Connect802 is a nationwide wireless data equipment reseller providing system design consulting, equipment configuration, and installation services.




Winter 2009

Product Focus
Exploring the Connect802 value proposition...
Essential Wi-Fi
For those who are new to Wi-Fi networking...
Technology and Engineering
For the engineer and Wi-Fi network administrator...
Ask the Expert
Questions from our readers...
To Infinity... and Beyond!
News from the wireless marketplace...

Product Focus

No-Cost Network Management Webinar - January 14th 2009 - Register Today!

Please join us on January 14 at 10AM Pacific Time for an hour-long on-line seminar “Best Practices for Wireless Network Management” when we will discuss this product and other key issues associated with maximizing productivity and minimizing management costs.

Windows supports only PEAP and EAP-TLS by default, but the client manager software that comes with the Intel Centrino wireless chipset in this laptop adds support for TLS, TTLS, LEAP, and EAP-FAST. Also notice that the Windows supplicant doesn’t actually say “EAP-TLS”. Rather, it confusingly says, “Smart Card or Other Certificate.” This use of non-standard terminology could complicate configuration of the same EAP type in the RADIUS server, because it might not be obvious to the administrator which EAP type “Smart Card or Other Certificate” refers to. After all, EAP-TTLS and EAP-FAST also use certificates, and EAP-GTC uses smart cards.
On the server side, things are less flexible. RADIUS servers typically support specific EAP types, and the only option for supporting additional EAP types may be to switch to a different RADIUS server. At the very least, this would be a significant investment in money and time. For this reason, it is usually best to resolve EAP incompatibilities by installing a compatible supplicant on the clients. In most cases, however, the best course of action is to avoid incompatibilities altogether by only choosing an EAP type that you know is supported by both your RADIUS server and your client devices. Unfortunately, this can narrow your selection of EAP types down to just one or two, and sometimes might exclude an EAP type that you would like to use.

Summary and Conclusion
WPA-Enterprise has advantages over WPA-PSK in terms of security, scalability, and manageability. Wireless clients and RADIUS servers often support more than one EAP type, but if they don’t share at least one EAP type, the system won’t work. If you are already locked into a particular RADIUS server (often the case in large enterprises), you will likely be limited to EAP types that are supported by that server. Client-side incompatibility issues may be resolvable by installing a third-party supplicant on the client. On the other hand, if you have not yet selected a RADIUS server, it may be to your benefit to consider only those that support EAP types natively supported by your client devices, so as to avoid the workload of installing custom software on all of the client devices.

Technology and Engineering

Ask the Expert

Cisco wireless LAN controllers use the numbers 1 through 5 to refer to the signal strength configuration for an access point. What do these numbers mean?

The maximum transmit power for the access points should generally not be greater than the maximum transmit power of the weakest client. An Unbalanced Power Effect (UPE) occurs when a client can hear a strong access point but the client doesn't have enough transmit power to get back to the access point. This is the situation that occurs when you see an SSID (on your notebook computer) with excellent signal strength (because the AP is strong) but you can't connect to it (because your transmit power is weaker.)

To Infinity... and Beyond!

New WEP and WPA exploits
A new record has been set in cracking WEP. Two German researchers combined a variety of WEP-cracking techniques to extract a key in only 24,000 packets. Previous attacks required from 32,000 to 40,000 packets to be processed in order to gain a 50% likelihood of recovering the key. Although WEP has largely been abandoned in corporate circles, many retailers still use WEP with older credit-card processing equipment, which is expensive to replace and impossible to upgrade. Retailers who accept credit cards may not deploy new systems with WEP starting April 1, 2009 and must discontinue all use of WEP by June 30, 2010, according to new guidelines set by credit card processors.

Link to paper describing the WEP exploit (PDF): “Practical Attacks against WEP and WPA”

Advances have been made in attacking WPA as well, although they are not nearly as significant as attacks against WEP. The same research paper linked above describes a method for cracking TKIP encryption, but the method does not actually recover the encryption key, and only allows injection of single short packets into the data stream. Currently, the most viable WPA exploit uses a brute-force dictionary attack to attempt to learn the pre-shared key that is used in WPA-PSK. One way of avoiding this attack is to use WPA-Enterprise instead of WPA-PSK, but if you do choose to use WPA-PSK, make sure your passphrase is at least 20 characters long (longer passphrases make it harder to use a dictionary attack) and contains no words found in any dictionaries of any language. Additionally, switching from WPA with TKIP to WPA2 with AES will circumvent any exploits that attack the weaker TKIP encryption.
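The passphrase guidance above can be checked before a WPA-PSK network is deployed. The following is an added example, not part of the original newsletter: the function names and the small wordlist are constructed for illustration, and the key derivation shown is the standard WPA/WPA2-PSK one (PBKDF2-HMAC-SHA1 salted with the SSID), which is why a guessable passphrase yields a guessable key.

```python
import hashlib

# Constructed sample wordlist; a real audit would load full dictionaries
# for every language relevant to the site.
SAMPLE_WORDS = {"password", "wireless", "network", "connect", "winter", "coffee"}

MIN_LEN = 20               # minimum length recommended in the article
WPA_MIN, WPA_MAX = 8, 63   # passphrase length limits accepted by WPA/WPA2


def derive_psk(passphrase, ssid):
    """Derive the 256-bit pre-shared key exactly as WPA/WPA2-PSK does:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes out."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), 4096, 32
    )


def audit_passphrase(passphrase, words=SAMPLE_WORDS):
    """Return a list of policy findings; an empty list means it passes."""
    findings = []
    if not WPA_MIN <= len(passphrase) <= WPA_MAX:
        findings.append("outside the 8-63 character range WPA accepts")
    if len(passphrase) < MIN_LEN:
        findings.append("shorter than %d characters" % MIN_LEN)
    lowered = passphrase.lower()
    # Case-insensitive substring match; very short words are skipped
    # because they match random strings by chance.
    hits = sorted(w for w in words if len(w) >= 4 and w in lowered)
    if hits:
        findings.append("contains dictionary words: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    # Constructed candidate passphrases and SSID.
    for candidate in ("Wireless2009", "q7#Lz0vR!m2Xe9@Tb4Kd"):
        result = audit_passphrase(candidate)
        print(candidate, "->", result or "passes")
    # The key depends only on passphrase and SSID, nothing secret besides.
    print(derive_psk("q7#Lz0vR!m2Xe9@Tb4Kd", "ExampleSSID").hex())
```

Because the SSID is the salt, the same passphrase produces a different key on a differently named network, but the SSID is public, so only the passphrase's unpredictability protects the key.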

At Connect802 we're your PAGE ONE resource for wireless networking!