Wireless Fundamentals: Encryption and Authentication
This article gives insight into wireless encryption and authentication to help users make an educated decision on what type of security to implement in their wireless network. Cisco Meraki equipment supports several types of encryption and authentication:
- WPA2 - PSK (Pre-Shared Key)
- WPA2 - Enterprise
- Splash Page
- Hidden SSID
WEP
Wired Equivalent Privacy, now deprecated, was part of the original 802.11 standard. WEP utilized a 40-128 bit key that was a combination of a key (a string of hexadecimal characters) and an initialization vector. Cisco Meraki access points support pre-shared key WEP authentication. WEP was deemed insecure because of how easily it could be broken, but it is still available on Cisco Meraki equipment for legacy devices.
WPA
Wi-Fi Protected Access, WPA, was created to "patch" the issues with WEP, allowing users to update their equipment with a firmware update instead of buying brand new hardware. WPA included a new type of key system called TKIP (Temporal Key Integrity Protocol). TKIP derives a unique encryption key for each wireless frame, providing a more secure connection than WEP. However, TKIP is susceptible to wireless attacks and is no longer considered the enterprise standard.
WPA2 – Personal
WPA2 is currently the most secure standard, utilizing AES (Advanced Encryption Standard) and a pre-shared key for authentication. WPA2 is backwards compatible with TKIP to allow interoperability with legacy devices. AES is used through the CCMP encryption protocol, which provides stronger message integrity and confidentiality. By default, SSIDs on Cisco Meraki access points that are configured for WPA2 utilize AES encryption.
WPA2 – Enterprise
WPA2 Enterprise utilizes per-user authentication based on the 802.1X standard, along with the features of WPA2 such as AES. Cisco Meraki fully supports WPA2 Enterprise association with RADIUS and PEAP/MSCHAPv2, or Meraki Authentication, to provide a secure wireless network for enterprise use. Users log in with a valid username and password to authenticate instead of a pre-shared key, which is susceptible to social engineering.
WPA3
WPA3, announced by the Wi-Fi Alliance in 2018, introduced new features to simplify Wi-Fi security, including better authentication, increased cryptographic strength, and mandatory use of Protected Management Frames (PMF) to increase network security. For additional information on WPA3 encryption and configuration on Meraki access points, please refer to the WPA3 Encryption and Configuration Guide.
Splash Pages
Cisco Meraki provides a variety of splash pages that can be utilized for additional security.
- Sign on with Authentication - Forces users to authenticate through a sign-on page using one of several authentication sources, including RADIUS, LDAP, and Meraki Authentication.
- Sign on with SMS Authentication - Forces users to authenticate with an SMS code sent to their phone.
- Systems Manager Sentry - Utilizes Cisco Meraki Systems Manager. Users will need to install the Systems Manager client on their computer; their device can then be viewed on a Systems Manager network.
Splash pages can be used with or without a WPA/WEP solution as well.
Hidden SSID
A hidden SSID can prevent public visibility of your corporate SSID. Hidden SSIDs require manual creation of a wireless profile in order for the wireless client to initiate association. Although packet sniffers can detect SSID names from probe requests and association frames, disabling SSID broadcasts can dissuade many would-be attackers from trying to gain access.
Figure 1 below shows a standard beacon frame for a non-hidden SSID; the AP sends one of these out for each SSID it is broadcasting.
A hidden SSID will not broadcast the beacon frames; clients will have to know the SSID name to associate. Figure 2 shows an iPhone broadcasting a probe request to see if the SSID "Test" is available in the area.
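The contrast between Figures 1 and 2, as an added example that is not Meraki documentation or code: a small parser for the SSID element of 802.11 management frame bodies, run over constructed beacon and probe request bodies, showing that a hidden SSID only withholds the name from the beacon while the client's probe request (Figure 2) still carries it in clear text. The frame bodies, SSID names and capability values are constructed for illustration.

```python
# Added example (not Meraki code): parse the SSID element of 802.11 frame bodies.
import struct

SSID_ELEMENT_ID = 0            # element ID 0 = SSID (802.11 tagged parameter)
BEACON_FIXED_LEN = 8 + 2 + 2   # timestamp, beacon interval, capability info


def parse_elements(body: bytes) -> dict:
    """Walk the (ID, length, value) tagged parameters of a frame body."""
    elements, offset = {}, 0
    while offset + 2 <= len(body):
        elem_id, length = body[offset], body[offset + 1]
        value = body[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated element at offset %d" % offset)
        elements[elem_id] = value
        offset += 2 + length
    return elements


def ssid_from_beacon(body: bytes) -> "str | None":
    """SSID a beacon advertises, or None when hidden. A hidden SSID is still
    beaconed, but its SSID element is zero-length (or all NUL bytes)."""
    ssid = parse_elements(body[BEACON_FIXED_LEN:]).get(SSID_ELEMENT_ID, b"")
    if not ssid.strip(b"\x00"):
        return None
    return ssid.decode("utf-8", errors="replace")


def ssid_from_probe_request(body: bytes) -> "str | None":
    """SSID a client is probing for (Figure 2); None means a wildcard probe."""
    ssid = parse_elements(body).get(SSID_ELEMENT_ID, b"")
    return ssid.decode("utf-8", errors="replace") or None


def build_beacon_body(ssid: bytes) -> bytes:
    """Constructed beacon body: fixed fields, SSID IE, Supported Rates IE."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capability
    return fixed + bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid + bytes([1, 1, 0x82])


def build_probe_request_body(ssid: bytes) -> bytes:
    """Constructed probe request body: SSID IE then Supported Rates IE."""
    return bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid + bytes([1, 1, 0x82])


if __name__ == "__main__":
    print(ssid_from_beacon(build_beacon_body(b"Corp-WiFi")))            # Corp-WiFi
    print(ssid_from_beacon(build_beacon_body(b"")))                     # None
    print(ssid_from_probe_request(build_probe_request_body(b"Test")))   # Test
```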
For more information on Wireless Security, please review the Wireless LAN Security Overview document.