Security Basics mailing list archives

RE: 802.1x RADIUS Deployment in Wireless LAN


From: shankarnarayan.d () netsol co in
Date: Wed, 26 Nov 2003 13:10:16 +0530

Hi,

I assume that all who are reading this have knowledge of Wireless LAN
(802.11b), its Security issues and packet formats. Forgive me if not, as
this digs into technology a little. To talk about WPA in Wi-Fi Alliance's
own terms it is WPA = 802.1X + EAP + TKIP + MIC

1. EAP in combination with 802.1X is used for authentication and to derive temporal
keys, or pre-shared keys (typically in homes where you can't have a RADIUS
server installed) are used to derive temporal keys
2. MIC (short for Message Integrity Check, commonly called Michael and
created by Niels Ferguson - apologies if that is wrongly spelt) is used for
integrity checking
3. TKIP has 3 algorithms to it - they overcome weak key generation,
collision attacks and the sequence key problem

To cut this short, because WPA uses MIC and TKIP as additional algorithms,
such features need to be built into the cards, as the cards use these features
along with the AP/RADIUS to help implement WPA. Hence cards, client
software and AP need to understand WPA and therefore need to be upgraded to
support such algorithms.

WPA authentication follows EAP with 802.1X for authentication, so I am not
sure encapsulation is the right word to use.

Hope this helps.............

Shankar

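As an added example (not code from Shankar's post or from any vendor), here is the Michael MIC that point 2 refers to, implemented from the 802.11i description together with the standard's first test vector; the function names (`michael_mic`, `tkip_mic_input`, `michael_verify`) and the sample key and frame fields are my own constructions.

```python
import hmac
import struct
MASK32 = 0xFFFFFFFF

def rol32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def ror32(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32

def xswap(x):
    # Swap the two bytes inside each 16-bit half: b3 b2 b1 b0 -> b2 b3 b0 b1
    return ((x & 0x00FF00FF) << 8) | ((x & 0xFF00FF00) >> 8)

def michael_block(l, r, word):
    # Fold in one 32-bit message word, then run Michael's b() mixing function
    l ^= word
    r ^= rol32(l, 17); l = (l + r) & MASK32
    r ^= xswap(l);     l = (l + r) & MASK32
    r ^= rol32(l, 3);  l = (l + r) & MASK32
    r ^= ror32(l, 2);  l = (l + r) & MASK32
    return l, r

def michael_mic(key, msg):
    """8-byte Michael MIC of msg under an 8-byte key (IEEE 802.11i 8.3.2.3)."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)           # key words are little-endian
    # Pad with one 0x5a byte and 4..7 zero bytes so the length is a multiple of 4
    padded = msg + b"\x5a" + b"\x00" * (4 + (3 - len(msg) % 4))
    for (word,) in struct.iter_unpack("<I", padded):
        l, r = michael_block(l, r, word)
    return struct.pack("<II", l, r)

def tkip_mic_input(da, sa, priority, msdu):
    """TKIP authenticates DA || SA || priority || 3 zero bytes || MSDU, not only the payload."""
    return bytes(da) + bytes(sa) + bytes([priority, 0, 0, 0]) + bytes(msdu)

def michael_verify(key, msg, received_mic):
    """Receiver-side check; a mismatch is what triggers TKIP's MIC-failure countermeasures."""
    return hmac.compare_digest(michael_mic(key, msg), bytes(received_mic))

if __name__ == "__main__":
    key = b"\x11" * 8                                    # constructed key, not a real TK
    print(michael_mic(bytes(8), b"").hex())              # 802.11i vector -> 82925c1ca1d130b8
    frame = tkip_mic_input(b"\x02" * 6, b"\x04" * 6, 0, b"hello")  # constructed fields
    tag = michael_mic(key, frame)
    print(michael_verify(key, frame, tag), michael_verify(key, frame[:-1] + b"!", tag))
```

Michael is a deliberately lightweight keyed check for older cards, which is why TKIP pairs it with countermeasures rather than relying on it alone.
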
-----Original Message-----
From: Eric Hagen [mailto:eric () sandpile net] 
Sent: Wednesday, November 26, 2003 2:21 AM
To: David J. Jackson
Cc: security-basics () securityfocus com
Subject: Re: 802.1x RADIUS Deployment in Wireless LAN

Well, I can relay a bit of experience using Cisco's "Secure Access 
Control" platform.  You need version 3.2 to properly support the EAP 
that is required for authentication over 802.1x.  It's a Windows 
package, but it's not that inexpensive compared to the open-source route.

We used Cisco Aironet 1200 access points and got the WPA/TKIP 
authentication to work.  That's a dynamic key system and has 100% of 
its authentication through the SAC server.

We standardized on 3com client cards because they include strong 
software support for WPA as well as the 802.11i draft standard with AES 
encryption.  The Cisco client card was good too, but the range wasn't as 
good for one reason or another.

Difficulty?  Fortunately, we had a few experts on hand, so it wasn't all 
that difficult at all.  Unfortunately, for those unfamiliar with all of 
the technologies (including Cisco IOS) it would be very difficult.

Also, I believe that the wireless card's drivers must support the WPA 
authentication, since it uses a layer-2 encapsulation on the auth 
packets (someone correct me if I'm wrong here).

Eric
