Given a scenario, install and configure wireless security settings Flashcards

1
Q

Cryptographic protocols

A

WiFi Protected Access 2 (WPA2)
WiFi Protected Access 3 (WPA3)
Counter-mode/CBC-MAC protocol (CCMP)
Simultaneous Authentication of Equals (SAE)

2
Q

WiFi Protected Access 2 (WPA2)

A

Passphrase-based mechanism to allow group authentication to a wireless network. The passphrase is used to derive an encryption key.

In WPA2, pre-shared key (PSK) authentication uses a passphrase to generate the key that is used to encrypt communications. It is also referred to as group authentication because a group of users share the same secret. When the access point is set to WPA2-PSK mode, the administrator configures a passphrase of between 8 and 63 ASCII characters. This is converted to a 256-bit HMAC (expressed as a 64-character hex value) using the PBKDF2 key stretching algorithm. This HMAC is referred to as the pairwise master key (PMK). The same secret must be configured on the access point and on each node that joins the network. The PMK is used as part of WPA2’s 4-way handshake to derive various session keys.

3
Q

WiFi Protected Access 3 (WPA3)

A

While WPA3 still uses a passphrase to authenticate stations in personal mode, it changes the method by which this secret is used to agree session keys. The scheme used is also referred to as Password Authenticated Key Exchange (PAKE). In WPA3, the Simultaneous Authentication of Equals (SAE) protocol replaces the 4-way handshake, which has been found to be vulnerable to various attacks. SAE uses the Dragonfly handshake, which is basically Diffie-Hellman key agreement over elliptic curves, combined with a hash value derived from the password and device MAC address to authenticate the nodes. With SAE, there should be no way for an attacker to sniff the handshake to obtain the hash value and try to use an offline brute-force or dictionary attack to recover the password. Dragonfly also implements ephemeral session keys, providing forward secrecy.

4
Q

Counter-mode/CBC-MAC protocol (CCMP)

A
5
Q

Simultaneous Authentication of Equals (SAE)

A
6
Q

Authentication protocols

A

Extensible Authentication Protocol (EAP)
Protected Extensible Application Protocol (PEAP)
EAP-FAST
EAP-TLS
EAP-TTLS
IEEE 802.1X
Remote Authentication Dial-in User Service

7
Q

Extensible Authentication Protocol (EAP)

A

The Extensible Authentication Protocol (EAP) defines a framework for negotiating authentication mechanisms rather than the details of the mechanisms themselves. Vendors can write extensions to the protocol to support third-party security devices. EAP implementations can include smart cards, one-time passwords, biometric identifiers, or simpler username and password combinations.

8
Q

Protected Extensible Application Protocol (PEAP)

A

EAP implementation that uses a server-side certificate to create a secure tunnel for user authentication, referred to as the inner method.

9
Q

EAP-FAST

A

An EAP method that is expected to address the shortcomings of LEAP.

10
Q

EAP-TLS

A

An EAP method that requires server-side and client-side certificates for authentication using SSL/TLS.

11
Q

EAP-TTLS

A

An EAP method that enables a client and server to establish a secure connection without mandating a client-side certificate.

12
Q

IEEE 802.1X

A

As an alternative to personal authentication, the enterprise authentication method implements IEEE 802.1X to use an Extensible Authentication Protocol (EAP) mechanism. 802.1X defines the use of EAP over Wireless (EAPoW) to allow an access point to forward authentication data without allowing any other type of network access. It is configured by selecting WPA2-Enterprise or WPA3-Enterprise as the security method on the access point.

13
Q

Remote Authentication Dial-in User Service

A

Most implementations of EAP use a RADIUS server to validate the authentication credentials for each user (supplicant). RADIUS federation means that multiple organizations allow access to one another’s users by joining their RADIUS servers into a RADIUS hierarchy or mesh. For example, when Bob from widget.foo needs to log on to grommet.foo’s network, the RADIUS server at grommet.foo recognizes that Bob is not a local user but has been granted access rights and routes the request to widget.foo’s RADIUS server.

14
Q

Methods

A

Pre-shared key (PSK) vs. Enterprise vs. Open
WiFi Protected Setup (WPS)
Captive portals

15
Q

Pre-shared key (PSK) vs. Enterprise vs. Open

A

Passphrase-based mechanism to allow group authentication to a wireless network. The passphrase is used to derive an encryption key.

vs

16
Q

WiFi Protected Setup (WPS)

A
17
Q

Captive portals

A
18
Q

Installation considerations

A
Site surveys
Heat maps
WiFi analyzers
Channel overlaps
Wireless access point (WAP) placement
Controller and access point security
19
Q

Site surveys

A
20
Q

Heat maps

A
21
Q

WiFi analyzers

A
22
Q

Channel overlaps

A
23
Q

Wireless access point (WAP) placement

A
24
Q

Controller and access point security

A