From the Encryption (Authentication) drop-down list in the wireless access point configuration, you can select the level of the authentication method for your wireless connections. The eight available authentication methods, from least secure to most secure, are explained in this topic. Select the most secure authentication method that is supported by your wireless network clients.
KRACK WPA/WPA2 Vulnerabilities
WatchGuard has addressed recent KRACK WPA/WPA2 vulnerabilities for Firebox wireless devices in Fireware v12.0.1 and higher.
In Fireware v12.0.2 and higher, you can enable the WPA/WPA2 vulnerability mitigation check box in the Wireless settings to mitigate KRACK WPA/WPA2 vulnerabilities in unpatched wireless clients. For more information, see About Firebox Wireless Configuration.
WPA and WPA2 with Pre-Shared Keys
WPA (PSK) and WPA2 (PSK) Wi-Fi Protected Access methods use pre-shared keys for authentication. WPA (PSK) and WPA2 (PSK) are more secure than WEP shared key authentication. When you choose one of these methods, you configure a pre-shared key that all wireless devices must use to authenticate to the wireless access point.
Your wireless Firebox supports three wireless authentication settings that use pre-shared keys:
- WPA ONLY (PSK) — Accepts connections from wireless devices configured to use WPA with pre-shared keys.
- WPA/WPA2 (PSK) — Accepts connections from wireless devices configured to use WPA or WPA2 with pre-shared keys.
- WPA2 ONLY (PSK) — Accepts connections from wireless devices configured to use WPA2 with pre-shared key authentication. WPA2 implements the full 802.11i standard; it does not work with some older wireless network cards.
WPA and WPA2 with Enterprise Authentication
The WPA Enterprise and WPA2 Enterprise authentication methods use the IEEE 802.1X standard for network authentication. These authentication methods use the EAP (Extensible Authentication Protocol) framework to enable user authentication to an external RADIUS authentication server or to the Firebox (Firebox-DB). The WPA Enterprise and WPA2 Enterprise authentication methods are more secure than WPA/WPA2 (PSK) because users authenticate with their own credentials instead of a shared key.
Wireless Fireboxes that run Fireware v11.4 and higher support three WPA and WPA2 Enterprise wireless authentication methods:
- WPA Enterprise — Accepts connections from wireless devices configured to use WPA Enterprise authentication.
- WPA/WPA2 Enterprise — Accepts connections from wireless devices configured to use WPA Enterprise or WPA2 Enterprise authentication.
- WPA2 Enterprise — Accepts connections from wireless devices configured to use WPA2 Enterprise authentication. WPA2 implements the full 802.11i standard; it does not work with some older wireless network cards.
For more information about these authentication methods, see WPA/WPA2 Enterprise Authentication with RADIUS.
To use the Enterprise authentication methods, you must configure an external RADIUS authentication server, or configure the Firebox as an authentication server.
For more information about how to configure the settings for these authentication methods, see:
- Use a RADIUS Server for Wireless Authentication
- Use the Firebox as an Authentication Server for Wireless Authentication
Open System and Shared Key
The Open System and Shared Key authentication methods use WEP encryption. WEP is not as secure as WPA2 and WPA (Wi-Fi Protected Access). We recommend you do not use these less secure methods unless your wireless clients do not support WPA or WPA2.
- Open System — Open System authentication allows any user to authenticate to the access point. This method can be used with no encryption or with WEP encryption.
- Shared Key — Only those wireless clients that have the shared key can connect. Shared Key authentication can be used only with WEP encryption.
See Also
Set the Encryption Level
WPA/WPA2 Enterprise Authentication with RADIUS
802.1X Overview and EAP Types
Documentation
Content Type Product Information & Documentation
Article ID 000006999
Last Reviewed 10/28/2021
802.1X overview
802.1X is a port access protocol for protecting networks via authentication. As a result, this type of authentication method is extremely useful in the Wi-Fi environment due to the nature of the medium. If a Wi-Fi user is authenticated via 802.1X for network access, a virtual port is opened on the access point allowing for communication. If not successfully authorized, a virtual port isn't made available and communications are blocked.
There are three basic pieces to 802.1X authentication:
Extensible Authentication Protocol (EAP) is used to pass the authentication information between the supplicant (the Wi-Fi workstation) and the authentication server (Microsoft IAS or other). The EAP type actually handles and defines the authentication. The access point acting as authenticator is only a proxy to allow the supplicant and the authentication server to communicate.
Which should I use?
Which EAP type to implement, or whether to implement 802.1X at all, depends on the level of security that the organization needs, the administrative overhead, and features desired. Hopefully the descriptions here and a comparative chart will ease the difficulties in understanding the variety of EAP types available.
Extensible Authentication Protocol (EAP) authentication types
Because Wi-Fi Local Area Network (WLAN) security is essential and EAP authentication types provide a potentially better means of securing the WLAN connection, vendors are rapidly developing and adding EAP authentication types to their WLAN access points. Some of the most commonly deployed EAP authentication types include EAP-MD-5, EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-Fast, and Cisco LEAP.
802.1X EAP Types
| Feature / Benefit | MD5 (Message Digest 5) | TLS (Transport Level Security) | TTLS (Tunneled Transport Level Security) | PEAP (Protected Transport Level Security) | FAST (Flexible Authentication via Secure Tunneling) | LEAP (Lightweight Extensible Authentication Protocol) |
| --- | --- | --- | --- | --- | --- | --- |
| Client-side certificate required | no | yes | no | no | no (PAC) | no |
| Server-side certificate required | no | yes | yes | yes | no (PAC) | no |
| WEP key management | no | yes | yes | yes | yes | yes |
| Rogue AP detection | no | no | no | no | yes | yes |
| Provider | MS | MS | Funk | MS | Cisco | Cisco |
| Authentication Attributes | One way | Mutual | Mutual | Mutual | Mutual | Mutual |
| Deployment Difficulty | Easy | Difficult (because of client certificate deployment) | Moderate | Moderate | Moderate | Moderate |
| Wi-Fi Security | Poor | Very High | High | High | High | High when strong passwords are used. |
A review of the above discussions and table usually provides the following conclusions:
Another option is VPN
Instead of relying on Wi-Fi LAN for authentication and privacy (encryption), many enterprises implement a VPN. This is done by placing the access points outside the corporate firewall and having the user tunnel in via a VPN Gateway - just as if they were a remote user. The downsides of implementing a VPN solution are cost, initial installation complexities, and ongoing administration overhead.
Note
This data isn't intended for home or small-office users who typically don't use advanced security features such as those discussed within this page. However, these users may find the topics interesting for informational purposes.
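The EAP types compared in the table are told apart on the wire by the Type field of each EAP packet. As an added example (not code from Intel or from this article), the following Python parses EAP packets, including the Nak response in which a supplicant asks for a different method, and reports any method outside an allow-list together with the table's Wi-Fi Security rating. The allow-list, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 4: "MD5", 13: "TLS", 17: "LEAP",
         21: "TTLS", 25: "PEAP", 43: "FAST"}  # IANA EAP type numbers
# "Wi-Fi Security" row of the comparison table on this page.
RATING = {"MD5": "Poor", "TLS": "Very High", "TTLS": "High", "PEAP": "High",
          "FAST": "High", "LEAP": "High when strong passwords are used"}

def parse_eap(packet: bytes) -> dict:
    """Parse Code(1) Identifier(1) Length(2) [Type(1) Type-Data] per RFC 3748."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES or length < 4 or length > len(packet):
        raise ValueError("malformed EAP packet")
    body = packet[4:length]  # bytes past Length are link-layer padding
    info = {"code": CODES[code], "id": ident, "nak": False, "methods": []}
    if code in (1, 2) and body:  # only Request/Response carry a Type
        eap_type, data = body[0], body[1:]
        # A Legacy Nak response lists the types the peer wants instead.
        info["nak"] = code == 2 and eap_type == 3
        offered = list(data) if info["nak"] else [eap_type]
        info["methods"] = [TYPES.get(t, f"type-{t}") for t in offered]
    return info

def audit(packets, allowed=("TLS", "TTLS", "PEAP", "FAST")):
    """Return (index, note) for each EAP method seen that is not allowed."""
    findings = []
    for i, raw in enumerate(packets):
        try:
            info = parse_eap(raw)
        except ValueError as exc:
            findings.append((i, f"unparseable: {exc}"))
            continue
        who = "peer asks for" if info["nak"] else info["code"] + " uses"
        findings += [(i, f"{who} EAP-{m} (table rating: {RATING[m]})")
                     for m in info["methods"] if m in RATING and m not in allowed]
    return findings

# Constructed sample packets, not captured traffic.
SAMPLE = [bytes.fromhex(h) for h in (
    "0201000a01616c696365",                               # Response/Identity "alice"
    "010200061920",                                       # Request/PEAP start
    "020200060304",                                       # Response/Nak, wants MD5
    "010300160410" + "00112233445566778899aabbccddeeff",  # Request/MD5 challenge
    "03030004",                                           # Success
    "0104002019",                                         # Length field exceeds data
)]
```

Calling `audit(SAMPLE)` returns one finding per packet that negotiates or requests a method outside the allow-list, plus one for the packet that fails to parse.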