Implementing WiFi Protected Access (WPA)

WiFi Protected Access (WPA) is designed to provide wireless users with an encryption mechanism that is not susceptible to the vulnerabilities of Wired Equivalent Privacy (WEP). Most 802.11g access points either ship with the option to use WPA or a firmware upgrade can be downloaded from the access point manufacturer.

Before enabling WPA, you should ensure that your wireless card has WPA drivers. As with access points, you often need to update the card’s drivers, firmware, or both in order to take advantage of WPA. This section details how to set up WPA encryption on two access points: the D-Link DI-624 and the Linksys WRV54G. You will also learn how to configure your wireless client to use WPA.

Configuring the D-Link DI-624 AirPlus 2.4GHz Xtreme G Wireless Router with 4-Port Switch

The D-Link DI-624 ships with WPA capability. This means that no firmware upgrade is necessary and you can start using WPA as soon as the DI-624 comes

out of the box. First, you need to log into the DI-624 from a wired connection. Then, point your browser to 192.168.0.1 and supply the username admin with a blank password when prompted. This opens the initial configuration screen, as seen in Figure 11.1.

Figure 11.1: The DI-624 Initial Configuration Screen

Next, click the Wireless button on the left to open the wireless configuration options window, as shown in Figure 11.2.

Figure 11.2: The Wireless Configuration Options Window

WPA-PSK utilizes a 256-bit pre-shared key or a passphrase that can vary in length from 8 to 63 bytes. Short passphrase-based keys (less than 20 bytes) are vulnerable to the offline dictionary attack. The pre-shared key that is used to set up the WPA encryption can be captured during the initial communication between the access point and the client card. Once an attacker has captured the pre-shared key, he can use that to essentially “guess” the WPA key using the same concepts used in any password dictionary attack. In theory, this type of dictionary attack takes less time and effort than attacking WEP. Choosing a passphrase that is more than 20 bytes mitigates this vulnerability.

Next, choose either the WPA or WPA-PSK Authentication options. The WPA option requires a RADIUS server, whereas WPA-PSK (Pre Shared Key) sets a passphrase that must also be entered in the client WPA configuration settings. See Figures 11.3 and 11.4.

Figure 11.3: The WPA Configuration Screen

Figure 11.4: The WPA-PSK Configuration Screen

Enter either your RADIUS server information and Shared Secret for WPA or a strong passphrase that is more than 20 bytes long, and then click Apply to save your settings and enable WPA.

Configuring the Linksys WRV54G VPN Broadband Router

The Linksys WRV54G VPN-Broadband Router may require a firmware upgrade to allow WPA capability. Firmware version 2.10 or later is required for WPA functionality on the WRV54G. To enable WPA, you need to log in to the WRV54G, as shown in Figure 11.5. Point your browser to the IP address of the WRV54G. By default, this is 192.168.1.1. There is no username required and the default password is admin.

Figure 11.5: The Linksys WRV54G Initial Configuration Screen

Next, click the Wireless tab to display the Wireless Network Settings, as seen in Figure 11.6.

Figure 11.6: The Wireless Networks Settings Screen

Then, choose the Wireless Security option to display the Wireless Security settings, as seen in Figure 11.7.

Figure 11.7: The Wireless Security Settings

The Security Mode drop-down box displays the four modes of security available on the WRV54G:

• WPA Pre-Shared Key

• WPA Radius

• RADIUS

• WEP

WPA RADIUS requires a RADIUS server, as shown in Figure 11.8. WPA Pre-Shared Key (Figure 11.9) allows you to enter a strong pre-shared key. All wireless clients must also be configured to use the WPA pre-shared key in order to authenticate to the wireless network.