.. _example_interfaces_wlan_security:
########
Security
########
.. sidebar:: Contents

    .. contents::
        :depth: 1
        :local:

The following scenarios show how to configure WLAN interfaces to
use different security modes. All examples use the
``wifi0`` radio module and channel number ``36``
to avoid waiting for the *cac* timer to expire. Note that the
**enterprise** scenarios require an external RADIUS server, and the
``testing`` user with password ``password`` must be present in its database.

.. image:: wlansecurity.svg
    :width: 400

*************
Open Security
*************
Description
===========
In this example, the ``wlan1`` interface will be configured to
use no security.
Scenario
========
.. include:: security/opensecurity
********
OWE Mode
********
Description
===========
In this example, the ``wlan1`` interface will be configured to
use *OWE* (*Opportunistic Wireless Encryption*) security. The main advantage of
this mode, compared with *open security*, is that the traffic is encrypted,
which makes passive sniffing useless. Like *open security*, it requires no
password and performs no authentication.
Scenario
========
.. include:: security/owemode
*******************
OWE-Transition Mode
*******************
Description
===========
In this example, the ``wlan1`` interface will be configured to
use *OWE* (*Opportunistic Wireless Encryption*) security and an additional one,
``wlan2``, will also be configured with *open security*. The open network is
just a transition mechanism that tells WPA3-capable devices to use the *OWE*
network if they connect to the open one.
Scenario
========
.. include:: security/owe-transitionmode
*****************
WPA-Personal Mode
*****************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPA personal*
mode, where security is ensured by means of the pre-shared key ``secret-password``.
The ``aes-ccmp`` and ``tkip`` ciphers will be used for unicast traffic.
Scenario
========
.. include:: security/wpa-personalmode
******************
WPA2-Personal Mode
******************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPAv2 personal*
mode, where security is ensured by means of the pre-shared key ``secret-password``.
The ``aes-ccmp`` and ``tkip`` ciphers will be used for unicast traffic.
Scenario
========
.. include:: security/wpa2-personalmode
**********************
WPA/WPA2-Personal Mode
**********************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPA/WPAv2 personal*
mode, also known as *WPAv2 mixed* mode. Here, security is ensured by means of the pre-shared
key ``secret-password``. The ``aes-ccmp`` and ``tkip`` ciphers will be used for unicast traffic.
Scenario
========
.. include:: security/wpa/wpa2-personalmode
***********************
WPA3-Personal Only Mode
***********************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPAv3 personal*
mode, also known as *SAE* (Simultaneous Authentication of Equals), the state of the art in
*PSK* mode, where security is ensured by means of the pre-shared key ``secret-password``.
The ``aes-ccmp`` cipher will be used for unicast traffic. Protected Management Frames (``pmf``)
must be set to ``required`` in this mode.
Scenario
========
.. include:: security/wpa3-personalonlymode
**********************************
WPA2/WPA3-Personal Transition Mode
**********************************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPAv2/WPAv3 personal*
mode, also known as *WPAv3 transition* mode, where security is ensured by means of the pre-shared
key ``secret-password``. The ``aes-ccmp`` cipher will be used for unicast traffic. Protected
Management Frames (``pmf``) must be set to ``optional`` in this mode.
Scenario
========
.. include:: security/wpa2/wpa3-personaltransitionmode
*******************
WPA-Enterprise Mode
*******************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPA enterprise*
mode, where security is ensured by means of the RADIUS server ``10.215.168.1``.
The ``aes-ccmp`` and ``tkip`` ciphers will be used for unicast traffic.
Scenario
========
.. include:: security/wpa-enterprisemode
********************
WPA2-Enterprise Mode
********************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPAv2 enterprise*
mode, where security is ensured by means of the RADIUS server ``10.215.168.1``.
The ``aes-ccmp`` and ``tkip`` ciphers will be used for unicast traffic.
Scenario
========
.. include:: security/wpa2-enterprisemode
************************
WPA/WPA2-Enterprise Mode
************************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPA/WPAv2 enterprise*
mode, also known as *WPAv2 mixed* mode, where security is ensured by means of the RADIUS
server ``10.215.168.1``. The ``aes-ccmp`` and ``tkip`` ciphers will be used for unicast traffic.
Scenario
========
.. include:: security/wpa/wpa2-enterprisemode
*************************
WPA3-Enterprise Only Mode
*************************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPAv3 enterprise*
mode, where security is ensured by means of the RADIUS server ``10.215.168.1``.
The ``aes-ccmp`` cipher will be used for unicast traffic. Protected Management Frames
(``pmf``) must be set to ``required`` in this mode.
Scenario
========
.. include:: security/wpa3-enterpriseonlymode
************************************
WPA2/WPA3-Enterprise Transition Mode
************************************
Description
===========
In this example, the ``wlan1`` interface will be configured in *WPAv2/WPAv3 enterprise*
mode, also known as *WPAv3 transition* mode, where security is ensured by means of the RADIUS
server ``10.215.168.1``. The ``aes-ccmp`` cipher will be used for unicast traffic. Protected
Management Frames (``pmf``) must be set to ``optional`` in this mode.
Scenario
========
.. include:: security/wpa2/wpa3-enterprisetransitionmode
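
The cipher and ``pmf`` pairings stated for the WPA modes on this page can be checked mechanically before a profile is deployed. The following audit is an added example, not part of the original documentation: the profile dictionary layout and the mode names are hypothetical (they are not CLI syntax), and the sample profiles are constructed.

```python
# Added example; the profile dict layout is hypothetical, not OSDx CLI syntax.
# mode -> (unicast ciphers this page pairs with it, pmf value the page requires)
RULES = {
    "wpa-personal": ({"aes-ccmp", "tkip"}, None),
    "wpa2-personal": ({"aes-ccmp", "tkip"}, None),
    "wpa-wpa2-personal": ({"aes-ccmp", "tkip"}, None),
    "wpa3-personal-only": ({"aes-ccmp"}, "required"),
    "wpa2-wpa3-personal-transition": ({"aes-ccmp"}, "optional"),
}
# Enterprise modes use the same cipher/pmf pairing as their personal twins.
RULES.update({m.replace("personal", "enterprise"): r for m, r in RULES.items()})
DOC_PSK = "secret-password"  # sample key printed on this page


def audit(profile):
    """Return a sorted list of (severity, message) findings for one profile."""
    mode, out = profile["mode"], []
    if mode in ("open", "owe"):
        return [] if mode == "owe" else [("warn", "traffic is unencrypted; owe mode would encrypt it")]
    if mode not in RULES:
        return [("error", f"unknown mode {mode!r}")]
    allowed, pmf = RULES[mode]
    ciphers = set(profile.get("ciphers", []))
    for c in sorted(ciphers - allowed):
        out.append(("error", f"cipher {c} not allowed in {mode}"))
    if "tkip" in ciphers & allowed:
        out.append(("warn", "tkip is a legacy cipher; prefer aes-ccmp alone"))
    if pmf and profile.get("pmf") != pmf:
        out.append(("error", f"pmf must be {pmf} in {mode}"))
    if "personal" in mode:
        psk = profile.get("psk", "")
        if not psk:
            out.append(("error", "personal mode needs a psk"))
        elif psk == DOC_PSK:
            out.append(("warn", "psk is the documentation sample key"))
    elif not profile.get("radius"):
        out.append(("error", "enterprise mode needs a radius server"))
    return sorted(out)


# Constructed sample profiles (not taken from a real device).
SAMPLES = [
    {"name": "wlan1", "mode": "wpa3-personal-only", "ciphers": ["aes-ccmp", "tkip"],
     "pmf": "optional", "psk": "secret-password"},
    {"name": "wlan2", "mode": "wpa2-enterprise", "ciphers": ["aes-ccmp"],
     "radius": "10.215.168.1"},
]

REPORT = {p["name"]: audit(p) for p in SAMPLES}
```

``REPORT`` maps each sample interface name to its findings; an empty list means the profile matches the pairing described for its mode.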