Appendix D Wireless LANs
P-663HN-51 User’s Guide
276
keys. This prevent all wireless devices sharing the same encryption keys. (a
weakness of WEP)
User Authentication
WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to
authenticate wireless clients using an external RADIUS database. WPA2 reduces
the number of key exchange messages from six to four (CCMP 4-way handshake)
and shortens the time required to connect to a network. Other WPA2
authentication features that are different from WPA include key caching and pre-
authentication. These two features are optional and may not be supported in all
wireless devices.
Key caching allows a wireless client to store the PMK it derived through a
successful authentication with an AP. The wireless client uses the PMK when it tries
to connect to the same AP and does not need to go with the authentication
process again.
Pre-authentication enables fast roaming by allowing the wireless client (already
connecting to an AP) to perform IEEE 802.1x authentication with another AP
before connecting to it.
Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system
instructing the wireless client how to use WPA. At the time of writing, the most
widely available supplicant is the
WPA patch for Windows XP, Funk Software's
Odyssey client.
The Windows XP patch is a free download that adds WPA capability to Windows
XP's built-in "Zero Configuration" wireless client. However, you must run Windows
XP to use it.
WPA(2) with RADIUS Application Example
To set up WPA(2), you need the IP address of the RADIUS server, its port number
(default is 1812), and the RADIUS shared secret. A WPA(2) application example
with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is
the distribution system.
1
The AP passes the wireless client's authentication request to the RADIUS server.
2
The RADIUS server then checks the user's identification against its database and
grants or denies network access accordingly.
3
A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by
the RADIUS server and the client.