WPA2\AES and PSK

Apr 24th, 2009

We have a situation where we need to implement WPA2, AES with PSK on our WLC. If I put a complex passphrase of 63 ASCII characters, how safe is my wireless network? After reading multiple forums, it seems that it is quite safe, even if this setup is designed for a home or medium office.


Your feedback is very much appreciated.


Thank you.


Scott Fella Fri, 04/24/2009 - 04:34
Well, the maximum length is 63, but of course the more characters the more secure. WPA2/AES is very difficult to crack anyways. With WPA/TKIP, using more characters helps since that has already been compromised.


Make sure that your devices support 63 characters.


Here is a link that talks about WPA-PSK:


http://blogs.zdnet.com/Ou/?p=127


If your choice is only to use PSK, then WPA2/AES. If you have a RADIUS server, then it would be better to use 802.1x or WPA2-Enterprise as it is called in some software.

gamccall Fri, 04/24/2009 - 05:38

As far as the security algorithm itself is concerned, a very long, random PSK is extremely secure.


However, there are human factor issues that come into play: that long PSK has to be written down somewhere and that location must be kept secure; the number of people who have access to the key must be limited and all of them must carefully maintain the security of the key; if the key is compromised you must manually change the keys on all clients; etc.


Another issue is that with a PSK you have no way to map a given wireless connection to any individual user, as you would with 802.1X. So if an EAP account is compromised you at least know who to yell at, whereas if your key is compromised you have no clue.


Nobody's going to crack a 63-character passphrase using over-the-air tools. But they won't bother. They'll just find a way to get into your helpdesk office and take a picture of the whiteboard where it's written down.

grzegorz.ciolek Mon, 04/27/2009 - 23:09

Hi,

If this system will work with MS WZC supplicants, an easy way to get the PSK is to extract it from the Windows registry.

Cheers
