TTLS

These settings define the protocol and the credentials used to authenticate a user. In TTLS (Tunneled Transport Layer Security), the client uses EAP-TLS to validate the server and create a TLS-encrypted channel between the client and server. Over this encrypted channel the client can then use another authentication protocol, typically a password-based protocol such as MD5-Challenge, so that the server can validate it. Because the challenge and response packets travel inside the TLS-encrypted channel, they are not exposed on the wireless link. TTLS implementations today support all methods defined by EAP, as well as several older methods (PAP, CHAP, MS-CHAP and MS-CHAPv2). TTLS can easily be extended to work with new protocols by defining new attributes for them.

Authentication Protocols

  • PAP: Password Authentication Protocol is a two-way handshake protocol designed for use with PPP. PAP sends the password in plain text and was used on older SLIP systems. It is not secure.
  • CHAP: Challenge Handshake Authentication Protocol is a three-way handshake protocol that is considered more secure than PAP.
  • MS-CHAP (MD4): Uses a Microsoft version of the RSA Message Digest 4 challenge-and-reply protocol. It works only on Microsoft systems and enables data encryption. Selecting this authentication method causes all data to be encrypted.
  • MS-CHAP-V2: Introduces an additional feature not available with MS-CHAPv1 or standard CHAP authentication: the change-password feature. This feature allows the client to change the account password if the RADIUS server reports that the password has expired.

PEAP

PEAP is a new Extensible Authentication Protocol (EAP) IEEE 802.1x authentication type designed to take advantage of server-side EAP-Transport Layer Security (EAP-TLS) and to support various authentication methods, including user passwords, one-time passwords, and Generic Token Cards.

Authentication Protocols

  • Generic Token Card (GTC): Carries user-specific token cards for authentication. The main feature of GTC is Digital Certificate/Token Card-based authentication. In addition, GTC can hide the user name identity until the TLS-encrypted tunnel is established, which provides additional confidentiality because user names are not broadcast during the authentication phase.
  • MS-CHAP-V2: Refer to MS-CHAP-V2 above.
  • TLS: The TLS protocol is intended to secure and authenticate communications across a public network through data encryption. The TLS Handshake Protocol allows the server and client to provide mutual authentication and to negotiate an encryption algorithm and cryptographic keys before data is transmitted. Refer to the TLS section for more information.



Security Overview: Intel(R) PRO/Wireless Network Connection User's Guide

Intel(R) PRO/Wireless 3945ABG Network Connection
Intel(R) PRO/Wireless 2915ABG Network Connection
Intel(R) PRO/Wireless 2200BG Network Connection

This section describes the types of security used in connecting to wireless networks.

WEP Encryption

Use IEEE 802.11 Wired Equivalent Privacy (WEP) encryption to prevent unauthorized reception of wireless data. WEP encryption provides two levels of security, using a 64-bit key (sometimes referred to as 40-bit) or a 128-bit key (also known as 104-bit). For stronger security, use a 128-bit key. If you use encryption, all wireless devices on your wireless network must use the same encryption keys.

WEP encryption and shared authentication provide protection for your data on the network. WEP uses an encryption key to encrypt data before transmitting it. Only computers using the same encryption key can access the network or decrypt the encrypted data transmitted by other computers. Authentication provides an additional validation process from the adapter to the access point.

The WEP encryption algorithm can be vulnerable to passive and active network attacks. TKIP and CKIP algorithms include enhancements to the WEP protocol that mitigate existing network attacks and address its shortcomings.
NOTE: CKIP is only supported through the use of Intel PROSet/Wireless software.


Open and Shared Key authentication

IEEE 802.11 authentication supports two types of network authentication methods: Open System and Shared Key.

  • Open authentication: Any wireless station can request authentication. The station that needs to authenticate with another wireless station sends an authentication management request that contains the identity of the sending station. The receiving station, or Access Point, grants any request for authentication. Open authentication allows any device network access. If no encryption is enabled on the network, any device that knows the Service Set Identifier (SSID) of the access point can gain access to the network.
  • Shared Key authentication: Each wireless station is assumed to have received a secret shared key over a secure channel that is independent from the 802.11 wireless network communications channel. Shared key authentication requires that the client configure a static WEP key. The client access is granted only if it passes a challenge-based authentication.

802.1x Authentication

The 802.1x authentication is independent of the 802.11 authentication process. The 802.1x standard provides a framework for various authentication and key-management protocols. There are different 802.1x authentication types, each providing a different approach to authentication but all employing the same 802.1x protocol and framework for communication between a client and an access point. In most protocols, upon the completion of the 802.1x authentication process, the supplicant receives a key that it uses for data encryption. Refer to How 802.1x Authentication Works for more information. With 802.1x authentication, an authentication method is used between the client and a Remote Authentication Dial-In User Service (RADIUS) server connected to the access point. The authentication process uses credentials (for example, a user's password) that are not transmitted over the wireless network. Most 802.1x types support dynamic per-user, per-session keys to strengthen the static key security. 802.1x benefits from the use of an existing authentication protocol known as the Extensible Authentication Protocol (EAP).

The 802.1x authentication for wireless LANs has three main components: The authenticator (the access point), the supplicant (the client software), and the authentication server (a Remote Authentication Dial-In User Service [RADIUS] server). The 802.1x authentication security initiates an authorization request from the wireless client to the access point, which authenticates the client to an Extensible Authentication Protocol (EAP) compliant RADIUS server. This RADIUS server may authenticate either the user (via passwords or certificates) or the system (by MAC address). In theory, the wireless client is not allowed to join the network until the transaction is complete.

There are several authentication algorithms used for 802.1x. Some examples are: MD5-Challenge, EAP-TLS, EAP-TTLS, Protected EAP (PEAP), and EAP Cisco Wireless Light Extensible Authentication Protocol (LEAP). These are all methods for the wireless client to identify itself to the RADIUS server. With RADIUS authentication, user identities are verified against databases. RADIUS constitutes a set of standards addressing Authentication, Authorization, and Accounting (AAA). RADIUS includes a proxy process to validate clients in a multi-server environment. The IEEE 802.1x standard is for controlling and authenticating access to port-based 802.11 wireless and wired Ethernet networks. Port-based network access control is similar to a switched local area network (LAN) infrastructure that authenticates devices attached to a LAN port and prevents access to that port if the authentication process fails.

What is RADIUS?

RADIUS is the Remote Authentication Dial-In User Service, an Authentication, Authorization, and Accounting (AAA) client-server protocol used when a AAA dial-up client logs in or out of a Network Access Server. Typically, a RADIUS server is used by Internet Service Providers (ISP) to perform AAA tasks. The AAA phases are described as follows:

  • Authentication phase: Verifies a user name and password against a local database. After the credentials are verified, the authorization process begins.
  • Authorization phase: Determines whether a request is allowed access to a resource. An IP address is assigned for the Dial-Up client.
  • Accounting phase: Collects information on resource usage for the purpose of trend analysis, auditing, session time billing, or cost allocation.

How 802.1x Authentication Works

A simplified description of the 802.1x authentication is:

  1. A client sends a "request to access" message to an access point. The access point requests the identity of the client.
  2. The client replies with its identity packet which is passed along to the authentication server.
  3. The authentication server sends an "accept" packet to the access point.
  4. The access point places the client port in the authorized state and data traffic is allowed to proceed.

802.1x Features

  • 802.1x supplicant protocol support
  • Support for the Extensible Authentication Protocol (EAP) - RFC 2284
  • Supported Authentication Methods:
    • MD5 - RFC 2284
    • EAP TLS Authentication Protocol - RFC 2716 and RFC 2246
    • EAP Tunneled TLS (TTLS)
    • Cisco LEAP
    • EAP-SIM
    • PEAP
    • EAP-FAST
  • Supports Microsoft Windows XP, Microsoft Windows 2000

WPA and WPA2

Wi-Fi Protected Access (WPA or WPA2) is a security enhancement that strongly increases the level of data protection and access control to a wireless network. WPA enforces 802.1x authentication and key-exchange and only works with dynamic encryption keys. To strengthen data encryption, WPA utilizes Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements that include a per-packet key mixing function, a message integrity check (MIC) called Michael, an extended initialization vector (IV) with sequencing rules, and a rekeying mechanism. With these enhancements, TKIP protects against WEP's known weaknesses.

The second generation of WPA that complies with the IEEE TGi specification is known as WPA2.

Enterprise Mode: Enterprise Mode verifies network users through a RADIUS or other authentication server. WPA utilizes 128-bit encryption keys and dynamic session keys to ensure your wireless network's privacy and enterprise security. Enterprise Mode is targeted to corporate or government environments.

Personal Mode: Personal Mode requires manual configuration of a pre-shared key (PSK) on the access point and clients. PSK authenticates users via a password, or identifying code, on both the client station and the access point. No authentication server is needed. Personal Mode is targeted to home and small business environments.

WPA-Enterprise and WPA2-Enterprise: Provide this level of security on enterprise networks with an 802.1x RADIUS server. An authentication type is selected to match the authentication protocol of the 802.1x server.
NOTE: WPA-Enterprise and WPA2-Enterprise are not interoperable.

WPA-Personal and WPA2-Personal: Provide this level of security in the small network or home environment. They use a password, also called a pre-shared key (PSK). The longer the password, the stronger the security of the wireless network. If your wireless access point or router supports WPA-Personal or WPA2-Personal, you should enable it on the access point and provide a long, strong password. The same password entered into the access point needs to be used on this computer and all other wireless devices that access the wireless network.
NOTE: WPA-Personal and WPA2-Personal are not interoperable.
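The passphrase described above is not used directly: each station turns it and the SSID into the 256-bit pre-shared key with PBKDF2-HMAC-SHA1 (4096 iterations), as specified by IEEE 802.11i. The following is an added example, not code from the Intel guide, that performs that derivation with the standard library, enforces the 8 to 63 printable-ASCII passphrase bounds, and accepts a raw 64-hex-digit key; the function names are this example's own.

```python
import hashlib
import re

# Derivation parameters fixed by IEEE 802.11i for WPA-Personal / WPA2-Personal
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32        # 256-bit pairwise master key
MIN_PASSPHRASE = 8  # passphrase bounds in characters
MAX_PASSPHRASE = 63


def validate_passphrase(passphrase: str) -> None:
    """Reject passphrases the standard does not allow: outside 8..63 characters
    or containing anything but printable ASCII (0x20..0x7E)."""
    if not MIN_PASSPHRASE <= len(passphrase) <= MAX_PASSPHRASE:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_psk(ssid: str, passphrase: str) -> bytes:
    """Return the 256-bit PSK that the access point and every client compute
    from the shared passphrase. The SSID is the PBKDF2 salt, so the same
    passphrase yields a different key on every network, and the 4096
    iterations make each guess of a passphrase cost 4096 HMAC operations.
    A 64-hex-digit value is taken as the raw key and used without derivation."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", passphrase):
        return bytes.fromhex(passphrase)
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LEN)


def stations_agree(ssid: str, ap_passphrase: str, client_passphrase: str) -> bool:
    """True only when both ends compute the identical PSK, which is what the
    guide means by using the same password on the access point and every client."""
    return derive_psk(ssid, ap_passphrase) == derive_psk(ssid, client_passphrase)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: SSID "IEEE", passphrase "password"
    print(derive_psk("IEEE", "password").hex())
```

The printed value for the 802.11i test vector is f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e.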

AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is the new method for privacy protection of wireless transmissions specified in the IEEE 802.11i standard. AES-CCMP provides a stronger encryption method than TKIP. Choose AES-CCMP as the data encryption method whenever strong data protection is important.
NOTE: Some security solutions may not be supported by your computer’s operating system and may require additional software or hardware as well as wireless LAN infrastructure support. Check with your computer manufacturer for details.

TKIP (Temporal Key Integrity Protocol) is an enhancement to WEP (Wired Equivalent Privacy) security. TKIP provides per-packet key mixing, a message integrity check, and a rekeying mechanism, which fixes the flaws of WEP.


MD5

Message Digest 5 (MD5) is a one-way authentication method that uses user names and passwords. This method does not support key management, but does require a pre-configured key if data encryption is used. It can be safely deployed for wireless authentication inside EAP tunnel methods.
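MD5-Challenge and the CHAP method listed under TTLS compute the same thing: the peer hashes a one-octet identifier, the secret and the server's challenge, and the server recomputes the hash from its own copy of the secret. The following is an added example, not code from the Intel guide, that implements that three-way round per RFC 1994 and contrasts it with PAP's cleartext Authenticate-Request; the function names are this example's own.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side of CHAP with MD5 (RFC 1994) and of EAP MD5-Challenge (RFC 2284):
    Response Value = MD5(Identifier || secret || Challenge Value).
    The secret itself is never placed on the wire."""
    if not 0 <= identifier <= 255:
        raise ValueError("identifier must fit in one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def new_challenge(length: int = 16) -> bytes:
    """Authenticator side: a fresh, unpredictable challenge for every attempt,
    so a captured response is useless for a later attempt."""
    return os.urandom(length)


def verify_response(identifier: int, secret: bytes, challenge: bytes,
                    response: bytes) -> bool:
    """Authenticator side: recompute the hash from its stored copy of the secret
    and compare in constant time. The server therefore has to keep the
    cleartext secret, and anyone who sees challenge and response can test
    password guesses offline; that is why the guide keeps MD5 inside an
    EAP tunnel instead of running it bare on the wireless link."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_authenticate_request(username: bytes, password: bytes) -> bytes:
    """PAP contrast (RFC 1334 Authenticate-Request body): peer-id and password
    are sent as length-prefixed cleartext strings."""
    return bytes([len(username)]) + username + bytes([len(password)]) + password


def run_chap_exchange(server_secret: bytes, peer_secret: bytes,
                      identifier: int = 1):
    """One three-way CHAP round; returns (challenge, response, accepted)."""
    challenge = new_challenge()                                   # 1. authenticator -> peer
    response = chap_response(identifier, peer_secret, challenge)  # 2. peer -> authenticator
    accepted = verify_response(identifier, server_secret,
                               challenge, response)               # 3. Success or Failure
    return challenge, response, accepted


if __name__ == "__main__":
    # Constructed secret for the demonstration
    _, _, ok = run_chap_exchange(b"correct horse battery staple", b"correct horse battery staple")
    print("accepted" if ok else "rejected")
```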

TLS

A type of authentication method using the Extensible Authentication Protocol (EAP) and a security protocol called Transport Layer Security (TLS). EAP-TLS authenticates with certificates. EAP-TLS authentication supports dynamic WEP key management. The TLS protocol is intended to secure and authenticate communications across a public network through data encryption. The TLS Handshake Protocol allows the server and client to provide mutual authentication and to negotiate an encryption algorithm and cryptographic keys before data is transmitted.


Cisco LEAP

Light Extensible Authentication Protocol (LEAP) is an authentication implementation of 802.1x by Cisco, which provides a challenge-response authentication mechanism and dynamic WEP key assignment.

Cisco LEAP (Cisco Light EAP) is a server-and-client 802.1x authentication method that uses a user-supplied logon password. When a wireless access point communicates with a Cisco LEAP-enabled RADIUS server (Cisco Secure Access Control Server [ACS]), Cisco LEAP provides access control through mutual authentication between client wireless adapters and the wireless network, and provides dynamic, individual user encryption keys to help protect the privacy of transmitted data.

Cisco Rogue AP Security Feature

The Cisco Rogue AP feature provides security protection from an introduction of a rogue AP that could mimic a legitimate AP on a network in order to extract information about user credentials and authentication protocols that could compromise security. This feature only works with Cisco's LEAP authentication. Standard 802.11 technology does not protect a network from the introduction of a rogue AP. Refer to LEAP Authentication for more information.

CKIP

Cisco Key Integrity Protocol (CKIP) is a Cisco-proprietary security protocol for encryption in 802.11 media. CKIP uses the following features to improve 802.11 security in infrastructure mode:

  • Key Permutation (KP)
  • Message Integrity Check (MIC)
  • Message Sequence Number

Fast Roaming (CCKM)

When a wireless LAN is configured for fast reconnection, a LEAP-enabled client device can roam from one access point to another without involving the main server. Using Cisco Centralized Key Management (CCKM), an access point configured to provide Wireless Domain Services (WDS) takes the place of the RADIUS server and authenticates the client without perceptible delay in voice or other time-sensitive applications.

Mixed Cells Mode

Some access points, for example the Cisco 350 or Cisco 1200, support environments in which not all client stations support WEP encryption; this is called Mixed-Cell Mode. When these wireless networks operate in "optional encryption" mode, client stations that join in WEP mode send all messages encrypted, and stations that join using standard mode send all messages unencrypted. These access points broadcast that the network does not use encryption, but allow clients to join using WEP mode. When "Mixed-Cell" is enabled in a profile, it allows you to connect to access points that are configured for "optional encryption."

Radio Management

When this feature is enabled, your wireless adapter provides radio management information to the Cisco infrastructure. If the Cisco Radio Management utility is used in the infrastructure, it configures radio parameters and detects interference and rogue access points.


EAP-FAST

EAP-FAST, like EAP-TTLS and PEAP, uses tunneling to protect traffic. The main difference is that EAP-FAST does not use certificates to authenticate. Provisioning in EAP-FAST is negotiated solely by the client as the first communication exchange when EAP-FAST is requested from the server. If the client does not have a pre-shared secret Protected Access Credential (PAC), it can request to initiate a provisioning EAP-FAST exchange to dynamically obtain one from the server.

EAP-FAST documents two methods to deliver the PAC: manual delivery through an out-of-band secure mechanism, and automatic provisioning.

  • Manual delivery mechanisms can be any delivery mechanism that the administrator of the network feels is sufficiently secure for their network.
  • Automatic provisioning establishes an encrypted tunnel to protect the authentication of the client and the delivery of the PAC to the client. This mechanism, while not as secure as a manual method may be, is more secure than the authentication method used in LEAP.

The EAP-FAST method can be divided into two parts: provisioning, and authentication. The provisioning phase involves the initial delivery of the PAC to the client. This phase only needs to be performed once per client and user.

