an account password, or it may even require a credit card payment to escape the captive portal and use the internet.
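The passphrase-to-key mapping the narrator describes, as an added example that is not part of the original video or its course materials: a Python implementation of the IEEE 802.11i derivation, in which the 256-bit PSK is PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, for 4096 iterations. The standard itself permits a passphrase of 8 to 63 printable ASCII characters and an SSID of up to 32 bytes, and publishes the passphrase "password" on SSID "IEEE" as a test vector, which the demo below reproduces. The function and variable names are this example's own, and the sample guesses are constructed.

```python
import hashlib
import hmac
import string

# IEEE 802.11i parameters for mapping a WPA/WPA2 passphrase to the 256-bit PSK.
PBKDF2_ITERATIONS = 4096
PSK_LENGTH_BYTES = 32
MIN_PASSPHRASE_LEN = 8
MAX_PASSPHRASE_LEN = 63
MAX_SSID_BYTES = 32


def validate_passphrase(passphrase: str) -> None:
    """Enforce the 802.11i passphrase rules: 8 to 63 printable ASCII characters."""
    if not MIN_PASSPHRASE_LEN <= len(passphrase) <= MAX_PASSPHRASE_LEN:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(ord(c) < 32 or ord(c) > 126 for c in passphrase):
        raise ValueError("passphrase must contain only printable ASCII characters")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map a passphrase to the PSK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    validate_passphrase(passphrase)
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= MAX_SSID_BYTES:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PBKDF2_ITERATIONS, PSK_LENGTH_BYTES
    )


def psk_from_user_input(entered: str, ssid: str) -> bytes:
    """Accept either the raw 64-hex-digit key or a passphrase, as a client's Wi-Fi dialog does.

    A 64-character string can never be a valid passphrase (the limit is 63),
    so the two forms cannot be confused.
    """
    if len(entered) == 2 * PSK_LENGTH_BYTES and all(c in string.hexdigits for c in entered):
        return bytes.fromhex(entered)
    return derive_psk(entered, ssid)


def passphrase_matches(candidate: str, ssid: str, known_psk: bytes) -> bool:
    """Check a candidate passphrase against a known PSK in constant time.

    The only way to test a guess is to repeat the full 4096-iteration derivation,
    which is exactly the cost that key stretching imposes on an offline
    dictionary attack. Candidates that break the passphrase rules cannot match.
    """
    try:
        return hmac.compare_digest(derive_psk(candidate, ssid), known_psk)
    except ValueError:
        return False


if __name__ == "__main__":
    # Published 802.11i test vector, followed by a small constructed dictionary check.
    psk = derive_psk("password", "IEEE")
    print("PSK:", psk.hex())
    for guess in ("letmein1", "hunter2", "password"):
        print(f"{guess!r} matches:", passphrase_matches(guess, "IEEE", psk))
```

Because every device on the network runs this same deterministic function with the same inputs, every device holds the same key, which is the root of the two limitations the narrator lists: rotating the key means re-entering it everywhere, and there is no way to revoke one person's access without doing so.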
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- IP addressing
- Switches and routers
- Content distribution networks
- Designing secure networks
- Specialized networking
- Managing secure networks
- Working with virtualized networks like SDNs
- Detecting and preventing network attacks
- Transport encryption
- Wireless networking
- Host security