Wireless security

Wireless security is the protection of devices and networks connected in a wireless environment. Without Wi-Fi security, a networking device such as a wireless access point or a router can be accessed by anyone using a computer or mobile device within range of the router's wireless signal.

In this article, we’ll cover a baseline of authentication protocols: PAP, CHAP, and EAP. We’ll cover what the protocol is, give a detailed example, and talk through some of the weaknesses.

EAP is really more of an authentication framework than a security protocol. Within the framework, there are a set of 40 different authentication methods that can be used. 

In each request or response between the server and the client, a “type” for authentication is specified. Some of the types include EAP-MD-5, EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-Fast.

EAPoL is the abbreviation of Extensible Authentication Protocol over LAN. EAPoL (Extensible Authentication Protocol over LAN) is a network authentication protocol used in 802.1x (Port Based Natwork Access Control). In other words, it is the encapsulation protocol used between Supplicant and Authenticator.

 in 802.1x and also in EAPoL architecture, there are three main components. These are :

• Supplicant is the host device that need to be authenticated.
• Authenticator is the relay device that connects Supplicant to the Authentication Server and controls the network access.
• Authentication Server is the AAA Server (Radius Server etc.).

What is PAP?

Of the two Point-to-Point Protocol (PPP) authentication methods, PAP is older. It was standardized in 1992 by way of IETF Request for Comments 1334. PAP is a client-server, password-based authentication protocol. Authentication occurs only one time at the beginning of a session establishment process.

What is CHAP?

CHAP uses a three-way handshake process to protect the authentication password from bad actors

Instead of a two-way handshake, CHAP uses a three-way handshake and doesn't send the password across the network. CHAP uses an encrypted hash for which both the client and server know the shared secret key. This extra step helps eliminate the security weaknesses found in PAP.

Another difference is CHAP can be set up to do repeated midsession authentications. This is useful for certain PPP sessions that leave a port open even though the remote device has disconnected. In that case, someone else could pick up the connection midsession by establishing physical connectivity.