Upgrading Wi-Fi Security from WEP to WPA2
By Eric Geier (NoWiresSecurity Founder
& CEO) - originally published on
As you may already know, WEP security
can easily be cracked. It only protects your wireless network from
average users. Even newbie hackers can download free tools and
follow a tutorial to crack your WEP key. This enables them to
connect to your Wi-Fi network and possibly access network shares.
Plus it gives them the ability to decode real-time traffic on the
You should use the most secure option available to adequately
protect your wireless network: Wi-Fi Protected Access 2 (WPA2),
which uses AES/CCMP encryption. There are two flavors of WPA and
WPA2: Personal or Pre-shared Key (PSK) for home-use and Enterprise
The Personal mode is easy to set up and use. You create an encryption
passphrase (like a password) on the wireless router and/or access
points. Then you must enter the passphrase on your computers and
devices in order to connect to the Wi-Fi network.
The Enterprise mode is much more complex and requires an external
server, called a RADIUS server, to enable the required 802.1X
authentication. However, this mode should be used by all businesses
with employees. You can create usernames and passwords for users to
enter when connecting. The actual encryption keys aren’t stored on
the computers and devices, better protecting your network if they
become lost or stolen.
When using the Enterprise mode, access can also be easily revoked
for employees leaving the organization. If using the Personal mode,
you’d have to change the encryption passphrase (on all the access
points and all computers) each time a computer or device becomes
lost or stolen and when an employee leaves the organization.
Check your current security
If you aren’t sure which
security method you’re using, you can quickly check in Windows by
bringing up the list of available wireless networks.
In Windows XP (with at least Service Pack 2), networks using some
type of security will say “Security-enabled wireless network”. If
WPA or WPA2 is being used it will be shown in parentheses; otherwise
WEP is being used. In Windows Vista and Windows 7, hover over the
network on the list to see more details, including the security
Verify WPA2 compatibility
Most Wi-Fi products bought in 2005 or
after should support WPA2. If you have a wireless router, access
points, computers, or other Wi-Fi devices that were purchased in
2005 or before, you might want to double-check the support of WPA2.
To check a wireless router or access point, enter its IP address
into a web browser, log in to the control panel, and check the
Note: If you don’t know the IP address of your router, bring up the
Wireless Network Connection Status dialog in Windows, click the
Details button, and then refer to the Default Gateway. See Figure 1.
Note: If you don’t remember the password, refer to the product
manual or search Google for the default password. If you changed it
from the default, you can reset it back to factory defaults by
holding in the small reset button on the back of the wireless router
or access point.
If you don’t see WPA2 in the wireless security settings of your
wireless router or access points, support may have been added in
firmware updates by the manufacturer. On the control panel, find the
system or status details to check the firmware version installed.
Then go to the support section of the manufacturer’s website and
check the downloads for your particular model. If a newer firmware
release is available, download it and upload it via the firmware page
on the control panel.
If you have any computers with Windows XP, ensure you have Service
Pack 3 installed, which adds WPA2 support. Click Start, right-click
My Computer, and select Properties. If installed, you should see
“Windows XP Service Pack 3”. If you don’t see it, download and
install it using Windows Update.
If you’re using an old wireless adapter, it could lack WPA2 support
even if Windows supports it. To double-check its support in Windows
XP, open the Wireless Network Connection Properties dialog, select
the Wireless Networks tab, and click Add. Then ensure WPA2 is listed
in the drop-down menu for Network Authentication. See Figure 2.
If you don’t see WPA2, support may have been added in driver updates
by the manufacturer. Check the driver version that’s installed: open
the Wireless Network Connection Properties dialog in Windows, click
the Configure button, and select the Driver tab. Then go to the
support section of the manufacturer’s website and check the
downloads for your particular model.
If a newer driver version is available, download it and update it by
following the manufacturer’s instructions or via the Driver tab.
Using WPA2-Personal (PSK)
To enable WPA2-Personal security, start by entering the IP address of
your wireless router and/or access points into a web browser, log in
to the control panel, and find the wireless security settings.
If you don’t know the IP address of your router or don’t remember
the password, refer to the notes in the previous section.
Once you find the wireless security settings, select WPA2 security
and AES encryption. Then enter a Pre-Shared Key or Passphrase of 8
to 63 alphanumeric characters. The longer and more complex, the more
secure. Try to use upper- and lowercase letters and numbers. Write this
down and keep it safe. Don’t forget to save/apply the changes.
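The passphrase is not used as the encryption key directly: WPA2-Personal derives a 256-bit key from the passphrase and the network name (SSID), so both the router and every device must hold exactly the same passphrase. The following is an added example, not part of the original article, that checks a passphrase against the advice above, generates a random one, and performs that derivation; the function names and the SSID "ExampleNet" are constructed for illustration.

```python
import hashlib
import math
import secrets
import string

ALPHANUM = string.ascii_letters + string.digits  # upper, lower, digits

def check_passphrase(passphrase):
    """Return a list of problems; an empty list means the passphrase passes."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8 to 63 characters")
    if any(not (32 <= ord(c) <= 126) for c in passphrase):
        problems.append("contains characters outside printable ASCII")
    for name, charset in (("uppercase", string.ascii_uppercase),
                          ("lowercase", string.ascii_lowercase),
                          ("digit", string.digits)):
        if not any(c in charset for c in passphrase):
            problems.append("no " + name + " character")
    return problems

def random_bits(length, alphabet=ALPHANUM):
    """Entropy in bits of a uniformly random passphrase of this length."""
    return length * math.log2(len(alphabet))

def generate_passphrase(length=20):
    """Random alphanumeric passphrase that satisfies check_passphrase()."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8 to 63")
    while True:
        candidate = "".join(secrets.choice(ALPHANUM) for _ in range(length))
        if not check_passphrase(candidate):
            return candidate

def derive_pmk(passphrase, ssid):
    """256-bit key that WPA/WPA2-Personal derives from the passphrase:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

if __name__ == "__main__":
    print(check_passphrase("homewifi"))      # lacks character variety
    new = generate_passphrase(20)
    print(new, round(random_bits(20)), "bits")
    # Constructed SSID; a single wrong character yields a different key.
    print(derive_pmk(new, "ExampleNet").hex())
```

Because the SSID acts as the salt, the same passphrase on a differently named network produces a different key, which is one reason to change a router's default network name as well as its passphrase.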
Now you must enter the same passphrase on your Wi-Fi equipped
computers and devices. In Windows, you should be prompted to enter
it when connecting. However, if you were previously using WEP or
WPA, Windows may not connect until you edit the saved security
In Windows XP, double-click the wireless network icon in the lower
right corner of Windows and click Change the order of preferred
networks. Then double-click the network name, change the Network
Authentication to WPA2-PSK and Data Encryption to AES, and enter the
passphrase twice in the Network Key fields. See Figure 4 for an
In Windows Vista and 7, bring up the list of available wireless
networks, right-click the network, and select Properties. Then
change Security Type to WPA2-Personal, Encryption Type to AES, and
enter the passphrase as the Network Security Key. See Figure 5 for
Before you can use WPA2-Enterprise, you must choose and set up a RADIUS
server. If you have a Windows Server, you should be able to use the
IAS or NPS server. Other RADIUS servers include FreeRADIUS, Elektron,
and ClearBox. Keep in mind that some business-class access points (such
as the ZyXEL ZyAIR G-2000 Plus v2) include integrated RADIUS servers.
If you don’t have the money or expertise to run your own server, you
can use a hosted service, such as AuthenticateMyWiFi.
For more help on deploying WPA2-Enterprise and 802.1X, refer to a
previous article of mine that discusses overcoming the common
roadblocks. I’ve also written a series targeted toward deployment in