Securing AirPort Extreme Networks with WPA

With the release of Mac OS X 10.3 Panther, Apple provided a firmware upgrade for the AirPort Extreme Base Station and AirPort Extreme clients, which support the WPA (Wireless Protected Access) security standard for securing your wireless network. WPA is far more secure than WEP (Wireless Equivalent Privacy).

However, before you rejoice in this news, make sure you meet the following requirements:

• You must be running Mac OS X v10.3 or later. If you still have not upgraded, well, time to do so.
• You must be using an AirPort Extreme wireless network. That means your base station must be an AirPort Extreme one, and so must be your AirPort card. If you are using the 802.11b AirPort network, then you have to stick to WEP.

Upgrading your AirPort Extreme Base Station

Download the firmware upgrade for your AirPort Extreme base station, from Apple's web site. The file to download is AirPort Extreme FW 5.2.bin.

Here are the steps to upgrade your AirPort Extreme base station:

1. Open the AirPort Admin Utility (located in /Applications/Utilities/).
2. Select your base station from the list.
3. Click Configure.
4. Enter the password of the base station if prompted.
5. Click the Upload icon in the toolbar or select Upload from the Base Station menu.
6. Select the file AirPort Extreme FW 5.2.bin and click OK.

When the base station is finished updating, it will restart.

What is WPA?

WPA is an enhanced security standard developed by the Wi-Fi Alliance and IEEE to increase the security of wireless networks. As you probably know by now, WEP is inherently insecure, which means that any person intent on eavesdropping on your network communication can do so with the appropriate tools. To address this concern, WPA was designed as an interim solution (the longer-term solution lies in the 802.11i work group) to protect the privacy of wireless networks.

WPA contains the following components:

• Use of TKIP (Temporal Key Integrity Protocol) for encrypting wireless packets.
• Use of 802.1X and EAP (Extensible Authentication Protocol) for user authentication.
• Use of MIC (Message Integrity Check) for checking the integrity of the packets sent over the air.

To log on to a WPA-protected network, you first need to supply a network password. TKIP then uses this password to mathematically generate an initial encryption key. All packets sent over the air now use this encryption key. To prevent this key from being discovered (by collecting and analyzing many packets), TKIP routinely changes and rotates this key so that it is never used twice.

In AirPort Extreme, WPA supports two modes:

• Enterprise mode -- this mode uses a RADIUS (Remote Authentication Dial-In User Service) for user authentication.
• Personal mode -- this mode uses a network password for user authentication.

802.1X

The 802.1X specification is a port-based network access control mechanism: when a client is authenticated, the port is granted access; if not, access to the port is denied. Although 802.1X was originally designed for ethernet networks, it can be applied to wireless networks as well.

Configuring for WPA Access

Let's now configure our AirPort Extreme base station to enable WPA. As usual, configure your base station using the AirPort Admin Utility.

Click on the Name and Password button on the left. On the right pane, click on the Change Wireless Security... button to change the security standard used for securing your AirPort Extreme network (see Figure 1).

Figure 1. Changing the wireless security mode.

In the Wireless Security drop-down list box, select WPA Personal if you do not have a RADIUS server in your network. This option is useful for home or small business networks (see Figure 2).

Select the Password option and key in the password twice. This password will be used to authenticate you on the network when you log on to the network for the first time. When you enter a password in the configuration dialog, an industry-standard hashing algorithm is applied to generate the full 64 byte pre-shared key.

Figure 2. Using WPA Personal with a password.

You can also select the Pre-Shared Key option to manually enter a key (see Figure 3). This option is really provided just as an additional option in case you are using non-Apple client software that does not do the proper hashing.The Pre-Shared Key is 64 hexadecimal (0-9, A-F) digits.

Figure 3. Configuring a Pre-Shared Key.

You can also click on the Show Options button to review more information about the encryption information. You can change the Group Key Timeout textbox to change the frequency of key rotation (see Figure 4).

Figure 4. Viewing options for changing Group Key Timeout.

For users with a RADIUS server for authentication, you should select the WPA Enterprise option (see Figure 5). Using a RADIUS server, your AirPort Extreme network will use 802.1X authentication to authenticate your wireless users. Your RADIUS server will contain user login credentials.

Figure 5. Using WPA Enterprise mode.

Once the AirPort Extreme base station is configured and updated, you should now be able to see the network on your Mac (see Figure 6).

Figure 6. Connecting to an AirPort Extreme network.

Select the Apple Extreme wireless network and you will be prompted to enter the password to log on to the network (see Figure 7).

Figure 7. Entering the password to connect to an AirPort Extreme network.

WPA Enterprise Mode and MAC Address Filtering Using a RADIUS Server

Note that if you use the WPA Enterprise mode, you will no longer be able to configure your AirPort Extreme base station to use MAC address filtering using a RADIUS server.

Summary

One thing to note about the use of WPA is that it greatly reduces the ability of people to eavesdrop on your wireless conversations. In security terms, it means the integrity of your wireless packets is protected. It does not, however, provide a strong authentication mechanism (since all users have to use a common network password, as shown in our example using WPA Personal). To ensure that only authorized users are connected to the wireless network, you need to use 802.1X authentication together with a RADIUS server.

Wei-Meng Lee (Microsoft MVP) http://weimenglee.blogspot.com is a technologist and founder of Developer Learning Solutions http://www.developerlearningsolutions.com, a technology company specializing in hands-on training on the latest Microsoft technologies.

Return to the Wireless DevCenter

Comments on this article

Showing messages 1 through 6 of 6.

• Wired EQUIVALENCY, not security
  2004-01-06 09:13:09  csoto [View]
  
  
  As mentioned by someone else, WEP and WPA only encrypt WIRELESS packets. Once they're on the 'Net, they're back in plaintext.
  
  Wireless encryption is pretty useless. Just let your network move packets around. Encrypt your data at the APPLICATION layer (remember the OSI 7-layer dip?).
  
  Charles
  

• Don't trust the network
  2003-12-23 11:36:39  acdha [View]
  
  
  "One thing to note about the use of WPA is that it greatly reduces the ability of people to eavesdrop on your wireless conversations. In security terms, it means the integrity of your wireless packets is protected."
  
  It's extremely important to remember that packets are only protected on the wireless network - once they head onto the general internet they're completely insecure again. If you're entering anything you wouldn't want to become public you should be using SSL, SSH or another protocol with strong encryption. As a bonus, your wireless network setup becomes much easier since you can treat it just like the internet.

• WEP security
  2003-12-23 07:55:34  anonymous2 [View]
  
  
  I have an airport extreme base station, but only a regular airport card. I'm concerned that my wireless network may be compromised (even though I have the network closed, password protected and only my machine added in the access control). Is there a tool I can use to see if anyone else is using my wireless net connection (other than turning my machine off and watching the lights on the base station)?

• WPA and WDS
  2003-12-21 04:28:20  anonymous2 [View]
  
  
  There is a problem with WPA, however; you cannot enable WPA and WDS. If you need WDS, better resort to IPsec.
  

• What about those "other" guys
  2003-12-19 22:01:37  anonymous2 [View]
  
  
  If I set up my wireless network with WPA, what about Windoze machines?

• great article
  2003-12-19 15:26:30  anonymous2 [View]
  
  
  I searched for weeks for info about WPA and WEP... nothing on Apple's site or just about anywhere else. Mr. Lee's article explained the thing concisely and clearly. Thanks.
  
  BTW, I had changed the security from WPA Personal to 128 bit WEP because everything said that WEP was the highest standard. I've now changed the security back to WPA, otherwise the default on my new PB. But I still appreciate the info from Mr. Lee.