Wireless network security requires the configuration of many different options. In this video, you’ll learn about wireless encryption protocols, the AAA framework, and authentication options such as RADIUS, 802.1X, and EAP.
An obvious security concern regarding wireless networks is that everything is being sent over the air. This means a nearby attacker could also listen in to this communication, and if anything is being sent in the clear, they’d be able to see everything that’s being transferred. We also have the challenge of only allowing authorized users to access the wireless network. And usually, we’ll ask someone for a username, password, or some other type of authentication when they are first connecting.
The default configuration for most private wireless networks would be to encrypt all traffic going across this network. That way, if an attacker does gain access to the data going over this wireless network, they wouldn’t be able to read anything within those packets. And we need to be sure that we’re using protocols in our wireless networks that ensure integrity. This means that any traffic sent by the originating station is received exactly the same as what was sent. We often refer to this message integrity check as an MIC.
Through the years, our wireless networks have used an encryption protocol known as WPA2 to be able to encrypt all of this data. But WPA2 does have a significant security concern when it comes to the initial connection to the wireless network. There’s a four-way handshake that occurs during the initial connection with WPA2, and there’s a hash that is associated with that handshake.
The goal from the attacker’s perspective is to somehow derive that pre-shared key hash or capture that hash during the handshake. Once the attackers have the hash, they can take it offline and begin running it through a brute force attack to ultimately find the pre-shared key.
As our technologies have improved, we found new ways to begin brute-forcing even more efficiently. And these days, you can use techniques such as GPU processing or cloud-based password-cracking to be able to reverse engineer that password in just a number of days. And on networks like our home networks that commonly use pre-shared keys, anyone who has that key is now able to connect to the network.
When it came time to update WPA2 to the new version, WPA3, we introduced new technologies to avoid this type of brute force attack. This includes a new block cipher mode called GCMP, which stands for Galois/Counter Mode Protocol, and it is stronger encryption than what was used previously with WPA2. GCMP provides data confidentiality through the encryption associated with the protocol, and it includes a message integrity check based on the Galois message authentication code.
And, of course, the brute force that could be used to derive a pre-shared key with WPA2 is no longer a problem with WPA3. The authentication process and handshake have been completely changed in this newer version of WPA. This includes mutual authentication for both the client device and the access point. And now those shared session keys are created on the end devices rather than sending hashes of those keys across the network. Since there’s no longer a four-way handshake, that session key hash is not sent across the network, and therefore, there’s nothing for the attacker to brute force.
This new method of deriving the shared session keys in WPA3 is called Simultaneous Authentication of Equals, or SAE. It uses a variant of the Diffie-Hellman key exchange. So not only are you able to derive that shared key on both sides, you’re also able to add an authentication component.
Everyone on the wireless network gets a different session key, so even if you’re all using the same pre-shared key, you won’t be able to see any of the traffic from other users on the network. This new key exchange method with WPA3 is included with the latest IEEE standards. And if you look at some of the documentation around it, you may see it referenced as the Dragonfly handshake.
There was obviously an emphasis in WPA3 with making that authentication process much more secure. This is because we have users that may be located anywhere on the network. Some of them are users that connect normally to the network, and others might have temporary access.
We generally provide this network authentication using one of two different methods. One is the pre-shared key that we spoke of earlier. This is very commonly what you might use at home. So when people ask for the wireless network password, they’re referring to this pre-shared key.
But when you’re in a workplace, everyone using the same pre-shared key to access the wireless network is very insecure. So instead, we use a different method surrounding centralized authentication using 802.1X. You may have seen this in use if you try to access a wireless network in your corporate office.
You’ll probably be prompted for a username, a password, and perhaps some other type of authentication factor. You would only gain access to that wireless network once you provide the proper credentials. And this allows us to not only have separate credentials for everybody in the workplace but it, of course, keeps out any attackers.
If you look at the configuration of the Wi-Fi settings on your home router or a wireless access point, you’ll see a number of different options. One of these options may say “open system” or it might simply say “none.” This means that there is no authentication or any type of security on this wireless network.
At home, you may be using WPA3-Personal. Sometimes you’ll see this abbreviated as WPA-PSK for the pre-shared key. With this configuration, everyone has to use the same pre-shared key to initially log in and gain access to that wireless network.
And for corporate use, you’ll probably see the option of WPA3-Enterprise. This might also be abbreviated as WPA3-802.1X. This means the wireless access point will prompt for a username and password, and the authentication is usually linked back to a centralized authentication server running RADIUS, LDAP, or TACACS.
A centralized authentication server is often referred to as a AAA server. This AAA framework begins with identifying the person who’s trying to connect to the network. This would be the identification, and it’s usually based around your username.
And now we begin the three As of the AAA framework. We start with authentication. This is usually a combination of our username with the password. The password, being a secret, authenticates that you must be that person who’s logging into the network.
The second A stands for “authorization.” That means once you gain access to the network, what resources do you, as that individual, have access to? And the third A stands for “accounting.” This is a list of metrics associated with your login session. So this could be the time you logged in, how much data was sent and received, and the time that you logged out.
Let’s say, for example, that you’re logging in to a VPN from home and that VPN concentrator is configured with 802.1X. It will first prompt you for a username and password, and that username and password are sent to the AAA server for authentication. If that username and password are correct, then your credentials are approved and you get access to the rest of the network.
One of the most popular authentication protocols you might see is RADIUS. RADIUS stands for Remote Authentication Dial-In User Service. And although it has “dial-in” in the name, RADIUS can be used for many purposes, including connections on a local network.
So each time that you’re connecting to a router or switch to make configuration changes, logging into a server, or getting access via VPN, you’re probably providing a username and password that’s then being checked against a AAA server like a RADIUS server.
RADIUS has been around for a very long time. And many devices support using RADIUS for authentication. This is one of the reasons why we see so many devices accessing a RADIUS server to provide the authentication process when you log in.
The prompt that we get for our username and password is provided by 802.1X. This is also referred to as network access control, or NAC. This prevents anybody from gaining access to the network unless they first provide credentials. This is not just for wireless networks. We can also use 802.1X on our wired networks as well.
This is commonly used in conjunction with a AAA server. So you’ve either got a RADIUS server, an LDAP server, a TACACS server, or something similar to consolidate all of those credentials so they can be accessed from many different devices. Having everything centralized on a AAA server also gives you additional management functionality. If someone leaves the organization, you can simply disable their account and they no longer have access to the network.
One of the protocols used in that 802.1X process is EAP, which stands for Extensible Authentication Protocol. It’s a framework that allows us to embed the authentication within this 802.1X process. EAP also has flexibility built into the standard, so manufacturers can customize this EAP process to meet their specific requirements. And this is a very common protocol that’s combined with 802.1X to provide that authentication to the network.
This 802.1X process commonly involves three different services, and these may be on three different devices. One is the supplicant; that’s you trying to log in to the network. There’s the authenticator; this is commonly the device you’re first connecting to. And then there is an authentication server, or AAA server, on the back end.
When you first try to connect to the network, you’ve not authenticated, and that authenticator will prevent the supplicant from gaining access to the network. It will then send a message back to the supplicant that asks, is this a new connection, and if it is, please provide the proper credentials. The supplicant then sends an EAP response with information about this particular supplicant’s name.
In this case, my name is James. The authenticator will pass that information off to the authentication server, asking if this is someone we should begin the authentication process with. The authentication server will send a message back to the authenticator that says, we should continue with this process.
The authenticator will then ask for credentials from the supplicant, and then you’ll type in your username, your password, and any other authentication credentials and send those off to the authenticator. The authenticator sends that information to the authentication server, which then validates the login information and chooses the options to allow access for the supplicant.
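The supplicant, authenticator and authentication server exchange described above, as an added illustration that is not part of the video. The class names, message labels and the constructed user “james” are assumptions; a real deployment runs an EAP method such as EAP-TLS or PEAP over RADIUS rather than comparing a password hash like this.

```python
# Simplified 802.1X/EAP exchange: the authenticator keeps the port blocked
# until the back-end authentication (AAA) server says "accept".
import hashlib
import hmac


class AuthServer:
    """Back-end AAA server: holds the credential store and answers the authenticator."""

    def __init__(self, users):
        # Constructed sample credential store: username -> SHA-256 of the password.
        self.users = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}

    def start(self, identity):
        # Decide whether to begin the authentication process with this identity at all.
        return "continue" if identity in self.users else "reject"

    def verify(self, identity, password):
        digest = hashlib.sha256(password.encode()).hexdigest()
        expected = self.users.get(identity, "")
        # Constant-time comparison so timing does not leak how many characters matched.
        return "accept" if hmac.compare_digest(digest, expected) else "reject"


class Authenticator:
    """The switch or access point: forwards EAP messages, opens the port only on accept."""

    def __init__(self, server):
        self.server = server
        self.port_open = False
        self.log = []          # message trace, for the reader to follow the exchange

    def handle(self, supplicant):
        self.log.append("EAP-Request/Identity")
        identity = supplicant.identity()
        self.log.append(f"EAP-Response/Identity: {identity}")
        if self.server.start(identity) != "continue":
            self.log.append("EAP-Failure")   # unknown identity: never ask for credentials
            return False
        self.log.append("EAP-Request/Credentials")
        verdict = self.server.verify(identity, supplicant.credentials())
        self.log.append("EAP-Success" if verdict == "accept" else "EAP-Failure")
        self.port_open = verdict == "accept"
        return self.port_open


class Supplicant:
    """The client device trying to log in to the network."""

    def __init__(self, name, password):
        self.name, self.password = name, password

    def identity(self):
        return self.name

    def credentials(self):
        return self.password


def run(name, password):
    """Run one full exchange and return (port opened?, message trace)."""
    server = AuthServer({"james": "correct-horse"})   # constructed sample user
    auth = Authenticator(server)
    auth.handle(Supplicant(name, password))
    return auth.port_open, auth.log
```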
This process occurs very quickly. You may have no idea that all of this conversation is taking place behind the scenes. And as long as you provide your username, password, and any other authentication details, 802.1X and EAP will take care of the rest.