Security Basics mailing list archives
RE: 802.1x RADIUS Deployment in Wireless LAN
From: shankarnarayan.d () netsol co in
Date: Wed, 26 Nov 2003 13:10:16 +0530
Hi,

I assume that all who are reading this have knowledge of Wireless LAN (802.11b), its Security issues and packet formats. Forgive me if not, as this digs into technology a little.

To talk about WPA in Wi-Fi Alliance's own terms it is

WPA = 802.1X + EAP + TKIP + MIC

1. EAP in combination with 802.1X is used for Authentication. Temporal keys or use Pre-shared keys (typically in homes where you can't have a RADIUS Server installed) to derive Temporal keys
2. MIC (short for Message Integrity Check, commonly called Michael and created by Niels Fergusson - apologies if that is wrongly spelt) is used for Integrity check
3. TKIP has 3 algorithms to it - they overcome weak key generation, collision attacks and sequence key problem

To cut this short, because WPA uses MIC and TKIP as additional algorithms, such features need to be built on the cards as the cards use these features along with the AP/RADIUS to help implement WPA. Hence cards, client software and AP need to understand WPA and therefore need to be upgraded to support such algorithms.

WPA authentication follows EAP with 802.1X for authentication, so I am not sure encapsulation is the right word to use.

Hope this helps.............

Shankar

-----Original Message-----
From: Eric Hagen [mailto:eric () sandpile net]
Sent: Wednesday, November 26, 2003 2:21 AM
To: David J. Jackson
Cc: security-basics () securityfocus com
Subject: Re: 802.1x RADIUS Deployment in Wireless LAN

Well, I can relay a bit of experience using Cisco's "Secure Access Control" platform. You need version 3.2 to properly support the EAP that is required for authentication over 802.1x. It's a Windows package, but it's not that inexpensive compared to the open-source route.

We used Cisco Aironet 1200 access points and got the WPA/TKIP authentication to work. That's a dynamic key system and has 100% of its authentication through the SAC server.

We standardized on 3com client cards because they include strong software support for WPA as well as the 802.11i draft standard with AES encryption. The Cisco client card was good too, but the range wasn't as good for one reason or another.

Difficulty? Fortunately, we had a few experts on hand, so it wasn't all that difficult at all. Unfortunately, for those unfamiliar with all of the technologies (including Cisco IOS) it would be very difficult.

Also, I believe that the wireless card's drivers must support the WPA authentication, since it uses a layer-2 encapsulation on the auth packets (someone correct me if I'm wrong here).

Eric