– 77 –
APPENDIX D:
802.1X AUTHENTICATION SETUP
There are three essential components to the 802.1x infrastructure: (1) Supplicant, (2) Authenticator and (3) Server. The 802.1x security supports both the MD5 and TLS Extensible Authentication Protocol (EAP) methods.

802.1x Authentication is a complement to the WEP encryption currently used in wireless networks. The security weakness of WEP encryption is that there is no key management and no limit on the lifetime of a key. 802.1x Authentication offers key management, which includes a key per user and a key per session, and limits the lifetime of the keys to a certain duration. Thus, recovering a key becomes extremely difficult for an unauthorized attacker, and the wireless network is securely protected. We will introduce the 802.1x Authentication infrastructure as a whole and then go into the details of the setup for each essential component in 802.1x authentication.
802.1x Authentication Infrastructure
The infrastructure diagram shown above illustrates a group of 802.11 wireless clients trying to form an 802.11 wireless network with the Access Point in order to have access to the Internet/Intranet. In the 802.1x authentication infrastructure, each of these wireless clients has to be authenticated by the RADIUS server, which grants access to the authorized client and notifies the Access Point to open up a communication port to be used by the granted client. Two Extensible Authentication Protocol (EAP) methods are supported: (1) MD5 and (2) TLS.

MD5 authentication is simply a validation of the user account and password stored in the server against what the user keys in. Therefore, the wireless client user will be prompted for account/password validation every time he/she tries to connect. TLS authentication is more complicated: it uses a certificate issued by the RADIUS server for authentication. TLS authentication is more secure, since not only does the RADIUS server authenticate the wireless client, but the client can also validate the RADIUS server by the certificate it issues. The authentication request from the wireless clients and the reply by the RADIUS server and Access Point can be summarized as follows:
1. The client sends an EAP Start message to the Access Point.
2. The Access Point replies with an EAP Request ID message.
3. The client sends its Network Access Identifier (NAI), its user name, to the Access Point in an EAP Response message.
4. The Access Point forwards the NAI to the RADIUS server in a RADIUS Access Request message.
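The four-step Identity exchange listed above, as an added Python example that is not part of this manual: it builds and parses the EAP Request/Identity and Response/Identity packets (RFC 3748 framing) and then wraps the NAI and the raw EAP Response into the RADIUS User-Name and EAP-Message attributes that the Access Point sends to the server in step 4. The NAI "alice@example.com" is a constructed sample value, and only the RADIUS attributes are built, not the full Access-Request header.

```python
import struct

# EAP packet codes and the Identity type (RFC 3748)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
# RADIUS attribute types used by an 802.1x authenticator (RFC 2865 / RFC 3579)
RADIUS_USER_NAME, RADIUS_EAP_MESSAGE = 1, 79


def eap_packet(code, ident, eap_type, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def parse_eap(pkt):
    """Parse an EAP packet, rejecting one whose Length field disagrees with its size."""
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return code, ident, eap_type, pkt[5:length]


def radius_attr(attr_type, value):
    """RADIUS attribute TLV: Type(1) Length(1) Value, length covers the 2-byte header."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def access_request_attrs(nai, eap_response):
    """Step 4: the Access Point forwards the NAI plus the untouched EAP Response to the server."""
    return radius_attr(RADIUS_USER_NAME, nai.encode()) + radius_attr(RADIUS_EAP_MESSAGE, eap_response)


def run_identity_exchange(nai):
    """Simulate steps 1-4 and return the NAI the AP extracted and the RADIUS attributes it built."""
    # Step 1: EAPOL-Start frame from the client (802.1X version 1, packet type 1, no body)
    eapol_start = struct.pack("!BBH", 1, 1, 0)
    assert eapol_start == b"\x01\x01\x00\x00"
    # Step 2: the Access Point answers with EAP Request/Identity
    req = eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)
    # Step 3: the client checks the request and replies with EAP Response/Identity carrying its NAI
    code, ident, eap_type, _ = parse_eap(req)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("expected EAP Request/Identity")
    resp = eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, nai.encode())
    # Step 4: the Access Point pulls the NAI out of the response and builds the Access-Request attributes
    _, _, _, identity = parse_eap(resp)
    return identity.decode(), access_request_attrs(identity.decode(), resp)


if __name__ == "__main__":
    print(run_identity_exchange("alice@example.com"))  # constructed sample NAI
```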
[Figure: 802.1x Authentication Infrastructure. Components: 802.11 Wireless Clients (Support 802.1X), 802.11 Wireless Access Points (Support 802.1X), RADIUS Server, Internet/Intranet, Public 802.11 Wireless Networks. Message flows: Authentication Request, Authentication Success.]