Making Sense of WPA Modes

By now, you probably know that WPA and WPA2 are both excellent choices for wireless security. WPA can be configured to run in several different modes. This month, we’ll help you decide which WPA mode is right for your network.

Security selection modes in a popular access point. Most access points have modes that are similar to this.

The graphic above shows the security mode selection menu from a popular access point. “Disable,” the first option, would only be used in an open wireless network, and won’t be discussed further. “WEP”, the last option, probably doesn’t provide enough security for most networks, and should be avoided if WPA is available, which it is, so we won’t discuss it any further either.

The remaining modes consist of a combination of several factors:

• WPA vs. WPA2. WPA was the security standard released by the Wi-Fi Alliance prior to the ratification of the 802.11i standard. WPA2 was the security standard released by the Wi-Fi Alliance after the ratification of the 802.11i standard. WPA2 and 802.11i are essentially synonymous. WPA2 provides certain security and performance enhancements over WPA, the most significant of which is the option to use AES encryption instead of the TKIP encryption that is used by WPA.
• Pre-Shared Key vs. RADIUS. In Pre-Shared Key mode, the access point is configured with a passphrase—a string of text. When a station tries to connect, the user of the station is asked to type in the passphrase before the station can connect. In RADIUS mode, which is also sometimes known as Enterprise mode, the access point and the station collaborate to authenticate the station via a RADIUS server. RADIUS mode can be more secure and easier to administrate, but it requires a RADIUS server, which small businesses and home networks seldom care to afford and maintain. Pre-Shared Key mode is much simpler, but is somewhat less secure and more difficult to administrate.
• Mixed vs. Only. Some devices do not have the hardware, firmware, or drivers to support WPA2. Fortunately, the 802.11i standard (which is functionally equivalent to WPA2) defines backwards compatibility functionality, whereby a WPA2 access point can support WPA clients. If the access point is configured to a “Mixed” setting, then both WPA2 and WPA clients will be allowed to connect. In an “Only” setting, only WPA2 clients will be allowed to connect.

Picking the best option from these modes is not too difficult. Since WPA2 includes backwards compatibility for WPA clients, there isn’t much of a reason to choose one of the “WPA” settings. We’re not aware of a compelling reason to exclude WPA2 clients from a wireless network. If you’re concerned about WPA clients being able to connect, just choose one of the “WPA2 Mixed” settings, and the access point will handle both WPA and WPA2 devices. Even if you only have WPA clients today, the WPA2 option will be enabled on the access point in case a WPA2 client comes along—and don’t worry, the WPA2 client will figure it out and use the stronger encryption and authentication.

Pre-shared Key vs. Radius is also relatively simple. For home and small to medium office installations, Pre-shared key is likely to be the only option, since these sites probably won’t have a RADIUS server. Larger enterprises probably already have a RADIUS server and will want to take advantage of the increased security and central administration that it offers. Small network administrators do have some options if they want to use RADIUS mode instead of Pre-shared Key. Free RADIUS server software is available for Linux and Windows distributions. Also, some vendors have begun to target the small and medium business Wi-Fi authentication space with rudimentary RADIUS server software that is specifically designed to support 802.11 authentication. These programs tend not to have as many bells and whistles as their more full-featured counterparts, but they’re also much cheaper and easier to maintain.

Most administrators will probably prefer “Mixed” settings to “Only” settings. Unless you’re 100% sure that no WPA clients will need to connect, it’s best to leave the access points set to “Mixed” WPA/WPA2. This network was originally set to “WPA2 Only.” (the network administrator later reported that excluding WPA devices was done largely out of a misplaced sense of elitism, rather than any security concern). This worked fine until a guest visited the office and mysteriously couldn’t connect. The problem was eventually traced to the fact that the guest’s wireless card and drivers only supported WPA and did not support WPA2.

The network from which these screenshots were taken currently uses the “WPA2 Pre-Shared Key Mixed” setting. The site is a regional office of a small engineering firm. All of the firm’s computers use WPA2, but “Mixed” is enabled in case guests bring computers that only support WPA. Pre-Shared Key is used because the firm does not yet need, nor have the IT resources to support, a RADIUS server.

Selecting the encryption algorithm

The graphic above shows an additional setting that is available: the encryption algorithm that the device should use. Two options are present: TKIP and AES. As was mentioned above, WPA uses TKIP encryption, whereas WPA2 has the option of using either TKIP, AES, or both. The three options in the menu above correspond to those three settings.

As you can see in the graphic, the access point has been configured to use WPA (in the “Security Mode” pull-down menu), but note that AES is still an option in the “WPA Algorithms” menu! Some manufacturers allow the use of WPA with AES encryption, but you should realize that this is a non-standard option and might not work with all devices. The WPA standard allows for the use of TKIP and WEP encryption. AES was only added with WPA2. Therefore, in order to ensure maximum compatibility, we should not configure the access point to use AES encryption with WPA. We should only configure the access point to allow AES if the security mode is set to WPA2.

If “WPA2 Pre-Shared Key Only” or “WPA2 RADIUS Only” mode is used, then AES is the correct choice for the encryption algorithm. The “Only” setting prohibits WPA clients from connecting, so there is no need to support the weaker TKIP encryption. As discussed in the previous paragraph, if the network is using WPA only, then “TKIP” is the right choice, for compatibility reasons. If both WPA2 and WPA are available (the access point has been configured to a “Mixed” setting), then “TKIP + AES” is the right choice. This will allow WPA2 stations to use the stronger AES encryption while WPA stations use TKIP.

Although the terminology of this access point is not universal, the basic options shown here are present on most access points in some form or another:

• “Should the access point use WPA or WPA2?”
• Should the access point use Pre-shared Key or RADIUS mode?”
• If WPA2 is used, should the access point allow backwards compatibility with WPA clients?”
• Which encryption algorithms should be used?

… and now you should know what you need to know in order to answer those questions.

Below are links to some of the RADIUS server software that was mentioned in this article. Connect802 provides these links for reference only. We do not endorse or support any of these programs.

• FreeRadius, an open-source, free RADIUS server (Linux and other UNIX variants only)
• WinRadius, a free RADIUS server for Windows (specifically mentions 802.11 compatibility)
• Elektron, a commercial RADIUS server targeted at small offices
• Elektron review at WiFiNetNews.com

Free Public Wi-Fi?

Recently, I was in an airport, and I saw a wireless network called “Free Public Wi-Fi”. I was suspicious because the signal strength was very low, and I don’t think that the airport actually had free public Wi-Fi. What’s your opinion? Was this network legit?

An “Available Wireless Networks” screen showing a “Free WiFi” network. Legit or not?

An example of such a network is shown in the screen above. The Expert recommends against connecting to such a network in most cases. Notice that the icon to the right of the network indicates that this is an ad-hoc, or “computer-to-computer” network. This means that the device advertising the network is not an access point. It might be a laptop belonging to an attacker who is hoping to lure victims in with the promise of free network access. Once you connect, it’s like plugging a crossover cable in between your two machines, and any vulnerabilities in your system are the attacker’s to exploit.

Could this just be someone trying to share his or her network access? Sure. Once you’ve bought your way onto the airport’s for-pay system, you could elect to use Windows’ Internet Connection Sharing to share that connection with others. This would require some technological knowledge, but it’s definitely doable. There are also some plug-in appliances that automatically share your wireless connection. But The Expert is wary about whose networks he jumps onto, and he’d rather spend a few dollars for access via the airport’s network than risk an attack from an unverified network.