Page 66 / 88 Scroll up to view Page 61 - 65
Reference Manual for the NETGEAR RangeMax™ Wireless Access Point WPN802
B-12
Wireless Networking Basics
202-10101-01, May 2005
WPA/WPA2 Authentication: Enterprise-level User
Authentication via 802.1x/EAP and RADIUS
Figure B-3:
WPA/WPA2 Overview
IEEE 802.1x offers an effective framework for authenticating and controlling user traffic to a
protected network, as well as providing a vehicle for dynamically varying data encryption keys via
EAP from a RADIUS server, for example. This framework enables using a central authentication
server, which employs mutual authentication so that a rogue wireless user does not join the
network.
It is important to note that 802.1x does not provide the actual authentication mechanisms. When
using 802.1x, the EAP type, such as Transport Layer Security (EAP-TLS), or EAP Tunneled
Transport Layer Security (EAP-TTLS), defines how the authentication takes place.
Note
: For environments with a Remote Authentication Dial-In User Service (RADIUS)
infrastructure, WPA supports Extensible Authentication Protocol (EAP). For environments
without a RADIUS infrastructure, WPA supports the use of a pre-shared key.
Together, these technologies provide a framework for strong user authentication.
Windows XP implements 802.1x natively, and several NETGEAR switch and wireless access
point products support 802.1x.
Certificate
Authority
(for
example
Win Server,
VeriSign)
WPA/WPA2
enabled
wireless
client with
“supplicant”
TCP/IP
Ports Closed
Until
Authenticated
RADIUS Server
Wired Network with Optional
802.1x Port Based Network
Access Control
WPA/WPA2
enabled
Access Point
using
pre-shared key
or
802.1x
TCP/IP
Ports Opened
After
Authenticated
Wireless LAN
Login
Authentication
Page 67 / 88
Reference Manual for the NETGEAR RangeMax™ Wireless Access Point WPN802
Wireless Networking Basics
B-13
202-10101-01, May 2005
Figure B-4:
802.1x Authentication Sequence
The AP sends Beacon Frames with WPA/WPA2 information element to the stations in the service
set. Information elements include the required authentication method (802.1x or Pre-shared key)
and the preferred cipher suite (WEP, TKIP, or AES). Probe Responses (AP to station) and
Association Requests (station to AP) also contain WPA information elements.
1.
Initial 802.1x communications begin with an unauthenticated supplicant (client device)
attempting to connect with an authenticator (802.11 access point). The client sends an
EAP-start message. This begins a series of message exchanges to authenticate the client.
2.
The access point replies with an EAP-request identity message.
Client with a WPA/
WPA2-enabled wireless
adapter and supplicant
(Win XP, Funk,
Meetinghouse)
For example, a
WPA/WPA2-enabled
AP
For example, a
RADIUS server
Controlled Port
Page 68 / 88
Reference Manual for the NETGEAR RangeMax™ Wireless Access Point WPN802
B-14
Wireless Networking Basics
202-10101-01, May 2005
3.
The client sends an EAP-response packet containing the identity to the authentication server.
The access point responds by enabling a port for passing only EAP packets from the client to
an authentication server located on the wired side of the access point. The access point blocks
all other traffic, such as HTTP, DHCP, and POP3 packets, until the access point can verify the
client's identity using an authentication server (for example, RADIUS).
4.
The authentication server uses a specific authentication algorithm to verify the client's identity.
This could be through the use of digital certificates or some other EAP authentication type.
5.
The authentication server will either send an accept or reject message to the access point.
6.
The access point sends an EAP-success packet (or reject packet) to the client.
7.
If the authentication server accepts the client, then the access point will transition the client's
port to an authorized state and forward additional traffic.
The important part to know at this point is that the software supporting the specific EAP type
resides on the authentication server and within the operating system or application “supplicant”
software on the client devices. The access point acts as a “pass through” for 802.1x messages,
which means that you can specify any EAP type without needing to upgrade an 802.1x-compliant
access point. As a result, you can update the EAP authentication type to such devices as token
cards (Smart Cards), Kerberos, one-time passwords, certificates, and public key authentication, or
as newer types become available and your requirements for security change.
WPA/WPA2 Data Encryption Key Management
With 802.1x, the rekeying of unicast encryption keys is optional. Additionally, 802.11 and 802.1x
provide no mechanism to change the global encryption key used for multicast and broadcast
traffic. With WPA/WPA2, rekeying of both unicast and global encryption keys is required.
For the unicast encryption key, the Temporal Key Integrity Protocol (TKIP) changes the key for
every frame, and the change is synchronized between the wireless client and the wireless access
point (AP). For the global encryption key, WPA includes a facility (the Information Element) for
the wireless AP to advertise the changed key to the connected wireless clients.
If configured to implement dynamic key exchange, the 802.1x authentication server can return
session keys to the access point along with the accept message. The access point uses the session
keys to build, sign and encrypt an EAP key message that is sent to the client immediately after
sending the success message. The client can then use contents of the key message to define
applicable encryption keys. In typical 802.1x implementations, the client can automatically change
encryption keys as often as necessary to minimize the possibility of eavesdroppers having enough
time to crack the key in current use.
Page 69 / 88
Reference Manual for the NETGEAR RangeMax™ Wireless Access Point WPN802
Wireless Networking Basics
B-15
202-10101-01, May 2005
Temporal Key Integrity Protocol (TKIP)
WPA uses TKIP to provide important data encryption enhancements including a per-packet key
mixing function, a message integrity check (MIC) named Michael, an extended initialization
vector (IV) with sequencing rules, and a re-keying mechanism. TKIP also provides for the
following:
The verification of the security configuration after the encryption keys are determined.
The synchronized changing of the unicast encryption key for each frame.
The determination of a unique starting unicast encryption key for each preshared key
authentication.
Michael
With 802.11 and WEP, data integrity is provided by a 32-bit
integrity check value
(ICV) that is
appended to the 802.11 payload and encrypted with WEP. Although the ICV is encrypted, you can
use cryptanalysis to change bits in the encrypted payload and update the encrypted ICV without
being detected by the receiver.
With WPA, a method known as
Michael
specifies a new algorithm that calculates an 8-byte
message integrity check (MIC) using the calculation facilities available on existing wireless
devices. The MIC is placed between the data portion of the IEEE 802.11 frame and the 4-byte ICV.
The MIC field is encrypted together with the frame data and the ICV.
Michael also provides replay protection. A new frame counter in the IEEE 802.11 frame is used to
prevent replay attacks.
AES Support for WPA2
One of the encryption methods supported by WPA2 is the advanced encryption standard (AES),
although AES support will not be required initially for Wi-Fi certification. This is viewed as the
optimal choice for security conscience organizations, but the problem with AES is that it requires a
fundamental redesign of the NIC’s hardware in both the station and the access point. TKIP is a
pragmatic compromise that allows organizations to deploy better security while AES capable
equipment is being designed, manufactured, and incrementally deployed.
Page 70 / 88
Reference Manual for the NETGEAR RangeMax™ Wireless Access Point WPN802
B-16
Wireless Networking Basics
202-10101-01, May 2005
Is WPA/WPA2 Perfect?
WPA/WPA2 is not without its vulnerabilities. Specifically, it is susceptible to denial of service
(DoS) attacks. If the access point receives two data packets that fail the message integrity code
(MIC) within 60 seconds of each other, then the network is under an active attack, and as a result,
the access point employs counter measures, which include disassociating each station using the
access point. This prevents an attacker from gleaning information about the encryption key and
alerts administrators, but it also causes users to lose network connectivity for 60 seconds. More
than anything else, this may just prove that no single security tactic is completely invulnerable.
WPA/WPA2 is a definite step forward in WLAN security over WEP and has to be thought of as a
single part of an end-to-end network security strategy.
Product Support for WPA/WPA2
Starting in August, 2003, NETGEAR, Inc. wireless Wi-Fi certified products will support the WPA
standard. NETGEAR, Inc. wireless products that had their Wi-Fi certification approved before
August, 2003 will have one year to add WPA so as to maintain their Wi-Fi certification.
WPA/WPA2 requires software changes to the following:
Wireless access points
Wireless network adapters
Wireless client programs
Supporting a Mixture of WPA, WPA2, and WEP
Wireless Clients is Discouraged
To support the gradual transition of WEP-based wireless networks to WPA/WPA2, a wireless AP
can support both WEP and WPA/WPA2 clients at the same time. During the association, the
wireless AP determines which clients use WEP and which clients use WPA/WPA2. The
disadvantage to supporting a mixture of WEP and WPA/WPA2 clients is that the global encryption
key is not dynamic. This is because WEP-based clients cannot support it. All other benefits to the
WPA clients, such as integrity, are maintained.
However, a mixed mode supporting WPA/WPA2 and non-WPA/WPA2 clients would offer
network security that is no better than that obtained with a non-WPA/WPA2 network, and thus this
mode of operation is discouraged.

Rate

4 / 5 based on 1 vote.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top