Hi everybody.
During the last day I did my first Mikrotik wifi experiences and I need your help to clarify some doubts.
I set up a hotspot on my RB751 following the step-by-step instructions in the wiki. Hotspot user authentication works great with UserManager.
As a second goal I want to have a secure wifi connection between clients and the access point to avoid simple network sniffing. The device will be installed in a school.
I tried to use WPA-PSK to encrypt wifi traffic. In this scenario, could an attacker decrypt user wifi traffic simply using/knowing the shared key?
If the answer to the above question is “yes”, is there a centralized solution to assign a dynamic key to every user connecting to the access point? I’m referring, for example, to WPA-EAP, even though I don’t understand exactly how it works and how it has to be configured on Mikrotik. To reduce administrative tasks, no password configuration should have to be done on the client side (if possible!).
If you are using WPA, then every client gets a uniquely different encryption stream, therefore knowing the passphrase key is not enough to decrypt the traffic. Try to use AES not TKIP! It is more secure and provides a higher data throughput.
If someone knows the pass phrase, wouldn’t they just join the network and use other methods to sniff the traffic? No need to decrypt the unique streams if they have network access. If someone recorded the packets for later decryption, then it’s good protection. Some access points support L2 isolation, which in conjunction with WPA limits sniffing.
If you’re worried about people who have the WPA key sniffing the traffic then you need to treat that part of the network as untrusted. Use SSL and VPN over it whenever possible. Also consider if it’s worth worrying about. Just how secure do you need grades and lesson plans to be?
If someone knows the pass phrase, wouldn’t they just join the network and use other methods to sniff the traffic?
If I correctly understood the WPA/2 mechanism, the pass phrase should give access to the access point with a unique encrypted stream for each client.
Then users have to be authenticated by the hotspot using, for example, an HTML form, to gain access to the network resources (I’m referring to the Mikrotik hotspot solution).
Some access points support L2 isolation, which in conjunction with WPA limits sniffing.
I looked at an interesting Mikrotik feature called “default-forwarding” available on wlan interfaces. With this option you are free to enable/disable the communication between the wireless clients. Unfortunately I haven’t tried it yet, therefore I don’t know if it works at L2 or L3.
Just how secure do you need grades and lesson plans to be?
I would like to have the highest security grade with the least impact/trouble on client configuration.
How can someone ‘join the network’ if the connection is a point to point WPA encrypted wireless connection? Sniffing does not allow one to obtain the clear text from the cipher stream, even if one was on the same wireless network.
Despite your statement, even using the same password will create a completely different encryption stream for each client connection, as the password is not the only parameter used to create that encryption stream.
Also, as an aside, double enciphering with a single cipher algorithm can often lower security. However, using two completely different cipher algorithms will increase security, but also worsen latency and slow throughput. It’s always a trade-off.
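An added example (not written by any poster in this thread) of the WPA/WPA2-PSK pairwise key derivation defined in IEEE 802.11i, showing the other parameters that go into each client's key besides the passphrase. The SSID, passphrase, MAC addresses and nonces are constructed sample values, and `demo` is a hypothetical helper name.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    # Identical for every client that is given the same passphrase.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11 PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated.
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    # Per-association inputs: both MAC addresses and both nonces. They are
    # carried unencrypted in the 4-way handshake frames; only the PMK is secret.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)  # 48 bytes for AES-CCMP
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

def demo():
    # All values below are constructed for illustration.
    pmk = derive_pmk("school-shared-passphrase", "SchoolWiFi")
    ap = bytes.fromhex("020000000001")
    client_a = bytes.fromhex("0200000000aa")
    client_b = bytes.fromhex("0200000000bb")
    anonce_a, snonce_a = bytes([0x11]) * 32, bytes([0x22]) * 32
    anonce_b, snonce_b = bytes([0x33]) * 32, bytes([0x44]) * 32
    tk_a = derive_ptk(pmk, ap, client_a, anonce_a, snonce_a)["tk"]
    tk_b = derive_ptk(pmk, ap, client_b, anonce_b, snonce_b)["tk"]
    return tk_a, tk_b

if __name__ == "__main__":
    tk_a, tk_b = demo()
    print("client A temporal key:", tk_a.hex())
    print("client B temporal key:", tk_b.hex())
    print("keys differ:", tk_a != tk_b)
```

With WPA-EAP the PMK is instead produced by each user's own EAP authentication, so it is no longer a function of one passphrase shared by all clients.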
Yeah, you’ve got a good understanding of WPA. The encryption at this level is over-the-air encryption only. Hotspot only prevents traffic from escaping the network.
Default forwarding is exactly what I was referring to. You should look into it. It’s L2 afaik.
What I said still stands, which is: knowledge of the preshared key does not provide access to the data from another client connection (and yes, agreed, if forwarding is enabled or an access rule enables forwarding between those two clients then all L2 traffic will be shared on the wireless interface itself to any other clients that are permitted to forward). But if forwarding is disabled, knowing the WPA key gets you nowhere, which is the point I was trying to make, as that was what he was specifically asking about.
In this scenario, could an attacker decrypt user wifi traffic simply using/knowing the shared key?