ONT Notes – 802.1x and Encryption on LWAPs

• Traditional WLAN weaknesses
  • SSID for security
  • Vulnerable to rogue APs
  • MAC filtering for security
  • WEP
• WEP weaknesses
  • Disribution of static keys is not scalable
  • WEP keys can be cracked easily
  • Vulnerable to dictionary attacks
  • No protection against rogue APs
• Benefits of 802.1x
  • Centralized authentication through Radius via AAA
  • Mutual authentication between client and auth server
  • Can use multiple encryption algorithms (AES, WPA, TKIP, WEP)
  • Automatic dynamic WEP keys
  • Roaming
• Requirements of 802.1x
  • EAP-capable client (supplicant)
  • 802.1x-capable AP (authenticator)
  • EAP-capable auth server

• WPA
  • Features
    • Authenticated key management – auths prior to key management
    • Unicast and broadcast key management – keys are distributed and stored on the client and the AP
    • TKIP and MIC
      • Temporal Key Integrity Protocol (TKIP) – per-packet keying
      • Message Integrity Checking (MIC) – integrity checking
    • Initialization vector (IV) expansion – from 24 bits to 48 bits
  • Shortcomings
    • Relies on RC4
    • Firmware support required in NICs, APs
    • Susceptible to DoS attacks
    • Dictionary attacks can discover PSKs
• WPA2
  • Features
    • 802.1x authentication or PSK
    • Key distribution and renewal
    • Proactive Key Caching (PKC) – allows roaming
    • IDS for rogue APs and attacks
  • Shortcomings
    • Supplicant must have WPA2-compliance firmware
    • AAA server must support EAP
    • WPA2 uses more CPU, so a hardware upgrade may be required
    • Older devices may not be upgradeable and must be replaced

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

Tags: 642-845, 802.1p, 802.1x, aes, campus, ccmp, ccnp, certification, cisco, eap, eap-fast, eap-tls, leap, lwap, lwapp, mic, ont, peap, peap-gtc, peap-mschapv2, psk, ssid, test, tkip, wifi, Wireless