WPA FAQs
- What is the difference between WPA, WPA2 and 802.11i?
- Which authentication methods can I choose from?
- What if a user should no longer have access to my Wireless LAN?
- Can I grant temporary access to a user?
- Can I use multiple accesspoints?
- Do I need a special access point?
- Which operating systems are compatible?
- What happens if I want to continue without BoxedWireless?
- Is authentication across the Internet secure?
- Can others not use my Authentication service?
- What is EAP/TLS?
- What is EAP/PEAP(v0) with MSCHAPV2?
- Which authentication method is better?

How does it work?

The concept is shown in the picture below. The user requests access to the wireless LAN from the accesspoint. The accesspoint relays the request across the Internet to your authentication server at BoxedWireless. If the authentication method involves a username/password, the authentication server looks the user up in your user database. This step is shown in red.

[Figure: authentication flow between the user, the accesspoint and the BoxedWireless authentication server]

The authentication server sends a response back to the accesspoint. Normally the response is positive and the accesspoint admits the user to the wireless LAN. This step is shown in blue. Once authenticated, the user can access the local LAN and the Internet. This is shown in green.

This description greatly simplifies what really happens in the background (the accesspoint speaks 802.1X/EAP to the user's machine and RADIUS to the authentication server, and merely relays the EAP messages between the two without ever seeing the user's credentials), but conceptually it is not incorrect.

What is the difference between WPA, WPA2 and 802.11i?

Let's start by looking at what is not different. First, WPA2 and 802.11i are essentially the same thing: WPA2 is the name the Wi-Fi Alliance uses for its certification program, whereas 802.11i is the name of the IEEE standard that WPA2 implements. You may also see the term RSN (Robust Security Network), which is the part of 802.11i that defines the new security association; it is often used interchangeably with WPA2.

Second, WPA and WPA2 can use the same authentication methods, because they are all EAP based. EAP stands for Extensible Authentication Protocol and, as the name suggests, many different authentication protocols can be built on top of EAP. So both EAP/TLS and EAP/PEAP-MSCHAPV2 work with WPA as well as with WPA2.

A key difference between WPA and WPA2 is the underlying encryption method.
For WPA this is TKIP/RC4; for WPA2 it is CCMP/AES. AES is the Advanced Encryption Standard, the US federal encryption standard (FIPS 197) adopted to replace DES and approved by the US government for protecting classified data. AES can be used in several modes; CCMP (Counter Mode with CBC-MAC Protocol) is the mode used by WPA2, and you will see the terms CCMP and AES used interchangeably in accesspoint menus.

RC4 is the cipher on which the older WEP standard is based (to be consistent we should call it WEP/RC4 here, WEP being the way the RC4 cipher is used). RC4 has weaknesses in its key scheduling, and WEP combined a short per-packet IV directly with the static key, so the weaknesses were easy to exploit and keystream was reused. It is these weaknesses that led to the demise of WEP/RC4. So how can TKIP/RC4 be secure at all? TKIP derives a fresh per-packet key from the session key and a 48-bit sequence counter and adds a message integrity check (Michael), so the specific weaknesses that broke WEP do not apply. That is why WEP/RC4 ("WEP") and TKIP/RC4 ("WPA") are based on the same underlying cipher, yet one was considered adequate and the other is not.

Having said that, TKIP was only ever a stopgap for hardware that could not run AES. It has since been deprecated by both the IEEE and the Wi-Fi Alliance, and practical attacks on TKIP and on RC4 itself have been published, so CCMP/AES is clearly preferable: where all your clients support it, disable TKIP entirely. Also note that you will not normally see the term RC4 used in accesspoints or wireless software. There are other benefits of WPA2 over WPA which will not be discussed here.

Which authentication methods can I choose from?

We support the following authentication methods: EAP/TLS and EAP/PEAP(v0) with MSCHAPV2. See also below under What is EAP/TLS? and What is EAP/PEAP(v0) with MSCHAPV2?

What if a user should no longer have access to my Wireless LAN?

In this case you simply disable the user or revoke their certificate, with one click.

Can I grant temporary access to a user?

Yes. You can issue certificates with a limited validity period, or you can disable the user with one click once the access is no longer needed.

Can I use multiple accesspoints?

Yes, you can use as many as you like. All you need to do is point each of them to your RADIUS server service at BoxedWireless.

Do I need a special access point?

Your accesspoint needs to support WPA or WPA2 in "Enterprise" (802.1X) mode, which means you must be able to configure an external RADIUS server: its address, the port on which authentication is done (1812 by default) and the shared secret. This is normally the case with newer accesspoints.
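As an added example (not from the original FAQ and not BoxedWireless's own configuration), here is a hostapd configuration for a Linux-based accesspoint that implements the requirements above: WPA2-Enterprise with CCMP/AES rather than TKIP, and the external RADIUS server settings that every accesspoint needs. The interface name, SSID, IP addresses and shared secret are placeholders.

```conf
# hostapd.conf for one accesspoint. Added example; interface, SSID,
# addresses and the shared secret are placeholders, not real values.
interface=wlan0
driver=nl80211
ssid=ExampleCorp
hw_mode=g
channel=6

# WPA2 (RSN) with 802.1X/EAP authentication and CCMP/AES encryption.
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
# Weak alternative, shown only for comparison. Do not use:
#   wpa=1
#   wpa_pairwise=TKIP
# wpa=3 would offer both WPA/TKIP and WPA2/CCMP and lets old clients
# negotiate TKIP; prefer wpa=2 once every client supports CCMP.

# The accesspoint does not authenticate users itself: it relays EAP to
# the external RADIUS server over UDP port 1812, using the shared secret.
eap_server=0
own_ip_addr=192.0.2.1
auth_server_addr=203.0.113.10
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-A-LONG-RANDOM-SECRET
# Every additional accesspoint carries the same auth_server_* lines.
```

hostapd expects an IP address in auth_server_addr, so resolve the server's host name first. The shared secret is the only thing stopping another accesspoint from using your authentication service, so generate it randomly and keep it out of backups and tickets.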
You should look for the "WPA" or "WPA2" label on the box, together with "Enterprise", "802.1X" or "RADIUS" in the specifications. If your accesspoint does not support WPA, many suppliers provide firmware upgrades that add it.

Which operating systems are compatible?

WPA and WPA2, including the EAP/TLS and PEAP-MSCHAPV2 methods we support, work with the built-in wireless clients of Windows, Mac OS X and Linux (wpa_supplicant or NetworkManager).

What happens if I want to continue without BoxedWireless?

Upon your request we will release the private key of your Root CA certificate to you, so that you can issue (and revoke) certificates yourself. You are not locked in to BoxedWireless in any way.

Is authentication across the Internet secure?

Yes. The authentication methods we support are built on TLS: during the authentication phase the client and the authentication server run a TLS handshake, in which public key cryptography authenticates the server and establishes an encrypted tunnel. Your users' certificates and passwords are therefore only ever visible to the authentication server, not to the accesspoint, the Internet in between, or anyone sniffing the WiFi. The RADIUS messages between your accesspoint and our server are additionally protected by the shared secret, which RADIUS uses (with MD5) to authenticate its packets and to encrypt the session key returned to the accesspoint. That protection is only as good as the secret, so choose a long, random one; where your equipment supports it, a VPN or RADIUS over TLS (RadSec) between the accesspoint and the server is stronger still.

Can others not use my Authentication service?

No. Only you know the shared secret between your accesspoints and our authentication service, and requests from accesspoints that do not know it are rejected. Even if the shared secret were compromised, that alone would not let anyone onto your network: they would still need a valid certificate or username/password. If you suspect that your shared secret has been compromised, it can be changed easily.

What is EAP/TLS?

EAP/TLS is a certificate based authentication method. If you use it, you create a client certificate for each user that you allow on your Wireless LAN. That certificate, together with its private key, is installed on the user's machine. Only users who hold a certificate that you issued can access your wireless LAN; when you no longer want a user to access your network, you revoke the certificate.

During authentication the user presents the certificate to the authentication server, but not before the server has presented its own certificate to the client. This way your users can always be sure they are connecting to the right wireless network, and not to a rogue accesspoint set up by an attacker to steal credentials. For this check to mean anything, the client must be configured to validate the server certificate against your Root CA (and, ideally, to check the server name); a client that is told to skip validation will happily talk to an impostor.

At BoxedWireless we use 4096-bit RSA keys for our certificates. This is well above the commonly recommended minimum of 2048 bits; 1024-bit RSA is no longer considered adequate.
Although certificate based, EAP/TLS can in addition be password protected by encrypting the private key with a password. When you do this, the user needs the correct password in order to use the certificate. A username, however, is not required with this method: the user is identified by the certificate.

What is EAP/PEAP(v0) with MSCHAPV2?

EAP/PEAP(v0) with MSCHAPV2 is a username/password based method. MSCHAPV2 is originally a Microsoft authentication method and is widely supported on Windows clients from Windows 2000 and Windows Me onwards. It supersedes the broken MSCHAP (version 1) protocol, which should no longer be used. On its own MSCHAPV2 offers little protection: its challenge/response exchange can be captured and cracked offline to recover the password. PEAP therefore adds a security layer by performing the MSCHAPV2 exchange inside a TLS tunnel, the "Protected EAP" tunnel from which it takes its name.

Although username/password based, PEAP-MSCHAPV2 still uses a certificate to authenticate the server. In other words, as with EAP/TLS, you want your user to be sure which accesspoint they are connecting to, and to that end the server presents a certificate proving its identity before any username or password is sent. A client certificate, however, is not used in this method. Because the password exchange is only as safe as the tunnel around it, make sure your clients are configured to validate the server certificate: a client that accepts any certificate will send its MSCHAPV2 response to a rogue accesspoint, which can then crack it offline.

Which authentication method is better?

The strong point of EAP/TLS is that the client certificate must be physically installed on the user's PC, so a leaked password alone is not enough to get in. It is highly recommended that you protect the private key of the certificate with a password, otherwise a stolen laptop might give intruders access to your LAN. The requirement to install certificates can also be seen as a weak point.

The strong point of PEAP-MSCHAPV2 is that it can be used from any machine, as long as the user knows the username/password combination. This is also its weak point: if the username/password are compromised, this may give someone unwanted access to your LAN.

If you would like to try our service, you can sign up here. If you have any further questions not answered here, please do not hesitate to contact us.
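To show the two methods compared above side by side as a client sees them, here is an added example (not part of the original FAQ, and not BoxedWireless's own configuration) of a Linux wpa_supplicant configuration with one network entry for EAP/TLS and one for PEAPv0-MSCHAPV2. The SSID, identities, certificate paths, password and the server name radius.example.com are assumptions; the point of both entries is that the server certificate is validated before anything secret is sent.

```conf
# wpa_supplicant.conf, added example. SSID, identities, file paths,
# password and the RADIUS server name are placeholders.
ctrl_interface=/var/run/wpa_supplicant

# EAP/TLS: the user is identified by a certificate you issued.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=TLS
    identity="alice@example.com"
    # Root CA that signed the authentication server's certificate.
    # Without ca_cert the server certificate is NOT validated.
    ca_cert="/etc/wpa_supplicant/boxedwireless-root-ca.pem"
    # Only accept a server certificate issued to this host name.
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    # Password protecting the private key, so a stolen laptop alone
    # does not yield a usable credential.
    private_key_passwd="REPLACE-WITH-THE-KEY-PASSWORD"
}

# PEAPv0 with MSCHAPV2: username/password inside a TLS tunnel.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    # Outer identity travels in the clear; the real username only
    # travels inside the TLS tunnel.
    anonymous_identity="anonymous@example.com"
    identity="bob"
    password="REPLACE-WITH-BOBS-PASSWORD"
    # Mandatory: validate the server before MSCHAPV2 runs, otherwise a
    # rogue accesspoint can harvest the challenge/response and crack it.
    ca_cert="/etc/wpa_supplicant/boxedwireless-root-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

On Windows the same two settings are the "Validate server certificate" checkbox and the "Connect to these servers" field in the PEAP/EAP-TLS properties; on any platform, a client profile that leaves server validation off turns PEAP-MSCHAPV2 into plain MSCHAPV2 against whoever broadcasts your SSID.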