WLAN Security

Foreword

 Because the transmission medium in wireless communications is open, WLAN security is a primary concern. As 802.11 provides ever-higher access bandwidth, more and more users adopt WLANs and expect secure access. How to protect user access and data transmission has therefore attracted growing attention from users and enterprises.
 This course describes WLAN access security, data security, and security configuration.

1 Huawei Confidential
Objectives

Upon completion of this course, you will be able to:
 Describe WLAN security threats.
 Describe WLAN security defense mechanisms.
 List common WLAN access authentication modes.
Contents

1. WLAN Security

2. WLAN Network Access Control

3. WLAN Security Configuration

Common WLAN Security Threats

[Figure: a STA associates through an AC with AP 1 (SSID: Huawei, authentication mode: open, encryption mode: open); an attack device captures the traffic; AP 2 is a rogue AP advertising the same SSID (Huawei) with open authentication and open encryption.]

• No authentication: Attackers can connect to a Wi-Fi network at will to intrude into the network.
• Non-encrypted wireless data: Attackers can intercept and tamper with service data transmitted over wireless channels by capturing packets over the air interface.
• Perimeter threat: If a rogue AP publishes the same SSID as authorized APs, STAs may connect to the rogue AP. As a result, STA data is intercepted.
WLAN Security Defense
 Security authentication
  Only authorized users are allowed to access and use the network.
  Two-way authentication available: The client and server can authenticate each other.
 Data encryption and integrity
  The confidentiality of data transmitted through transmission media is ensured.
  Hash, message integrity check (MIC), and cyclic redundancy check (CRC) guarantee data integrity.
 Perimeter security (not described in this chapter)
  The Wireless Intrusion Detection System (WIDS) monitors the running status of networks and systems in accordance with given security policies, analyzes user activities, and determines the type of intrusion events to detect unauthorized networks.
  The Wireless Intrusion Prevention System (WIPS) monitors wireless networks in real time to detect intrusion events and provide active defense against and warning of attack behaviors.
WLAN Access Process
 A STA discovers surrounding wireless networks in active/passive scanning mode. After link authentication, association, and access authentication are complete, the STA can connect to an AP and access wireless services.

[Figure: message sequence between the STA and the AP]
1. Active/passive scanning
2. Authentication Request (STA to AP)
3. Authentication Response (AP to STA)
4. Association Request (STA to AP)
5. Association Response (AP to STA)
6. Access authentication
Link Authentication: Open System Authentication
 To ensure wireless link security, an AP needs to authenticate STAs that attempt to access the AP. IEEE 802.11 defines two link authentication modes: open system authentication and shared key authentication.
 Open system authentication performs no real authentication. In this mode, an AP responds to the authentication request from any STA with a message indicating that the STA passes the authentication.
 If you want to connect to an SSID that uses open system authentication, no authentication credential is required, and the system displays a message indicating that you have been associated with the WLAN.

[Figure: the STA sends an Authentication Request; the AP returns an Authentication Response]
Link Authentication: Shared Key Authentication
 Shared key authentication requires that a STA and an AP have the same key preconfigured. In this authentication mode, the AP checks whether its key is the same as that on the STA during link authentication. If so, the authentication is successful. Otherwise, the STA fails the authentication.

[Figure: four-message exchange between the STA and the AP]
1. Authentication Request (STA to AP)
2. Authentication Response (Challenge) (AP to STA)
3. Authentication Response (Encrypted Challenge) (STA to AP)
4. Authentication Response (Success) (AP to STA)
User Access Security Overview
 To ensure secure access of wireless users on a WLAN, access security measures need to be taken, for example, establishing security associations through authentication to ensure the validity of the identities of all communication entities.
 Access stages: scanning, link authentication, association, access authentication, key negotiation, data encryption, wireless network access.

[Figure: the access stages above mapped to the three security policies]
 Access authentication security policy: Open
  • Link authentication: open system authentication
  • Access authentication: N/A
  • Data encryption: no encryption
 Access authentication security policy: WEP
  • Link authentication: shared key authentication or open system authentication
  • Data encryption: RC4
 Access authentication security policy: WPA/WPA2
  • Link authentication: open system authentication
  • Access authentication: PSK, PPSK, or 802.1X
  • Key negotiation: PTK/GTK
  • Data encryption: TKIP or CCMP
Access Authentication Security Policy: WEP
 Wired Equivalent Privacy (WEP) is a security mechanism defined in IEEE 802.11 to prevent the interception of data transmitted by authorized users on a WLAN.
 WEP uses the Rivest Cipher 4 (RC4) algorithm and a static key to encrypt data. All STAs associated with the same SSID use the same key to join a WLAN.
 Shared key authentication is supported only by WEP and requires that the same shared key be configured on a STA and the AP with which the STA attempts to associate.
 The WEP key is exchanged in clear text, which is insecure. Therefore, WEP is not recommended.

[Figure: wireless network attributes configured on the STA, and the shared key authentication exchange with the AP]
Wireless network attributes on the STA:
• SSID: test
• Network authentication: Shared
• Data encryption: WEP
• Network key: ********
• Confirm network key: ********
• Key index: 1
The STA is associated with an SSID using shared key authentication: Authentication Request; Authentication Response (Challenge); Authentication Response (Encrypted Challenge); Authentication Response (Success).
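The four-message shared key authentication exchange from the "Link Authentication: Shared Key Authentication" and WEP slides, simulated end to end as an added example (not Huawei's code and not part of the course material). Both sides hold the same static WEP key; the AP issues a random challenge, the STA returns it RC4-encrypted under IV || key, and the AP decrypts with its own key and compares. RC4 is implemented inline so only the standard library is needed; the frame layout, the class names and the sample key are assumptions. The transcript the function returns is what an observer on the air interface sees: all four frames are unencrypted management frames, so the challenge and its encrypted form both travel in clear, which is the property behind the slide's "not recommended" verdict.

```python
"""Simulated IEEE 802.11 shared key authentication (added example, not Huawei's code)."""
import os
from typing import Dict, List


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation, XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


class AccessPoint:
    """AP side: issues a 128-octet challenge and checks the encrypted reply."""

    def __init__(self, wep_key: bytes) -> None:
        self.wep_key = wep_key
        self.pending: Dict[str, bytes] = {}    # STA MAC -> outstanding challenge

    def on_auth_request(self, sta_mac: str) -> Dict:
        challenge = os.urandom(128)            # 802.11 challenge text is 128 octets
        self.pending[sta_mac] = challenge
        return {"seq": 2, "status": "challenge", "challenge": challenge}

    def on_encrypted_challenge(self, sta_mac: str, iv: bytes, ciphertext: bytes) -> Dict:
        expected = self.pending.pop(sta_mac, None)
        if expected is None:
            return {"seq": 4, "status": "failure"}   # no challenge outstanding for this STA
        # WEP per-frame key = 24-bit IV prepended to the static key.
        plaintext = rc4(iv + self.wep_key, ciphertext)
        return {"seq": 4, "status": "success" if plaintext == expected else "failure"}


class Station:
    """STA side: encrypts the challenge under a fresh IV and the static key."""

    def __init__(self, wep_key: bytes) -> None:
        self.wep_key = wep_key

    def answer(self, challenge: bytes) -> Dict:
        iv = os.urandom(3)
        return {"seq": 3, "iv": iv, "ciphertext": rc4(iv + self.wep_key, challenge)}


def shared_key_auth(ap_key: bytes, sta_key: bytes, sta_mac: str = "aaaa-aaaa-aaaa") -> List[Dict]:
    """Run the exchange and return the four frames as seen on the air interface
    (challenge and encrypted challenge are both visible to any listener)."""
    ap, sta = AccessPoint(ap_key), Station(sta_key)
    transcript = [{"seq": 1, "sta": sta_mac}]                       # Authentication Request
    msg2 = ap.on_auth_request(sta_mac)
    transcript.append(msg2)                                         # Response (Challenge)
    msg3 = sta.answer(msg2["challenge"])
    transcript.append(msg3)                                         # Response (Encrypted Challenge)
    transcript.append(ap.on_encrypted_challenge(sta_mac, msg3["iv"], msg3["ciphertext"]))  # Success/Failure
    return transcript


def auth_result(ap_key: bytes, sta_key: bytes) -> str:
    """Final status of one exchange: 'success' or 'failure'."""
    return shared_key_auth(ap_key, sta_key)[-1]["status"]


if __name__ == "__main__":
    key = b"huawei123abcd"                      # constructed 13-byte (WEP-104) key
    print(auth_result(key, key))                # success
    print(auth_result(key, b"wrongkey12345"))   # failure
```

The two sides agree only when the static keys match; a STA with a different key still produces a well-formed message 3, so the AP must compare the decrypted challenge rather than merely accept a reply.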
Access Authentication Security Policy: WPA/WPA2
WPA/WPA2-Personal
• For small or midsize WLANs, deploying a dedicated authentication server is costly and difficult to maintain.
• WPA/WPA2-Personal uses pre-shared keys (WPA/WPA2-PSK) for simpler implementation and management.
• No dedicated authentication server is required. Only a pre-shared key needs to be entered in advance on each WLAN node (such as the WLAN server, wireless router, and network adapter). A WLAN client can access the WLAN if its pre-shared key is the same as that configured on the WLAN node.
• The pre-shared key is used only for authentication but not for encryption; therefore, it does not carry the security risks of 802.11 shared key authentication.

WPA/WPA2-Enterprise
• The WPA/WPA2-802.1X authentication mode is used.
• The RADIUS server and Extensible Authentication Protocol (EAP) are used for authentication.
• Users provide the information required for authentication, including the user name and password, and are authenticated by an authentication server (generally a RADIUS server).
• Large-scale enterprise WLANs usually use WPA/WPA2-Enterprise for authentication.
PSK and PPSK Authentication
[Figure: PSK: SSID = huawei, and every STA (aaaa-aaaa-aaaa, bbbb-bbbb-bbbb) uses the same PSK = huawei123. PPSK: SSID = huawei with a per-STA key table (MAC aaaa-aaaa-aaaa: huawei123; MAC bbbb-bbbb-bbbb: huawei456); aaaa-aaaa-aaaa connects with PSK = huawei123, bbbb-bbbb-bbbb connects with PSK = huawei456 (√), and cccc-cccc-cccc, which has no entry in the table, is rejected (×).]

• WPA/WPA2-PSK authentication requires that the same pre-shared key be configured on a wireless client and a wireless server (such as an AP).
• All clients connected to a specified SSID use the same key, which may bring security risks.
• WPA/WPA2-PPSK authentication inherits the advantages of WPA/WPA2-PSK authentication and is easy to deploy. In addition, WPA/WPA2-PPSK authentication provides different pre-shared keys for different clients, improving network security.
• Users connected to the same SSID can have different keys.
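An added example (not Huawei's code) of how an authenticator decides which key a station proved, contrasting one shared PSK with a PPSK table keyed per user. The PMK derivation is the real WPA/WPA2-Personal rule (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes). The proof the station sends is a simplified HMAC stand-in for the 4-way handshake MIC, not the 802.11i derivation; the `PpskEntry` fields mirror the user-name, mac-address, max-device and expire-date parameters of the `ppsk-user` command shown later in the course. The MACs, passphrases, dates and class names are constructed for the example.

```python
"""PSK versus PPSK on one SSID (added example, not Huawei's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal Pairwise Master Key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def mac_bytes(mac: str) -> bytes:
    """'aaaa-aaaa-aaaa' (Huawei notation) or 'aa:aa:aa:aa:aa:aa' to six raw bytes."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def station_proof(passphrase: str, ssid: str, nonce: bytes, sta_mac: str) -> bytes:
    """STA side. Simplified stand-in for the handshake MIC: HMAC keyed with the PMK."""
    return hmac.new(derive_pmk(passphrase, ssid), nonce + mac_bytes(sta_mac), "sha256").digest()


@dataclass
class PpskEntry:
    passphrase: str
    user_name: str
    max_device: Optional[int] = None        # None = unlimited, i.e. plain PSK behaviour
    mac_address: Optional[str] = None       # key usable only from this STA
    expire_date: Optional[date] = None      # key unusable after this day
    active: Set[str] = field(default_factory=set)   # STAs currently admitted on this key


class Authenticator:
    """AP/AC side. One unbound entry is ordinary WPA2-PSK; several entries are
    PPSK, where the AC must work out which configured key the STA has proved."""

    def __init__(self, ssid: str, entries: List[PpskEntry], today: date) -> None:
        self.ssid, self.today = ssid, today
        self.entries = [(e, derive_pmk(e.passphrase, ssid)) for e in entries]  # PMKs computed once

    def new_nonce(self) -> bytes:
        return os.urandom(32)

    def authenticate(self, sta_mac: str, nonce: bytes, proof: bytes) -> Optional[str]:
        """Return the admitted user name, or None when no usable key matches."""
        for entry, pmk in self.entries:
            if entry.mac_address and entry.mac_address != sta_mac:
                continue                                    # bound to another STA
            if entry.expire_date and self.today > entry.expire_date:
                continue                                    # expired account
            expected = hmac.new(pmk, nonce + mac_bytes(sta_mac), "sha256").digest()
            if not hmac.compare_digest(expected, proof):
                continue                                    # STA did not prove this key
            if (entry.max_device is not None and sta_mac not in entry.active
                    and len(entry.active) >= entry.max_device):
                return None                                 # max-device reached
            entry.active.add(sta_mac)
            return entry.user_name
        return None


def try_connect(ac: Authenticator, sta_mac: str, passphrase: str) -> Optional[str]:
    """One admission attempt: the AC issues a nonce, the STA answers with its proof."""
    nonce = ac.new_nonce()
    return ac.authenticate(sta_mac, nonce, station_proof(passphrase, ac.ssid, nonce, sta_mac))


def build_demo(today: date = date(2021, 1, 1)) -> Dict[str, Authenticator]:
    """Constructed sample: one PSK SSID and one PPSK SSID with the per-MAC table above."""
    psk = Authenticator("huawei-psk", [PpskEntry("huawei123", "shared")], today)
    ppsk = Authenticator("huawei", [
        PpskEntry("huawei123", "user-a", max_device=1, mac_address="aaaa-aaaa-aaaa"),
        PpskEntry("huawei456", "user-b", max_device=1, mac_address="bbbb-bbbb-bbbb"),
        PpskEntry("Huawei@123", "user-c", max_device=1),            # not MAC-bound, one device
        PpskEntry("Huawei12#$", "guest", expire_date=date(2020, 12, 31)),
    ], today)
    return {"psk": psk, "ppsk": ppsk}


if __name__ == "__main__":
    demo = build_demo()
    print(try_connect(demo["ppsk"], "aaaa-aaaa-aaaa", "huawei123"))   # user-a
    print(try_connect(demo["ppsk"], "cccc-cccc-cccc", "huawei123"))   # None
```

With the PSK authenticator any STA that knows huawei123 is admitted, which is the "same key for all clients" risk the slide names; with PPSK the same passphrase is accepted only from the STA it is bound to, a key stops working on its expiry date, and a one-device key cannot be reused from a second STA.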
WLAN Security Encryption
 After a WLAN user is authenticated and authorized to access a WLAN, the WLAN must use a mechanism to protect data of the user against tampering and eavesdropping. Encryption is the most commonly used mechanism. Encryption algorithms ensure that only devices with correct keys can decrypt received packets.
 WLAN encryption modes:
  Temporal Key Integrity Protocol (TKIP)
  Counter Mode with CBC-MAC Protocol (CCMP)
 WPA uses the TKIP encryption algorithm to provide a key reset mechanism and enhance the valid length of the key, alleviating the WEP key flaw.
 WPA2 uses the CCMP encryption mechanism, which adopts the Advanced Encryption Standard (AES) encryption algorithm. This algorithm is a symmetric block encryption technology and makes the key more difficult to crack than the TKIP encryption algorithm.
 Both WPA and WPA2 can use the TKIP or AES encryption algorithm for better compatibility. TKIP and AES provide almost the same security level.
WLAN Security Policy Comparison
Security policy: Open
 Link authentication: open system authentication
 Access authentication: N/A
 Encryption algorithm: no encryption
 Recommended application scenario: networks with low security requirements
 Description: Wireless devices can connect to a WLAN without authentication.

Security policy: WEP-open
 Link authentication: open system authentication
 Access authentication: No access authentication is provided. This security policy can be used together with Portal or MAC address authentication.
 Encryption algorithm: no encryption/RC4
 Recommended application scenario: public places with high user mobility, such as airports, stations, business centers, and conference venues
 Description: It is insecure when used independently, because any wireless client can access the WLAN without authentication. You are advised to configure this security policy together with Portal or MAC address authentication.

Security policy: WEP-share-key
 Link authentication: shared key authentication
 Access authentication: N/A
 Encryption algorithm: RC4
 Recommended application scenario: networks with low security requirements
 Description: This security policy is not recommended due to its low security.

Security policy: WPA/WPA2-PSK
 Link authentication: open system authentication
 Access authentication: PSK authentication
 Encryption algorithm: TKIP/AES
 Recommended application scenario: home users or small/midsize enterprise networks
 Description: This security policy has higher security than WEP shared key authentication. Additionally, no third-party server is required and the cost is low.

Security policy: WPA/WPA2-802.1X
 Link authentication: open system authentication
 Access authentication: 802.1X authentication
 Encryption algorithm: TKIP/AES
 Recommended application scenario: large-scale enterprise networks with high security requirements
 Description: This security policy provides high security and requires a third-party server, resulting in high costs.
Contents

1. WLAN Security

2. WLAN Network Access Control

3. WLAN Security Configuration

NAC
 Network Access Control (NAC) is an end-to-end security technology that authenticates access clients and users to ensure network security.
 NAC works together with the authentication, authorization, and accounting (AAA) server to implement access authentication.

[Figure: campus network with an AC, an AP, and an AAA server]
• NAC:
  Is used for interaction between users and access devices.
  Controls the user access mode (802.1X, MAC, or portal authentication) as well as parameters and timers during user access.
  Ensures secure, stable connections between authorized users and access devices.
• AAA:
  Is used for interaction between access devices and the AAA server.
  The AAA server controls the access rights of access users by authenticating, authorizing, and accounting for them.
AAA
 Authentication, authorization, and accounting (AAA) provides a management mechanism for network security.
  Authentication: verifies whether users are permitted to access the network.
  Authorization: allows users to use particular services.
  Accounting: records the network resources used by users.

Authentication: A user enters the user name and password for identity authentication when accessing a network.
Authorization: The user passes the identity authentication, and the network delivers the user authorization information (for example, the user belongs to VLAN 10 and can access the Internet).
Accounting: The user is connected to the network, and accounting is started.
RADIUS
 AAA can be implemented using multiple protocols. RADIUS is most frequently used in actual scenarios.
 RADIUS is a protocol that uses the client/server model in distributed mode and protects a network from unauthorized access. It is often used in network environments that require high security and allow remote user access.
 It defines the UDP-based RADIUS packet format and transmission mechanism, and specifies UDP ports 1812 and 1813 for authentication and accounting, respectively.
 RADIUS has the following characteristics:
  Client/Server model
  Secure message exchange mechanism
  Fine scalability

[Figure: RADIUS server, RADIUS client (AC), AP, and STA. The AC and the RADIUS server exchange RADIUS packets to implement the AAA function.]
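An added example (not Huawei's code and not from the course) of the RADIUS packet exchange the slide describes between the AC (RADIUS client) and the RADIUS server: the RFC 2865 packet layout, User-Password hiding with MD5 over the shared secret and Request Authenticator, and the Response Authenticator that the client must verify before trusting an Access-Accept. Transport is a direct function call instead of UDP port 1812; the shared secret, NAS address, user database and class names are constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept exchange (added example, not Huawei's code)."""
import hashlib, hmac, os, struct
from typing import Dict, List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18  # attribute types
AUTH_PORT, ACCT_PORT = 1812, 1813                                      # UDP ports (RFC 2865/2866)
Attrs = List[Tuple[int, bytes]]

def encode_attrs(attrs: Attrs) -> bytes:
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value      # Type, Length incl. header, Value
    return out

def decode_attrs(blob: bytes) -> Attrs:
    attrs, i = [], 0
    while i < len(blob):
        alen = blob[i + 1] if i + 1 < len(blob) else 0
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")        # reject rather than over-read
        attrs.append((blob[i], blob[i + 2:i + alen]))
        i += alen
    return attrs

def build_packet(code: int, ident: int, auth: bytes, attrs: Attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def parse_packet(data: bytes) -> Tuple[int, int, bytes, Attrs]:
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    return code, ident, data[4:20], decode_attrs(data[20:length])

def hide_password(password: str, secret: bytes, req_auth: bytes) -> bytes:
    p = password.encode()
    p += b"\x00" * ((-len(p) % 16) if p else 16)              # pad to a multiple of 16 octets
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block                        # chain on previous ciphertext block
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> str:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", "replace")

def response_authenticator(code: int, ident: int, attrs: Attrs, req_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

class RadiusServer:
    def __init__(self, secret: bytes, users: Dict[str, str]) -> None:
        self.secret, self.users = secret, users

    def handle(self, data: bytes) -> bytes:
        code, ident, req_auth, attrs = parse_packet(data)
        f = dict(attrs)
        if code == ACCESS_REQUEST and USER_NAME in f and USER_PASSWORD in f:
            user = f[USER_NAME].decode("utf-8", "replace")
            if self.users.get(user) == reveal_password(f[USER_PASSWORD], self.secret, req_auth):
                return self._reply(ACCESS_ACCEPT, ident, req_auth, [])
        return self._reply(ACCESS_REJECT, ident, req_auth, [(REPLY_MESSAGE, b"access denied")])

    def _reply(self, code: int, ident: int, req_auth: bytes, attrs: Attrs) -> bytes:
        return build_packet(code, ident, response_authenticator(code, ident, attrs, req_auth, self.secret), attrs)

class RadiusClient:
    """The AC: drops any reply whose Identifier or Response Authenticator does
    not verify (wrong secret, forged or replayed packet)."""
    def __init__(self, secret: bytes, nas_ip: bytes = bytes([192, 168, 1, 1])) -> None:
        self.secret, self.nas_ip = secret, nas_ip

    def request(self, ident: int, user: str, password: str) -> Tuple[bytes, bytes]:
        req_auth = os.urandom(16)                              # fresh and unpredictable per request
        attrs = [(USER_NAME, user.encode()),
                 (USER_PASSWORD, hide_password(password, self.secret, req_auth)),
                 (NAS_IP_ADDRESS, self.nas_ip)]
        return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

    def check(self, data: bytes, ident: int, req_auth: bytes) -> str:
        code, rid, resp_auth, attrs = parse_packet(data)
        expected = response_authenticator(code, rid, attrs, req_auth, self.secret)
        if rid != ident or not hmac.compare_digest(resp_auth, expected):
            return "invalid"
        return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")

def run_exchange(user: str, password: str, client_secret: bytes = b"s3cret",
                 server_secret: bytes = b"s3cret") -> str:
    server = RadiusServer(server_secret, {"alice": "huawei123"})   # constructed user database
    client = RadiusClient(client_secret)
    req, req_auth = client.request(7, user, password)
    return client.check(server.handle(req), 7, req_auth)
```

The shared secret never crosses the wire; it only keys the password hiding and the authenticators. A mismatched secret therefore shows up on the AC as an unverifiable reply ("invalid"), not as a reject, which is the symptom to look for when an AC and a RADIUS server are misconfigured.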
802.1X Authentication
 IEEE 802.1X is an IEEE standard for port-based network access control. It is mainly used for authentication and security on the Ethernet.
 802.1X authentication uses the typical client/server model and consists of three entities: supplicant, authenticator, and authentication server.
 The authentication server is usually a RADIUS server, which is used to perform authentication, authorization, and accounting for supplicants.
 802.1X authentication is recommended for employees of midsize to large enterprises.

[Figure: supplicant (STA), AP, authenticator (AC), IP network, and authentication server (RADIUS)]
1. The supplicant initiates authentication.
2. The authentication server performs authentication.
3. The supplicant accesses the network after the authentication is successful.
MAC Address Authentication
 MAC address authentication controls a user's network access rights based on the user's MAC address. In this authentication mode, the user does not need to install any client software.
 The access device whose interface has MAC address authentication enabled starts authenticating a user when detecting the user's MAC address for the first time.
 During the authentication process, the user does not need to enter a user name or password.
 MAC address authentication is usually used for dumb terminals (such as printers) to access the network. It can also be used with an authentication server to implement MAC address-prioritized portal authentication: After a user passes the authentication for the first time, the user can access the network again without authentication within a specified period of time.

[Figure: STA (MAC address: MAC1), AP, AC, and RADIUS server; the user name and password sent to the RADIUS server are MAC1/MAC1]
Portal Authentication
 Portal authentication is also called web authentication. In this authentication mode, a browser is used as the authentication client, and no independent authentication client needs to be installed, as shown in the following figure.
 Before a user can access the Internet, the user must be authenticated on the portal page. The user can access network resources only after passing the authentication. In addition, the service provider can expand their business on the portal page, for example, by displaying merchant advertisements.
 Portal authentication is recommended for guests, business exhibitions, and public places of large or midsize enterprises.
 Common portal authentication modes include:
  User name and password authentication: The administrator registers a temporary account for guests. The guests use this temporary account for authentication.
  SMS authentication: Guests are authenticated using verification codes.

[Figure: STA, AP, AC, and RADIUS server, with a portal server attached to the AC]
MAC Address-Prioritized Portal Authentication
 MAC address-prioritized portal authentication allows disconnected users who have passed portal authentication to access the network again within a certain period of time, without entering the user name and password, as long as they pass MAC address authentication.
 After a user passes portal authentication, the user can access the network again through MAC address authentication within the validity period of the MAC address.
 MAC address-prioritized portal authentication saves users the time of obtaining SMS messages or following official accounts each time they are authenticated.

[Figure: STA, AP, portal server, AC, and RADIUS server]
1. The STA initiates an HTTP connection request.
2. The AC initiates MAC address authentication using the STA's MAC address.
3. The account exists, and MAC address authentication is successful.
MAC address authentication: in the validity period of the MAC address, the user can access the Internet again after going offline.
Authentication Mode Comparison
 NAC provides three authentication modes: 802.1X authentication, MAC address authentication, and portal authentication. The three authentication modes are implemented differently and are applicable to different scenarios. In practice, you can use a proper authentication mode or multiple authentication modes (mixed authentication) based on scenarios. The combination of authentication modes depends on device specifications.

802.1X authentication
 Application scenario: new network with concentrated users and high requirements for security
 Client: required
 Advantage: high security
 Disadvantage: inflexible deployment

MAC address authentication
 Application scenario: authentication of dumb terminals such as printers and fax machines
 Client: not required
 Advantage: no client required
 Disadvantage: MAC address registration required, making management complex

Portal authentication
 Application scenario: scenarios where users are sparsely distributed or move freely
 Client: not required
 Advantage: flexible deployment
 Disadvantage: low security
Contents

1. WLAN Security

2. WLAN Network Access Control

3. WLAN Security Configuration

Configuring Open Authentication
 Create a security profile.
[AC] wlan
[AC-wlan-view] security-profile name profile-name
  Create a security profile and enter the security profile view. By default, security profiles default, default-wds, and default-mesh are created.
 Set the security policy to open authentication.
[AC-wlan-sec-prof-wlan] security open
  Set the security policy to open authentication. By default, the security policy is open.
Configuring a WEP Security Policy
 Create a security profile.
[AC] wlan
[AC-wlan-view] security-profile name profile-name
 Set the security policy to WEP.
[AC-wlan-sec-prof-wlan] security wep share-key
 Configure a WEP shared key.
[AC-wlan-sec-prof-wlan] wep key key-id { wep-40 | wep-104 | wep-128 } { pass-phrase | hex } key-value
  Configure a shared key and a key index for static WEP.
Configuring WPA/WPA2-PSK Authentication
 Create a security profile.
[AC] wlan
[AC-wlan-view] security-profile name profile-name
 Set the security policy to WPA/WPA2-PSK.
[AC-wlan-sec-prof-wlan] security { wpa | wpa2 | wpa-wpa2 } psk { pass-phrase | hex } key-value { aes | tkip | aes-tkip }
Configuring WPA/WPA2-PPSK Authentication
 Create a security profile.
[AC] wlan
[AC-wlan-view] security-profile name profile-name
 Set the security policy to WPA/WPA2-PPSK.
[AC-wlan-sec-prof-wlan] security { wpa | wpa2 | wpa-wpa2 } ppsk { aes | tkip | aes-tkip }
[AC-wlan-sec-prof-wlan] quit
 Set PPSK key parameters.
[AC-wlan-view] ppsk-user psk { pass-phrase | hex } key-value [ user-name user-name | user-group user-group | vlan vlan-id | expire-date expire-date [ expire-hour expire-hour ] | max-device max-device-number | branch-group branch-group | mac-address mac-address ]* ssid ssid
  Create a PPSK user, and configure the password, user name, user group, authorized VLAN, expiration time, maximum number of access users, branch group, MAC address, and SSID for the PPSK user.
Case: PSK and PPSK
 As shown in the figure, the customer requires that the WLAN be able to provide network services for both the R&D department and the finance department. For employees in the finance department, a unified password authentication mode with high password security is needed. For employees in the R&D department, each employee requires one password for authentication.

[Figure: topology with interfaces GE0/0/1, GE0/0/2, and GE0/0/3 between the AC, the switch, and the APs]
SSID1: Finance
 Security policy: WPA2+PSK+AES
 Password: Finance@123
SSID2: RD
 Security policy: WPA2+PPSK+AES
 Password 1: Huawei@123
 Password 2: Huawei12#$
Creating Security Profiles

 Create security profiles Finance and RD, and set the corresponding security policies.

[AC-wlan-view] security-profile name Finance
[AC-wlan-sec-prof-Finance] security wpa2 psk pass-phrase Finance@123 aes
[AC-wlan-sec-prof-Finance] quit
[AC-wlan-view] security-profile name RD
[AC-wlan-sec-prof-RD] security wpa2 ppsk aes
[AC-wlan-sec-prof-RD] quit
[AC-wlan-view] ppsk-user psk pass-phrase Huawei@123 max-device 1 ssid RD
[AC-wlan-view] ppsk-user psk pass-phrase Huawei12#$ max-device 1 ssid RD
Binding Profiles

 Bind the two security profiles to the corresponding VAP profiles.

[AC-wlan-view] vap-profile name Finance
[AC-wlan-vap-prof-Finance] security-profile Finance
[AC-wlan-vap-prof-Finance] quit
[AC-wlan-view] vap-profile name RD
[AC-wlan-vap-prof-RD] security-profile RD
[AC-wlan-vap-prof-RD] quit
Viewing AP Signal Information
 WLAN service configurations are automatically delivered to APs. After the configurations are complete, run the "display vap ssid RD" command to check the authentication type (Auth type).
[AC-wlan-view]display vap ssid RD
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------------
0 AP1 0 1 00E0-FC41-6340 ON WPA/WPA2-PPSK 0 RD
0 AP1 1 1 00E0-FC41-6350 ON WPA/WPA2-PPSK 0 RD
1 AP2 0 1 00E0-FCA2-5970 ON WPA/WPA2-PPSK 0 RD
1 AP2 1 1 00E0-FCA2-5980 ON WPA/WPA2-PPSK 0 RD
--------------------------------------------------------------------------------------
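The manual check above scales poorly once an AC serves many APs and SSIDs. As an added example (not Huawei's code), the script below parses the "display vap" table and reports every VAP whose Auth type is not the policy its security profile is supposed to enforce, so a VAP left on the default open policy or bound to the wrong profile is caught before users connect. The first sample is the command output shown above; the second is a constructed copy with one radio altered to an "OPEN" auth type to exercise the check (the label is an assumption, not necessarily what the AC prints). The parser assumes AP names contain no spaces, as in the sample.

```python
"""Checker for 'display vap ssid <ssid>' output (added example, not Huawei's code)."""
from typing import Dict, List

# Output as printed on the page.
SAMPLE_OUTPUT = """\
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------------
0 AP1 0 1 00E0-FC41-6340 ON WPA/WPA2-PPSK 0 RD
0 AP1 1 1 00E0-FC41-6350 ON WPA/WPA2-PPSK 0 RD
1 AP2 0 1 00E0-FCA2-5970 ON WPA/WPA2-PPSK 0 RD
1 AP2 1 1 00E0-FCA2-5980 ON WPA/WPA2-PPSK 0 RD
--------------------------------------------------------------------------------------
"""

# Constructed variant: one radio of AP2 reports an open policy (label assumed).
MISCONFIGURED_OUTPUT = SAMPLE_OUTPUT.replace(
    "1 AP2 1 1 00E0-FCA2-5980 ON WPA/WPA2-PPSK 0 RD",
    "1 AP2 1 1 00E0-FCA2-5980 ON OPEN 0 RD")

COLUMNS = ["ap_id", "ap_name", "rf_id", "wid", "bssid", "status", "auth_type", "sta", "ssid"]


def parse_display_vap(text: str) -> List[Dict[str, str]]:
    """Return one dict per VAP row; banner, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # A data row has exactly nine whitespace-separated fields and a numeric AP ID.
        if len(parts) != len(COLUMNS) or not parts[0].isdigit():
            continue
        rows.append(dict(zip(COLUMNS, parts)))
    return rows


def check_vaps(rows: List[Dict[str, str]], expected: Dict[str, str]) -> List[str]:
    """One finding per VAP whose Auth type differs from the policy expected for its SSID.
    SSIDs absent from `expected` are not judged."""
    findings = []
    for r in rows:
        want = expected.get(r["ssid"])
        if want is not None and r["auth_type"] != want:
            findings.append(f"{r['ap_name']} radio {r['rf_id']} ({r['bssid']}): "
                            f"SSID {r['ssid']} runs {r['auth_type']}, expected {want}")
    return findings


if __name__ == "__main__":
    policy = {"RD": "WPA/WPA2-PPSK", "Finance": "WPA/WPA2-PSK"}   # from the case configuration
    print(check_vaps(parse_display_vap(SAMPLE_OUTPUT), policy))        # []
    for finding in check_vaps(parse_display_vap(MISCONFIGURED_OUTPUT), policy):
        print(finding)
```

The expected-policy table is the design intent from the case (Finance on PSK, RD on PPSK); running the check after every profile change turns the slide's visual inspection into a repeatable verification step.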
Quiz

1. (Multi-Answer Question) Which of the following belong to link authentication? ( )
A. Open system authentication
B. Shared key authentication
C. WPA/WPA2 PSK
D. WPA/WPA2 PPSK
Summary

 WLAN uses radio waves instead of network cables to transmit data. Compared with a wired network, a WLAN is easier to deploy. However, because of the nature of the transmission medium, WLAN security issues are prominent.
 This course describes the security threats facing the WLAN and details common security mechanisms for reducing such threats.
Thank you.

Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.