.. _example_interfaces_wlan_security:
########
Security
########

.. sidebar:: Contents

   .. contents::
      :depth: 1
      :local:

The following scenarios show how to configure WLAN interfaces to
use different security modes. All examples use the
``wifi0`` radio module and channel number ``36``,
which avoids waiting for the *cac* timer to expire. Note that an external
RADIUS server is required in the **enterprise** scenarios.

.. image:: wlansecurity.svg
   :width: 400

*************
Open Security
*************
Description
===========
In this example, the ``wlan1`` interface will be configured to
use no security.
Scenario
========
.. include:: security/opensecurity
.. raw:: html
********
OWE Mode
********
Description
===========
In this example, the ``wlan1`` interface will be configured to
use *OWE* security (*Opportunistic Wireless Encryption*). The main advantage of
this mode compared with *open security* is that the traffic is encrypted,
which makes passive sniffing useless.
Scenario
========
.. include:: security/owemode
.. raw:: html
*******************
OWE-Transition Mode
*******************
Description
===========
In this example, the ``wlan1`` interface will be configured to
use *OWE* security (*Opportunistic Wireless Encryption*), and an additional
interface, ``wlan2``, will be configured with *open security*. The open network is
just a transition mechanism that tells WPA3-capable devices connecting to it
to use the *OWE* network instead.
Scenario
========
.. include:: security/owe-transitionmode
.. raw:: html
*****************
WPA-Personal Mode
*****************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPA personal*
mode, where security is ensured by means of the pre-shared key ``secret-password``.
The ``aes-ccmp`` and ``tkip`` ciphers will be used for unicast traffic.
Scenario
========
.. include:: security/wpa-personalmode
.. raw:: html
******************
WPA2-Personal Mode
******************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPAv2 personal*
mode, where security is ensured by means of the pre-shared key ``secret-password``.
The ``aes-ccmp`` and ``tkip`` ciphers will be used for unicast traffic.
Scenario
========
.. include:: security/wpa2-personalmode
.. raw:: html
**********************
WPA/WPA2-Personal Mode
**********************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPA/WPAv2 personal*
mode, also known as *WPAv2 mixed* mode, where security is ensured by means of the pre-shared
key ``secret-password``. The ``aes-ccmp`` and ``tkip`` ciphers will be used for unicast traffic.
Scenario
========
.. include:: security/wpa/wpa2-personalmode
.. raw:: html
***********************
WPA3-Personal Only Mode
***********************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPAv3 personal*
mode, also known as *SAE* (Simultaneous Authentication of Equals), the state of the art in
*PSK* mode, where security is ensured by means of the pre-shared key ``secret-password``.
The ``aes-ccmp`` cipher will be used for unicast traffic. Protected Management Frames or ``pmf``
must be set to ``required`` in this mode.
Scenario
========
.. include:: security/wpa3-personalonlymode
.. raw:: html
**********************************
WPA2/WPA3-Personal Transition Mode
**********************************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPAv2/WPAv3 personal*
mode, also known as *WPAv3 transition* mode, where security is ensured by means of the pre-shared
key ``secret-password``. The ``aes-ccmp`` cipher will be used for unicast traffic. Protected
Management Frames or ``pmf`` must be set to ``optional`` in this mode.
Scenario
========
.. include:: security/wpa2/wpa3-personaltransitionmode
.. raw:: html
*******************
WPA-Enterprise Mode
*******************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPA enterprise*
mode, where security is ensured by means of the RADIUS server ``192.168.100.20``.
The ``aes-ccmp`` and ``tkip`` ciphers will be used for unicast traffic.
Scenario
========
.. include:: security/wpa-enterprisemode
.. raw:: html
********************
WPA2-Enterprise Mode
********************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPAv2 enterprise*
mode, where security is ensured by means of the RADIUS server ``192.168.100.20``.
The ``aes-ccmp`` and ``tkip`` ciphers will be used for unicast traffic.
Scenario
========
.. include:: security/wpa2-enterprisemode
.. raw:: html
************************
WPA/WPA2-Enterprise Mode
************************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPA/WPAv2 enterprise*
mode, also known as *WPAv2 mixed* mode, where security is ensured by means of the RADIUS
server ``192.168.100.20``. The ``aes-ccmp`` and ``tkip`` ciphers will be used for unicast traffic.
Scenario
========
.. include:: security/wpa/wpa2-enterprisemode
.. raw:: html
*************************
WPA3-Enterprise Only Mode
*************************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPAv3 enterprise*
mode, where security is ensured by means of the RADIUS server ``192.168.100.20``.
The ``aes-ccmp`` cipher will be used for unicast traffic. Protected Management Frames or
``pmf`` must be set to ``required`` in this mode.
Scenario
========
.. include:: security/wpa3-enterpriseonlymode
.. raw:: html
************************************
WPA2/WPA3-Enterprise Transition Mode
************************************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPAv2/WPAv3 enterprise*
mode, also known as *WPAv3 transition* mode, where security is ensured by means of the RADIUS
server ``192.168.100.20``. The ``aes-ccmp`` cipher will be used for unicast traffic. Protected
Management Frames or ``pmf`` must be set to ``optional`` in this mode.
Scenario
========
.. include:: security/wpa2/wpa3-enterprisetransitionmode
.. raw:: html
*************************************
WPA3-Enterprise “192-bit” (CNSA) Mode
*************************************
Description
===========
In this example, the ``wlan1`` interface will be configured in *CNSA WPAv3-enterprise*
mode (``CNSA`` or *Commercial National Security Algorithm*), the most secure WLAN mode available today,
where security is ensured by means of the RADIUS server ``192.168.100.20``.
The ``aes-gcmp-256`` cipher will be used for unicast traffic. Protected Management Frames or
``pmf`` must be set to ``required`` in this mode.
Scenario
========
.. include:: security/wpa3-enterprise“192-bit”(cnsa)mode
.. raw:: html
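
The mode descriptions on this page pair each WPA mode with specific unicast ciphers and, for the WPA3 modes, a ``pmf`` setting. The following Python check is an added example, not part of the original documentation or of the device's software; it audits profile dictionaries against those pairings and also flags the documentation key ``secret-password`` left in use. The mode keys, profile field names and sample profiles are hypothetical and constructed for illustration.

```python
DOC_EXAMPLE_PSK = "secret-password"  # the key used in this page's scenarios

# mode -> (unicast ciphers the page pairs with it, pmf value it requires,
# or None where the page states none). Mode keys and profile field names
# are hypothetical, not the device's CLI syntax.
PAGE_RULES = {}
for kind in ("personal", "enterprise"):
    for gen in ("wpa", "wpa2", "wpa-wpa2"):
        PAGE_RULES[f"{gen}-{kind}"] = ({"aes-ccmp", "tkip"}, None)
    PAGE_RULES[f"wpa3-{kind}"] = ({"aes-ccmp"}, "required")
    PAGE_RULES[f"wpa2-wpa3-{kind}"] = ({"aes-ccmp"}, "optional")
PAGE_RULES["wpa3-enterprise-cnsa"] = ({"aes-gcmp-256"}, "required")


def audit(profile):
    """Return finding codes for one profile dict; an empty list means consistent."""
    mode = profile.get("mode")
    if mode not in PAGE_RULES:
        return ["unknown-mode"]
    allowed, pmf = PAGE_RULES[mode]
    ciphers = set(profile.get("ciphers", []))
    findings = []
    if not ciphers:
        findings.append("no-cipher")
    if ciphers - allowed:
        findings.append("unexpected-cipher:" + ",".join(sorted(ciphers - allowed)))
    if pmf is not None and profile.get("pmf") != pmf:
        findings.append(f"pmf-must-be-{pmf}")
    if "personal" in mode and profile.get("psk") == DOC_EXAMPLE_PSK:
        findings.append("documentation-psk-in-use")
    if "enterprise" in mode and not profile.get("radius"):
        findings.append("radius-server-missing")
    return findings


# Constructed sample profiles (not taken from a real device).
SAMPLES = [
    {"mode": "wpa3-personal", "ciphers": ["aes-ccmp"], "pmf": "required",
     "psk": "constructed-unique-passphrase"},
    {"mode": "wpa3-personal", "ciphers": ["aes-ccmp", "tkip"], "pmf": "optional",
     "psk": "secret-password"},
    {"mode": "wpa3-enterprise-cnsa", "ciphers": ["aes-ccmp"], "pmf": "required"},
    {"mode": "wpa2-wpa3-enterprise", "ciphers": ["aes-ccmp"], "pmf": "optional",
     "radius": "192.168.100.20"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["mode"], audit(sample) or "ok")
```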