IEEE 802.11i Considerations
With all the terms and concepts used in this tutorial, it may not be immediately clear what exactly you, as a wireless network administrator, need to do to deploy a network that is IEEE 802.11i compliant. The table below presents that information in bite-sized pieces.
Scenario | Suggested Solutions and Tips |
---|---|
You manage a small wireless network with only a few users and devices and need to use the most current security mechanisms. | Consider IEEE 802.11i. Use IEEE 802.11i with pre-shared keys, which help you avoid the additional overhead of maintaining a public key infrastructure (PKI). |
You manage a medium-sized to large wireless network and need to use the most current security mechanisms. | Consider IEEE 802.11i. Consider using IEEE 802.11i with one of the EAP authentication types. |
You already use digital certificates for server- or infrastructure-side authentication on your network. | Consider using EAP-TTLS with IEEE 802.11i. EAP-TTLS does not require mutual authentication. |
You already use digital certificates for server- or infrastructure-side authentication and for client-side authentication on your network. | Consider using EAP-TLS with IEEE 802.11i. EAP-TLS requires mutual authentication. |
You are considering using EAP-TLS or EAP-TTLS on the infrastructure side of your wireless network. | You need a RADIUS server implementation that supports EAP. You need a PKI that lets you manage the digital certificates that will be used, which includes the tasks of issuing, revoking, signing, and storing the certificates. Some of this can occur via a certificate authority implementation. Your WAPs (the authenticator entity) must support 802.1X so that they can communicate with the RADIUS servers via EAP. You might get 802.1X support in infrastructure hardware via simple firmware upgrades if the vendor doesn't support it. Consider temporarily allowing legacy authentication mechanisms to coexist with new 802.1X-based mechanisms, which will help if things don't work as smoothly as planned. |
You are considering using EAP-TLS or EAP-TTLS on the client or peer side of the wireless network. | You need the wireless clients (STAs) to be able to speak 802.1X to the access point. The supplicant software on the clients needs to support the EAP type with which the server is configured. |
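
The client-side rows of the table, as an added example that is not part of the original tutorial: a supplicant configuration with one network block per scenario (pre-shared key, EAP-TTLS, EAP-TLS). The use of wpa_supplicant as the supplicant software is an assumption, and every SSID, identity, host name and file path below is constructed for illustration.

```conf
# wpa_supplicant.conf (added example; all names, secrets and paths are constructed)

# Small network: IEEE 802.11i with a pre-shared key, no PKI to maintain.
network={
    ssid="example-psk"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    group=CCMP
    psk="replace-with-a-long-random-passphrase"
}

# Certificates on the server side only: EAP-TTLS.
# ca_cert and domain_suffix_match make the client verify the RADIUS
# server's certificate before the password is sent inside the TLS tunnel.
network={
    ssid="example-ttls"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TTLS
    anonymous_identity="anonymous@example.org"
    identity="alice@example.org"
    password="replace-me"
    ca_cert="/etc/wpa_supplicant/example-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}

# Certificates on both server and client side: EAP-TLS.
# The client still verifies the server, and presents its own certificate.
network={
    ssid="example-tls"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="alice@example.org"
    ca_cert="/etc/wpa_supplicant/example-ca.pem"
    domain_suffix_match="radius.example.org"
    client_cert="/etc/wpa_supplicant/alice-cert.pem"
    private_key="/etc/wpa_supplicant/alice-key.pem"
    private_key_passwd="replace-me"
}
```

The `eap=` value in each block has to match an EAP type the RADIUS server is configured to offer, which is the client-side requirement stated in the last table row.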