Wireless (WLAN)

This section lets you configure the wireless part of the router. This usually includes the SSID, channel, and encryption settings.

Channel and SSID

The SSID sets the name for your wireless router. Pick a fairly unique SSID. When you’re traveling, you’ll see many “linksys” “default” “smc” and other router names where the owners didn’t change the SSID. This draws people who believe the network may be easily accessible. SO CHANGE IT.

Even though you’ll see several options for channels (1-11 in US/Canada and 1-13 in Europe/Australia). The channels overlap so most people only end up using the 3 non-overlapping channels: 1, 6, and 11. Overlapping channels might work, but it’s generally best to stick to the non-overlapping channels.

Encryption

With encryption disabled, everything is transferred wirelessly in plaintext. This means that anyone that is within range of your access point can view all traffic to and from the access point. This includes email and forum logins and passwords. HTTPS/SSL traffic (online stores, credit cards, and banks) is pretty well encrypted and pretty tough to break, but everything else is wide open.

The advantages of having encryption disabled are 1) It’s usually a little faster than with encryption enabled and 2) It’s easier to configure because you don’t have to worry about typing the key perfectly into every client computer. Nearly all public wireless access points are unencrypted for this reason.

It is generally best to enable encryption. However, it is not perfect solution because current wireless encryption is weak. It is estimated that encryption can be broken on the order of a few days to a month or so. So if someone really wants into your access point, they’ll probably be able to get it without too much effort.

Current encryption has two levels: WEP and WPA. WEP is the original form of encryption, and WPA makes WEP more difficult to crack and also adds user authentication. You can also use WPA in a standalone form.

WEP

WEP Encryption is the standard for wireless encryption. The two most common levels of encryption are 64-bit and 128-bit. 192-bit and 256-bit are also out there, but many routers and wireless cards don’t support them, so they aren’t commonly used. However, if both your router and wireless cards support stronger encryption, such as 256-bit WEP, then by all means use it.

The key is important to be as random as possible. Many routers have programs in their control panel to assist with creating a random key. Others require you to type in the key. The key is longer if the encryption is stronger. Once you’ve created the key, it’s best to write it down so you always have it available. It might be a good idea to tape the key to the bottom of the wireless router, unless someone who you don’t want to have wireless access might have physical access to the router.

You’ll need to enter this key into each wireless computer’s setup so that computer can connect to the router.

WPA

WPA’s two main advantages are that it uses the Temporal Key Integrity Protocol (TKIP) and 802.1x user authentication. This means that in order to connect to your wireless network, a user will have to enter their user ID and password, and it’s more secure because the keys are temporary. That makes it more challenging for an attacker to break. To have 802.1x authentication, you do need to have a RADIUS server installed on your network. Setting up a RADIUS server is well beyond the scope because you’ll need a computer dedicated to authentication for your wireless network.

Microsoft does a good job discussing wireless network security options.

802.1x authentication

If you do have a RADIUS server on your wired network, you’ll need to configure the router to use it. The re-authentication period sets the amount of time until you require a user to log in again. The shorter this time is, the more secure it is but also the more annoying it is. I’d recommend leaving the setting at at least an hour or two.

The rest of the config is simply to set up the IP, port, and key for the RADIUS server. The key is a text string that must be the same on both the RADIUS server and the router. The NAS ID defines the request identifier for the Network Access Server (NAS).