XIRRUS - WiFi AUTHENTICATION DEMYSTIFIED

The document discusses Wi-Fi authentication (802.11i) which is built on 802.1X and EAP. It establishes secure communications in 4 phases, with phases 2 and 3 addressed here - phase 2 is 802.1X authentication and phase 3 is key management between the authenticator and RADIUS server.

Wi-Fi DEMYSTIFIED (TM) REFERENCE SERIES - Update

Wi-Fi AUTHENTICATION
802.11n SECURITY | WIRELESS AUTHENTICATION FRAMEWORK | RADIUS

802.11i is the official security standard for 802.11 Wireless LANs as ratified by the IEEE in 2004. Its operation consists of 4 primary phases to establish secure communications. Phase 2 and a portion of Phase 3 are addressed in this poster; Phase 4 and a portion of Phase 3 are addressed in the companion Wi-Fi Encryption poster.

IEEE 802.11i

  Station  <-- wireless authentication -->  Authenticator  <-- RADIUS key distribution -->  Authentication Server

  Phase 1   Security Discovery/Negotiation
  Phase 2   802.1X Authentication
  Phase 3   Key Management (RADIUS Key Distribution)
  Phase 4   Data Confidentiality and Integrity

WIRELESS AUTHENTICATION FRAMEWORK

Wi-Fi Authentication (802.11i) is built on top of 802.1X and EAP.

  IEEE 802.11i (wireless authentication)    Extends 802.1X to a wireless network and generates a Master Key. The Master Key is used by the Access Point and station to derive per-session keys.
  IEEE 802.1X (wired port-based authentication)    Uses EAP and EAPOL as the underlying authentication protocol.
  EAP (RFC 3748) Extensible Authentication Protocol    Its Type Field takes values 1 to 63; the packet carries challenge text and MD5 hashed responses (passwords).

RADIUS

RADIUS (RFC 2138) defines the backend authentication process between the Authenticator and Authentication Server. RADIUS Attributes carry specific authentication, authorization, information and configuration detail for the Access request and response types.

RADIUS packet:
  Code (1 Byte) | Identifier (1 Byte) | Length (2 Bytes) | Authenticator (16 Bytes) | Attribute 1 ... Attribute N

  Code   Description
  1      Access-Request
  2      Access-Accept
  3      Access-Reject
  4      Accounting-Request
  5      Accounting-Response
  11     Access-Challenge
  12     Status-Server (experimental)
  13     Status-Client (experimental)
  255    Reserved

Attribute Field:
  Type (1 Byte) | Length (1 Byte) | Value (1 or more Bytes)

Example Attributes include:
  - User Name (Type Field = 1)
  - Password (Type Field = 2)

Items such as which VLAN the user is to be assigned to or what wireless user group policies to use can be defined by the use of Vendor Specific Attributes (VSAs) (Type Field = 26).

TYPICAL Wi-Fi INFRASTRUCTURE

In a typical Wi-Fi infrastructure, stations associate to an Access Point. The Access Point is the Authenticator and interfaces with the Authentication Server to validate the station's identity and then allow access to the network.

  Wireless Stations (Supplicant) --- Access Point (Authenticator) --- Ethernet Switch --- Router --- Authentication Server

802.11i PACKET EXCHANGE

802.11i Packet Exchange describes the wireless authentication process, and begins with a supplicant (the wireless station) associating to the access point and initiating an 802.1X exchange.

Message flow (Supplicant <-> Authenticator <-> Authentication Server):
  Probe Request / Probe Response
  Authentication Request / Authentication Response
  Association Request / Association Response
  EAPOL-Start (Start Process)
  EAP-Request (Identity)
  EAP-Response (Identity)       ->  RADIUS Access Request
  EAP-Request (Challenge)       <-  RADIUS Access Challenge
  EAP-Response (Credentials)    ->  RADIUS Access Request
  EAP-Success                   <-  RADIUS Access Accept
  EAPOL Key 1 / EAPOL Key 2 / EAPOL Key 3 / EAPOL Key 4
  [Port Authorized]
  EAP-Logoff
  [Port Unauthorized]

1. The authentication process starts with a virtual port in the Array set to "unauthorized" such that only authentication protocols are forwarded.
2. The station starts the authentication process with an EAPOL Start message.
3. The user's identity is passed to the Authenticator and then forwarded to the Authentication Server.
4. An EAP packet with challenge text is sent from the Authentication Server.
5. An EAP packet with the encrypted challenge text is sent back to the Server.
6. If the station has the correct credentials, a RADIUS Access Accept packet is returned, which also includes a Master Key used by WPA to generate unique per-user encryption keys (see Wi-Fi Encryption Poster).
7. 802.11i adds a 4-way handshake to generate and verify encryption keys for the supplicant station (see Wi-Fi Encryption Poster).
8. Upon successful authentication and key exchange, the Access Point allows traffic to be forwarded from the station to the network.

WEB-BASED AUTHENTICATION

Web-Based Authentication eliminates the need to configure client software but requires manual entry of username/password. It is not used to configure an encrypted wireless link.

  Supplicant --- Access Point (Authenticator, Captive Portal) --- Authentication Server --- Original URL

1. A user associates to an open Wi-Fi network.
2. The user's web session is captured and redirected to a landing page in the Access Point.
3. The user is prompted for a username and password.
4. The Access Point uses these credentials to authenticate the user with the Authentication Server.
5. Access is granted and the user's original URL is reloaded.

802.11i FAST ROAMING

PMK Caching / Pre-Authenticate / Roam

  • Access Points can share Pairwise Master Keys (PMK) in advance of stations roaming to them.
  • Stations can pre-authenticate with a new Access Point prior to roaming.
  • Stations can use an existing PMK when roaming to a new Access Point that has pre-shared it with the prior Access Point.
  • If the Access Point has the PMK, only the 4-way handshake needs to take place; otherwise the full 802.1X exchange takes place.

EAPOL/EAP FRAME FORMAT

EAPOL (EAP Over LAN) is used by 802.1X to encapsulate the EAP protocol. The EAP protocol defines a number of methods for authentication.

EAPOL Packet:
  Destination MAC (6 Bytes) | Source MAC (6 Bytes) | Ethertype (2 Bytes) = 0x888e | Protocol Version (1 Byte) = 1 | Packet Type (1 Byte) | Packet Body Length (2 Bytes) = # of Bytes | Packet Body

  Packet Type   Description
  0             EAP Packet
  1             EAPOL Start
  2             EAPOL Logoff
  3             EAPOL Key
  4             EAPOL Alert

EAP Packet:
  Code (1 Byte) | ID (1 Byte) | Length (2 Bytes) | Type (1 Byte) | Data (# of Bytes)

  Code   Description
  1      Request
  2      Response
  3      Success
  4      Failure

  Type   Description
  1      Identity
  2      Notification
  3      NAK
  4      MD5 Challenge
  5      One Time Password
  6      Generic Token Card
  13     TLS

EAP TYPES

EAP-PEAP (widely used): Protected EAP; supported by Windows XP, 2000, CE and other 3rd party Supplicants
  Server side certificate: Required | Client side certificate: Optional | User credentials used: Username/Passwords | User database access: Windows Domains, Active Directory | Security issues: none listed

EAP-TLS: EAP with Transport Layer Security
  Server side certificate: Required | Client side certificate: Required | User credentials used: Certificate | User database access: Windows Domains, Active Directory, Novell NDS, OTP | Security issues: User Identity Exposed

EAP-TTLS: EAP with Tunneled Transport Layer Security
  Server side certificate: Required | Client side certificate: None | User credentials used: Password | User database access: Windows Domains, Active Directory | Security issues: none listed

EAP-PEAP-GTC: Protected EAP with Generic Token Card
  Server side certificate: Required | Client side certificate: None | User credentials used: One Time Password Token | User database access: Windows, Novell NDS | Security issues: none listed

EAP-SIM: EAP - Subscriber Identity Module (SIM). Uses the SIM card found in GSM mobile phone handsets
  Server side certificate: Required | Client side certificate: None | User credentials used: Subscriber Identity Module (SIM Card) | User database access: not listed | Security issues: none listed

LEAP: Lightweight EAP. Not recommended due to dictionary attacks
  Server side certificate: None | Client side certificate: None | User credentials used: Password | User database access: Windows Domains, Active Directory | Security issues: Dictionary Attack, User Identity Exposed

Fast EAP: Cisco EAP based on PEAP
  Server side certificate: None | Client side certificate: None | User credentials used: Password | User database access: Windows Domains, Active Directory | Security issues: none listed

GLOSSARY

802.1X—An IEEE standard for port-based network access control. It provides authentication services for devices attached to a wired network port.

802.11i—A 2004 IEEE standard that specifies TKIP and AES encryption, and 802.1X authentication for 802.11 networks. This supersedes the previous WEP (Wired Equivalent Privacy) specification from the original 802.11 specification, which has since been found to be easily compromised.

Authenticator—The end of the link initiating EAP authentication. Normally, this is the Access Point in an 802.11 environment.

Authentication Server—An entity that provides an authentication service to an authenticator. When used, this server typically executes EAP methods for the authenticator. In an 802.11 environment this is normally a RADIUS server.

Certificate—An element used to authenticate the identity and source of a message. Public-private key cryptography is used to create and digitally sign the certificate.

EAP—Extensible Authentication Protocol is defined by RFC 3748 and is a framework for authentication. EAP itself does not define the underlying authentication protocol to be used.

EAPOL—EAP Over LAN is the 802.1X encapsulation of EAP messages.

Pairwise Master Key—A unique per-user encryption key that is derived from the station's 802.1X exchange, from which transient keys are created and used to encrypt data between the station and the Access Point.

Remote Authentication Dial In User Service (RADIUS)—An Authentication, Authorization and Accounting (AAA) protocol for user access to a wired or wireless network.

Supplicant—The end of the link that responds to the authenticator. In an 802.11 environment this is normally the wireless station.

WPA—Wi-Fi Protected Access (WPA/WPA2). A Wi-Fi Alliance specification implementing TKIP and AES encryption plus 802.1X authentication for 802.11 networks. This supersedes the previous WEP (Wired Equivalent Privacy) specification from the original 802.11 specification, which has since been found to be easily compromised.
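
The RADIUS packet layout, code table and attribute format described in the RADIUS section, worked through in code. This is an added example, not Xirrus code or a RADIUS library: it builds an Access-Request carrying a User-Name (Type 1) and a Vendor-Specific attribute (Type 26), parses it back while refusing inconsistent Length fields, and shows how an Authenticator checks the 16-byte Response Authenticator of an Access-Accept against the shared secret (MD5 over Code, ID, Length, Request Authenticator, attributes and secret, as RFC 2138 specifies). The shared secret, the vendor id 99999 and the VLAN string are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code values from the poster's table (RFC 2138)
RADIUS_CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
    12: "Status-Server", 13: "Status-Client", 255: "Reserved",
}
ATTR_USER_NAME = 1         # Type Field = 1
ATTR_USER_PASSWORD = 2     # Type Field = 2
ATTR_VENDOR_SPECIFIC = 26  # Type Field = 26 (VSA)
HEADER_LEN = 20            # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> Type(1) Length(1) Value(1..253 bytes) each."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value  # Length covers Type+Length+Value
    return out


def encode_vsa(vendor_id, vendor_type, value):
    """Value of a Vendor-Specific attribute: Vendor-Id(4) + vendor type(1) + vendor length(1) + data."""
    return struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value


def decode_vsa(value):
    vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", value[:6])
    if vendor_len != len(value) - 4:
        raise ValueError("bad vendor length")
    return vendor_id, vendor_type, value[6:]


def build_packet(code, identifier, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def parse_packet(data):
    """Parse header and attributes; lengths that do not add up are rejected rather than trusted."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("Length field inconsistent with datagram")
    authenticator = data[4:HEADER_LEN]
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 3 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, authenticator, attrs


def is_wellformed(data):
    try:
        parse_packet(data)
        return True
    except ValueError:
        return False


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2138 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_response(code, identifier, request_auth, attrs, secret):
    auth = response_authenticator(code, identifier, request_auth, attrs, secret)
    return build_packet(code, identifier, auth, attrs)


def verify_response(response, request_auth, secret):
    """Authenticator-side check that an Access-Accept/Reject/Challenge was produced with the shared secret."""
    code, identifier, auth, attrs = parse_packet(response)
    expected = response_authenticator(code, identifier, request_auth, attrs, secret)
    return hmac.compare_digest(auth, expected)


def demo():
    secret = b"constructed-shared-secret"  # constructed placeholder, not a deployment value
    request_auth = os.urandom(16)          # Request Authenticator is random per request
    vsa = encode_vsa(99999, 1, b"vlan-20")  # vendor id 99999 and the VLAN string are constructed
    request = build_packet(1, 7, request_auth, [(ATTR_USER_NAME, b"alice"), (ATTR_VENDOR_SPECIFIC, vsa)])
    code, _, _, attrs = parse_packet(request)
    username = dict(attrs)[ATTR_USER_NAME].decode()
    vendor_value = decode_vsa(dict(attrs)[ATTR_VENDOR_SPECIFIC])[2].decode()
    genuine = build_response(2, 7, request_auth, [(ATTR_VENDOR_SPECIFIC, vsa)], secret)
    forged = build_packet(2, 7, os.urandom(16), [(ATTR_VENDOR_SPECIFIC, vsa)])  # no knowledge of the secret
    return (RADIUS_CODES[code], username, vendor_value,
            verify_response(genuine, request_auth, secret), verify_response(forged, request_auth, secret))
```

The Response Authenticator is the only thing binding an Access-Accept to the request the Access Point sent, so an Authenticator that skips this check (or one whose shared secret is weak) will honour any Access-Accept injected onto the path between Access Point and server; User-Password hiding uses the same secret and is covered by RFC 2138 but not shown here.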
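
The EAPOL and EAP frame formats above, together with steps 2 to 5 of the 802.11i packet exchange, as an added example (not code from the poster or from any supplicant or server implementation). It encodes and parses the Ethernet/EAPOL header (Ethertype 0x888e, Version, Packet Type, Packet Body Length) and the EAP header (Code, ID, Length, Type, Data), then plays the MD5-Challenge round: the server's EAP-Request carrying challenge text, the supplicant's EAP-Response carrying MD5(ID || password || challenge) as RFC 3748 defines for Type 4, and the server-side verification of that response. The MAC addresses, password and challenge are constructed.

```python
import hashlib
import hmac
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 1
# EAPOL packet types and EAP codes/types from the poster's tables
EAPOL_TYPES = {0: "EAP Packet", 1: "EAPOL Start", 2: "EAPOL Logoff", 3: "EAPOL Key", 4: "EAPOL Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "NAK", 4: "MD5 Challenge",
             5: "One Time Password", 6: "Generic Token Card", 13: "TLS"}
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4


def build_eapol(dst, src, packet_type, body=b""):
    """Ethernet header + EAPOL header (Version, Type, Body Length) + body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, packet_type, len(body)) + body


def parse_eapol(frame):
    if len(frame) < 18:
        raise ValueError("frame shorter than Ethernet + EAPOL headers")
    ethertype, version, packet_type, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("Packet Body Length exceeds frame")  # the length field is never trusted blindly
    return {"dst": frame[:6], "src": frame[6:12], "version": version, "type": packet_type,
            "type_name": EAPOL_TYPES.get(packet_type, "unknown"), "body": body}


def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP packet: Code(1) ID(1) Length(2) [Type(1) Data]. Success/Failure carry no Type."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse_eap(body):
    if len(body) < 4:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP Length inconsistent with body")
    pkt = {"code": code, "code_name": EAP_CODES.get(code, "unknown"), "id": identifier}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response needs a Type")
        pkt["type"] = body[4]
        pkt["type_name"] = EAP_TYPES.get(body[4], "unknown")
        pkt["data"] = body[5:length]
    return pkt


def md5_challenge_value(identifier, password, challenge):
    """RFC 3748 section 5.4 (via RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_challenge_request(identifier, challenge):
    # Data = Value-Size(1) || challenge text
    return build_eap(EAP_REQUEST, identifier, EAP_TYPE_MD5, bytes([len(challenge)]) + challenge)


def build_md5_challenge_response(identifier, password, challenge, name):
    value = md5_challenge_value(identifier, password, challenge)
    return build_eap(EAP_RESPONSE, identifier, EAP_TYPE_MD5, bytes([len(value)]) + value + name)


def verify_md5_challenge(response_body, expected_id, password, challenge):
    """Server-side check of an EAP-Response/MD5-Challenge against the stored password."""
    pkt = parse_eap(response_body)
    if pkt["code"] != EAP_RESPONSE or pkt.get("type") != EAP_TYPE_MD5 or pkt["id"] != expected_id:
        return False
    data = pkt["data"]
    if not data or data[0] != 16 or len(data) < 17:
        return False
    return hmac.compare_digest(data[1:17], md5_challenge_value(expected_id, password, challenge))


def demo():
    sta, ap = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"  # constructed MAC addresses
    password, challenge = b"constructed-password", bytes(range(16))     # constructed values
    start = parse_eapol(build_eapol(ap, sta, 1))                         # step 2: EAPOL-Start, empty body
    request = parse_eapol(build_eapol(sta, ap, 0, build_md5_challenge_request(42, challenge)))  # step 4
    response = build_eapol(ap, sta, 0, build_md5_challenge_response(42, password, challenge, b"alice"))  # step 5
    body = parse_eapol(response)["body"]
    good = verify_md5_challenge(body, 42, password, challenge)
    wrong_password = verify_md5_challenge(body, 42, b"wrong-password", challenge)
    stale_id = verify_md5_challenge(body, 43, password, challenge)  # ID must match the outstanding Request
    return start["type_name"], parse_eap(request["body"])["type_name"], good, wrong_password, stale_id
```

Checking the Identifier ties the response to the specific outstanding Request, which is what the poster's step 4/5 pairing relies on. MD5-Challenge itself produces no keying material, which is why 802.11i deployments carry the inner method inside a TLS-protected type such as PEAP or TTLS from the EAP Types table rather than running Type 4 bare over the air.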
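
The fast roaming decision in the 802.11i FAST ROAMING bullets, as an added example that is not Xirrus code: an Access Point keeps a PMK cache, a neighbour can pre-share a station's PMK into it, and on reassociation the AP answers either "4-way handshake only" (cache hit) or "full 802.1X exchange" (miss). Cache entries are keyed by the PMKID construction defined in 802.11i, HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), which the poster does not mention; it binds a cached PMK to one AP address and one station address, so the same PMK gets a different PMKID on every AP. The full 802.1X exchange and the 4-way handshake themselves are stand-ins (a fresh random PMK), and the MAC addresses are constructed.

```python
import hashlib
import hmac
import os


def pmkid(pmk, aa, spa):
    """802.11i PMK identifier: HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); AA = AP MAC, SPA = station MAC."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class AccessPoint:
    def __init__(self, bssid):
        self.bssid = bssid
        self.pmk_cache = {}  # PMKID -> PMK; every entry is bound to this AP's own BSSID

    def install_pmk(self, sta_mac, pmk):
        """After a full 802.1X exchange on this AP, or when a neighbour pre-shares the PMK."""
        self.pmk_cache[pmkid(pmk, self.bssid, sta_mac)] = pmk

    def full_8021x(self, sta_mac):
        """Stand-in for the complete EAP/RADIUS exchange; the real Master Key arrives in Access-Accept."""
        pmk = os.urandom(32)
        self.install_pmk(sta_mac, pmk)
        return pmk

    def preshare(self, neighbour, sta_mac, pmk):
        """Share the station's PMK with a neighbour AP in advance of roaming (first bullet)."""
        neighbour.install_pmk(sta_mac, pmk)

    def on_reassociation(self, sta_mac, offered_pmkids):
        """Only the 4-way handshake if a PMK is cached, otherwise the full 802.1X exchange (last bullet)."""
        for candidate in offered_pmkids:
            pmk = self.pmk_cache.get(candidate)
            if pmk is not None:
                return "4-way handshake only", pmk
        return "full 802.1X exchange", self.full_8021x(sta_mac)


class Station:
    def __init__(self, mac):
        self.mac = mac
        self.pmks = {}  # BSSID -> PMK the station obtained there

    def roam_to(self, ap):
        # Offer PMKIDs computed against the *new* AP's BSSID; an AP that was never given the PMK cannot match
        offered = [pmkid(pmk, ap.bssid, self.mac) for pmk in self.pmks.values()]
        outcome, pmk = ap.on_reassociation(self.mac, offered)
        self.pmks[ap.bssid] = pmk
        return outcome


def roaming_demo():
    sta = Station(bytes([2, 0, 0, 0, 0, 1]))                      # constructed station MAC
    ap1, ap2, ap3 = (AccessPoint(bytes([2, 0, 0, 0, 0, 0x10 + n])) for n in (1, 2, 3))  # constructed BSSIDs
    first = sta.roam_to(ap1)                                      # initial association: nothing cached
    ap1.preshare(ap2, sta.mac, sta.pmks[ap1.bssid])               # ap1 pre-shares the PMK with ap2
    second = sta.roam_to(ap2)                                     # cache hit on ap2
    third = sta.roam_to(ap3)                                      # ap3 never received it
    back = sta.roam_to(ap1)                                       # ap1 still holds its own entry
    return first, second, third, back
```

A station that keeps offering PMKIDs to APs that never received the PMK simply falls back to the full exchange; the useful defender-side check is that a cache hit is only possible on an AP that was explicitly given the key, which is what the per-AA PMKID binding enforces.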

P7.v5 • © 2011 Xirrus. All Rights Reserved. Wi-Fi is a trademark of the Wi-Fi Alliance.
+805.262.1600 • 800.947.7871 • [email protected] • www.xirrus.com
