AirPort Blog: September 2005 Archives


September 15, 2005

New AirPort, Wi-Fi Security eBooks

We've just released two ebooks: the revised version of Take Control of Your AirPort Network, and a new book, Take Control of Your Wi-Fi Security.

The AirPort book is a hands-on guide to using Wi-Fi under Mac OS X, with details covering Jaguar, Panther, and Tiger, and tips for Mac OS 9 and Windows XP. The book focuses on Apple's AirPort network hardware and software, but broadly includes details of other gear, including the most popular router from Linksys.

Each book is $10, or $17.50 for both. Click the links at upper right to visit our store.

Here's our publicity blurb on Take Control of Your Wi-Fi Network.

Learn how to keep intruders out of your wireless network and protect your sensitive communications!

It's ten o'clock - do you know who's using your wireless network? If you haven't changed the default network name or admin password, someone could be eavesdropping on your email, plucking your passwords out of the air, or sending spam through your Internet connection right now! When you're using a wireless network - whether a Macintosh with AirPort gear or Windows with any Wi-Fi equipment - you're exposed to risk unless you take steps.

Wireless networking experts Glenn Fleishman and Adam Engst have spent years researching and covering wireless security issues on Glenn's Wi-Fi Networking News weblog and in two editions of The Wireless Networking Starter Kit. Now they've distilled that experience into this essential guide for anyone using wireless networks, whether at home, at work, or on the road. You'll learn how to evaluate your real security risks; the best way to restrict access to your network using WPA; how to secure your data in transit with PGP, SSL, SSH, and VPNs; and how to protect your computers from viruses and attacks. The ebook provides extra advice on how to secure your small office wireless network, including details on choosing VPN hardware and software and on setting up 802.1X for secure Wi-Fi logins. The final section of the ebook helps you determine how successful your security efforts have been by showing you how to perform a detailed security audit on your wireless network using the same freely available tools that crackers might use against you.

Read this ebook to learn the answers to questions like:

• Should I worry about someone eavesdropping on my home wireless network?
• How can I find out if someone is snooping on my wireless network right now?
• Do I need a VPN to protect my sensitive work communications?
• Can I control access to my wireless network by user name and password?
• What software can I use for secure email and file transfer?
• How does public-key encryption work?
• Our office has only 15 people in it - can we afford the best Wi-Fi security?
• Is it really possible to break a WEP key in less than a minute?
• How can I better manage all my passwords to keep them secure?

September 06, 2005

Obscure RADIUS Bug in AirPort Extreme Base Station

This post is mostly so that if you search on Google for RADIUS or 802.1X bug and AirPort Extreme, you'll find this page that explains the workaround.

RADIUS is an authentication standard that allows user logins. In the Wi-Fi world, RADIUS is typically used as part of 802.1X, another standard that restricts access to a Wi-Fi network until the login is completed. A user needs an 802.1X client--built into Panther and later--with the right security overlay to protect the login. An access point, like the AirPort Extreme Base Station, is configured to hand off the login credentials to a RADIUS server for approval.

In order for the base station to talk to the RADIUS server, they must have a shared secret, entered in both locations. This secret can be quite long. However, the AirPort Extreme Base Station cannot accept a long secret via the AirPort Admin Utility--this is a bug, which I have tried to report to Apple to no avail. It doesn't seem to be fixed after several months and multiple firmware and utility releases.

AirPort Admin Utility won't produce an error on entry but neither will it allow you to update a configuration that contains a too-long shared secret. The solution? Download and use AirPort Management Tool, available on the AirPort support page at Apple.

The tool is designed to allow the group configuration of AirPort Extreme and Express Base Stations, and it doesn't share the bug that prevents entry of the longer secret.

September 04, 2005

WPA: AirPort Cards, Yes; AirPort Base Stations, No

I have been asked this more frequently than practically any other question on AirPort: Can I upgrade an old AirPort network to use WPA (Wi-Fi Protected Access) security? The answer: sort of. AirPort Cards installed on computers that are running Mac OS X 10.3.0 or later can use firmware and operating system upgrades that allow an AirPort Card to handle WPA correctly on Apple and non-Apple networks. Earlier versions of Mac OS X and any version of Mac OS 8 or 9 cannot handle WPA because the operating system isn't designed for it; no third-party wireless card offers WPA support before 10.3, either.

The bad news: graphite and snow AirPort Base Stations cannot, under any circumstances, be firmware upgraded to handle WPA. The hardware and software combination just won't work. You'll need a new base station, either from Apple or from another firm, to handle it. Mass-market base stations like the Linksys WRT54G can be had for $50 or less. (I write extensively in Take Control of Your AirPort Network about whether a non-Apple base station can work for your network.)

WPA2, by the way, is yet a different answer. WPA uses the TKIP (Temporal Key Integrity Protocol) encryption system, while WPA2 can use either TKIP or AES-CCMP (a long acronym). TKIP works with older gear; AES-CCMP requires newer hardware--devices shipped since late 2002. Under Mac OS X 10.3.3 to 10.3.9 or Mac OS X 10.4.2 or later, you can upgrade AirPort Extreme Cards, AirPort Extreme Base Stations, and AirPort Express Base Stations to handle WPA2.

Using Tiger's Preferred Network List

When you open a laptop or turn on an AirPort adapter under all recent versions of Mac OS X, you're asked if you want to join the first visible network, and then automatically reconnect to the network in the future. Until Tiger, there was no way to see which networks you had agreed to join, or to change your preference as to which to join first if more than one was available.

While Tiger added this option, it's not visible for many people who upgraded from Panther. On several machines I use and have checked, the AirPort adapter (System Preferences > Network > select AirPort from the Show menu) configuration shows just the By Default, Join menu set to Automatic with no other choices. (The options used for Automatic are found by clicking the Options button.)

If you installed Tiger from scratch, the By Default, Join menu also shows Preferred Networks as an option (see screen capture below). You can see which networks you've joined, what security they employ, edit settings, delete those you no longer want to consider "preferred," and drag them to arrange the order in which you join if multiple networks are present.

[Screen capture: Network Config Tiger]

If you don't see Preferred Networks in the popup menu as an option, try deleting the AirPort adapter:

  1. Select Network Port Configurations from the Show menu.
  2. Select AirPort.
  3. Click Delete.

You may have to repeat this: we've seen and had reports that the AirPort adapter continues to be recreated after deletion. (See below for more advice on this.)

Now create a new AirPort adapter:

  1. Click New.
  2. Select AirPort from the Port popup menu.
  3. Name it something other than AirPort (Tiger AirPort, for instance).
  4. Click OK.

Back in the AirPort adapter's AirPort tab you should be able to choose Preferred Networks. If not, you may need to create a new Location--I've had to create one on at least one machine to make Preferred Networks appear:

  1. Select New Location from the Location menu.
  2. Name it.
  3. Click OK.
  4. Select AirPort from the Show menu.

If Preferred Networks is still not an option, we haven't found a workaround. This is so obviously a bug in the Panther-to-Tiger upgrade process, but we haven't seen tech notes or other information from Apple on how to fix this or whether it will be fixed. Or whether they're aware of it.

WPA2 Support in AirPort

If you haven't already read it elsewhere, AirPort Software 4.2 includes support for WPA2. Here's the article I wrote a few weeks ago for TidBITS about it:

A few days after Apple pushed out Mac OS X 10.4.2, which includes client-side changes to AirPort software to support a newer, stronger encryption system, the company released AirPort Software 4.2, incorporating the necessary base station support. Separate versions are available via Software Update or as stand-alone downloads for Mac OS X 10.3.3 through 10.3.9, 10.4.2, and Windows.

This update adds full support for WPA2 (Wi-Fi Protected Access version 2), which provides an access point the capability to offer AES (Advanced Encryption System) encryption keys. Only newer hardware sold starting in late 2002 can handle the computation required, so original AirPort cards and base stations cannot be updated to handle WPA2.

The original WPA, which appeared as an update to Panther, offers a superior encryption algorithm and other improvements for Wi-Fi security for AirPort Cards, AirPort Extreme Cards, and AirPort Extreme and Express Base Stations (see "AirPort Firmware Updates Fix Major Bugs" in TidBITS-760). WPA2 is a further refinement - technically, it's the full ratified version of IEEE 802.11i - that works only with AirPort Extreme Cards when connecting to WPA2 Personal- or WPA2 Enterprise-configured networks. AirPort Cards cannot support WPA2 because of limitations in silicon; WPA was designed to be backward compatible with early 802.11b cards, such as the AirPort Card.

Some businesses have been waiting until WPA2 was released before deploying their Wi-Fi networks because of its government-grade encryption. WPA2 also has a few features that add to WPA, such as fast reauthentication, which allows a laptop using WPA2 Enterprise - a system that uses a unique login that produces a unique session key - to roam without a long delay when moving from base station to base station.

AirPort 4.2 includes new versions of AirPort Admin Utility and AirPort Setup Assistant, and firmware updates for both AirPort Extreme and AirPort Express Base Stations.

This update brings Apple current with the rest of the industry. Interestingly, older WEP (Wired Equivalent Privacy) encryption is all that is available for the software base station created through the Create Network command in the AirPort status menu. WEP is cryptographically broken; one hopes Apple will eventually offer at least WPA for improved security of ad hoc networks.

AirPort Blog Update

We've let this blog run dry for several months owing to configuration problems and time commitments. But we're trying to prime the pump again, hence the several posts you'll see today.