5.9 Security Fundamentals - Describe wireless security protocols (WPA, WPA2, and WPA3)
What type of server is commonly used as an 802.1x authentication server
RADIUS Server
WEP uses the ______ cipher algorithm to make every wireless data frame private and hidden from eavesdroppers
RC4
T or F, When you configure user authentication on a wireless LAN, you will not have to select a specific EAP method. Instead, you select 802.1x on the WLC so that it is ready to handle a variety of EAP methods.
True
T or F, WPA was based on parts of 802.11i and included 802.1x authentication, TKIP, and a method for dynamic encryption key management
True
The __1__ and __2__ determine which EAP-based authentication method they will use
1) Client 2) Authentication Server (AS)
What were the only two choices to authenticate a client in the original 802.11 standards
1) Open Authentication 2) WEP
Which versions of WPA support AES
2 and 3
This version of WPA leverages stronger encryption by AES with the Galois/Counter Mode Protocol (GCMP). It also uses Protected Management Frames (PMF) to secure important 802.11 management frames between APs and clients
3
This IEEE standard allows EAP to integrate with it to provide port-based access
802.1x
When _______ is enabled, it limits access to the network media until a client authenticates. This means that a wireless client might be able to associate with an AP but will not be able to pass data to any other part of the network until it successfully authenticates
802.1x
WPA2 is based around the superior ______ CCMP algorithms, rather than the deprecated TKIP from WPA
Advanced Encryption Standards (AES)
Which WPA versions (1, 2, or all 3) support two client authentication modes, a pre-shared key (PSK) or 802.1x, based on the scale of the deployment? These are also known as personal mode and enterprise mode
All 3
In LEAP, what device did the client authenticate to
Authentication Server
In the 802.1x standard, this role is the device that takes user or client credentials and permits or denies network access based on a user database and policies
Authentication Server (AS)
In the 802.1x standard, this role is the network device that provides access to the network
Authenticator
The difference between PEAP and EAP-FAST is that in PEAP the AS uses a digital ____________ to authenticate itself with the supplicant in the outer authentication process
Certificate
This protocol is considered to be more secure than TKIP. It consists of two algorithms: (1) AES counter mode encryption and (2) Cipher Block Chaining Message Authentication Code (CBC-MAC), used as a message integrity check (MIC)
Counter/CBC-MAC Protocol (CCMP)
LEAP used (Static / Dynamic) WEP Keys
Dynamic
Cisco's more secure protocol that replaced LEAP is called
EAP Flexible Authentication by Secure Tunneling (EAP-FAST)
What EAP protocol is a step above PEAP and now requires a certificate installed on both the AS as well as every client that wants to connect to the network
EAP Transport Layer Security (EAP-TLS)
With __________, the AS and the supplicant exchange certificates and can authenticate each other. A TLS tunnel is built afterward so that encryption key material can be securely exchanged
EAP Transport Layer Security (EAP-TLS)
The wireless LAN controller becomes a middleman in the client authentication process, controlling user access with 802.1x and communicating with the authentication server using the _____ framework
Extensible Authentication Protocol (EAP)
This scalable authentication framework in the 802.11 standard does not consist of any one authentication method. Instead, it defines a set of common functions that actual authentication methods can use to authenticate users
Extensible Authentication Protocol (EAP)
T or F, CCMP can be used on legacy devices that support only WEP or TKIP
False
T or F, In PEAP both the supplicant and the AS have their own certificate and both are signed by a CA
False
T or F, LEAP is still offered and as such, is safe to use
False
T or F, You can use EAP-TLS when there are devices that will connect to the network, such as communicators, medical devices, and RFID tags, that cannot interface w/ a CA or use certificates.
False
With the RC4 cipher algorithm in WEP, there is an encryption key generated for each wireless ________ that is sent over the air
Frame
TKIP added various security features; this one uses an algorithm which computes a unique 128-bit WEP key for each frame.
Key Mixing Algorithm
An AP can have unique encryption _______ so individual clients on a WLAN can talk securely with the AP, while group encryption ________ are used when the AP needs to send encrypted data to all clients in its cell at one time
Keys
What was the early attempt to address the weaknesses in WEP from Cisco called
Lightweight EAP (LEAP)
TKIP added various security features; this one doubled the size of this field from 24 to 48 bits, making it virtually impossible to exhaust all WEP keys by brute-force calculation
Longer Initialization Vector
TKIP added various security features; this one used an efficient algorithm which added a hash value to each frame as a message integrity check to prevent tampering; it is commonly called "Michael" as an informal reference
MIC
A _____________ is a security tool that can protect against data tampering
Message integrity Check (MIC)
Before CCMP can be used to secure a wireless network, the client devices and APs (must / should) support the AES counter mode and CBC-MAC in hardware
Must
How many authentication and encryption schemes should each WLAN support
One
An AP set to use this authentication option only requires that a client send an 802.11 authentication request before it attempts to associate with the AP. No other credentials are needed.
Open Authentication
802.1x is referred to as __________ access
Port-Based
In Cisco's EAP-FAST, authentication credentials are protected by passing a ___________ between the AS and the supplicant
Protected Access Credential (PAC)
Used in EAP-FAST, this authentication credential is a form of shared secret that is generated by the AS and used for mutual authentication
Protected Access Credential (PAC)
The EAP-based protocol that followed EAP-FAST is
Protected EAP (PEAP)
Since managing and installing certificates for every client that wants to connect to the network (in EAP-TLS) is impractical, you would implement a ___________, through a CA, to supply certificates securely and efficiently and revoke them when a client or user should no longer have access to the network
Public Key Infrastructure (PKI)
TKIP added various security features; this one includes the __________ as evidence of the frame source
Sender's MAC Address
WEP is known as a _________-key security method. The same key must be shared between the sender and receiver ahead of time, so that each can derive other mutually agreeable encryption keys
Shared
Rather than a client authenticating against a server or AP, in this WPA3 authentication method the client and AP can initiate the authentication process equally and even simultaneously. This method is called
Simultaneous Authentication of Equals (SAE)
In the 802.1x standard, this role is the client device that is requesting access
Supplicant
TKIP added various security features; this one provides a record of frames sent by a unique MAC address, to prevent frames from being replayed as an attack
TKIP Sequence Counter
When devices were still using WEP, what was developed to add security features to the legacy hardware stuck with WEP
Temporal Key Integrity Protocol (TKIP)
TKIP added various security features; this one is added into the MIC to prevent replay attacks that attempt to reuse or replay frames that have already been sent.
Time Stamp
T or F, All 3 versions of WPA support 802.1x
True
T or F, EAP-FAST requires a RADIUS server that must also operate as an EAP-FAST server to be able to generate PACs, one per user
True
T or F, EAP-TLS is considered to be the most secure wireless authentication method available; however, implementing it can sometimes be complex
True
T or F, In networks using the 802.1x standard, the client uses open authentication to associate with the AP, and then the actual client authentication process occurs at a dedicated authentication server instead of at the authenticator (such as an AP or WLC) itself
True
T or F, TKIP was eventually deprecated for more secure 802.11 methods and should no longer be used.
True
T or F, The 802.1x standard simply allows the communication between the supplicant and the authenticator but instructs the supplicant and authenticator that there will be additional authentication between the supplicant and an AS via the various protocols available within the 802.1x standard
True
T or F, The AS's digital certificate used in PEAP is signed by a Certificate Authority (CA), and both the supplicant and the AS must possess the CA certificate so that the supplicant can validate the AS certificate upon receipt
True
T or F, The PEAP method also uses an inner and outer authentication; however, the Authentication Server presents a digital certificate to authenticate itself with the supplicant in the outer authentication
True
T or F, Two separate authentication processes occur in EAP-FAST: one between the AS and the supplicant and another with the end user
True
The RC4 cipher algorithm uses a string of bits as a key, commonly called a _________, to derive other encryption keys
WEP Key
What type of device is typically the Authenticator for the 802.1x standard
WLC
In this WPA version, although the Pre-Shared Key itself is never shared during the initial 4-way handshake between the AP and client, the encrypted key that is created using the Pre-Shared Key is openly exchanged over the air, allowing an attacker to obtain the encrypted key and use a dictionary attack to try to determine the Pre-Shared Key
WPA and WPA 2
What 802.11 standard (WEP, WPA, WPA2) supports CCMP
WPA2
This WPA version eliminated the dictionary attack on the encrypted key by strengthening the key exchange between clients and APs through a method known as Simultaneous Authentication of Equals (SAE)
WPA3