WLAN Authentication

Authentication is the verification of user identity and credentials. Users must identify themselves and present credentials such as passwords or digital certificates. Authorization involves granting access to network resources and services.

Proper authentication must occur before authorization to network resources can be granted. The following sections detail more advanced authentication and authorization defenses. You will also learn that dynamic encryption is possible as a byproduct of these stronger authentication solutions.

802.1X/EAP Framework

The IEEE 802.1X standard is not specifically a wireless standard and often is mistakenly referred to as 802.11x. The 802.1X standard is a port-based access control standard.

802.1X provides an authorization framework that allows or disallows traffic to pass through a port and thereby access network resources. An 802.1X framework may be implemented in either a wireless or wired environment.

The 802.1X framework consists of three main components:

  • Supplicant: A host with software that is requesting authentication and access to network resources.
  • Authenticator: A device that blocks or allows traffic to pass through its port entity. Authentication traffic is normally allowed to pass through the authenticator while all other traffic is blocked until the identity of the supplicant has been verified.

The authenticator maintains two virtual ports: an uncontrolled port and a controlled port. The uncontrolled port allows EAP authentication traffic to pass through, while the controlled port blocks all other traffic until the supplicant has been authenticated.

  • Authentication server (AS): A server that validates the credentials of the supplicant that is requesting access and notifies the authenticator that the supplicant has been authorized.

The authentication server will maintain a user database or may proxy with an external user database to authenticate user credentials.

Within an 802.3 Ethernet network, the supplicant would be a desktop host, the authenticator would be a managed switch, and the authentication server would normally be a Remote Authentication Dial-In User Service (RADIUS) server.

In an 802.11 wireless environment, the supplicant would be a client station requesting access to network resources. An access point or wireless switch would be the authenticator, blocking access via virtual ports.

The AS is typically a RADIUS server. Although the supplicant, authenticator, and authentication server work together to provide the framework for 802.1X port-based access control, an authentication protocol is needed to actually perform the authentication process.

Extensible Authentication Protocol (EAP) is used to provide user authentication. EAP is a flexible layer 2 authentication protocol that resides under Point-to-Point Protocol (PPP).

The supplicant and the authentication server communicate with each other using the EAP protocol. The authenticator allows the EAP traffic to pass through its virtual uncontrolled port.

Once the AS has verified the credentials of the supplicant, the server sends a message to the authenticator that the supplicant has been authenticated and the authenticator is now authorized to open the virtual controlled port, allowing all other traffic to pass through.

The figure below depicts the generic 802.1X/EAP frame exchanges.

The 802.1X/EAP framework, when used with wireless networks, provides the necessary means of validating user identity as well as authorizing client stations onto the wired network infrastructure.
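The port behaviour described above can be modelled in a few lines. This is an added example, not code from the original text: the Authenticator class, its method names and the sample MAC address are hypothetical, while the EAPOL EtherType, the EAPOL-Logoff packet type and the RADIUS packet codes are the real protocol values. It shows that EAP traffic always reaches the AS, that data is dropped until the AS accepts the supplicant, and that the port closes again on logoff.

```python
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E  # EAP over LAN: all the uncontrolled port will pass
ETHERTYPE_IPV4 = 0x0800
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11  # RADIUS codes, RFC 2865
EAPOL_LOGOFF = 2  # EAPOL packet type sent when the supplicant ends its session

@dataclass
class Authenticator:
    """Model of the two virtual ports; only the AS verdict opens the controlled one."""
    authorized: set = field(default_factory=set)    # MACs whose controlled port is open
    to_server: list = field(default_factory=list)   # EAP relayed to the AS
    to_network: list = field(default_factory=list)  # data let through to the network

    def from_supplicant(self, mac, ethertype, payload, eapol_type=0):
        if ethertype == ETHERTYPE_EAPOL:            # uncontrolled port
            if eapol_type == EAPOL_LOGOFF:
                self.authorized.discard(mac)
                return "port-closed"
            self.to_server.append((mac, payload))
            return "relayed-to-as"
        if mac in self.authorized:                  # controlled port, open
            self.to_network.append((mac, payload))
            return "forwarded"
        return "dropped"                            # controlled port, closed

    def from_server(self, mac, radius_code):
        if radius_code == ACCESS_ACCEPT:
            self.authorized.add(mac)
            return "port-open"
        if radius_code == ACCESS_REJECT:
            self.authorized.discard(mac)
            return "port-closed"
        return "pending"                            # Access-Challenge: EAP continues

def demo():
    ap, sta = Authenticator(), "02:00:00:00:00:01"  # constructed station MAC
    return ap, [
        ap.from_supplicant(sta, ETHERTYPE_IPV4, b"dhcp-discover"),
        ap.from_supplicant(sta, ETHERTYPE_EAPOL, b"eap-response/identity"),
        ap.from_server(sta, ACCESS_CHALLENGE),
        ap.from_supplicant(sta, ETHERTYPE_IPV4, b"too-early"),
        ap.from_server(sta, ACCESS_ACCEPT),
        ap.from_supplicant(sta, ETHERTYPE_IPV4, b"dhcp-discover"),
        ap.from_supplicant(sta, ETHERTYPE_EAPOL, b"", eapol_type=EAPOL_LOGOFF),
        ap.from_supplicant(sta, ETHERTYPE_IPV4, b"after-logoff"),
    ]
```

Calling demo() returns the authenticator and the outcome of each frame in order. Nothing a supplicant sends can change the port state except a logoff, which only closes it.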

EAP Types

EAP stands for Extensible Authentication Protocol. The key word in EAP is Extensible. The protocol is very flexible, and many different flavors of EAP exist.

Some, such as Cisco’s Lightweight Extensible Authentication Protocol (LEAP), are proprietary, while others, such as Protected Extensible Authentication Protocol (PEAP), are considered standards-based.

Some may provide for only one-way authentication, while others provide two-way, or mutual, authentication. Mutual authentication requires not only that the authentication server validate the client credentials but also that the supplicant validate the authentication server.

Most types of EAP that require mutual authentication use a server-side digital certificate to validate the authentication server.

Dynamic Encryption Key Generation

Although the 802.1X/EAP framework does not require encryption, it strongly suggests the use of encryption. A side benefit of EAP protocols that utilize mutual authentication is the generation and distribution of dynamic encryption keys.

Until now, you have learned about only static or preshared WEP keys. The use of static keys is typically an administrative nightmare, and when the same static key is shared between multiple users, the secret is easy to compromise via social engineering.

After an EAP frame exchange where mutual authentication is required, both the AS and the supplicant now know information about each other due to the exchange of credentials.

This new-found information is used as seeding material or keying material to generate a matching dynamic encryption key for both the supplicant and the authentication server.

These dynamic keys are generated per session per user, meaning that every time a client station authenticates, a new key is generated and every user has a unique and separate key.

This dynamic session key is often referred to as the unicast key because it is the dynamically generated key that is used to encrypt and decrypt all unicast data frames.

After the key is created, the AS delivers its copy of the unicast key to the access point. The access point and the client station now both have unique unicast keys that can be used.

A second, static key known as the broadcast key exists on the access point. The broadcast key is used to encrypt and decrypt all broadcast and multicast data frames.

Each client station has a unique and separate unicast key, but every station must share the same broadcast key. The broadcast key is delivered from the access point in a unicast frame encrypted with each individual client station’s unicast key.
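The key relationships described in this section, sketched as an added example that is not part of the original text. The function names, user names and keying material are hypothetical, and the HMAC-SHA256 derivation and XOR-pad wrap are simplified stand-ins chosen so the sketch runs on the standard library; they are not the algorithms 802.11 uses.

```python
import hashlib
import hmac
import os

def derive_unicast_key(keying_material: bytes, session_nonce: bytes) -> bytes:
    """Per-session, per-user key from material both ends hold after the EAP exchange."""
    return hmac.new(keying_material, b"unicast" + session_nonce, hashlib.sha256).digest()[:16]

def wrap_broadcast_key(unicast_key: bytes, broadcast_key: bytes, nonce: bytes):
    """AP side: protect the shared broadcast key (max 32 bytes) for one station."""
    pad = hmac.new(unicast_key, b"wrap" + nonce, hashlib.sha256).digest()[:len(broadcast_key)]
    ct = bytes(a ^ b for a, b in zip(broadcast_key, pad))
    tag = hmac.new(unicast_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def unwrap_broadcast_key(unicast_key: bytes, frame):
    """Station side: returns None unless the frame was built under this unicast key."""
    nonce, ct, tag = frame
    expect = hmac.new(unicast_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    pad = hmac.new(unicast_key, b"wrap" + nonce, hashlib.sha256).digest()[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, pad))

def demo():
    # Constructed keying material standing in for what each EAP exchange yields.
    material = {"alice": b"A" * 32, "bob": b"B" * 32}
    broadcast_key = os.urandom(16)          # one key shared by every station
    keys, frames = {}, {}
    for user, km in material.items():
        keys[user] = derive_unicast_key(km, os.urandom(16))   # new key per session
        frames[user] = wrap_broadcast_key(keys[user], broadcast_key, os.urandom(16))
    return keys, frames, broadcast_key
```

Each station recovers the same broadcast key from its own delivery frame, while a frame built for another station fails the integrity check and yields nothing.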