WEP shared key authentication uses the Rivest Cipher 4 (RC4) symmetric stream cipher to encrypt data; therefore, the same static key must be preconfigured on the server and clients. Both the encryption mechanism and cipher, however, are prone to security threats. The Wi-Fi Alliance developed WPA to overcome WEP defects. Still using RC4 as the core cipher algorithm, WPA defines the Temporal Key Integrity Protocol (TKIP) encryption algorithm based on WEP, uses an 802.1x authentication framework, and supports Extensible Authentication Protocol-Protected Extensible Authentication Protocol (EAP-PEAP) and EAP-Transport Layer Security (EAP-TLS) authentication. Later, 802.11i defined WPA2. WPA2 uses the Counter Mode with CBC-MAC Protocol (CCMP) encryption algorithm that features higher security.
Both WPA and WPA2 support 802.1X access authentication and the TKIP and CCMP encryption algorithms, giving better compatibility. With almost the same security level, they mainly differ in the protocol packet format.
The WPA/WPA2 security policy involves four phases: link authentication, access authentication, key negotiation, and data encryption.
Two authentication methods are available: WPA/WPA2-PSK authentication and WPA/WPA2-802.1X authentication.
WPA/WPA2-PSK authentication
Both WPA and WPA2 support PSK authentication and the TKIP or AES encryption algorithm. They have almost the same security level and mainly differ in the protocol packet format.
WPA/WPA2-PSK authentication applies to individual, home, and Small Office and Home Office (SOHO) networks that do not require high security. No authentication server is required. If a wireless terminal supports only WEP encryption, PSK+TKIP can be implemented without a hardware upgrade, whereas PSK+AES may be implemented only after a hardware upgrade.
WPA/WPA2-802.1X authentication
Both WPA and WPA2 support 802.1X authentication and the TKIP or AES encryption algorithm. They have almost the same security level and mainly differ in the protocol packet format.
WPA/WPA2-802.1x authentication applies to networks that require high security, such as enterprise networks. An independent authentication server is required. If user devices support only WEP encryption, 802.1X+TKIP can be implemented without a hardware upgrade, whereas 802.1X+AES may be implemented only after a hardware upgrade.
Wireless terminals vary and support different authentication and encryption modes. To enable various types of terminals to access the network and facilitate management by network administrators, configure both WPA and WPA2. If the security policy is WPA-WPA2, terminals supporting WPA or WPA2 can be authenticated. If the encryption mode is TKIP-AES, any terminals supporting TKIP or AES can encrypt service packets.
Configure WPA/WPA2-PSK authentication.
Configure WPA-WPA2, TKIP-AES, and PSK authentication.
<HUAWEI> system-view [HUAWEI] wlan [HUAWEI-wlan-view] security-profile name p1 [HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 psk pass-phrase abcdfffffg123 aes-tkip
Configure WPA/WPA2-802.1X authentication.
Configure WPA-WPA2, TKIP-AES, and 802.1X authentication.
<HUAWEI> system-view [HUAWEI] wlan [HUAWEI-wlan-view] security-profile name p1 [HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 dot1x aes-tkip