
Understanding Wireless Encryption and Ciphers

Wireless network security relies on a combination of encryption, authentication, and authorization to provide maximum protection for a WLAN. Encryption is focused on protecting the information within a session, reading information in a data stream and altering it to make it unreadable to users outside the network. This topic discusses encryption.

Figure 44: Network Security Is Provided by Encryption, Authentication, and Authorization


Juniper Networks access points support all three standard types of wireless access point-client encryption: the legacy encryption Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and WPA2 (also called RSN). Encryption type is configured in WLAN Service profiles under the Security Settings tab. For information about applying encryption, see Creating and Managing a WLAN Service Profile.


Wired Equivalent Privacy (WEP) Was the Original Wireless Encryption

WEP was the original security algorithm for IEEE 802.11 wireless networks, introduced as part of the original 802.11 standard.

WPA Encryption Replaced WEP

WPA addressed the vulnerabilities of WEP, the original, less secure 40-bit or 104-bit encryption scheme in the IEEE 802.11 standard. WPA also provides user authentication, whereas WEP lacks any means of authentication.

WPA replaced WEP with a stronger encryption technology called Temporal Key Integrity Protocol (TKIP) with Message Integrity Check (MIC). It also provides a scheme of mutual authentication using either IEEE 802.1X/Extensible Authentication Protocol (EAP) authentication or pre-shared key (PSK) technology.

Note: You can simultaneously apply both WPA and WPA2 to an SSID. Clients use WPA2 if they have the capability; otherwise the client uses WPA. WPA2 is recommended unless you need to provide access for legacy devices. All 802.11n devices support WPA2.

WPA2 Is the Strongest Encryption Available

WPA2 is the certified version of the full IEEE 802.11i specification. Like WPA, WPA2 supports either IEEE 802.1X/EAP authentication or PSK technology. It also includes a new advanced encryption mechanism, the Counter-Mode/CBC-MAC Protocol (CCMP), which uses the Advanced Encryption Standard (AES).

WPA was based on the 802.11i draft, while WPA2 is based on the final 802.11i standard. Where WPA encryption was specifically designed to work with some wireless hardware that supported WEP, WPA2 offers stronger security but is not supported by earlier hardware designed for WEP.

Note: The Wi-Fi Alliance requires that high-throughput (802.11n) transmissions use WPA2 and CCMP. You can simultaneously apply both WPA and WPA2 to an SSID. Clients use WPA2 if they have the capability—otherwise the client uses WPA.

Security Ciphers for WPA and WPA2

Standard security ciphers are part of both WPA and WPA2 encryption. You choose whether you want to apply either the newer CCMP, or TKIP (an upgrade of original WEP programming), or both for each WLAN Service profile. Both cipher suites dynamically generate unique session keys for each session and periodically change the keys to reduce the likelihood of a network intruder intercepting enough frames to decode a key. The two available ciphers are:

Which Encryption Method Should I Use?

WPA2 is the most secure encryption method available for wireless networks—we recommend using WPA2 with the CCMP cipher whenever possible. WPA2 with CCMP is the only option permitted for high throughput 802.11n transmissions. Eventually, WPA encryption with TKIP will be obsolete as you replace older devices that use only TKIP.

If you need to accommodate legacy devices with an SSID, enable WPA encryption with the TKIP cipher. Keep in mind that this has an effect on performance. The additional AES cipher takes more computing power to run than simple TKIP does, so older, smaller devices may not support it.

Note: You can create different WLAN Service profiles (SSIDs) for different levels of encryption. This maximizes the use of WPA2 security.

Security always affects performance, so it is really up to you how much bandwidth and processing time you want to devote to it. With newer devices, this is much less of an issue because new devices have plenty of resources for the highest level of security, WPA2 with CCMP.
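
To check which ciphers an SSID actually advertises, you can inspect the RSN element in its beacons. The following is an added example, not Juniper code: it parses the standard IEEE 802.11 RSN element (ID 48) and flags an SSID that offers TKIP or uses a non-CCMP group cipher. The sample elements are constructed, the function names are hypothetical, and the parser assumes the group, pairwise, and AKM fields are all present.

```python
import struct

OUI = bytes.fromhex("000fac")  # IEEE 802.11 OUI used in standard suite selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def _name(sel, names):
    """Map a 4-byte suite selector (3-byte OUI + type) to a name."""
    return names.get(sel[3], f"unknown-{sel[3]}") if sel[:3] == OUI else "vendor-specific"

def _suites(buf, off, names):
    """Read a 2-byte little-endian count, then that many 4-byte suite selectors."""
    if off + 2 > len(buf):
        raise ValueError("truncated suite count")
    count = struct.unpack_from("<H", buf, off)[0]
    end = off + 2 + 4 * count
    if end > len(buf):
        raise ValueError("truncated suite list")
    sels = [buf[i:i + 4] for i in range(off + 2, end, 4)]
    return [_name(s, names) for s in sels], end

def parse_rsn(ie):
    """Parse an RSN element into its group cipher, pairwise ciphers and AKMs."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    if len(body) < 6 or struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("truncated or unsupported RSN element")
    pairwise, off = _suites(body, 6, CIPHERS)
    akms, _ = _suites(body, off, AKMS)
    return {"group": _name(body[2:6], CIPHERS), "pairwise": pairwise, "akm": akms}

def audit(ie):
    """Return findings for an SSID, following the advice to prefer WPA2 with CCMP."""
    rsn = parse_rsn(ie)
    findings = []
    if "TKIP" in rsn["pairwise"]:
        findings.append("TKIP offered as a pairwise cipher (legacy clients allowed)")
    if rsn["group"] != "CCMP":
        findings.append(f"group cipher is {rsn['group']}, so broadcast traffic does not use CCMP")
    return findings

# Constructed sample elements (not captured from a real network).
CCMP_ONLY = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
MIXED = bytes.fromhex("30180100000fac020200000fac04000fac020100000fac010000")

if __name__ == "__main__":
    for name, ie in (("CCMP only", CCMP_ONLY), ("TKIP+CCMP", MIXED)):
        print(name, parse_rsn(ie), audit(ie) or "no findings")
```

The constructed mixed-mode sample uses TKIP as its group cipher, because broadcast traffic on an SSID that admits TKIP-only clients has to use a cipher every client supports.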
