WLAN security policies [From Beginner to Expert - WLAN Fundamentals] - Section 10

Latest reply: Jul 28, 2019 12:20:39

Hello, everyone!

Today I'd like to share with you some information on WLAN security policies, as part of the From Beginner to Expert - WLAN Fundamentals section on the Community.

Nowadays, wireless networks are provided almost everywhere. In most cases, however, you cannot access the Internet without authentication even after scanning for wireless networks. In the wireless network list on a mobile phone, "Secured with WPA2" or "Secured with 802.1x" is displayed under a service set identifier (SSID). These wireless networks use the WLAN security policies described below.

1. Why are WLAN security policies needed?

In our daily lives, we need to use access cards to access a residential building and enter passwords to open safes. Similarly, WLANs also need to be protected. WLANs are becoming more popular because of their flexibility and mobility. However, WLANs are easily attacked, resulting in user information leakage. Therefore, WLAN security is a significant issue and WLAN security policies are required.

To get online, you enable the WLAN function on a mobile phone, select an SSID, and enter the password for authentication (the user name also needs to be entered in some authentication modes). After the authentication succeeds, you can access the Internet. During this process, a WLAN security policy is applied. It comprises a complete set of security mechanisms: link authentication, access authentication, key negotiation, and data encryption.

Link authentication is performed on hardware terminal devices. A STA can connect to an AP only after passing link authentication. If open system authentication is used, users do not need to perform any operation and are unaware of link authentication. If shared-key authentication is used, a shared key must be pre-configured on the STA for link authentication.

Access authentication requires that users enter passwords for authentication. A user using a STA that has passed link authentication needs to pass access authentication to access a WLAN. If the STA passes link authentication but the STA's user is not authorized (having no password), the user cannot access the network. Access authentication ensures that users can access a WLAN only after entering correct passwords.

A large amount of interaction and transmission data is generated during the Internet access process. To prevent data tampering or interception during data transmission, the data needs to be encrypted, ensuring user information security and privacy. Encryption keys are negotiated between STAs and access devices in advance through dynamic interactions. Key negotiation and data encryption are automatically implemented by the system, requiring no intervention from users.

This set of security mechanisms ensures basic security of WLANs.

2. What WLAN security policies are available?

Four WLAN security policies are available: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, and WLAN Authentication and Privacy Infrastructure (WAPI). Now, let's see how these WLAN security policies have evolved.

1) WEP

WEP is the first WLAN security protocol defined in the IEEE 802.11 standard and uses the Rivest Cipher 4 (RC4) algorithm. RC4 is a stream cipher algorithm that uses variable-length keys for data encryption. A key contains a 24-bit initialization vector (IV) generated by the system and a 40-bit, 104-bit, or 128-bit key configured on the WLAN server and client. These two parts are combined to obtain a 64-bit, 128-bit, or 152-bit key for data encryption.

A WEP encryption policy involves only link authentication and data encryption, but does not involve access authentication or key negotiation.

Link Authentication

WEP supports two link authentication modes: open system authentication and shared key authentication.

  • Open system authentication requires no authentication. Any STAs that send authentication requests to an AP using open system authentication are successfully authenticated.

    You can directly connect to a WLAN using open system authentication without entering a password.

  • Shared key authentication requires that the same shared key is pre-configured on a STA and an AP. During link authentication, the AP checks whether the STA has the same shared key to determine whether the STA can pass authentication. If the STA has the same shared key as the AP, the authentication succeeds; otherwise, the authentication fails.


Note that the key pre-configured on the STA is used only for link authentication but not for access authentication. Any user can use a STA on which the correct shared key is pre-configured to associate with a WLAN. If access authentication is configured for the WLAN, users need to enter the SSID access password to access the WLAN (assuming that the STA does not automatically record the SSID access password).

For more information about link authentication, see the technical post (From Beginner to Expert - WLAN Fundamentals) Section 8 - STA Access.

Data Encryption

  • If open system authentication is used, you can configure whether to encrypt service data after users go online. If service data is encrypted, an encryption key must be configured.

    For example, on an AP running V200R005, configure open system authentication as follows:

    Run the wep authentication-method open-system command to configure open system authentication without encrypting data packets.

    Run the wep authentication-method open-system data-encrypt command to configure open system authentication and encrypt data packets.

  • If shared key authentication is used, a shared key is used to encrypt service data after users go online.

When a WEP security policy is used, all users share the same encryption key.

In practice, if open system authentication is used in the WEP security policy, MAC address authentication or Portal authentication is usually used to control user access, improving WLAN security.

For details about network admission control (NAC), see the technical post (All About Switches) Section 28 - NAC.

MAC address authentication is generally used by STAs where the 802.1x client software cannot be installed or mobile phones where 802.1x dial-up can be performed without the 802.1x client software. MAC address authentication controls users’ network access rights based on port numbers and MAC addresses. Users can be authenticated automatically only by their STAs’ MAC addresses that have been added to the authentication server, without the need to enter any authentication information.

MAC address authentication can be implemented by an access device or an authentication server. To ensure security, an authentication server is recommended.

Next, let's learn the MAC address authentication process. The following process uses the centralized WLAN architecture (AC + Fit AP) as an example.


As shown in the preceding figure, the AC sends the user name and password (usually a MAC address) to the authentication server. If authentication succeeds, the AC authorizes a port so that the STA can access the network through this port.

To authenticate users only through web pages, use Portal authentication. Portal authentication is also called web authentication. When users attempt to access the Internet, they need to enter authentication information on Portal pages and are authenticated on the authentication server. Portal authentication can be used on computers and mobile phones, requiring only a browser but no authentication client software.

WLANs are not encrypted in many public areas. However, when you attempt to access the Internet, a Portal page is displayed to request you to enter the user name and password. You can access only specified pages without authentication. This means that these WLANs use Portal authentication.

For example, the following figure shows the Portal authentication page for user authentication on an education campus network.


In the early days of WLANs, WEP provided network security. However, it has the following potential risks:

  • WEP uses a static key. That is, all STAs associating with the same SSID use the same key to connect to a WLAN. If the key of a STA is disclosed, the keys of all STAs are disclosed.
  • The 24-bit IVs may be reused and data is transmitted in plain text. If hackers intercept and parse packets carrying a specified IV, they easily obtain the authentication key.
  • The RC4 algorithm used by WEP is subject to security risks.
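The static key and IV reuse risks listed above, shown as an added example that is not part of the original post. It builds WEP-style frames (RC4 keyed with IV || shared key, the IV sent in the clear at the front of the frame body), flags repeated IVs in a capture, and shows that two frames with the same IV share one keystream. The key, IVs and payloads are constructed sample values.

```python
import zlib
from collections import defaultdict

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling followed by n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """Frame body = clear-text IV || RC4(IV || key) XOR (payload || CRC-32 ICV)."""
    if len(iv) != 3 or len(key) not in (5, 13, 16):   # 24-bit IV; 40/104/128-bit key
        raise ValueError("unexpected IV or key length")
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor(body, rc4_keystream(iv + key, len(body)))

def reused_ivs(frames):
    """Group captured frames by their clear-text IV; return IVs seen more than once."""
    seen = defaultdict(list)
    for frame in frames:
        seen[frame[:3]].append(frame)
    return {iv: fs for iv, fs in seen.items() if len(fs) > 1}

# Constructed sample traffic: one static key shared by every STA on the SSID.
KEY = bytes.fromhex("0102030405")                     # 40-bit key -> 64-bit RC4 key
P1, P2, P3 = b"GET /index.html", b"user=alice&pw=x", b"hello from sta3"
FRAMES = [
    wep_encrypt(b"\x00\x00\x01", KEY, P1),
    wep_encrypt(b"\x00\x00\x02", KEY, P3),
    wep_encrypt(b"\x00\x00\x01", KEY, P2),            # same IV as the first frame
]

def keystream_cancels() -> bool:
    """With a repeated IV the keystream is identical, so C1 XOR C2 == P1 XOR P2."""
    c1, c2 = next(iter(reused_ivs(FRAMES).values()))
    return xor(c1[3:], c2[3:])[:len(P1)] == xor(P1, P2)

if __name__ == "__main__":
    print("IVs reused:", [iv.hex() for iv in reused_ivs(FRAMES)])
    print("ciphertext XOR equals plaintext XOR:", keystream_cancels())
```

Because the key never changes, every repeated IV in the 24-bit space repeats a keystream, which is why the later policies derive fresh per-session keys.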

Both the WEP encryption mechanism and the encryption algorithm are subject to security threats. Therefore, the IEEE 802.11 working group developed new security standards.


2) WPA/WPA2

To overcome security weaknesses of WEP security policies, the Wi-Fi Alliance launched WPA security policies before new security policies with higher security were released. WPA uses the Temporal Key Integrity Protocol (TKIP) encryption algorithm, provides a key reset mechanism, and increases the valid key length, overcoming weaknesses of WEP.

Later, 802.11i defined WPA2. WPA2 uses the Counter Mode with CBC-MAC Protocol (CCMP) encryption mechanism that uses Advanced Encryption Standard (AES) encryption algorithm. The AES algorithm is a block encryption technology and is more difficult to crack than TKIP.

Currently, both WPA and WPA2 can use the TKIP or AES encryption algorithm, ensuring better compatibility and providing almost the same security level.

The WPA or WPA2 security policy involves link authentication, access authentication, key negotiation, and data encryption.

Link Authentication

WPA and WPA2 support only open system authentication, which is the same as that used in WEP.

Access Authentication

WPA and WPA2 provide two authentication modes:

  • WPA/WPA2 enterprise edition: 802.1x authentication is usually used on large-sized enterprise networks. 802.1x authentication is an interface-based network access control mode. In this mode, an authentication server (usually a RADIUS server) uses the Extensible Authentication Protocol (EAP) to authenticate users based on their authentication credentials such as user names and passwords.

WPA and WPA2 support 802.1x authentication based on EAP-Transport Layer Security (EAP-TLS) and EAP-Protected Extensible Authentication Protocol (EAP-PEAP).

The following figure shows the EAP-TLS 802.1x authentication process.


The following figure shows the EAP-PEAP 802.1x authentication process.


EAP-TLS is based on the public key infrastructure (PKI) certificate system. EAP-PEAP, however, does not require the PKI system, ensuring security, reducing costs, and simplifying authentication. In practice, we do not need to know details about the preceding authentication processes. We only need to select an authentication mode on the 802.1x client, leaving other processes to the authentication server.


  • WPA/WPA2 personal edition: A dedicated authentication server is expensive and difficult to maintain for small- or medium-sized enterprises and home users. WPA/WPA2 personal edition provides a simplified authentication mode: pre-shared key authentication (WPA/WPA2-PSK). PSK authentication requires that a STA and a WLAN device be pre-configured with the same PSK. The STA and WLAN device use their PSKs to decrypt messages exchanged between them. If the messages are successfully decrypted, the STA and WLAN device have the same PSK and PSK authentication succeeds; otherwise, PSK authentication fails.

Key Negotiation

During key negotiation, a STA and an AC use the pairwise master key (PMK) to generate a pairwise transient key (PTK) and a group temporal key (GTK). The PTK is used to encrypt unicast packets, and the GTK is used to encrypt multicast and broadcast packets.

  •  Unicast key negotiation is completed through a four-way handshake between a STA and an AC.


  • Multicast key negotiation is completed through a two-way handshake and begins after unicast key negotiation.
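PSK authentication and the unicast key negotiation described above, sketched as an added example that is not part of the original post. It follows the IEEE 802.11i derivations, which the post does not spell out: the PMK comes from the passphrase and SSID through PBKDF2-HMAC-SHA1, the PTK comes from the PMK, both MAC addresses and both nonces, and the AC accepts the STA only if the integrity code on message 2 verifies. The MAC addresses, SSID and passphrases are constructed, and `msg2` is a simplified stand-in for the real EAPOL-Key frame.

```python
import hashlib
import hmac
import os

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenation of HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce, nbytes=48):
    """PTK (48 bytes for CCMP: KCK | KEK | TK). The min/max ordering makes the
    result identical whichever side computes it."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)

def mic(ptk: bytes, frame: bytes) -> bytes:
    """Integrity code keyed with the KCK, the first 16 bytes of the PTK."""
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]

def four_way_handshake(ssid, ac_passphrase, sta_passphrase):
    """Simulate messages 1 and 2; return (authenticated, ac_tk, sta_tk)."""
    aa = bytes.fromhex("02aabbccdd01")     # constructed authenticator (AC/AP) MAC
    spa = bytes.fromhex("02aabbccdd02")    # constructed STA MAC
    anonce = os.urandom(32)                # message 1: AC -> STA, sent in the clear
    snonce = os.urandom(32)                # message 2: STA -> AC, with a MIC
    sta_ptk = derive_ptk(derive_pmk(sta_passphrase, ssid), aa, spa, anonce, snonce)
    msg2 = b"msg2|" + snonce               # stand-in for the EAPOL-Key frame
    msg2_mic = mic(sta_ptk, msg2)
    # The AC derives its own PTK and checks the MIC: proof that the STA holds
    # the same PSK, without the PSK ever crossing the air.
    ac_ptk = derive_ptk(derive_pmk(ac_passphrase, ssid), aa, spa, anonce, snonce)
    authenticated = hmac.compare_digest(mic(ac_ptk, msg2), msg2_mic)
    return authenticated, ac_ptk[32:48], sta_ptk[32:48]

if __name__ == "__main__":
    ok, ac_tk, sta_tk = four_way_handshake("Office-WLAN", "correct horse", "correct horse")
    print("matching PSK :", ok, ac_tk == sta_tk)
    ok, ac_tk, sta_tk = four_way_handshake("Office-WLAN", "correct horse", "wrong guess")
    print("different PSK:", ok, ac_tk == sta_tk)
```

Fresh nonces on every association give each session its own temporal key even though the PSK stays the same, which is the key reset that WEP lacked.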


Data Encryption

After completing key negotiation, the communication parties start to transmit data encrypted using the TKIP or AES encryption algorithm and the negotiated key.

WPA/WPA2 overcomes weaknesses of WEP, but supports only STA authentication on ACs and does not allow AC authentication.


3) WAPI

WAPI is a Chinese national standard for WLANs. It uses the Elliptic Curve Digital Signature Algorithm (ECDSA) based on the public key cryptography and the block key algorithm SMS4 based on the symmetric-key cryptography. ECDSA is used for digital certificate authentication and key negotiation between wireless devices. SMS4 is used to encrypt and decrypt data transmitted between wireless devices. WAPI supports bidirectional identity authentication and uses a digital certificate as identity information and well-developed authentication protocols to ensure higher security than WPA/WPA2.

The WAPI security policy involves link authentication, access authentication, key negotiation, and data encryption.

Link Authentication

WAPI supports only open system authentication.

Access Authentication

WAPI provides two access authentication modes: 

  •  Certificate authentication: applicable to large-sized enterprise networks. A STA and an AC must load certificates and verify the identity of each other through an authentication service unit (ASU).


As shown in the preceding figure, WAPI provides bidirectional identity authentication. The ASU identifies both the STA and AC. The AC controls the STA access based on the STA certificate authentication result, and the STA determines whether to associate with the AC based on the AC certificate authentication result. This prevents access from unauthorized STAs and protects WLANs against attacks from unauthorized WLAN devices.

  •  Pre-shared key-based authentication: applicable to networks of small- or medium-scale enterprises and home users, requiring no expensive certificate system. (The authentication process is the same as that for the WPA/WPA2 personal edition.)

Key Negotiation
After successful identity authentication, the AC initiates key negotiation with the STA. The AC and STA first negotiate the unicast key used to encrypt unicast packets, and then negotiate the multicast key used to encrypt multicast packets.


In addition to dynamic key negotiation, WAPI also provides time-based and packet-based key update mechanisms, preventing security risks resulting from the use of an unchanged key.

Data Encryption

After completing key negotiation, the communication parties start to transmit data encrypted using the SMS4 encryption algorithm and the negotiated key.

3. Which WLAN security policy should be selected?

Among so many WLAN security policies, which WLAN security policy should be selected? The following table lists usage scenarios and security level of each WLAN security policy.

| Security Policy | Link Authentication | Access Authentication | Encryption Algorithm | Recommended Application Scenario | Remarks |
|---|---|---|---|---|---|
| WEP (open system) | Open system authentication | No access authentication is required. Portal authentication or MAC address authentication is used. | No encryption or RC4 encryption | Public places where users move frequently, such as airports, stations, business centers, conference centers, and stadiums | It is not secure to use open system authentication independently. Any wireless terminals can access a WLAN without authentication. You are advised to configure open system authentication together with Portal authentication or MAC address authentication. |
| WEP (shared key) | Shared key authentication | Not involved | RC4 | Networks with low security requirements | The WEP security policy is not recommended due to its low security. |
| WPA/WPA2-PSK | Open system authentication | PSK authentication | TKIP or AES | Networks of home users and medium- or small-sized enterprises | This security policy has higher security than WEP. Additionally, no third-party server is required, reducing the cost. |
| WPA/WPA2-802.1x | Open system authentication | 802.1x authentication | TKIP or AES | Large-sized enterprise networks with high security requirements | This security policy provides high security, but requires a third-party server, increasing the cost. |
| WAPI-PSK | Open system authentication | PSK authentication | SMS4 | Networks of home users and medium- or small-sized enterprises | This security policy has higher security than WEP. Additionally, no third-party server is required, reducing the cost. This security policy is supported by only some STAs and is rarely used. |
| WAPI-certificate | Open system authentication | Certificate authentication | SMS4 | Large-sized enterprise networks with high security requirements | This security policy provides high security, but requires a third-party server, increasing the cost. This security policy is supported by only some STAs and is rarely used. |

In summary, select a WLAN security policy based on scenarios, security requirements, and costs.

In addition to these security policies, WLANs also provide security mechanisms, which will be shared with you in follow-up technical posts. 

This is what I want to share with you today, thank you!

The post is synchronized to: From Beginner to Expert-WLAN Fundamentals


Created Jun 25, 2016 06:12:02

very detailed

MVE Created Apr 11, 2018 10:12:31

useful document, thanks

Created Jul 28, 2019 12:20:39
