Wireless Authentication – Pre Shared Key

One method of securing a connection to a wireless network is to use one of the Wi-Fi Protected Access (WPA) technologies: WPA1, WPA2, or the latest version, WPA3.

Each version of Wi-Fi Protected Access is certified by the Wi-Fi Alliance, so a client and a wireless access point that use the same version of Wi-Fi Protected Access should be compatible with each other.

WPA can also specify encryption and data integrity technologies to help protect data that passes over the airwaves.

All three versions of Wi-Fi Protected Access support two methods of client authentication, Pre-Shared Key (PSK) or 802.1X, also known as personal mode and enterprise mode respectively.

In personal mode, the pre-shared key must be shared and configured on every access point and client before a client device can connect to the wireless network.

Ideally, the pre-shared key is kept secret so that unauthorised users cannot connect to the wireless network without the correct pre-shared key.

The pre-shared key is never sent across the air in plain text. Instead, a four-way handshake procedure uses the pre-shared key to construct and exchange encryption key material that can be openly exchanged. If the four-way handshake is successful, the client can connect to the network.

In WPA1 and WPA2, an attacker can eavesdrop and capture the four-way handshake between the client and access point. A dictionary attack can then be used to try to guess the pre-shared key. If successful, the attacker can decrypt the wireless data or even join the network posing as a legitimate user.
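The key derivation behind the WPA2-Personal four-way handshake, as an added example that is not part of the original article: both sides compute the same pairwise key from the passphrase and values sent in the clear, and the access point accepts the client only if the message integrity code (MIC) matches. The SSID, MAC addresses, nonces, frame bytes and passphrases are constructed for illustration; the `password`/`IEEE` pair is the IEEE 802.11i PBKDF2 test vector.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # IEEE 802.11 PRF-384 (CCMP): the PMK keys HMAC-SHA1 over values both sides already know
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(3)]
    return b"".join(blocks)[:48]  # KCK (16) | KEK (16) | TK (16)

def eapol_mic(ptk: bytes, frame: bytes) -> bytes:
    # Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 keyed with the KCK, truncated to 16 bytes
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]

def handshake_succeeds(ap_passphrase: str, client_passphrase: str,
                       ssid: str = "ExampleWLAN") -> bool:
    # Constructed values; real nonces are random for every handshake
    ap_mac, sta_mac = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    # Message 1 (AP -> client): ANonce in the clear. The client derives its PTK.
    client_ptk = derive_ptk(pmk_from_passphrase(client_passphrase, ssid),
                            ap_mac, sta_mac, anonce, snonce)
    # Message 2 (client -> AP): SNonce in the clear plus a MIC over the frame.
    # The frame bytes here are a stand-in for a real EAPOL-Key frame.
    msg2 = b"constructed EAPOL-Key message 2|" + snonce
    mic = eapol_mic(client_ptk, msg2)
    # The AP derives the PTK from its own configured key and checks the MIC.
    ap_ptk = derive_ptk(pmk_from_passphrase(ap_passphrase, ssid),
                        ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(mic, eapol_mic(ap_ptk, msg2))

if __name__ == "__main__":
    print(pmk_from_passphrase("password", "IEEE").hex())
    print(handshake_succeeds("constructed-passphrase-1", "constructed-passphrase-1"))
    print(handshake_succeeds("constructed-passphrase-1", "constructed-passphrase-2"))
```

Only the passphrase is secret in this exchange: the SSID, MAC addresses, nonces and MIC all cross the air in the clear, so in WPA1 and WPA2 the length and unpredictability of the passphrase carry the whole defence.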

WPA3 builds on key exchange to improve security by introducing Simultaneous Authentication of Equals (SAE). Rather than a client authenticating against the access point or server, the client and access point can initiate the authentication process equally or simultaneously.

If a password or key is compromised, WPA3-Personal offers forward secrecy, which prevents an attacker from using the key to decrypt data that has already been transmitted over the air.

Configuring a network with Wi-Fi Protected Access

In a Cisco wireless controller, navigate to WLANs and select Create New.

Next, select Security and the Layer 2 tab. In the Layer 2 Security drop-down box, select the WPA version for the WLAN.

For Personal Mode, look under Authentication Key Management and check only the box next to PSK. Enter the pre-shared key into the box next to PSK format.
