qotw

4 posts by 3 authors in: Forums > CWSP - Enterprise Wi-Fi Security
Last Post: May 16, 2007:
  • Here's the question of the week.

    You have a WLAN controller with two WLAN profiles - one supporting only WEP, one supporting only 802.1X/PEAP with CCMP.

    Do you have an RSN? Explain your answer.

    Devinator

  • By WLAN profile I will assume you mean VLAN.

    Yes, you have a (TSN) RSN.

    http://www.tech-faq.com/rsn-robust-secure-network.shtml


    Edit:
    (Legacy/devices that can't support CCMP) Page 416 of the CWSP study guide.

  • By (Deleted User)

    According to IEEE 802.11i-2004, an RSN is defined as:

    3.106 robust security network (RSN): A security network that allows only the creation of robust security network associations (RSNAs). An RSN can be identified by the indication in the RSN Information Element (IE) of Beacon frames that the group cipher suite specified is not wired equivalent privacy (WEP).


    and a RSNA is:

    3.107 robust security network association (RSNA): The type of association used by a pair of stations (STAs) if the procedure to establish authentication or association between them includes the 4-Way Handshake. Note that the existence of a RSNA by a pair of devices does not of itself provide robust security. Robust security is provided when all devices in the network use RSNAs.



    So, given the above, unless something has changed in the standard (certainly possible), I would say, no, you do not have a RSN because the existence of the WEP-enabled WLAN kills it. If you just had the PEAP-enabled WLAN or if the WEP WLAN was WPA2 with AES instead, then you'd have an RSN. By definition, to have an RSN, you must employ security mechanisms that use 4-way Handshake authentication methods.

    Joel

  • Joel is mostly right. It's true that the presence of WEP negates the possibility of an RSN....for that profile.

    Brett C. - A WLAN Profile is defined here:
    http://www.cwnp.com/exams/cwnp_exam_terms.pdf

    Each profile is a "virtual" ESS when it comes to use of WLAN controllers. Therefore, if one profile meets the requirements of being an RSN - which are:

    * If 802.1X/EAP is used, then mutual authentication has to be used
    * CCMP or TKIP or both may be used, but not WEP - as noted in the RSN IE of the Beacon, Probe Response, and (Re)Association Request frames.
    * A 4-Way Handshake must be used.
    * Only RSNAs are used in an ESS.

    So the final answer is:

    You have both a Pre-RSNA and an RSN in this configuration.

    Thanks for playing. :-D

    Devinator
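
The per-profile check discussed in this thread, as an added example that is not part of any post: it parses the RSN IE (element ID 48) from a Beacon's tagged parameters and labels each profile RSN, TSN or pre-RSNA by the group cipher suite. The SSIDs and frame bytes are constructed samples, and the parser assumes the IE carries its pairwise and AKM suite lists.

```python
import struct

RSN_IE_ID = 48                       # element ID of the RSN information element
OUI = b"\x00\x0f\xac"                # OUI used by the standard's suite selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def ie(eid, body):                   # encode one element: ID, length, body
    return bytes([eid, len(body)]) + body

def iter_ies(tagged):
    """Yield (element_id, body) for each element in a frame's tagged parameters."""
    i = 0
    while i + 2 <= len(tagged):
        eid, length = tagged[i], tagged[i + 1]
        if i + 2 + length > len(tagged):
            raise ValueError("truncated information element")
        yield eid, tagged[i + 2:i + 2 + length]
        i += 2 + length

def suite(sel, names):
    return names.get(sel[3], "unknown") if sel[:3] == OUI else "vendor"

def suite_list(body, off, names):
    """Read a 2-byte little-endian count, then that many 4-byte suite selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    return [suite(body[p:p + 4], names) for p in range(off + 2, end, 4)], end

def parse_rsn_ie(body):
    if len(body) < 8:                # version + group suite + pairwise count
        raise ValueError("RSN IE too short")
    pairwise, off = suite_list(body, 6, CIPHERS)
    akm, _ = suite_list(body, off, AKMS)
    return {"group": suite(body[2:6], CIPHERS), "pairwise": pairwise, "akm": akm}

def classify(tagged):
    """No RSN IE: pre-RSNA. RSN IE with WEP group cipher: TSN. Otherwise: RSN."""
    for eid, body in iter_ies(tagged):
        if eid == RSN_IE_ID:
            rsn = parse_rsn_ie(body)
            return ("TSN" if rsn["group"].startswith("WEP") else "RSN"), rsn
    return "pre-RSNA", None

# Constructed Beacon tagged parameters for the two profiles in the question.
WEP_PROFILE = ie(0, b"legacy-wep")   # SSID element only; static WEP has no RSN IE
PEAP_PROFILE = ie(0, b"corp-peap") + ie(RSN_IE_ID, bytes.fromhex(
    "0100 000fac04 0100 000fac04 0100 000fac01 0000"))
```

Running `classify` on each profile's Beacon separately mirrors the "virtual ESS" view in the final post: the result is per profile, not per controller.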
