Wireless Cryptographic Protocols
Open mode
Note that the Security Options section also includes a choice of None. If you select None, the AP will operate in Open mode, meaning that it doesn't have any security.
PSK mode vs Enterprise mode vs open mode
PSK (or WPA-PSK and WPA2-PSK) uses a pre-shared key and does not provide individual authentication. Open mode doesn't use any security and allows all users to access the AP. Enterprise mode is more secure than Personal mode, and it provides strong authentication. Enterprise mode uses an 802.1x server (implemented as a RADIUS server) to add authentication.
When you select Enterprise mode, you'll need to enter three pieces of information:
Some APs support Enterprise mode, but some don't. An AP that supports it includes a check box to implement WPA2 Enterprise. 1. RADIUS Server. You enter the IP address assigned to the 802.1x server, which is often a RADIUS server. This is sometimes referred to as an AAA server. 2. RADIUS port. You enter the port used by the RADIUS server. The official default port for RADIUS is 1812. However, some vendors have used other ports such as 1645. The key is that you must enter the same port here that the server is using. 3. Shared Secret. The shared secret is similar to a password and you must enter it here exactly as it is entered on the RADIUS server.
WPA
WPA improved wireless security by giving users an alternative to WEP with existing hardware while the developers worked on creating the stronger WPA2 protocol. WPA is susceptible to password-cracking attacks, especially when the AP has a weak passphrase. The attacker uses a wireless protocol analyzer to capture the authentication traffic and then uses an offline brute force attack to discover the passphrase. Attackers often use a disassociation attack to force the user to reauthenticate.
Wireless Cryptographic Protocols
Because wireless networks broadcast over the air, anyone who has a wireless transceiver can intercept the transmissions. You can secure wireless networks with several different steps, but the most important step is to implement a strong security protocol, such as Wi-Fi Protected Access II (WPA2).
Examples of Captive protocol
1. Free Internet access. Many hospitals and other medical facilities provide free Internet access to patients and visitors. The captive portal requires users to acknowledge and agree to abide by an acceptable use policy (AUP). Free captive portals rarely require users to log on, but instead just require them to check a box indicating they agree, and then click a button to continue. 2. Paid Internet access. Many hotels, resorts, cruise ships, and airlines provide Internet access to customers, but on a pay-as-you-go basis. When users attempt to access the Internet, they are redirected to the captive portal and must successfully log on with a pre-created account or enter credit card information to pay for access. 3. Alternative to IEEE 802.1x. Adding an 802.1x server can be expensive and is sometimes not a feasible option.
General info
After you configure WPA2 Enterprise on an AP, the AP redirects all connection attempts to the RADIUS server for authentication. After users authenticate, the RADIUS server tells the AP to grant them access. Wireless authentication systems using an 802.1x server are more advanced than most home networks need, but many larger organizations use them. In other words, most home networks use Personal mode, but organizations that want to increase wireless security use Enterprise mode. A combination of both a security protocol such as WPA2 and an 802.1x authentication server significantly reduces the chance of a successful access attack against a wireless system.
Captive protocol
A captive portal is a technical solution that forces clients using web browsers to complete a specific process before it allows them access to the network. Organizations use it as a hot spot that requires users to log on or agree to specific terms before they can access the Internet. Organizations can also use captive portals as an alternative to an 802.1x server. It requires users to authenticate before granting them access.
Enterprise mode
Enterprise mode forces users to authenticate with unique credentials before granting them access to the wireless network. Enterprise mode uses an 802.1x server, often implemented as a RADIUS server, which accesses a database of accounts. If users don't have the proper credentials, Enterprise mode (using an 802.1x server) blocks their access. Also, an 802.1x server can provide certificate-based authentication to increase the security of the authentication process. The authentication protocol determines if the 802.1x server will use a certificate or not.
AES
Later implementations of WPA support Advanced Encryption Standard (AES) instead of TKIP. AES is a very strong and efficient encryption algorithm. Many applications beyond WPA/WPA2 use AES to provide secure encryption and ensure confidentiality.
TKIP Versus CCMP
Temporal Key Integrity Protocol (TKIP) is an older encryption protocol used with WPA. CCMP is a newer encryption protocol used with WPA2. IEEE has deprecated WPA and TKIP due to various security issues, but many wireless networks are still using these older protocols. IEEE recommends using WPA2 with CCMP because it provides significantly more security. A benefit of TKIP is that it didn't require new hardware. WEP users could upgrade software and/or firmware and implement WPA with TKIP without the need to replace the hardware. Newer hardware supports WPA2, so the usage of WPA and TKIP is waning. However, you might still see some legacy hardware using WPA and TKIP. Several people have been successful at cracking WPA with TKIP, so it's best to upgrade WPA to WPA2, or at least upgrade TKIP to use AES. WPA2 supports CCMP, which is based on AES and is much stronger than WPA using TKIP. WPA2 also employs much more secure methods of managing the encryption keys than WPA.
WPA vs WEP vs WPA2 (TKIP/CCMP)
WPA provided an immediate replacement for WEP and originally used TKIP, which was compatible with older hardware. Later implementations support the stronger AES encryption algorithm. WPA2 is the permanent replacement for WEP and WPA. WPA2 supports CCMP (based on AES), which is much stronger than the older TKIP protocol, so CCMP should be used instead of TKIP. Both WPA and WPA2 can operate in either pre-shared key (PSK) or Enterprise modes.
PSK mode
When using PSK mode, users access the wireless network anonymously with a PSK or passphrase. This doesn't provide authentication. Authentication proves a user's identity with the use of credentials such as a username and password. Users claim an identity with a username and prove their identity with a password. Just a passphrase without a username provides authorization without authentication.
WPA vs WEP
Wi-Fi Protected Access (WPA) was the replacement for Wired Equivalent Privacy (WEP). WEP has known vulnerabilities and should not be used. WPA provided an immediate solution to the weaknesses of WEP without requiring users to upgrade their hardware. Even when WPA replaced WEP, its developers recognized that WPA wasn't solid enough to last for an extended period.
WPA2
Wi-Fi Protected Access II (WPA2) is the permanent replacement for WPA. WPA2 (also known as IEEE 802.11i) uses stronger cryptography than WPA. The Wi-Fi Alliance requires all devices carrying its Wi-Fi CERTIFIED logo to meet WPA2 standards, including the use of the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). Although WPA2 provides significant security improvements over previous wireless encryption techniques, some enterprises need stronger security. Another step you can take is to enable authentication with Enterprise mode.