Pass your certification exam. Faster. Guaranteed.

WLAN Authentication Transcription

Welcome to our Authentication to WLAN Module. There are several methods that can be used to authenticate wireless local area network users. On public networks, we typically see open authentication. Devices that attempt to connect to an open network are assumed to be authorized by default. You click on the name of the network that you want to connect to, and you're connected.

DHCP, or dynamic host configuration protocol, will automatically assign an IP address and configure the client so that it can access network resources. And the Internet if configured correctly. Networks can also use encryption, such as WEP, WPA, or WPA2 to authenticate users and encrypt the traffic that is being transmitted, and this is common in small offices and home offices.

This type of authentication requires that the wireless device use a secret pre-shared key, or PSK, before they are connected to the network and before they receive the configuration information from the DHCP server. 802.11 WiFi supports three different types of authentication. Open systems have no controls in place. You simply click on the network and you're granted access.

Pre-shared key authentication is used with WEP or WPA, WPA2, PSK, which stands for pre-shared key. With these type of systems the user enters a pass phrase and they are connected to the system. All of the users share the same pass phrase. The third option is enterprise authentication using either RADIUS or TACACS+ servers.

This method requires each individual user to enter a username and password, and provides accountability so that you know who had access to the system and when. Preshared key authentication or PSK has several vulnerabilities. The preshared keys are generally static are not usually changed or updated. So once an individual knows your preshared key there is a good chance they'll be able to use it for a long period of time.

Keys are cached on the client's machine for convenience so they do not have to enter the key every time they want to connect to the internet. If someone has access to one of your employee's machines they may be able to determine the key for your network. Key management is very difficult with pre shared key authentication.

It is not scalable, and when you must support a large number of wireless devices in a domain, you will have to figure out how you will get the new password out to all of your users if you decide to change it. Also, because you're using the same credentials for all your users, there is no accountability or way to prove which user was responsible for any criminal, or malicious activity.

There are free utilities that allow people to crack WEP keys very easily, so WEP should never be used because it is not secure. You can also use WPA or WPA2 for pre shared key authentication. Unfortunately, most devices do not have a lockout for unsuccessful attempts to authenticate, so attackers can use either a dictionary attack, where they try every possible word in a dictionary or a generated list.

Or they can try a brute force attack, where they try every possible combination of keys until they discover the pre-shared key. Once they discover the pre-shared key, they are now able to access your network and the Internet. And since the pre-shared key is not changed very frequently, they could have access for a long period of time.

Stealing wireless access or leaching is still an issue with WPA or WPA2 because Individuals may attempt to steal your resources without permission to connect. You also have to be concerned with rogue access points. An individual in your company brings in their own wireless access point and plugs it in without your knowledge And now creates additional vulnerabilities.

And evil twin attacks are also a problem where an attacker creates a new wireless access point with a name that appears to be friendly, such as your company name, and they basically trick individuals in your organization into connecting to their wireless access point. And they can read all of the traffic to and from your employees, that connected to that evil twin wireless access point.

IEEE802.1X allow enterprise authentication where, Where each user uses an individual username and password. You can authenticate the individual users using Microsoft Chap, and these individuals will login to the router using their username and a password Hash so the router is not actually storing the user's password. These systems typically have triple A servers, which provide authentication, authorization, and accounting for your remote users, using either Radius, or Tack X Plus for authentication.

EAP, or extensible authentication protocol, Is used to provide multi factor authentication that is needed for your enterprise environment. With, PEAP, or Protected Extensible Authentication Protocol, you can use digital certificates for mutual authentication between the server and the client. These technologies also support the use of smart cards, biometric identification, and tokens.

For the CISSP examination, you should remember that the IEEE802.1X standard, allows for enterprise authentication on wireless networks. So that you can have accountability for which individual users connected to your network. It also solves the problem of pre-shared keys and key management where you have to distribute that key to all of your employees in order to allow them to connect to the network.

WPA and WPA2 Enterprise support the IEEE 802.1x standard. This supports scalable authentication where you can centrally manage and control the individuals that access your network. Users can be authenticated by Microsoft chat version 2, by providing their username and password. And radius or both do authentication authorization and accounting So access and usage can be tracked on a per- user basis. Your wireless access points can be centrally controlled and monitored, and it does support port- based authentication of your clients. You can also roam through Throughout a large building or facility, using ESSID, or extended service set identifier. This prevents your employees from having to consistently log on, as they move from different buildings throughout the campus.

The technology supports wireless V-Lands, or virtual local area networks. So, you can segregate clients based on their need to access different resources. And these devices also support rogue access point discovery, so you can determine if an individual plugs in an unauthorized access point on your network. When a laptop or other wireless device connects to the wireless access point, the wireless access point is not responsible for doing any authentication or encryption.

The wireless access point simply forwards the traffic to the radius server. Which is responsible for authenticating the user. Once the user successfully authenticates, they are then connected to the corporate network, where they have access to corporate resources and the Internet. This concludes are authentication to WLAN module. Thank you for watching.