
SmallNetBuilder - Small Network Help

  
How To: Setting up FreeRADIUS for WPA & WPA2 Enterprise - Part 1
Brandon Teska   
November 02, 2007

The Different Flavors of WPA

That's enough background. Let's start talking about WPA. WPA stands for Wi-Fi Protected Access. The original version—WPA—was created by a group organized by the Wi-Fi Alliance. WPA was a stop-gap measure, intended to restore confidence in 802.11 wireless technology that was lost when it was shown that its original security technology—WEP—could be easily compromised.

WPA is based on a subset of IEEE 802.11i, which was slowly crawling toward completion.

WPA2 is an enhanced version of WPA, based on the final, ratified version of IEEE 802.11i. The key difference between WPA and WPA2 is that WPA uses TKIP encryption while WPA2 uses the stronger AES.

Both WPA and WPA2 come in two versions: "Personal" and "Enterprise". The Personal versions are typically referred to as WPA-PSK and WPA2-PSK, with "PSK" meaning "Pre-Shared Key", which is a fancy term for password. The Enterprise versions are commonly referred to as WPA-RADIUS and WPA2-RADIUS because they require a RADIUS server employing one of five different EAP standards. If you want the long story behind why there are five EAP standards, George Ou's article is suggested reading.

| Version | Encryption | Authentication | Pros | Cons |
|---|---|---|---|---|
| WPA-Personal | TKIP | PSK | Easy to set up; Wide h/w support | Weaker encryption; Weak passwords are susceptible to dictionary-type attacks |
| WPA-Enterprise | TKIP | RADIUS+EAP | Robust authentication | Weaker encryption; Requires RADIUS server; Difficult to set up |
| WPA2-Personal | AES | PSK | Easy to set up; Strong encryption | Weak passwords are susceptible to dictionary-type attacks; Might not be supported on older h/w |
| WPA2-Enterprise | AES | RADIUS+EAP | Robust authentication; Strong encryption | Might not be supported on older h/w; Requires RADIUS server; Difficult to set up |
Table 1: Summary of WPA / WPA2 Key Features

Table 1 summarizes the key features and attributes of the four versions. The short story is that you should be using WPA2 if your hardware supports it and WPA2 Enterprise for the most security.

Tip: Our testing of Draft 802.11n products shows significant throughput reduction when using WEP or WPA wireless security. You'll need to use WPA2 (either Personal or Enterprise) in order to minimize throughput loss—which can still run up to around 20% with some products.

The good news is that, with a few exceptions, all current-generation "Wi-Fi" products support at least WPA2 Personal. The bad news is that there are many wireless LAN products out there that can't be upgraded to support WPA2. Sometimes this is because their vendors have not produced the required driver and firmware updates. But there are also older products such as Wi-Fi VoIP phones and media players whose chipsets can't handle the higher number-crunching requirements of AES.

If you find yourself in this situation, your only option is to contact the problem product's vendor and ask whether a WPA2 update is available. If there isn't, see if there is a WPA upgrade. Newer Wi-Fi access points and routers will allow you to run a mix of WPA and WPA2 clients. (They won't allow you to mix WEP and either WPA or WPA2.) If neither WPA nor WPA2 is available, you'll need to replace the product with one that supports WPA2.
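
As an added example (not part of the original article), the following audit maps an access point configuration onto the rows of Table 1 and reports which of the table's cons apply, including the mixed WPA/WPA2 case described above. It assumes the access point runs hostapd, which the article does not name; the option names are hostapd's, and both sample configurations are constructed.

```python
# Added example, not from the original article. hostapd option names are real;
# the two sample configurations are constructed.
MIXED_PSK = """
# constructed sample: mixed WPA/WPA2 Personal access point
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=constructed-sample-passphrase
"""

WPA2_EAP = """
# constructed sample: WPA2-Enterprise access point
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
"""

def parse_conf(text):
    """Return key -> value for 'key=value' lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Map a config onto Table 1 rows and list the cons that apply."""
    conf = parse_conf(text)
    mode = int(conf.get("wpa", "0"))  # bitfield: 1 = WPA, 2 = WPA2, 3 = both
    key_mgmt = conf.get("wpa_key_mgmt", "WPA-PSK").split()
    # Assumed defaults: WPA pairwise cipher TKIP; WPA2 falls back to wpa_pairwise.
    wpa_ciphers = conf.get("wpa_pairwise", "TKIP").split()
    rsn_ciphers = conf.get("rsn_pairwise", " ".join(wpa_ciphers)).split()
    versions = [n for bit, n in ((1, "WPA"), (2, "WPA2")) if mode & bit]
    auths = [n for k, n in (("WPA-PSK", "Personal"), ("WPA-EAP", "Enterprise"))
             if k in key_mgmt]
    findings = []
    if not versions:
        findings.append("neither WPA nor WPA2 is enabled")
    if (mode & 1 and "TKIP" in wpa_ciphers) or (mode & 2 and "TKIP" in rsn_ciphers):
        findings.append("TKIP in use: weaker encryption")
    if versions and "WPA-PSK" in key_mgmt:
        findings.append("PSK in use: weak passwords invite dictionary-type attacks")
    return [f"{v}-{a}" for v in versions for a in auths], findings
```

Calling `audit(MIXED_PSK)` returns both Personal rows with the TKIP and PSK findings, while `audit(WPA2_EAP)` returns the single WPA2-Enterprise row with no findings.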

Conclusion

I have laid out the basic concepts behind why your wireless network needs strong encryption and authentication and provided some background on how the authentication and encryption process works. In Part 2, I'll show you how to tie all of this together and set up FreeRADIUS (which really is Free, except for the computer you need to run it on) to implement WPA2-Enterprise and add industrial-strength security to your wireless network.


