
WPA

Although 802.1X addresses the weak authentication and key management issues of the original 802.11 standard, it provides no solution to the weaknesses of the WEP encryption algorithm. While the IEEE 802.11i wireless LAN security standard, which will be discussed in the "WPA2" section later in this tutorial, was being finalized, the Wi-Fi Alliance, an organization of wireless equipment vendors, created an interim standard known as Wi-Fi Protected Access (WPA). WPA replaces WEP with a much stronger encryption method known as the Temporal Key Integrity Protocol (TKIP). WPA also allows the optional use of the Advanced Encryption Standard (AES) for encryption.

WPA is available in two different modes:

  • WPA-Enterprise: Uses 802.1X authentication and is designed for medium and large infrastructure mode networks
  • WPA-Personal: Uses a preshared key (PSK) for authentication and is designed for small office/home office (SOHO) infrastructure mode networks

WPA2

The IEEE 802.11i standard formally replaces WEP and the other security features of the original IEEE 802.11 standard. Wi-Fi Protected Access 2 (WPA2) is a product certification available through the Wi-Fi Alliance that certifies wireless equipment as being compatible with the IEEE 802.11i standard. The goal of WPA2 certification is to support the additional mandatory security features of the IEEE 802.11i standard that are not already included for products that support WPA. For example, WPA2 requires support for both TKIP and AES encryption. WPA2 includes fast roaming techniques such as Pairwise Master Key (PMK) caching and preauthentication.

How It Works

When a wireless client authenticates using 802.1X, a series of messages is sent between the wireless client and the wireless AP to exchange credentials (802.1X authentication) and to determine the pairwise transient keys (the 4-way handshake). The pairwise transient keys are used for encryption and data integrity of WPA2-protected wireless data frames. This message exchange introduces a delay in the connection process. When a wireless client roams from one wireless AP to another, the delay to perform 802.1X authentication can cause noticeable interruptions in network connectivity, especially for time-dependent traffic such as voice or video-based data streams. To minimize the delay associated with roaming to another wireless AP, WPA2 wireless equipment can optionally support PMK caching and preauthentication.

PMK Caching

As a wireless client roams from one wireless AP to another, it must perform a full 802.1X authentication with each wireless AP. WPA2 allows the wireless client and the wireless AP to cache the results of a full 802.1X authentication so that if a client roams back to a wireless AP with which it has previously authenticated, the wireless client needs to perform only the 4-way handshake and determine new pairwise transient keys. In the Association Request frame, the wireless client includes a PMK identifier that was determined during the initial authentication and stored in the PMK cache entries of both the wireless client and the wireless AP. PMK cache entries are stored for a finite amount of time as configured on the wireless client and the wireless AP.

To make the transition faster for wireless networking infrastructures that use a switch that acts as the 802.1X authenticator, Windows Vista and Windows Server 2008 calculate the PMK identifier value so that the PMK as determined by the 802.1X authentication with the switch can be reused when roaming between wireless APs that are attached to the same switch. This practice is known as opportunistic PMK caching.

Preauthentication

With preauthentication, a WPA2 wireless client can optionally perform 802.1X authentications with other wireless APs within its range while connected to its current wireless AP. The wireless client sends preauthentication traffic to the additional wireless AP over its existing wireless connection. After preauthenticating with a wireless AP and storing the PMK and its associated information in the PMK cache, a wireless client that connects to a wireless AP with which it has preauthenticated needs to perform only the 4-way handshake.

WPA2 clients that support preauthentication can preauthenticate only with wireless APs that advertise their preauthentication capability in Beacon and Probe Response frames.
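The key derivations behind the preceding sections, as an added example that is not code from the tutorial or from Windows: the PSK that WPA/WPA2-Personal uses as its PMK, the PMK identifier a client offers in its Association Request for PMK caching, the pairwise transient key produced by the 4-way handshake, and a finite-lifetime PMK cache that serves both a roam back to a known AP and an AP the client has preauthenticated with. The constant strings, PBKDF2 parameters and PRF follow IEEE 802.11i; the MAC addresses, nonces, timestamps and the PmkCache/roam_to names are constructed for the demonstration.

```python
"""Added example (not from the tutorial): the key material behind WPA2-Personal,
the 4-way handshake and PMK caching, built only from hashlib/hmac.
Constants and the PRF follow IEEE 802.11i; sample MAC addresses, nonces and
timestamps are constructed for the demonstration."""
import hashlib
import hmac
import os


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA/WPA2-Personal: the 256-bit PSK, which serves as the PMK, is
    # PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations). Only the passphrase
    # is secret, so its strength is the strength of the whole network.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    # PMK identifier the client places in its (re)association request:
    # first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC).
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    # IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    # for i = 0, 1, ... until n bits are available, then truncate.
    out = b""
    i = 0
    while len(out) < nbits // 8:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, tkip=False):
    # 4-way handshake result: the pairwise transient key. Addresses and nonces
    # are ordered (min || max) so the AP and the client compute the same PTK.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512 if tkip else 384)
    keys = {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if tkip:  # TKIP additionally carries two 64-bit Michael MIC keys
        keys["MIC_TX"], keys["MIC_RX"] = ptk[48:56], ptk[56:64]
    return keys


class PmkCache:
    """Finite-lifetime PMK cache as kept by a WPA2 client or AP (constructed model)."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.entries = {}  # PMKID -> (PMK, expiry time)

    def store(self, pmk, aa, spa, now):
        # Called after a full 802.1X authentication or a preauthentication.
        self.entries[pmkid(pmk, aa, spa)] = (pmk, now + self.ttl)

    def lookup(self, pmk_id, now):
        entry = self.entries.get(pmk_id)
        if entry is None or now >= entry[1]:
            self.entries.pop(pmk_id, None)  # unknown or expired: full 802.1X needed
            return None
        return entry[0]


def roam_to(ap_cache, ap_mac, client_mac, client_pmk, now):
    # A client arriving at an AP offers the PMKID; on a cache hit both sides
    # skip 802.1X and go straight to the 4-way handshake.
    offered = pmkid(client_pmk, ap_mac, client_mac)
    cached = ap_cache.lookup(offered, now)
    if cached is None:
        return {"fast_roam": False, "reason": "PMKID not cached; full 802.1X required"}
    anonce, snonce = os.urandom(32), os.urandom(32)
    ap_side = derive_ptk(cached, ap_mac, client_mac, anonce, snonce)
    client_side = derive_ptk(client_pmk, ap_mac, client_mac, anonce, snonce)
    return {"fast_roam": True, "ptk_match": ap_side == client_side}


if __name__ == "__main__":
    pmk = psk_from_passphrase("password", "IEEE")  # published IEEE 802.11i test vector
    print("PSK/PMK:", pmk.hex())
    ap, client = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed
    cache = PmkCache(ttl_seconds=720 * 60)
    cache.store(pmk, ap, client, now=0)
    print(roam_to(cache, ap, client, pmk, now=60))            # cache hit: 4-way handshake only
    print(roam_to(cache, ap, client, pmk, now=720 * 60 + 1))  # entry expired: full 802.1X
```

The passphrase "password" with SSID "IEEE" is the published 802.11i test vector and is used only so the derived PSK can be checked against it. The cache TTL stands in for the finite lifetime that the tutorial says is configured on both the client and the AP; once it elapses, the PMKID offered by the client no longer matches an entry and the full 802.1X exchange runs again.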

WPA2 is available in two different modes:

  • WPA2-Enterprise: Uses 802.1X authentication and is designed for medium and large infrastructure mode networks
  • WPA2-Personal: Uses a PSK for authentication and is designed for SOHO infrastructure mode networks

Table-2 summarizes the 802.11 wireless LAN security standards.

Table-2 802.11 Wireless LAN Security Standards
Security Standard | Authentication Methods | Encryption Methods | Encryption Key Size (bits) | Comments
IEEE 802.11 | Open system and shared key | WEP | 40 and 104 | Weak authentication and encryption. Use is highly discouraged.
IEEE 802.1X | EAP authentication methods | N/A | N/A | Strong EAP methods provide strong authentication.
WPA-Enterprise | 802.1X | TKIP and AES (optional) | 128 | Strong authentication (with strong EAP method) and strong (TKIP) or very strong (AES) encryption.
WPA-Personal | PSK | TKIP and AES (optional) | 128 | Strong authentication (with strong PSK) and strong (TKIP) or very strong (AES) encryption.
WPA2-Enterprise | 802.1X | TKIP and AES | 128 | Strong authentication (with strong EAP method) and strong (TKIP) or very strong (AES) encryption.
WPA2-Personal | PSK | TKIP and AES | 128 | Strong authentication (with strong PSK) and strong (TKIP) or very strong (AES) encryption.

Windows Vista and Windows Server 2008 support the following security standards for 802.11 wireless LAN networking (the wireless network adapter and driver must also support the standard):

  • 802.11 with WEP
  • 802.1X
  • WPA-Enterprise
  • WPA-Personal
  • WPA2-Enterprise
  • WPA2-Personal
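To apply the Table-2 ratings to what Windows actually stores, here is an added example (not the tutorial's code and not a Microsoft tool) that audits WLAN profile XML in the v1 profile schema that `netsh wlan export profile` writes. It maps each profile's authentication and encryption values to the matching Table-2 row, reads the optional PMK caching and preauthentication elements, and flags the configurations Table-2 rates weak. The three profiles are constructed samples, and the 20-character passphrase threshold is a policy value chosen for this example, not a figure from the tutorial.

```python
"""Added example (not from the tutorial, not a Microsoft tool): rate Windows WLAN
profiles against Table-2. Profiles use the v1 schema written by
`netsh wlan export profile`; the sample profiles below are constructed."""
import xml.etree.ElementTree as ET

NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Table-2 rows keyed by the profile's <authentication> value.
AUTH_RATING = {
    "open": ("IEEE 802.11 (open system)", "weak"),
    "shared": ("IEEE 802.11 (shared key)", "weak"),
    "WPA": ("WPA-Enterprise", "strong (with strong EAP method)"),
    "WPAPSK": ("WPA-Personal", "strong (with strong PSK)"),
    "WPA2": ("WPA2-Enterprise", "strong (with strong EAP method)"),
    "WPA2PSK": ("WPA2-Personal", "strong (with strong PSK)"),
}
# Table-2 encryption ratings keyed by the profile's <encryption> value.
ENC_RATING = {"none": "none", "WEP": "weak", "TKIP": "strong", "AES": "very strong"}
MIN_PASSPHRASE_CHARS = 20  # policy value chosen for this example


def audit_profile(profile_xml: str) -> dict:
    root = ET.fromstring(profile_xml)
    sec = root.find("p:MSM/p:security", NS)
    auth = sec.findtext("p:authEncryption/p:authentication", namespaces=NS)
    enc = sec.findtext("p:authEncryption/p:encryption", namespaces=NS)
    standard, auth_rating = AUTH_RATING.get(auth, (auth, "unknown"))
    findings = []
    if auth in ("open", "shared") or enc in ("WEP", "none"):
        findings.append("802.11 authentication/WEP: use is highly discouraged")
    elif enc == "TKIP":
        findings.append("TKIP selected although AES is available for WPA/WPA2")
    if auth in ("WPAPSK", "WPA2PSK"):
        # An exported profile carries the passphrase in clear only when
        # <protected> is false; otherwise keyMaterial is stored encrypted.
        key = sec.findtext("p:sharedKey/p:keyMaterial", default="", namespaces=NS)
        protected = sec.findtext("p:sharedKey/p:protected", namespaces=NS) == "true"
        if not protected and len(key) < MIN_PASSPHRASE_CHARS:
            findings.append("short passphrase: PSK strength is the network's strength")
    return {
        "profile": root.findtext("p:name", namespaces=NS),
        "standard": standard,
        "authentication": auth_rating,
        "encryption": ENC_RATING.get(enc, "unknown"),
        # Optional fast-roaming elements (WPA2-Enterprise profiles); None if absent.
        "pmk_caching": sec.findtext("p:PMKCacheMode", namespaces=NS),
        "pmk_cache_ttl": sec.findtext("p:PMKCacheTTL", namespaces=NS),
        "preauthentication": sec.findtext("p:preAuthMode", namespaces=NS),
        "findings": findings,
    }


def sample_profile(name, auth, enc, extra=""):
    # Minimal constructed profile in the v1 schema; real exports carry more elements.
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>{auth}</authentication>
      <encryption>{enc}</encryption>
    </authEncryption>
    {extra}
  </security></MSM>
</WLANProfile>"""


# Constructed fragments: a clear-text PSK block and WPA2-Enterprise roaming settings.
PSK_SHAREDKEY = """<sharedKey><keyType>passPhrase</keyType><protected>false</protected>
      <keyMaterial>correct horse battery staple</keyMaterial></sharedKey>"""
ENTERPRISE_ROAMING = """<PMKCacheMode>enabled</PMKCacheMode><PMKCacheTTL>720</PMKCacheTTL>
      <PMKCacheSize>128</PMKCacheSize><preAuthMode>enabled</preAuthMode>
      <preAuthThrottle>3</preAuthThrottle>"""

if __name__ == "__main__":
    for args in (("Lab-WEP", "shared", "WEP"),
                 ("Home", "WPA2PSK", "AES", PSK_SHAREDKEY),
                 ("Corp", "WPA2", "TKIP", ENTERPRISE_ROAMING)):
        print(audit_profile(sample_profile(*args)))
```

On a real machine the input would come from the XML files that `netsh wlan export profile` writes to a folder, one per profile; the audit reads only the security element, so the additional elements in a genuine export do not affect it.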

Components of 802.11 Wireless Networks

The components of Windows-based 802.11 protected wireless networks.

The components are:

  • Wireless clients: Initiate wireless connections to wireless APs and communicate with intranet resources or other wireless clients once connected
  • Wireless APs: Listen for wireless connection attempts, enforce authentication and connection requirements, and forward frames between wireless clients and intranet resources
  • RADIUS servers: Provide centralized authentication and authorization processing and accounting for network access attempts from wireless APs and other types of access servers
  • Active Directory domain controllers: Validate user credentials for authentication and provide account information to the RADIUS servers to evaluate authorization
  • Certification authorities: Part of the PKI that issues computer or user certificates to wireless clients and computer certificates to RADIUS servers