Wireless networking on Cisco Router

How an end user client with a WLAN NIC accesses a LAN

  • To allow clients to find the AP easily, the AP periodically broadcasts beacons, announcing its (SSID) Service Set Identifier, data rates, and other WLAN information.
  • SSID is a naming scheme for WLANs to allow an administrator to group WLAN devices together.
  • To discover APs, clients will scan all channels and listen for the beacons from the AP(s). By default, the client will associate itself with the AP that has the strongest signal.
  • When the client associates itself with the AP, it sends the SSID, its MAC address, and any other security information that the AP might require based on the authentication method configured on the two devices.
  • Once connected, the client periodically monitors the signal strength of the AP to which it is connected.
  • If the signal strength becomes too low, the client will repeat the scanning process to discover an AP with a stronger signal. This process is commonly called roaming.

SSID and MAC Address Filtering

When implementing SSIDs, the AP and client must use the same SSID value to authenticate. By default, the access point broadcasts the SSID value, advertising its presence, basically allowing anyone access to the AP. Originally, to prevent rogue devices from accessing the AP, the administrator would turn off the SSID broadcast function on the AP, commonly called SSID cloaking. To allow a client to learn the SSID value of the AP, the client would send a null string value in the SSID field of the 802.11 frame and the AP would respond; of course, this defeats the security measure since through this query process, a rogue device could repeat the same process and learn the SSID value.

Therefore, the APs were commonly configured to filter traffic based on MAC addresses. The administrator would configure a list of MAC addresses in a security table on the AP, listing those devices allowed access; however, the problem with this solution is that MAC addresses can be seen in clear-text in the airwaves. A rogue device can easily sniff the airwaves, see the valid MAC addresses, and change its MAC address to match one of the valid ones.
This is called MAC address spoofing.

WEP

WEP (Wired Equivalent Privacy) was first security solutions for WLANs that employed encryption. WEP uses a static 64-bit key, where the key is 40 bits long, and a 24-bit initialization vector (IV) is used. IV is sent in clear-text. Because WEP uses RC4 as an encryption algorithm and the IV is sent in clear-text, WEP can be broken. To alleviate this problem, the key was extended to 104 bits with the IV value. However, either variation can easily be broken in minutes on laptops and computers produced today.

802.1x EAP

The Extensible Authentication Protocol (EAP) is a layer 2 process that allows a wireless client to authenticate to the network. There are two varieties of EAP: one for wireless and one for LAN connections, commonly called EAP over LAN (EAPoL).

One of the concerns in wireless is allowing a WLAN client to communicate to devices behind an AP. Three standards define this process: EAP, 802.1x, and Remote Authentication Dial In User Service (RADIUS). EAP defines a standard way of encapsulating authentication information, such as a username and password or a digital certificate that the AP can use to authenticate the user.802.1x and RADIUS define how to packetize the EAP information to move it across the network.

WPA

Wi-Fi Protected Access (WPA) was designed by the Wi-Fi Alliance as a temporary security solution to provide for the use of 802.1x and enhancements in the use of WEP until the 802.11i standard would be ratified. WPA can operate in two modes: personal and enterprise mode. Personal mode was designed for home or SOHO usage. A pre-shared key is used for authentication, requiring you to configure the same key on the clients and the AP. With this mode, no authentication server is necessary as it is in the official 802.1 x standards. Enterprise mode is meant for large companies, where an authentication server will centralize the authentication credentials of the clients.

WPA2

WPA2 is the IEEE 802.11i implementation from the Wi-Fi Alliance. Instead of using WEP, which uses the weak RC4 encryption algorithm, the much more secure Advanced Encryption Standard (AES)–counter mode CBC-MAC Protocol (CCMP) algorithm is used.