Various wireless security protocols were developed to protect home wireless networks. These wireless security protocols include WEP, WPA, and WPA2, each with their own strengths — and weaknesses. In addition to preventing uninvited guests from connecting to your wireless network, wireless security protocols encrypt your private data as it is being transmitted over the airwaves.
Wireless networks are inherently insecure. In the early days of wireless networking, manufacturers tried to make it as easy as possible for end users. The out-of-the-box configuration for most wireless networking equipment provided easy (but insecure) access to a wireless network.
Although many of these issues have since been addressed, wireless networks are generally not as secure as wired networks. Wired networks, at their most basic level, send data between two points, A and B, which are connected by a network cable. Wireless networks, on the other hand, broadcast data in every direction to every device that happens to be listening, within a limited range.
Following are descriptions of the WEP, WPA, and WPA2 wireless security protocols:
Wired Equivalent Privacy (WEP): The original encryption protocol developed for wireless networks. As its name implies, WEP was designed to provide the same level of security as wired networks. However, WEP has many well-known security flaws, is difficult to configure, and is easily broken.
Wi-Fi Protected Access (WPA): Introduced as an interim security enhancement over WEP while the 802.11i wireless security standard was being developed. Most current WPA implementations use a preshared key (PSK), commonly referred to as WPA Personal, and the Temporal Key Integrity Protocol (TKIP, pronounced tee-kip) for encryption. WPA Enterprise uses an authentication server to generate keys or certificates.
Wi-Fi Protected Access version 2 (WPA2): Based on the 802.11i wireless security standard, which was finalized in 2004. The most significant enhancement to WPA2 over WPA is the use of the Advanced Encryption Standard (AES) for encryption. The security provided by AES is sufficient (and approved) for use by the U.S. government to encrypt information classified as top secret — it’s probably good enough to protect your secrets as well!
In this section we offer more advanced information related to wireless networks. Here we discuss how to implement security in a wireless network (how to set up the authentication type, the encryption protocols, the pre-shared key (password), etc.) and how to restrict access by other devices.
IEEE 802.11 is part of the IEEE 802 set of LAN protocols, and specifies the set of media access control (MAC) and physical layer (PHY) protocols for implementing wireless local area network (WLAN) Wi-Fi computer communication in various frequencies, including but not limited to 2.4 GHz, 5 GHz, and 60 GHz frequency bands.
This section also includes information about wireless bridges and mesh networks and provides simple configuration examples.
Wireless data protection (Security Profile)
There are several steps to implementing a secure wireless network:
- Set up a password for the wireless administration interface. An administrator password is available on almost any wireless router and is used to log into the device for monitoring and changing the configuration. Most manufacturers set a weak default password such as “pass”, “password” or “admin”; on MikroTik routers there is no password at all by default. It is therefore recommended to change the administration password. If you do not use this password very often, write it down and keep it in a safe place. If you lose your password on a MikroTik device there is no way to recover it; the only option is to reset the router configuration to factory default settings.
- Use encryption to protect data sent between the access point and client stations. Wired Equivalent Privacy (WEP) encrypts data only between 802.11 devices, using static keys: the static key is fed directly into the data encryption algorithm. This is not considered a very secure wireless data encryption mechanism, though it is better than no encryption at all. If some of your wireless devices only support WEP, remember that WEP is better than nothing, but choose a static encryption key that is not easy to guess and is not very short (more than 8 symbols is recommended) and change it from time to time if possible. WPA (Wi-Fi Protected Access) provides much better protection for your wireless network. WPA is a combination of the 802.1X, EAP, MIC, TKIP and AES protocols, where:
- 802.1X is used as the authentication framework: users can be authenticated individually using a RADIUS server.
- EAP is a protocol for wireless networks that expands on authentication methods. EAP can support multiple authentication mechanisms, such as one-time passwords, certificates, smart cards and public key authentication.
- MIC (message integrity code), a cryptographic checksum, verifies that messages have not been altered in transit (it checks whether the received message is the same as the sent message).
- TKIP and AES are data encryption algorithms. TKIP generates different keys dynamically for each client and changes the key for each successive packet.
- Use MAC address filtering for access control. As we know, MAC addresses uniquely identify each network device, so MAC address filtering allows you to limit network access to specific MAC addresses or to deny access from specific MAC addresses. If you implement full MAC address filtering on your network you need to know the entire list of your clients' MAC addresses, which can be very complicated when you have hundreds of clients or when clients often change devices or MAC addresses. Remember that MAC addresses can be “spoofed” (imitated) by knowledgeable persons, so this mechanism does not guarantee perfect security; it only makes access harder for undesirable persons and improves network security somewhat. How to configure access filtering is discussed below in paragraph 14.2.
Security profile configuration example on MikroTik
Security profiles are used to create security policies for wireless interfaces and allow you to define security parameters such as the authentication type, encryption algorithm, pre-shared keys and other specific parameters. The full command reference can be found here.
Security profiles are configured under the /interface wireless security-profiles menu in the command line interface, or on the Wireless > Security Profiles tab in the WinBox configuration tool. A security profile is referenced by a wireless interface (/interface wireless [name of wlan interface]) through its security-profile parameter, which means we can create different security profiles for different wireless interfaces (each wireless card is a separate interface); a security-profile can also be specified as a parameter of a connect-list rule (/interface wireless connect-list).
The basic parameters that must be specified for any security profile are:
- name – profile name
- mode – security profile mode. Four modes are available:
  - none – encryption is not used. Encrypted frames are not accepted.
  - static-keys-required – WEP mode. Does not accept and does not send unencrypted frames. A station in static-keys-required mode will not connect to an access point in static-keys-optional mode.
  - static-keys-optional – WEP mode. Supports encryption and decryption, but also allows receiving and sending unencrypted frames. The device sends unencrypted frames if the encryption algorithm is specified as none. A station in static-keys-optional mode will not connect to an access point in static-keys-required mode.
  - dynamic-keys – WPA mode.
Configuring WEP with a 40-bit static key
Create a new WEP security profile named “wep_profile”:
Statically configured WEP keys:
Different algorithms require different key lengths:
- 40bit-wep (static-key-1) – 10 hexadecimal digits (40 bits). If the key is longer, only the first 40 bits are used.
- 104bit-wep (static-key-2) – 26 hexadecimal digits (104 bits). If the key is longer, only the first 104 bits are used.
- tkip (static-key-3) – at least 64 hexadecimal digits (256 bits).
- aes-ccm (static-key-3) – at least 32 hexadecimal digits (128 bits).
The key must contain an even number of hexadecimal digits.
static-transmit-key – defines which key is used for transmission. Different keys can be specified as static-key-1, static-key-2, static-key-3 and static-key-4; this option selects which of them to use.
Assign the profile to the wireless interface:
Configuring WPA protection (authentication type WPA-PSK, encryption protocol AES)
Create a WPA security profile named “wpa_profile”:
Specify the encryption algorithm:
unicast-ciphers (multiple choice of tkip, aes-ccm; default value is empty): the access point advertises that it supports the specified ciphers, and a client attempts a connection only to access points that support at least one of the specified ciphers. These ciphers encrypt unicast frames sent between the access point and the station.
group-ciphers (multiple choice of tkip, aes-ccm; default value is empty): the access point advertises one of these ciphers and uses it to encrypt all broadcast and multicast frames.
wpa-pre-shared-key, wpa2-pre-shared-key: WPA and WPA2 pre-shared key mode requires all devices in a BSS to have a common secret key. The value of this key can be arbitrary text. These properties have effect only when authentication-types contains either wpa-psk or wpa2-psk.
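The profile parameters above, as an added configuration example (not the page's or MikroTik's own text): a weak WPA/TKIP profile next to a WPA2-PSK profile restricted to AES-CCM, assuming interface wlan1 and the profile names and passphrases chosen here.

```routeros
# Added example, not from the original page. Profile names, wlan1 and the
# passphrases are assumptions; replace the passphrase with a long random one.
/interface wireless security-profiles
# Weak: WPA (the interim protocol) with TKIP for both unicast and group traffic.
add name=wpa_tkip_profile mode=dynamic-keys authentication-types=wpa-psk unicast-ciphers=tkip group-ciphers=tkip wpa-pre-shared-key="constructed-weak-example-key"
# Preferred: WPA2-PSK with AES-CCM only, so TKIP is never advertised or negotiated.
add name=wpa2_profile mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="constructed-passphrase-change-me"
# Attach the stronger profile to the wireless interface.
/interface wireless set wlan1 security-profile=wpa2_profile
# Verify what the interface will advertise: the profile should list only aes-ccm.
/interface wireless security-profiles print detail where name=wpa2_profile
/interface wireless print detail where name=wlan1
```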
Wireless Access List
The access list is used by an Access Point (AP) to deny or allow access for specific clients as well as to control connection parameters.
Authentication can be rejected or allowed by MAC address, signal strength, and time (which days and how long per day a client may be connected to the AP).
Available access-list matching properties:
mac-address – the rule matches the client with the specified MAC address. The default value 00:00:00:00:00:00 always matches.
interface (default value: all) – rules with interface=all are used for all wireless interfaces. To make a rule that applies only to one wireless interface, specify that interface as the value of this property.
Match properties that also set connection parameters:
signal-range (default range: -120..120) – the rule matches if the signal strength of the station is within the range. If the signal strength of the station goes out of the range specified in the rule, the access point disconnects that station.
time – the rule matches only during the specified time. The time is given in the format start-end,days, where both start and end are expressed as time since midnight (00:00) and days lists the days of the week on which the rule applies. For example, to match on Monday from 8:00 a.m. to 5:00 p.m.: time=28800-62100,mon. The default value is not set. The station is disconnected when the specified time ends.
Connection properties:
authentication (can take the values yes or no):
- no – the client connection is always rejected.
- yes – the authentication procedure specified in the security-profile of the interface is used.
forwarding (yes or no) – controls frame forwarding between clients that are connected to the same access point:
- no – the client cannot send frames to other stations connected to the same access point.
- yes – the client can send frames to other stations on the same access point.
ap-tx-limit (default value: 0bits/s (unlimited)): rate limit of data transmission to this client (download traffic limitation for the client).
client-tx-limit (default value: 0bits/s (unlimited)): asks the client to limit its rate of data transmission. This is a proprietary extension that is supported only by RouterOS clients, for example between two MikroTik routers.
The association procedure is as follows: when a new client wants to connect to the AP configured on interface wlanN, an entry with the client's MAC address and interface wlanN is looked up in the access list. If such an entry is found, the action specified in the access list is performed; otherwise the default-authentication and default-forwarding arguments of interface wlanN apply.
How to set up the wireless access list:
To reject the client with MAC address 00:11:22:33:44:55:01 from authenticating on the access point:
To allow the client with MAC address 00:11:22:33:44:55:02 to authenticate to the access point on the wlan1 interface on working days from 8:00 a.m. to 5:00 p.m.:
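The two rules described above, as an added example (not from the original page), with the interface defaults set so that any client not listed is rejected and clients cannot talk to each other through the AP; the MAC addresses, the -80 lower signal bound and the working-hours time value are constructed.

```routeros
# Added example, not from the original page. MAC addresses, the signal bound
# and the time window are constructed values.
# With default-authentication=no an unlisted client never associates, so the
# access list becomes an allow-list rather than a block-list.
/interface wireless set wlan1 default-authentication=no default-forwarding=no
/interface wireless access-list
# Rule 1: explicitly reject one client regardless of time or signal.
add interface=wlan1 mac-address=00:11:22:33:44:01 authentication=no comment="constructed: always rejected"
# Rule 2: allow a client on wlan1 only on working days 08:00-17:00, only while its
# signal stays at -80 or better, and without forwarding to other stations.
add interface=wlan1 mac-address=00:11:22:33:44:02 authentication=yes forwarding=no signal-range=-80..120 time=8h-17h,mon,tue,wed,thu,fri comment="constructed: allowed in working hours"
# Check the result: the registration table shows who is actually associated.
/interface wireless access-list print
/interface wireless registration-table print
```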
Wireless connect list
The connect list can be configured on a wireless interface that works in station mode (mode=station) and determines which AP the station should connect to. The connect list is organized as a list of rules that can assign priority and security settings to connections with remote access points or restrict connections to specific access points.
First, the station scans all frequencies in the respective band and makes a list of access points. If an SSID is set under /interface wireless, the router removes from its AP list all access points that do not have that SSID (the SSID under /interface wireless must be the same on the station and the access point). Then the rules defined under connect-list are matched: the rule list is checked sequentially until the first matching rule is found. A rule can take one of two actions, allowing or refusing connection to the AP:
connect=yes – connect to the access point that matches this rule.
connect=no – do not connect to any access point that matches this rule; we jump to the next rule.
If all rules have been checked and the station has not connected to any AP yet, the router chooses the AP with the best signal and the SSID set under /interface wireless.
If the station still has not connected to any AP, this process repeats from the beginning.
Several values can be matched in the connect list:
interface – name of the wireless interface (required). Each rule in the connect list applies only to the one wireless interface specified by this setting.
area-prefix – the rule matches if the ‘area’ value in the AP configuration begins with the value of ‘area-prefix’.
mac-address – the rule matches only the AP with the specified MAC address (default value 00:00:00:00:00:00, meaning the MAC address of the AP is not checked).
ssid – the rule matches access points that have this SSID. An empty value matches any SSID. This property has effect only when the station-mode interface SSID is empty, or when the access-point-mode interface has ‘wds-ignore-ssid=yes’.
signal-range – matches if the signal strength of the access point is within the range, given in the format NUM..NUM where both NUM are numbers in the range -120..120. If the signal strength is within this range the connection is accepted; the station disconnects from that access point when the signal strength goes out of the specified range.
security-profile – name of the security profile used when connecting to matching access points. If the value of this property is none, the security profile specified in the interface configuration is used. In station mode, the rule matches only access points that can support the specified security profile.
Configuration examples:
Allow the station to connect only to specific access points:
Set the value of the default-authentication interface property to no under the /interface wireless menu.
The default-authentication interface property determines whether the station will attempt to connect to any access point when no rule matches. In this case interface wlan1 works in station mode.
Create rules that match the allowed access points. These rules must have connect=yes and interface equal to the name of the station wireless interface. As you can see, when connecting to the second AP the signal strength is checked too.
Each rule in the connect list is attached to a specific wireless interface, specified in the interface property of that rule (unlike the access list, where rules can be applied to all interfaces).
Note: Remember that connect-list rules are always checked sequentially, starting from the first, so put the rules in order of preference. Access is not rejected if the connect list has no rule matching the remote access point; in that case the default values from the wireless interface configuration are used to connect to the access point.
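The station-side example described above, as added configuration (not the page's own commands): two allowed APs, the second only while its signal is usable, and every other AP refused through default-authentication=no; the AP MAC addresses, the SSID, the signal bound and the profile are assumptions.

```routeros
# Added example, not from the original page. AP MAC addresses, the SSID,
# the -75 signal bound and the profile name/passphrase are constructed.
# The station will only use WPA2-PSK/AES-CCM, so an AP offering WEP or TKIP
# cannot satisfy the security-profile match and is never joined.
/interface wireless security-profiles add name=wpa2_station mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="constructed-passphrase-change-me"
# Station mode; with default-authentication=no an AP that matches no rule is refused.
/interface wireless set wlan1 mode=station ssid=OfficeNet security-profile=wpa2_station default-authentication=no
/interface wireless connect-list
# Rule 1 (highest preference): the primary AP, matched by its MAC address.
add interface=wlan1 mac-address=00:0C:42:00:00:01 connect=yes security-profile=wpa2_station comment="constructed: primary AP"
# Rule 2: the backup AP, accepted only while its signal is -75 or better;
# the station drops the link if the signal leaves this range.
add interface=wlan1 mac-address=00:0C:42:00:00:02 signal-range=-75..120 connect=yes security-profile=wpa2_station comment="constructed: backup AP"
# Rules are evaluated top-down; 'print' shows the order and 'registration-table'
# shows which AP was actually chosen.
/interface wireless connect-list print
/interface wireless registration-table print
```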
Wireless Bridge
To bridge two networks using WDS
A remote network connected over wireless can easily be bridged using the WDS feature of MikroTik RouterOS. WDS works only on Prism and Atheros based cards. This example is given for the case when the networks are connected through an Atheros wireless interface.
The same example can be found:
To better understand the purpose of this example, make sure you know what a “bridge” is and what its major benefit is. So, here is a simple definition of a bridge.
- Ethernet bridges are the software analogue of a physical Ethernet switch. An Ethernet bridge can be thought of as a kind of software switch that connects multiple Ethernet interfaces (physical or virtual) on a single router so that they share a single IP subnet.
The major benefit of a bridge (including a wireless bridge) is captured in the phrase “to share a single IP subnet”. It means that the local and remote networks can use IP addresses from the same subnet and obtain full connectivity between the local and remote LAN. Look at the figure below.
Simple configuration example
In this example I assume that wireless communication is already working between both sites.
IP addresses are already assigned: 10.10.0.1 on the Access Point (AP) wireless interface and 10.10.0.2 on the wireless station.
Configuration on the AP router:
Create the bridge interface on the AP and add ether1 to the bridge:
Configure the wlan1 interface (mode=bridge or mode=ap-bridge):
Create the WDS interface on the AP (with wds-mode=dynamic, wds-default-bridge=wds-bridge):
Add an IP address on the bridge interface (in this case the name of the bridge interface is wireless_bridge):
Configuration on the wireless station:
Create the bridge and add the ether1 and wlan1 interfaces to the bridge:
Configure the wlan1 interface (mode=station-wds):
Add an IP address on the bridge interface (in this case the name of the bridge interface is wireless_bridge):
Add a DHCP server on the bridge interface (optional configuration; this is not mandatory):
First we need to define an IP pool:
Create the DHCP server:
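Both sides of the WDS bridge above, as an added example (not the page's own commands); it assumes ether1 and wlan1 on both routers, the bridge name wireless_bridge, the addresses 10.0.0.128/24 and 10.0.0.129/24 used in the ping test, a constructed DHCP range, and a constructed WPA2 profile so the WDS link itself is encrypted.

```routeros
# Added example, not from the original page. SSID, passphrase, profile name
# and the DHCP pool range are constructed; the same profile/PSK must exist on
# both ends or the WDS link will not come up.
#
# ---- AP router ----
/interface wireless security-profiles add name=wds_wpa2 mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="constructed-wds-passphrase"
/interface bridge add name=wireless_bridge
/interface bridge port add bridge=wireless_bridge interface=ether1
# ap-bridge plus dynamic WDS: the WDS interface is created automatically and
# placed into wireless_bridge when the station associates.
/interface wireless set wlan1 mode=ap-bridge ssid=wds-link security-profile=wds_wpa2 wds-mode=dynamic wds-default-bridge=wireless_bridge
/ip address add address=10.0.0.128/24 interface=wireless_bridge
#
# ---- Wireless station ----
/interface wireless security-profiles add name=wds_wpa2 mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="constructed-wds-passphrase"
/interface bridge add name=wireless_bridge
/interface bridge port add bridge=wireless_bridge interface=ether1
# In station-wds mode wlan1 itself can be a bridge port (plain station mode cannot).
/interface bridge port add bridge=wireless_bridge interface=wlan1
/interface wireless set wlan1 mode=station-wds ssid=wds-link security-profile=wds_wpa2
/ip address add address=10.0.0.129/24 interface=wireless_bridge
# Optional DHCP server for the shared subnet (constructed range).
/ip pool add name=bridge_pool ranges=10.0.0.10-10.0.0.100
/ip dhcp-server add name=bridge_dhcp interface=wireless_bridge address-pool=bridge_pool disabled=no
/ip dhcp-server network add address=10.0.0.0/24 gateway=10.0.0.128
```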
Check and test your configuration:
Check the WDS interface on the AP router:
Test the bridge by pinging from 10.0.0.128 to 10.0.0.129.
You can also ping workstations (PCs) in one LAN from the remote LAN.
To bridge two wireless networks using EoIP
A similar configuration can be implemented using the EoIP feature. EoIP functionality is discussed in section 9.2.
Set up IP addresses on ether1 and wlan1 (on both sites).
Set up the wlan1 interface configuration (on both sites):
(mode=ap-bridge for the access point; on the client side set mode=station)
Create an EoIP interface on both endpoints (the tunnel ID is the same on both ends, and the remote address points to the wlan1 address of the remote router) (on both sites).
Create a bridge interface and bridge the EoIP and ether1 interfaces (on both sites).
This setup is based on the same principles as in section 9.2, “EoIP”, where you will find another example.
Wireless Mesh
What is a wireless mesh network?
A wireless mesh network is based on mesh clients (basically wireless routers (APs) and gateways to the wired network) that are organized in a mesh topology and act as a communication network.
What is a mesh topology?
A decentralized network structure created by independent wireless access points installed at each network user, where each access point can forward traffic to the other wireless access points. A full wireless mesh network is a network in which every wireless device can communicate with every other.
If a mesh device goes down, the network topology changes immediately and alternative routes can be found. Such dynamic mesh operation requires a protocol that provides network topology re-calculation and a loop-free network.
What is a loop-free network?
A network in which data packets cannot loop while being transmitted among two or more switches or routers.
There can be layer 2 and layer 3 network loops: redundant links can cause layer 2 loops, and a layer 3 loop can be caused by an incorrect routing table. Assume that we have two different paths (redundant links) to a particular destination. In that case a packet (frame) from the same host can be sent through all redundant links simultaneously and the destination device can receive multiple copies of the frame. Such a process can totally confuse the MAC (ARP) table of a mesh node, which contains information about where other devices are located. The MAC table is constantly updated with information about which MAC addresses are reachable behind each port, so this faulty information can cause layer 2 network loops.
Which protocol re-calculates the mesh topology when something changes and also provides a loop-free network?
Protocols such as STP, RSTP, HWMP+ and others provide a mechanism for disabling redundant links. The disabling is done dynamically at the logical level: if there are two links to the same destination, one of them becomes inactive, but if the primary link goes down the second (redundant) link becomes active (goes up). Each node maintains a topology database that is updated according to the selected protocol's algorithm. Redundancy is good practice in your network to reduce congestion, provide availability and prevent complete network failure if one of the links goes down, but it is recommended to configure it together with one of these protocols.
HWMP+ is a MikroTik-specific layer-2 routing protocol for wireless mesh networks. Besides ensuring a loop-free network, HWMP+ also provides an optimal routing mechanism.
- It is based on Hybrid Wireless Mesh Protocol (HWMP) from IEEE 802.11s draft standard.
- It can be used instead of (Rapid) Spanning Tree protocols (RSTP) in mesh setups to ensure loop-free network and optimal routing.
- HWMP+ works not only with WDS (Wireless Distribution System) interfaces but among wired Ethernet interfaces as well.
- Main configuration occurs under /interface mesh menu.
The HWMP+ protocol however is not compatible with HWMP from IEEE 802.11s draft standard.
Here are the two operation modes of HWMP+:
- Reactive mode – paths to destination nodes are discovered on demand by flooding a special message in the network. This mode is recommended for mobile (rapidly changing) networks where communication happens between mesh nodes.
- Proactive mode – when the network includes one or more general entry/exit points (portal nodes) to the mesh network, these portal nodes are chosen as roots for the creation of the logical (loop-free) network topology.
Proactive mode is recommended when most traffic goes between internal mesh nodes and a few portal nodes.
More information about reactive and proactive modes can be found:
How does HWMP+ select routes?
The route with the best metric is always selected after the discovery process. There is also a configuration option to periodically re-optimize already known routes.
The route metric is calculated as the sum of the individual link metrics.
The link metric is calculated in the same way as for the (R)STP protocols:
- For Ethernet links the metric is configured statically (as for OSPF, for example).
- For WDS links the metric is updated dynamically depending on the actual link bandwidth, which in turn is influenced by the wireless signal strength and the selected data transfer rate.
Currently the protocol does not take into account the amount of bandwidth being used on a link, but that might also be used in the future.
Wireless mesh configuration example:
Mesh configuration in RouterOS allows WDS interfaces to be set up dynamically (automatically) when wds-mode=dynamic-mesh is used under the /interface wireless menu, or added manually when wds-mode=static-mesh is used. WDS is necessary to bridge the wireless interfaces together so that the mesh network can share the same subnet.
Two different frequencies are used: one for AP interconnections and one for client connections to the APs, so each AP must have at least two wireless interfaces.
This example shows the mesh configuration between RouterA and RouterB; the configuration on the other mesh nodes is very similar, the main difference being the IP address.
Configuration on RouterA:
First we create a mesh interface named “mesh1” and add interfaces to it; this configuration is very similar to bridge configuration in RouterOS.
Configuring the dynamic mesh interface for AP interconnection on RouterA:
wds-mode=dynamic-mesh – means that all WDS interfaces will be created automatically.
Set up an IP address on the mesh interface:
Configuring the interface for client connections on RouterA:
Configuration on RouterB:
Configuring the dynamic mesh interface for AP interconnection on RouterB:
Set up an IP address on the mesh interface:
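The RouterA steps above, as an added example (not the page's own commands); it assumes wlan1 is the 5 GHz backbone card, wlan2 the 2.4 GHz client card, ether1 the wired port, the constructed address 10.10.1.1/24 and a constructed WPA2 profile for both radios. RouterB repeats the same commands with its own address.

```routeros
# Added example, not from the original page. Interface roles, SSIDs, the
# address and the security profile are constructed.
/interface wireless security-profiles add name=mesh_wpa2 mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="constructed-mesh-passphrase"
# The mesh interface plays the role a bridge plays elsewhere; HWMP+ runs on it.
/interface mesh add name=mesh1
# Backbone radio: dynamic-mesh creates a WDS interface per neighbouring node and
# puts it into mesh1 automatically.
/interface wireless set wlan1 mode=ap-bridge ssid=mesh-backbone band=5ghz-a security-profile=mesh_wpa2 wds-mode=dynamic-mesh wds-default-bridge=mesh1
# Client radio on a separate band; it is a mesh port so clients share the subnet.
/interface wireless set wlan2 mode=ap-bridge ssid=mesh-clients band=2ghz-b/g security-profile=mesh_wpa2
/interface mesh port add mesh=mesh1 interface=wlan1
/interface mesh port add mesh=mesh1 interface=wlan2
/interface mesh port add mesh=mesh1 interface=ether1
/ip address add address=10.10.1.1/24 interface=mesh1
# Verification: dynamically created WDS interfaces and the learned mesh paths.
/interface wireless wds print
/interface mesh fdb print
```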
Check the dynamically created WDS interface on RouterA:
As you can see, the WDS interface is running and wds-address=00:0C:42:1F:9F:FD is the MAC address of the remote node.
Show the mesh interface ports on RouterA:
Test using ping:
If you want more security in your network you have to configure a wireless security profile under the /interface wireless security-profile menu.