Chap 20 - Authenticating Wireless Clients

Question 1

How many versions of WPA are there?

Answer 1

3 WPA1, WPA2 and WPA3

Question 2

What does WPA stand for, who certifies it, and what 2 things does it specify?

Answer 2

• Wi-Fi Protected Access
• Certified by Wi-Fi Alliance
• Specifies data confidentiality and integrity methods

Question 3

How many modes of WPA are there?

Answer 3

• WPA Personal (pre-shared key)
• WPA Enterprise (802.1x)

Question 4

How does WPA Personal authenticate?

Answer 4

• A pre-shared key is configured on every client and AP
• Clients and APs use the pre-shared key to do a 4-way handshake to construct and exchange encryption key material without sending the PSK over the air

Question 5

What is the downside to using WPA1-Personal or WPA2-Personal

Answer 5

Malicious user can eavesdrop and capture the four-way handshake and then use a dictionary attack to guess the pre-shared key

Question 6

What has been done differently in WPA3 to avoid the problems with WPA1 and 2?

Answer 6

• Simultaneous Authentication of Equals (SAE) - key exchange strengthened
• Client and AP can initiate the authentication process equally and even simultaneously
• Forward Secrecy - even if the PSK is compromised attackers won’t be able to use it to unencrypt data that has already been transmitted over the air

Question 7

When configuring WPA2-Personal or WPA3-Personal what should you avoid?

Answer 7

Avoid any hybrid mode of WPA like weak WPA with strong AES or strong WPA2 with weak TKIP because these have been deprecated.

Question 8

What 3 parties make up the 802.1x 3 party authentication?

Answer 8

• Supplicant
• Authenticator (usually the WLC)
• Authentication Server (usually a RADIUS server)

Question 9

What does EAP stand for, what does it define, and what does it do?

Answer 9

• Extensible Authentication Protocol
• Defines a set of common functions that actual authentication methods can use
• Allows enough connectivity with the AP to allow the client to authenticate.

Question 10

In 802.1x what role does the WLC play?

Answer 10

Authenticator

Question 11

When configuring the WLC to use 802.1x do you need to select which type of EAP method?

Answer 11

No, that is configured on the RADIUS server and must be supported by the client

Question 12

What is Local EAP?

Answer 12

It allows the client EAP access to the EAP Authentication Server built into the WLC.

Question 13

When using Local EAP what 4 versions are supported?

Answer 13

• LEAP
• PEAP
• EAP-Fast
• EAP-TLS

Question 14

What is WebAuth?

Answer 14

It presents the end user with web page content to read and interact with before granting access to the network.

Question 15

What are the 2 authentication modes supported by WPA?

Answer 15

• Personal mode using PSK
• Enterprise mode using 802.1x

Question 16

How long does a layer 2 Inter-controller roam take?

Answer 16

Less than 20 ms