WPA-PSK: Step-by-Step

By Jeremy deVries

September 30, 2005

Not sure how to implement security on your home or small office network? Here are instructions to get you secured.

Security is all the talk in wireless networks today, whether at home or in the office -- and for good reason. Which security is best for you? WEP (Wired Equivalent Privacy) used to be the standard, but newer and arguably better security standards have been implemented for wireless. Wi-Fi Protected Access (WPA), so named by the Wi-Fi Alliance, is taking the lead alongside an even newer version, WPA2. Both are based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11i ratified amendment.

WEP was never a strong protection mechanism, and was easily broken. WPA builds upon WEP, making it more secure by adding extra security algorithms and mechanisms to fight intrusion. With WPA’s more advanced features come more options for configuring security on your network, but the added complexity can turn securing a network into a giant headache. Still, with the right approach, it needn’t be painful.

WPA allows for two authentication types: WPA-802.1x (AKA WPA-Enterprise) and WPA-PSK (or WPA-Home). WPA-802.1x (RADIUS) signifies that there is a RADIUS (Remote Authentication Dial-in User Service) server on the network. A RADIUS server isn't just for dial-up connections — it is a certificate authenticator that only allows client stations to connect with the Access Point (AP) if it sees a valid certificate on the client, which the server provided earlier. This use of WPA is generally for medium to large businesses, and is generally not used in SOHO (small office/home office) setups.

Many APs now come with integrated Authentication Servers (AS) which act as RADIUS servers, giving SOHO users the ability to use WPA-802.1x authentication schemes if they want, even for small groups. But WPA-PSK is the better choice for SOHO users, because of its simple setup and deployment across a multi-vendor environment. WPA-PSK (Wi-Fi Protected Access with Pre-Shared Key) enables users to easily set up and manage a secured WLAN.

WPA-PSK uses a pass-phrase, which is between 8 and 63 characters long. This pass-phrase is created and entered by the user into any client station’s configuration utility, as well as into the AP. (A recommendation: do not pick a password already in use within the network, and do not use a variation of your office address.) Generally, when creating or setting up a wireless LAN, the first thing to be configured is the AP, which is then followed by the configuration of client stations. Configuring an AP depends largely upon the manufacturer’s instructions; client station configuration is where the real choices about security come into play. First, we’ll turn to setting up the AP.

Access Point Configuration

It is my solemn duty to recommend, if you are buying a new access point, that you read through the manual on how it is to be configured as you take it out of the box. Methods for configuring client stations and APs vary widely depending on the manufacturer and configuration utilities; some have their own configuration programs, others are configured by using a Web browser, and still others use a command line interface (CLI), so reading the manual is important. For ease of explanation, I will refer to APs that are configured using Web browsers, and will not go into all the features APs offer.

Most APs have a separate page for setting the Network Name, otherwise known as the SSID (Service Set Identifier). On this page, you must specify the same Network Name as on the client stations. For example, if you set the name "My Network SSID" on the client stations, you should therefore use it on the AP as well (or vice versa — most people set up the AP first).

After setting the SSID on the AP, navigate to the Security or Encryption page. This page, as shown to the left, holds a host of security settings. As with the client stations, we configure the AP to use WPA-PSK, and enter the exact WPA-PSK pass-phrase entered on the client station. Again, they must be exactly the same phrase.

Some APs automatically assume the use of TKIP (Temporal Key Integrity Protocol) when WPA-PSK is selected. TKIP is a data encryption method used for WPA-PSK which adds extra security ciphers and algorithms to the preexisting WEP encryption. If it's not automatic, specify TKIP as the encryption type. TKIP isn’t the only data encryption method that can be used, but it's best for our purposes.

On some APs, when you select WPA-PSK, a note will pop up suggesting that RADIUS be enabled. Even though WPA-PSK doesn’t require a RADIUS server, you can enable RADIUS (if needed). In these cases, leaving the RADIUS configuration blank, or leaving it as originally configured when you enabled it, should not cause any issues.

If the AP you’re configuring doesn’t show any settings for WPA (PSK or other), try upgrading the firmware on the AP. Do this by navigating to the correct location on the AP or on the manufacturer’s Web site. In any event, the user manual should include directions on how to upgrade the AP.

Client Station Configuration

Configuring the client stations and access points isn’t as daunting a task as it might seem. The ease of configuring client stations depends principally on the configuration utility you are using. Windows XP comes with its own configuration utility built in, Windows Zero Configuration Utility (WZC). However, there are other configuration utilities that offer better efficiency, easier configuration, and better wireless network monitoring. Most client cards come with their own wireless configuration utility, though others depend on Windows. Here we'll describe the configuration of client stations using WZC, which is the lowest common denominator for most users.

Despite the charms of its rivals, Windows does make the task of configuring a client station fairly painless. When configuring a station, one first needs to add a preferred network; in this case, as shown in figure 2 (right), the preferred network is called “My Network SSID.”

The next step is configuring the client station to the same settings as those on the AP; to do so, go to the ‘Properties’ button, as indicated by the yellow arrow in figure 2. This will bring up the network security properties setting screen for your preferred network (figure 3, left), with a handful of settings to choose from and empty fields to fill. The first text box shows the network name (SSID). This will already be filled in with the name you specified for your preferred network.

The next step is specifying the type of security that will be used to connect to the network. In the Network Authentication field, scroll until WPA-PSK is selected. With WZC, there are two WPA authentications listed: to use WPA with a RADIUS server (802.1x), you would pick the first option of just WPA.

The second WPA listed is WPA-PSK; for our setup, we select this to continue configuring a WPA-PSK network. The Data Encryption field below the Network Authentication field specifies the protocol that WPA-PSK will use; choose TKIP. The last step needed to configure the client station is very important, in that the Network Key entered into the client station must be the same as the network key (pass-phrase) that is entered on the AP. Network keys are case-sensitive; capitals, lower-case, numbers, non-alphanumeric symbols ($#!+, etc.) must all be exactly the same. This might sound like a walk in the park, but when setting up a wireless network, many neglect this minute but crucial detail.
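Why the match has to be exact, as an added example that is not part of the original article: under 802.11i the pass-phrase is converted into the 256-bit pre-shared key with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations, so a difference in letter case, a stray space, or a different network name produces an entirely different key. The pass-phrase below is constructed, the function names are illustrative, and the printable-ASCII rule comes from the standard rather than from this article.

```python
import hashlib


def validate_passphrase(passphrase):
    """WPA-PSK pass-phrase rule: 8 to 63 characters, printable ASCII (32-126)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pass-phrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("pass-phrase must be printable ASCII")


def derive_psk(passphrase, ssid):
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    validate_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def compare_settings(ap, client):
    """Compare (ssid, pass-phrase) pairs; return (keys_match, reasons)."""
    (ap_ssid, ap_pass), (cl_ssid, cl_pass) = ap, client
    reasons = []
    if ap_ssid != cl_ssid:
        reasons.append("SSID differs")
    if ap_pass != cl_pass:
        if ap_pass.strip() == cl_pass.strip():
            reasons.append("pass-phrase differs only in surrounding spaces")
        elif ap_pass.lower() == cl_pass.lower():
            reasons.append("pass-phrase differs only in letter case")
        else:
            reasons.append("pass-phrase differs")
    keys_match = derive_psk(ap_pass, ap_ssid) == derive_psk(cl_pass, cl_ssid)
    return keys_match, reasons


if __name__ == "__main__":
    # Constructed sample settings; the SSID is the one used in this article.
    ap = ("My Network SSID", "Blue-Kettle!42 on the shelf")
    for client in [ap,
                   ("My Network SSID", "blue-kettle!42 on the shelf"),
                   ("My Network SSID", "Blue-Kettle!42 on the shelf "),
                   ("my network ssid", "Blue-Kettle!42 on the shelf")]:
        print(client, compare_settings(ap, client))
```

Because the SSID is the salt, the same pass-phrase on two differently named networks gives two unrelated keys.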

In some cases, after configuring the client station, issues with connecting to the AP may still arise. In these cases, there are three things to check:

  1. Whether Windows Firewall is turned on. Even if Windows Firewall is disabled, the wireless card might still be under control of Windows Firewall. To check this, go to Windows Firewall in the Control Panel: under the Advanced tab, make sure the Wireless Connection check box is unchecked.
  2. Whether multiple configuration utilities are enabled at once. This could cause configuration conflicts.
  3. Whether you are trying to use the wrong type of security to connect to the WLAN. Double-check to ensure that the network you’re attempting to connect to uses the same method of authentication as the one you have selected.

In today’s age of ubiquitous SOHO networks and ever more Wi-Fi in laptops, security is a paramount concern. Unsecured or improperly set up wireless networks can leave you vulnerable to intrusion, viruses, hijacking of bandwidth, and more problems than one can list, which is why properly setting up your secured network using an authentication mechanism such as WPA-PSK is a crucial step in creating a wireless network.

Originally published on .
