Security in Wi-Fi networks: WEP, WPA and WPA2 encryption, and how Wi-Fi protection works

Fast wired Internet is becoming more and more accessible, and with the spread of mobile devices the question of how to use the home Internet connection on every device has become pressing. A Wi-Fi router serves this purpose: it distributes the wireless Internet connection among different users.

Special attention should be paid to the security of your network.

After purchasing a router, you only need to configure it the first time you turn it on. A disk with a configuration utility is supplied with the router and makes setting up a home network very easy. Nevertheless, inexperienced users often run into problems at the network security settings stage: the system prompts you to select an authentication method, and there are at least four options to choose from. Each has certain advantages and disadvantages, and if you want to protect yourself from attackers, you should choose the most reliable one. That is what this article is about.

Authentication Methods

Most home router models support the following network authentication methods: no encryption, WEP, WPA/WPA2-Enterprise and WPA/WPA2-Personal (WPA/WPA2-PSK). The last three also offer several encryption algorithms. Let's take a closer look.

No protection

This method speaks for itself: the connection is completely open and absolutely anyone can connect to it. It is typically used in public places, but it is better not to use it at home. The least it threatens you with is neighbours occupying your channel when they connect, so that you no longer get the full speed of your tariff plan. In the worst case, attackers can use it for their own purposes: stealing your confidential information or committing other illegal acts. True, you do not need to remember a password, but you must admit this is a rather dubious advantage.

WEP

With this network authentication method, the transmitted information is protected with a secret key. There are two variants: "Open System" and "Shared Key". In the first case, identification is based on filtering by MAC address without an additional key; this protection is minimal and therefore unsafe. In the second case, you have to come up with a secret code that is used as the security key. It can be 64, 128 or 152 bits long; the system tells you how long the code should be depending on its encoding, hexadecimal or ASCII. You can set several such codes. The protection is relative at best and has long been considered outdated.

WPA/WPA2-Enterprise and WPA/WPA2-Personal

A very reliable network authentication method; the first variant is used in enterprises, the second at home and in small offices. The difference between them is that the home version uses a permanent key configured on the access point, which together with the encryption algorithm and the SSID of the connection forms the secure connection. To gain access to such a network you need to know the password, so if the password is strong and you do not disclose it to anyone, this is an ideal option for an apartment or house. In addition, almost all manufacturers mark it as recommended.

The Enterprise variant uses a dynamic key, with an individual key assigned to each user. There is no point in bothering with this at home, so it is used only in large enterprises where the security of corporate data is very important.

Reliability also depends on the encryption algorithm. There are two: AES and TKIP. It is better to use the first, since the latter is derived from WEP and has proved to be a failure.

How to change Wi-Fi authentication method

If you configured authentication for your connection earlier but are not sure you chose the correct method, check it now. Open the router settings by entering its IP address, login and password in the browser (see the article on the router's IP address on our website). Go to the network security settings tab; on different router models it may be located differently. Then select a network authentication method, come up with a strong password, click "Save" and reboot the router. Don't forget to reconnect all devices to the network.

Conclusion

We hope you found this information useful. Do not neglect Wi-Fi security settings: do not leave the network open, but select the recommended authentication method and the correct encryption algorithm.

What connection security method are you using? Share with us in the comments.

TKIP and AES are two alternative encryption types used in the WPA and WPA2 security modes. In the wireless security settings of routers and access points you can choose one of three encryption options:

  • TKIP;
  • AES;
  • TKIP+AES.

If you select the latter (combined) option, clients will be able to connect to the access point using either of the two algorithms.

TKIP or AES? What's better?

Answer: for modern devices, the AES algorithm is definitely the better choice.

Use TKIP only if you have problems with the first one (it sometimes happens that with AES encryption the connection to the access point drops or cannot be established at all; this is usually called hardware incompatibility).

What is the difference

AES is a modern and more secure algorithm. It is compatible with the 802.11n standard and provides high data transfer speeds.

TKIP is deprecated. It has a lower security level and supports data transfer rates only up to 54 Mbit/s.

How to switch from TKIP to AES

Case 1. The access point operates in TKIP+AES mode

In this case you only need to change the encryption type on the client devices. The easiest way is to delete the network profile and connect to the network again.

Case 2: The access point uses only TKIP

In this case:

1. First, go to the web interface of the access point (or router). Change the encryption to AES and save the settings (details below).

2. Change the encryption on the client devices (details in the next section). Again, it is easier to forget the network and connect to it again by entering the security key.

Enabling AES encryption on the router

Using D-Link as an example

Go to the Wireless Setup section.

Click the Manual Wireless Connection Setup button.

Set the security mode to WPA2-PSK.

Find the Cipher Type item and set it to AES.

Click Save Settings.

Using TP-Link as an example

Open the Wireless section.

Select Wireless Security.

In the Version field select WPA2-PSK.

In the Encryption field select AES.

Click the Save button:

Change the wireless encryption type in Windows

Windows 10 and Windows 8.1

These OS versions do not have a . Therefore, there are three options for changing encryption.

Option 1. Windows itself detects a mismatch in the network settings and prompts you to re-enter the security key. In this case the correct encryption algorithm is set automatically.

Option 2. Windows cannot connect and offers to forget the network by displaying the corresponding button:

After this you will be able to connect to your network without problems, because its profile will have been deleted.

Option 3. You will have to delete the network profile manually from the command line and only then connect to the network again.

Follow these steps:

1 Launch Command Prompt.

2 Enter the command:

netsh wlan show profiles

to display a list of saved wireless network profiles.

3 Now enter the command:

netsh wlan delete profile "your network name"

to delete the selected profile.

If the network name contains a space (for example "wifi 2"), put it in quotes.

The picture shows all the described actions:

4 Now click on the wireless network icon in the taskbar:

5 Select a network.

6 Click Connect:

7 Enter your security key.

Windows 7

Everything is simpler and clearer here.

1 Click the wireless network icon in the taskbar.


3 Click on the link Wireless Network Management:

4 Right-click the profile of the desired network.

5 Select Properties:

Attention! At this step you can also click Delete network and just connect to it again! If you decide to do this, you don't need to read any further.

6 Go to the Security tab.

With the proliferation of wireless networks, the WPA and WPA2 encryption protocols have become known to almost every owner of a device that connects to Wi-Fi. They are shown in the connection properties, but attract minimal attention from most users who are not system administrators. It is quite enough to know that WPA2 is an evolution of WPA, and therefore WPA2 is newer and better suited to modern networks.

WPA is an encryption protocol designed to protect wireless networks of the IEEE 802.11 standard, developed by the Wi-Fi Alliance in 2003 as a replacement for the outdated and insecure WEP protocol.
WPA2 is an encryption protocol that is an improved development of WPA, introduced by the Wi-Fi Alliance in 2004.

Difference between WPA and WPA2

Finding the difference between WPA and WPA2 is not relevant for most users, since wireless network security comes down to choosing a more or less complex access password. Today all devices operating in Wi-Fi networks are required to support WPA2, so WPA would be chosen only in non-standard situations. For example, operating systems older than Windows XP SP3 do not support WPA2 without patches, so machines and devices running such systems require the attention of a network administrator. Even some modern smartphones may not support the newer encryption protocol; this mainly applies to off-brand Asian gadgets. On the other hand, some Windows versions older than XP do not support WPA2 at the Group Policy object level, so in that case they require more careful configuration of network connections.
The technical difference between WPA and WPA2 lies in the encryption technology, in particular the protocols used: WPA uses TKIP, WPA2 uses AES. In practice this means that the more modern WPA2 provides a higher degree of network security. For example, TKIP allows an authentication key of up to 128 bits, AES up to 256 bits.

TheDifference.ru determined that the difference between WPA2 and WPA is as follows:

WPA2 is an improvement over WPA.
WPA2 uses the AES protocol, WPA uses the TKIP protocol.
WPA2 is supported by all modern wireless devices.
WPA2 may not be supported by older operating systems.
WPA2 has a higher security level than WPA.

Hi all!

I analyzed some of the comments that visitors leave on the site, checked the search queries and realized that there is a very common problem with connecting to Wi-Fi that I have not written about yet. Many comments have been left on the site asking for help with this problem. I gave some advice there, but I don't know whether it helped (rarely does anyone write back about the results 🙁).

And yesterday Roman (thank you, kind man :) left a comment on the article in which he shared how he solved the "Saved, WPA\WPA2 protection" problem. This comment helped me understand the problem a little better, and I decided to collect all the tips for solving this error in one article.

The essence of the problem

When connecting a phone or tablet (most likely on Android) to a home network, or somewhere in a cafe, the label "Saved, WPA\WPA2 protection" appears next to the network name, and nothing else happens. If you tap this network and select Connect, nothing happens. You can see what this error looks like in the screenshot above.

I deliberately provoked this problem on my Asus RT-N13U Wi-Fi router and tried to connect an HTC One V phone (Android 4.0). That is how I got the message "Saved, WPA\WPA2 protection". Moreover, everything worked out the first time. How? Very simply: in my router settings, "Wireless network mode" was set to Auto, and I set it to n Only. I saved the settings, disconnected the phone from Wi-Fi, and it was no longer possible to connect :)

The main causes of the error “Saved, WPA\WPA2 protection”

Friends, I cannot cover everything exactly or give advice that will work one hundred percent of the time, I hope you understand. All devices are different, everyone has different settings, and there are many other nuances.

But I will try to collect the causes I know of that can produce such a problem connecting to a wireless network, and ways to solve them.

If, when connecting to a wireless network, you saw the message "Saved, WPA\WPA2 protected" on your phone (the wording may differ slightly), it is worth checking the following settings (I advise checking them in this order):

To begin with, simply reboot your router.

I have noticed this problem several times myself: the Internet on the phone simply stops working, although there is a connection and the signal is good. I turn Wi-Fi off and on on the phone, but it no longer connects to the network and says "Saved, WPA2 protection". Only rebooting the router helps.

  1. Set the correct region in the router settings
  2. Check the correctness of the Wi-Fi network password
  3. Check (change) the wireless network operating mode in the router settings
  4. Check (change) the encryption type and security type, change the password in the router settings
  5. Experiment with changing the channel on which your wireless network operates.
  6. Try changing the channel width.

And now in more detail on all points

Set the correct region in the router settings

Very often this error occurs precisely because the wrong region is set in the Wi-Fi settings.

I'll use a TP-Link as an example to show how to change the region. If you have a router from another manufacturer, these settings are most likely on the same page where you set the name and other wireless network settings.

In the control panel, go to the Wireless tab and, opposite the Region item, select the country you are in.

Save the settings by clicking the Save button.

Check your password and connect again

You may simply have entered the password incorrectly (although in that case you would most likely see a constant connection attempt going round in circles; it is still worth checking), and before going into the router settings I advise you to check this.

You may ask how to enter the password again, since no password prompt appears. You need to delete the connection: just tap your network and select Delete.

Now tap your network again and enter your Wi-Fi password, making sure it is correct. If you have forgotten it, look it up in the router settings or on a connected computer (if there is one). Read more in the article.

Checking the wireless network operating mode

It seems to me that this is the main reason: your device (phone, tablet) may simply not support the operating mode the router uses.

The operating mode is those strange letters b/g/n that you have probably already noticed in the router settings. Try experimenting with the modes. Don't forget to restart the router after each change and turn Wi-Fi off and on on your phone (tablet).

That is how I set n Only instead of Auto and got the error. What if, for example, you already have n Only in your settings? Then that is where your problem lies.

Changing the encryption/security type, password

It may be that your device simply does not like the security or encryption type the router uses. Or it does not like the password.

I advise you to set the following values:

WPA/WPA2 - Personal (Recommended)

Version: WPA-PSK

Encryption: AES

PSK Password (key): at least eight characters, numbers only.

Save, reboot the router, delete the connection on the phone and connect again by entering the new password.

Attention! After changing the password or other security settings, other devices that were already connected to this network (computers, laptops, TVs) may have trouble connecting.

Experimenting with the channel on which the Wi-Fi network operates

It's unlikely, of course, but it is possible. I wrote about what a wireless network channel is, how to change it and why in the article -.

Try experimenting and see if it helps.

Channel width

The Wi-Fi settings of a router include an item such as Channel width. If you have, for example, a TP-Link with an English-language menu, it is called Channel Width.

There you can select one of several options: Auto, 20MHz and 40MHz, depending on the router. First try Auto (or 20MHz/40MHz on Asus), and if that doesn't help, try each one separately.

Where can I change the channel width?

Go to the router settings (address 192.168.1.1 or 192.168.0.1; enter the login/password, which are printed on the bottom of the router).

Asus

Go to the Wireless network tab and change the value opposite Channel width.

TP-Link

Wireless tab, Wireless Settings, Channel Width item.

Don't forget to save the settings and reboot the router.

Afterword

It seems I've written everything I wanted. I really hope my advice helps you get rid of this problem and make friends between your phone or tablet and the Wi-Fi router 🙂.

Perhaps you know other solutions to this problem, share them in the comments - I will be grateful!

Best wishes!


The phone (tablet) does not connect to Wi-Fi, it says “Saved, WPA\WPA2 protected” updated: February 7, 2018 by: admin

Lately many "exposé" publications have appeared about the hacking of some new protocol or technology that compromises the security of wireless networks. Is this really so, what should you be afraid of, and how can you make access to your network as secure as possible? Do the words WEP, WPA, 802.1x, EAP, PKI mean little to you? This short overview brings together all the applicable encryption and radio access authorization technologies. I will try to show that a properly configured wireless network represents an insurmountable barrier for an attacker (up to a certain limit, of course).

Basics

Any interaction between the access point (network) and a wireless client is built on:

  • Authentication - how the client and the access point introduce themselves to each other and confirm that they have the right to communicate with each other;
  • Encryption - which scrambling algorithm is used for the transmitted data, how the encryption key is generated, and when it changes.

The parameters of a wireless network, primarily its name (SSID), are regularly advertised by the access point in broadcast beacon packets. Besides the expected security settings, QoS requirements, 802.11n parameters, supported rates, information about neighbouring points, etc. are transmitted. Authentication determines how the client presents itself to the access point. Possible options:

  • Open - a so-called open network, in which all connecting devices are authorized at once
  • Shared - the authenticity of the connecting device must be verified with a key/password
  • EAP - the authenticity of the connecting device must be verified by an external server using the EAP protocol

An open network does not mean that anyone can work with it with impunity. To transmit data in such a network, the encryption algorithm used must match and, accordingly, the encrypted connection must be correctly established. The encryption algorithms are:

  • None - no encryption, data is transmitted in clear text
  • WEP - cipher based on the RC4 algorithm with static or dynamic keys of different lengths (64 or 128 bits)
  • CKIP - Cisco's proprietary replacement for WEP, an early version of TKIP
  • TKIP - improved WEP replacement with additional checks and protection
  • AES/CCMP - the most advanced algorithm, based on AES256 with additional checks and protection

The combination Open Authentication, No Encryption is widely used in guest access systems such as Internet access in a cafe or hotel. To connect you only need to know the name of the wireless network. Often this connection is combined with an additional check by a Captive Portal: the user's HTTP request is redirected to an additional page where confirmation can be requested (login and password, agreement with the rules, etc.).

WEP encryption is compromised and must not be used (even with dynamic keys).

The commonly used terms WPA and WPA2 in fact determine the encryption algorithm (TKIP or AES). Since client adapters have supported WPA2 (AES) for quite some time, there is no point in using TKIP encryption.
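The security settings the beacon advertises, as described above, are carried in the RSN information element (the WPA2 part of the beacon): it names the group cipher, the pairwise ciphers and the authentication (AKM) type, so from a capture a defender can tell whether an access point still offers TKIP and whether it uses a PSK or 802.1X (EAP). The decoder below is an added example, not code from the original article, and the three sample elements are constructed by hand rather than captured from any real network.

```python
"""Decode an 802.11 RSN information element (element ID 48) and report the
advertised cipher suites and authentication (AKM) suites. Added example;
the sample IEs at the bottom are constructed, not captured."""
import struct

# Suite selectors are the IEEE OUI 00-0F-AC followed by a one-byte type.
RSN_OUI = b"\x00\x0f\xac"
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128 (AES)", 5: "WEP-104",
                 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "802.1X (EAP, Enterprise)", 2: "PSK (Personal)",
              5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE (WPA3-Personal)"}


def _suite_name(selector: bytes, table: dict) -> str:
    """Map a 4-byte suite selector to a name; vendor OUIs are reported raw."""
    if selector[:3] != RSN_OUI:
        return "vendor-specific " + selector.hex()
    return table.get(selector[3], "unknown-%d" % selector[3])


def _read_suite_list(body: bytes, pos: int, table: dict):
    """Read a little-endian count followed by that many 4-byte selectors."""
    if pos + 2 > len(body):          # list is optional; absent means defaults
        return [], pos
    count, = struct.unpack_from("<H", body, pos)
    pos += 2
    names = []
    for _ in range(count):
        if pos + 4 > len(body):
            raise ValueError("truncated suite list")
        names.append(_suite_name(body[pos:pos + 4], table))
        pos += 4
    return names, pos


def parse_rsn_ie(ie: bytes) -> dict:
    """Parse a raw RSN IE into group cipher, pairwise ciphers and AKM suites."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN information element")
    length = ie[1]
    body = ie[2:2 + length]
    if len(body) != length or length < 6:
        raise ValueError("truncated RSN IE")
    version, = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = _suite_name(body[2:6], CIPHER_SUITES)
    pairwise, pos = _read_suite_list(body, 6, CIPHER_SUITES)
    akms, pos = _read_suite_list(body, pos, AKM_SUITES)
    return {"group_cipher": group, "pairwise_ciphers": pairwise, "akm_suites": akms}


def weaknesses(parsed: dict) -> list:
    """Findings a defender would act on: any WEP or TKIP suite still advertised.
    Note that a TKIP+AES mixed-mode AP must use TKIP as the group (broadcast)
    cipher, so even AES-only clients receive multicast traffic under TKIP."""
    findings = []
    for cipher in [parsed["group_cipher"]] + parsed["pairwise_ciphers"]:
        if cipher.startswith("WEP") or cipher == "TKIP":
            findings.append("legacy cipher advertised: " + cipher)
    return findings


# Constructed sample IEs, written as the tagged parameter would appear in a beacon.
WPA2_PSK_AES_ONLY = bytes.fromhex(   # WPA2-Personal, AES only
    "3014 0100 000fac04 0100 000fac04 0100 000fac02 0000".replace(" ", ""))
WPA2_PSK_MIXED = bytes.fromhex(      # WPA/WPA2 mixed: group TKIP, pairwise CCMP+TKIP
    "3018 0100 000fac02 0200 000fac04 000fac02 0100 000fac02 0000".replace(" ", ""))
WPA2_ENTERPRISE = bytes.fromhex(     # WPA2-Enterprise: AKM 802.1X, AES
    "3014 0100 000fac04 0100 000fac04 0100 000fac01 0000".replace(" ", ""))

if __name__ == "__main__":
    for name, ie in [("PSK/AES", WPA2_PSK_AES_ONLY), ("PSK/mixed", WPA2_PSK_MIXED),
                     ("Enterprise", WPA2_ENTERPRISE)]:
        parsed = parse_rsn_ie(ie)
        print(name, parsed, weaknesses(parsed))
```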

The difference between WPA2 Personal and WPA2 Enterprise is where the encryption keys used by the AES algorithm come from. For private (home, small) use, a static key (password, code word, PSK (Pre-Shared Key)) of at least 8 characters is used; it is set in the access point settings and is the same for all clients of the wireless network. Compromise of such a key (someone spilled the beans to a neighbour, an employee was fired, a laptop was stolen) requires an immediate password change for all remaining users, which is only realistic when there are few of them. For corporate use, as the name suggests, a dynamic key is used, individual to each client working at that moment. This key can be periodically renewed during operation without breaking the connection, and an additional component, an authorization server, almost always a RADIUS server, is responsible for generating it.
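The two key-derivation steps behind the paragraph above, as an added example (not code from the original article): in WPA2 Personal the one static PMK is computed by every client from the shared passphrase and the SSID, as IEEE 802.11i specifies, and each session's PTK is then expanded from that PMK with the two MAC addresses and the two handshake nonces, which is why one leaked passphrase exposes every client and why Enterprise hands each client its own PMK from the RADIUS server instead. The MAC addresses and nonces are constructed sample values; the passphrase "password" with SSID "IEEE" is the standard's own test vector.

```python
"""WPA/WPA2-Personal key derivation per IEEE 802.11i, added as an illustration.
PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes); the per-session
PTK is PRF-expanded from the PMK. Sample MACs and nonces below are constructed."""
import hashlib
import hmac


def check_passphrase(passphrase: str) -> None:
    """802.11i allows a passphrase of 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: deterministic in (passphrase, SSID), so every client
    of the network ends up holding the same 256-bit key."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, cipher: str = "CCMP") -> bytes:
    """Pairwise Transient Key from the 4-way handshake inputs. CCMP needs 384 bits
    (KCK || KEK || TK); TKIP needs 512 (two extra 64-bit MIC keys)."""
    if len(ap_mac) != 6 or len(sta_mac) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("bad MAC or nonce length")
    # Ordering by min/max makes both sides compute the same input bytes.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    nbytes = {"CCMP": 48, "TKIP": 64}[cipher]
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def split_ptk(ptk: bytes) -> dict:
    """Name the PTK parts: KCK and KEK protect the handshake itself, TK is the
    session data key (the per-packet key source for TKIP, the CCMP key for AES)."""
    parts = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if len(ptk) == 64:
        parts["TKIP_MIC_AP"] = ptk[48:56]
        parts["TKIP_MIC_STA"] = ptk[56:64]
    return parts


# Constructed sample handshake inputs (not taken from any real capture).
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")   # 802.11i Annex H test vector input
    print("PMK:", pmk.hex())
    for name, value in split_ptk(derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)).items():
        print(name, value.hex())
    # Rotating the passphrase changes the PMK, and with it every client's PTK.
    print("rotated PMK differs:", derive_pmk("password2", "IEEE") != pmk)
```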

All possible security parameters are summarized in this table:

| Property | Static WEP | Dynamic WEP | WPA | WPA2 (Enterprise) |
|---|---|---|---|---|
| Identification | User, computer, WLAN card | User, computer | User, computer | User, computer |
| Authorization | Shared key | EAP | EAP or shared key | EAP or shared key |
| Integrity | 32-bit Integrity Check Value (ICV) | 32-bit ICV | 64-bit Message Integrity Code (MIC) | CTR/CBC-MAC (Counter mode with Cipher Block Chaining MAC, CCM), part of AES |
| Encryption | Static key | Session key | Per-packet key via TKIP | CCMP (AES) |
| Key distribution | One-time, manual | Pairwise Master Key (PMK) segment | Derived from PMK | Derived from PMK |
| Initialization vector | Plain, 24 bits | Plain, 24 bits | Extended vector, 65 bits | 48-bit packet number (PN) |
| Algorithm | RC4 | RC4 | RC4 | AES |
| Key length, bits | 64/128 | 64/128 | 128 | up to 256 |
| Required infrastructure | None | RADIUS | RADIUS | RADIUS |

While WPA2 Personal (WPA2 PSK) is straightforward, the enterprise solution requires further consideration.

WPA2 Enterprise



Here we are dealing with an additional set of protocols. On the client side there is a special software component, the supplicant (usually part of the OS), which interacts with the authorizing side, the AAA server. This example shows the operation of a unified radio network built on lightweight access points and a controller. When access points "with brains" are used, the entire role of intermediary between clients and server can be taken on by the access point itself. In this case the client supplicant's data is transmitted over the radio in the 802.1x protocol (EAPOL), and on the controller side it is wrapped in RADIUS packets.

Using the EAP authorization mechanism in your network means that after successful (almost certainly open) client authentication by the access point (together with the controller, if any), the latter asks the client to authorize (confirm its authority) with the infrastructure RADIUS server:


Using WPA2 Enterprise requires a RADIUS server on your network. At the moment the most capable products are the following:

  • Microsoft Network Policy Server (NPS), formerly IAS - configured via MMC, free, but you need to buy Windows
  • Cisco Secure Access Control Server (ACS) 4.2, 5.3 - configured via a web interface, sophisticated in functionality, allows you to build distributed and fault-tolerant systems, expensive
  • FreeRADIUS - free, configured using text configs, not convenient to manage and monitor

During this exchange the controller carefully monitors the ongoing exchange of information and waits for successful authorization or a refusal. If successful, the RADIUS server can pass additional parameters to the access point (for example, which VLAN to place the subscriber in, which IP address to assign, a QoS profile, etc.). At the end of the exchange, the RADIUS server allows the client and the access point to generate and exchange encryption keys (individual, valid only for this session):


EAP

The EAP protocol itself is a container: the actual authorization mechanism is left to inner protocols. Currently the following have gained any significant distribution:

  • EAP-FAST (Flexible Authentication via Secure Tunneling) - developed by Cisco; allows authorization using a login and password transmitted inside a TLS tunnel between the supplicant and the RADIUS server
  • EAP-TLS (Transport Layer Security) - uses a public key infrastructure (PKI) to authorize the client and server (supplicant and RADIUS server) through certificates issued by a trusted certification authority (CA). Requires issuing and installing a client certificate on each wireless device, so it is only suitable for a managed corporate environment. Windows Certificate Server has facilities that let the client generate its own certificate if the client is a domain member. Blocking a client is easily done by revoking its certificate (or through accounts).
  • EAP-TTLS (Tunneled Transport Layer Security) - similar to EAP-TLS, but does not require a client certificate when creating the tunnel. Inside such a tunnel, similar to a browser SSL connection, additional authorization is performed (using a password or something else).
  • PEAP-MSCHAPv2 (Protected EAP) - similar to EAP-TTLS in the initial establishment of an encrypted TLS tunnel between client and server, requiring a server certificate. Inside such a tunnel, authorization is then performed using the well-known MSCHAPv2 protocol.
  • PEAP-GTC (Generic Token Card) - similar to the previous one, but requires one-time password cards (and the related infrastructure)

All of these methods (except EAP-FAST) require a server certificate (on the RADIUS server) issued by a certification authority (CA), and the CA certificate itself must be present on the client device in the trusted group (easy to arrange with Group Policy in Windows). EAP-TLS additionally requires an individual client certificate. Client authentication is performed by digital signature and (optionally) by comparing the certificate presented by the client to the RADIUS server with the one the server retrieved from the PKI infrastructure (Active Directory).

Support for any of the EAP methods must be provided by the client-side supplicant. The standard built-in supplicant of Windows XP/Vista/7, iOS and Android provides at least EAP-TLS and EAP-MSCHAPv2, which makes these methods popular. Intel client adapters for Windows come with a ProSet utility that extends the available list. Cisco AnyConnect Client does the same.



How reliable is it?

After all, what does it take for an attacker to hack your network?

For Open Authentication, No Encryption: nothing. Connect to the network, and that's it. Since the radio medium is open and the signal travels in all directions, blocking it is not easy. With suitable client adapters that can listen to the air, network traffic is visible as if the attacker had connected to the wire, to a hub, or to the SPAN port of a switch.
WEP-based encryption requires only time to collect IVs and one of many freely available scanning utilities.
For encryption based on TKIP or AES, direct decryption is possible in theory, but in practice there have been no cases of hacking.

Of course, you can try to guess the PSK key or the password for one of the EAP methods. No common attacks against these methods are known. You can try social engineering, or thermorectal cryptanalysis.

You can gain access to a network protected by EAP-FAST, EAP-TTLS or PEAP-MSCHAPv2 only if you know the user's login and password (hacking as such is impossible). Attacks such as brute force or those aimed at vulnerabilities in MSCHAP are likewise impossible or difficult, because the EAP client-server channel is protected by an encrypted tunnel.

Access to a network protected by PEAP-GTC is possible only by hacking the token server or by stealing the token along with its password.

Access to a network protected by EAP-TLS is possible by stealing a user certificate (along with its private key, of course) or by issuing a valid but dummy certificate. The latter is only possible if the certification authority is compromised, which in normal companies is protected as the most valuable IT resource.

Since all of the above methods (except PEAP-GTC) allow passwords/certificates to be stored (cached), if a mobile device is stolen the attacker gets full network access without any questions asked. As a preventive measure, use full disk encryption with a password prompt when the device is turned on.

Remember: with proper design, a wireless network can be protected very well; there are no means of hacking such a network (to a certain extent).