Quoting from here
WPA Enterprise Mode (RADIUS):
Requires an authentication server
Uses RADIUS protocols for authentication and key distribution
Centralizes management of user credentials
The Enterprise Mode of WPA benefits from the maturity of the RADIUS architecture -- but it requires a RADIUS server. This is not something that will benefit most home users.
WPA is a more powerful security technology for Wi-Fi networks than WEP. It provides strong data protection by using encryption as well as strong access controls and user authentication. WPA utilizes 128-bit encryption keys and dynamic session keys to ensure your wireless network's privacy and enterprise security.
There are two basic forms of WPA:
• WPA Enterprise (requires a RADIUS server)
• WPA Personal (also known as WPA-PSK)
Either can use TKIP or AES for encryption. Not all WPA hardware supports AES.
WPA-PSK is basically an authentication mechanism in which users provide some form of credentials to verify that they should be allowed access to a network. This requires a single password entered into each WLAN node (Access Points, Wireless Routers, client adapters, bridges). As long as the passwords match, a client will be granted access to a WLAN.
Encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is in WPA-PSK, authentication is reduced to a simple common password, instead of user-specific credentials.
The Pre-Shared Key (PSK) mode of WPA is considered vulnerable to the same risks as any other shared password system - dictionary attacks, for example. Another issue may be key management difficulties, such as removing a user once access has been granted when the key is shared among multiple users (not a likely concern in a home environment).
Feedback received on this FAQ entry:
To improve data encryption, WPA utilizes TKIP.
TKIP dynamically changes keys as the system is used, and provides a message integrity check and a re-keying mechanism, thus fixing the flaws of WEP. An important part of TKIP is that it changes the key used for each packet. This is the "temporal" part. TKIP is one of the two choices provided by both WAPs and Operating Systems (such as Windows XP) when initializing WPA protection on your wireless network.
More information here: »www.nwfusion.com/reviews/2004/10···kip.html
AES is a block cipher adopted as an encryption standard by the US government and reportedly it has never been cracked. It's one of the two choices provided by both WAPs and Operating Systems (such as Windows XP) when initializing WPA protection on your wireless network.
If you use the standard interface for WPA key entry and provide a text passphrase that uses words found in dictionaries of fewer than 20 characters, a cracker passively intercepting initial key exchange messages can employ an offline dictionary attack and extract the encryption key, gaining access to the network. Key exchange messages occur at the beginning of a connection between an adapter (station) and an access point; that exchange can be forced to repeat by a cracker sending a disassociate message which forces a new exchange within about 30 seconds. So a cracker can be on and off the network in a couple of minutes with the information they need. This is actually much worse than WEP, but easily solved.
The solution is also quite simple: choose a key of at least 96 bits or a passphrase that includes gibberish that's more than 20 characters long. So far, of all the WPA interfaces that I've seen, only Apple's allows you to enter raw hexadecimal, and they require 64 hex characters (32 bytes or a full 256 bits).
Robert suggests generating a small random value, turning it into its hex equivalent, and then entering those hex digits as a text passphrase to have sufficient randomness. For more information on passphrase weaknesses and strategies for choosing them, Robert refers you to this FAQ.
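The passphrase-to-key step the two paragraphs above describe, as an added example that is not part of the original FAQ: WPA/WPA2-Personal derives the 256-bit PSK from the passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 iterations, per IEEE 802.11i), while a 64-hex-character entry is taken as the raw key and skips the derivation. The weakness check and the word list below are constructed for illustration, and the generator implements Robert's suggestion of typing random hex digits as a text passphrase.

```python
import hashlib
import re
import secrets

# IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
PBKDF2_ITERATIONS = 4096
PSK_BYTES = 32
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK the access point and station will both derive."""
    if HEX64.match(passphrase):
        # 64 hex digits (Apple's raw entry): this IS the key, nothing to guess.
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters or 64 hex digits")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_BYTES)


# Constructed stand-in for the kind of dictionary an offline attack would use.
SAMPLE_WORDS = {"password", "letmein", "wireless", "network", "home", "secret"}


def passphrase_findings(passphrase: str, words=SAMPLE_WORDS) -> list:
    """Flag the two weaknesses the FAQ names: under 20 characters, dictionary words."""
    findings = []
    if HEX64.match(passphrase):
        return findings  # full 256-bit raw key: no passphrase to attack
    if len(passphrase) < 20:
        findings.append("shorter than 20 characters")
    tokens = re.findall(r"[a-zA-Z]+", passphrase.lower())
    if tokens and all(t in words for t in tokens):
        findings.append("made only of dictionary words")
    return findings


def random_hex_passphrase(n_bytes: int = 16) -> str:
    """Robert's approach: random bytes written as hex, entered as a text passphrase.

    16 random bytes give 32 hex characters, above the 20-character guidance,
    and 128 bits of entropy before PBKDF2 stretches it into the PSK."""
    return secrets.token_hex(n_bytes)
```

The `wpa_psk` derivation matches what `wpa_passphrase` and router firmware compute, so the same passphrase and SSID always yield the same key on every device.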
You can run WPA-PSK with AES-CCMP on a Windows 2K machine with Funk Software's "Odyssey Client" to control the network card, and software such as "HyperWRT" if you have a Linksys router like the WRT54G.
The Odyssey Client does this by having the network card's driver loaded into the supplicant during the configuration stage.
- If this is not completed, the process ends by interrupting communications. Both the client and AP perform this checking and either one (or both) may be the side with the problem.
- This communications interruption is a possible cause for the DHCP failure.
- Because of profile corruption or bugs in some software, this problem can affect wireless products that are not configured to use WPA, WPA-PSK or 802.1X. Use these same steps if you are having the described problems and are using WEP or no encryption.
- Some 802.11 software and hardware products are more robust than others. Some products may not tolerate unexpected issues like an AP changing security methods, a frequently rebooting AP or client, or multiple security profiles for a single access point.
The purpose of these steps is to give a hardware and software independent method of resolving the issue of repeated communication lockouts between a wireless Access Point and a wireless client computer.
SOME EXAMPLES OF WHEN TO USE THIS:
- You repeatedly get a message from a wireless computer about Limited Connectivity because you did not get an IP address, or you are assigned an APIPA 169.254 address.
- If you have set a manual IP address, the wireless client says it is connected, but it repeatedly is not communicating, or it stops communicating within 5 minutes of connecting every time.
- Even though you have saved profiles for your wireless Access Point (AP), some clients repeatedly refuse to attempt to connect.
- In Event Viewer, DHCP and TCPIP appear in the system event logs over and over, and rebooting has not solved the problem
THINGS TO TRY FIRST:
- Reboot your wireless computers and power-cycle your AP.
- Turn off any options to hide your SSID from broadcasts.
- Turn off any proprietary speed-enhancing technologies.
- On your wireless client, delete and re-create your saved profile.
STEPS TO PERFORM:
1. On your wireless AP, change your SSID to something that you have never used before.
2. Unplug power to your AP and take note of the time.
3. Remove all saved profiles for that AP from your wireless computers.
4. Reboot your wireless computers.
5. After 65+ minutes from step 2, plug in your router.
6. Using your wireless computers, associate with the new SSID
7. Leave the client connected for 65+ minutes. There may or may not be indications of up to two brief reconnections during this time. Do not reboot the AP during this time.
8. Shut down or reboot your wireless client computer normally (do not sleep, hibernate, or abruptly power-cycle).
TIP: The 65+ minute wait in step 5 may not be necessary for your hardware or software. If you only have one or two clients, you may wish to first try these steps without that wait. If they are not successful, then try all of the steps again with the wait.
WHY THIS WOULD WORK (IF IT WORKS): Setting up a new SSID causes the clients to create a new, clean, and correct profile for the access point. Rebooting the hardware is one attempt at clearing authentication failure lockouts. Waiting 65 minutes with the router off is another. Leaving the client online for 65 minutes is to ensure at least one successful key exchange after the initial successful authentication. Shutting down normally allows the software or OS to save configuration or registry information so that you can successfully connect in the future.
This problem occurs due to various timing issues involving authentication and the resume process. The authentication process is starting before the hardware is ready or before the initial wireless connection is established.
Even if you are not using WPA2 in your network, the following optional update for XP SP2 is known to help concerning this problem in any WPA or 802.1X mode (including RADIUS):
The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2 is available
If you do not have Administrator rights to your computer, the best course of action would be to ask an Administrator to apply this update for you.
Otherwise, you may also mitigate this problem by either logging out or turning off your wireless card before suspending. Many newer laptops are equipped with a switch either as a Function Key (Fn) or an actual switch somewhere along the outside casing with the symbol ((())).