Wi-Fi Authentication Demystified Tutorial

Crossword

Across
2. EAP over LAN
6. Conveys data between points
8. Pipe diameter
9. Number of 802.11a non-overlapping channels
11. Receive/send radio signal
13. Extensible Authentication Protocol
15. End of the link that responds
17. Amount of data sent in a given time
18. Manages addressing and protocol information
21. 10^9 Hz
22. Only Wi-Fi Power Play
24. Supersedes WEP for 802.11
26. Contiguous frequencies
27. Opposite of transmitter

Down
1. Highest performing access device
3. Packet requesting information
4. Xirrus language
5. Circuitry to interpret and execute
7. Path for signals
10. Fragment of data
12. Specification implementing TKIP and AES
14. End of link initiating EAP authentication
15. Type of medium in 802.11
16. Number of 802.11b/g non-overlapping channels
19. One-million cycles per second
20. Rate at which a repeating event occurs
23. Standard for port-based access control
25. Institute of engineers
2008_WiFi Authentication and Roaming Authentication
or delayed by the attacker. These attacks can be designed to steal information or affect the normal operation, such as a denial-of-service attack.
Typical Wi-Fi Infrastructure
In a typical Wi-Fi infrastructure, stations associate to an Access Point. The Access Point is the Authenticator and interfaces with the Authentication Server to validate the station's identity and then allow access to the network.
(Figure: RADIUS packet layout, showing the Length field (2 bytes) and the Authenticator field (16 bytes). The Authenticator field carries the challenge text and MD5-hashed responses (passwords).)
RADIUS (RFC 2138) defines the backend authentication process between the Authenticator and the Authentication Server. RADIUS Attributes carry the authentication, authorization, information and configuration detail for the Access request and response packet types.

Example Attributes include:
– User Name (Type Field = 1)
– Password (Type Field = 2)
Items such as which VLAN the user is to be assigned to or what wireless user group policies to use can be defined by the use of Vendor Specific Attributes (VSAs) (Type Field = 26).
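As an added example (not code from the poster or from Xirrus), the following Python builds and parses a RADIUS Access-Request that carries the three attribute types named above: User-Name (type 1), User-Password (type 2) and Vendor-Specific (type 26). It also applies the RFC 2138 User-Password hiding, which is where the 16-byte Request Authenticator and the shared secret between Authenticator and Authentication Server come in. The shared secret, the fixed authenticator bytes, the vendor id 0 and the "vlan=20" string are constructed placeholders, not values from the poster.

```python
import hashlib
import struct

# RADIUS packet code and attribute types named on the poster (RFC 2138, later RFC 2865)
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
VENDOR_SPECIFIC = 26
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def hide_password(password, secret, authenticator):
    """User-Password hiding (RFC 2138 section 5.2): pad to 16-byte blocks and XOR each
    block with MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: only a holder of the shared secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26) value: Vendor-Id(4) + vendor type(1) + vendor length(1) + data."""
    return struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value


def build_access_request(identifier, authenticator, attributes):
    """attributes: list of (type, value bytes); each is encoded as Type(1) Length(1) Value."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + authenticator + body


def parse_packet(data):
    """Parse the header and attribute TLVs, rejecting lengths that do not fit the buffer."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("Length field does not match buffer")
    authenticator = data[4:HEADER_LEN]
    attributes, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attributes.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": identifier, "authenticator": authenticator, "attributes": attributes}


def parse_vsa(value):
    """Split a Vendor-Specific value into (vendor id, vendor type, vendor data)."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
    if vlen < 2 or 4 + vlen > len(value):
        raise ValueError("vendor length out of bounds")
    return vendor_id, vtype, value[6:4 + vlen]


def decode_access_request(data, secret):
    """Pull the poster's three attribute types out of an Access-Request."""
    pkt = parse_packet(data)
    if pkt["code"] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    result = {"id": pkt["id"], "vsa": []}
    for atype, value in pkt["attributes"]:
        if atype == USER_NAME:
            result["user"] = value.decode()
        elif atype == USER_PASSWORD:
            result["password"] = reveal_password(value, secret, pkt["authenticator"]).decode()
        elif atype == VENDOR_SPECIFIC:
            result["vsa"].append(parse_vsa(value))
    return result


# Constructed sample values: a fixed authenticator for reproducibility (real ones must be
# unpredictable), a made-up shared secret, and vendor id 0 as a placeholder for a real
# IANA enterprise number.
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))


def sample_request():
    return build_access_request(7, AUTHENTICATOR, [
        (USER_NAME, b"alice"),
        (USER_PASSWORD, hide_password(b"correct-horse-battery", SECRET, AUTHENTICATOR)),
        (VENDOR_SPECIFIC, encode_vsa(0, 1, b"vlan=20")),
    ])


if __name__ == "__main__":
    print(decode_access_request(sample_request(), SECRET))
```

The bounds checks in parse_packet and parse_vsa are the part a receiver must not skip: the Length field and every attribute length are attacker-controlled bytes on the wire and must be validated against the buffer before indexing. Decoding with the wrong shared secret returns garbage rather than an error, which is why the secret (and an unpredictable Request Authenticator) is what protects the User-Password attribute between Authenticator and Authentication Server.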
802.11i is the official security standard for 802.11 Wireless LANs as ratified by the IEEE in 2004. Its operation consists of 4 primary phases to establish secure communications. Phase 2 and a portion of Phase 3 are addressed in this poster; Phase 4 and a portion of Phase 3 are addressed in the companion Wi-Fi Encryption poster.
(Figure labels: Authenticator, Authentication Server.)

Additionally, mutual authentication and key exchange processes were added to the standard. All these additions allowed the authentication process to scale and also provided for dynamic key creation and
802.11i Packet Exchange

The 802.11i Packet Exchange describes the wireless authentication process, and begins with a supplicant (the wireless station) associating to the access point and initiating an 802.1X exchange.

1. The authentication process starts with a virtual port in the Array set to "unauthorized" such that only authentication protocols are forwarded.
2. The station starts the authentication process with an EAPOL-Start message.
3. The user's identity is passed to the Authenticator and then forwarded to the Authentication Server.
4. An EAP packet with challenge text is sent from the Authentication Server.
5. An EAP packet with the encrypted challenge text is sent back to the Server.
6. If the station has the correct credentials, a RADIUS Access-Accept packet is returned, which also includes a Master Key used by WPA to generate unique per-user encryption keys (see Wi-Fi Encryption Poster).
7. 802.11i adds a 4-way handshake to generate and verify encryption keys for the supplicant station (see Wi-Fi Encryption Poster).
8. Upon successful authentication and key exchange, the Access Point allows traffic to be forwarded from the station to the network.

(Figure labels: Port Unauthorized, Port Authorized, EAP-Logoff.)
Wireless Infrastructure

Now let's talk about how authentication works in a Wi-Fi network today. At a high level, the Wi-Fi client associates to an AP, also known as the authenticator. The station then sends an authentication request to the authenticator. The authenticator is designed so that prior to proper authentication all standard packets are discarded. While in this state the AP will only forward EAP packets. These packets are allowed to traverse to the wired side in order to reach the authentication server. Next, the client and server use the EAP packets to complete a four-way handshake. The result is that the authenticator and client define session keys, and finally the authenticator moves its port into an authorized mode and normal access to the network ensues.

As mentioned before, the 802.1X framework uses EAP to exchange information; however, there are several types of EAP methods used today. Seven of these types are approved for interoperability by the Wi-Fi Alliance. The first is EAP-TLS, which requires a server-side certificate and a client-side certificate for credentials. The second most popular type is EAP-TTLS, whereby a user must have a server-side certificate, and uses just a username and password. Typically a third-party supplicant is needed for this method.
Wireless Authentication Framework

Wi-Fi Authentication (802.11i) is built on top of 802.1X and EAP.

– EAP (RFC 3748): Extensible Authentication Protocol.
– IEEE 802.1X: wired port-based authentication; uses EAP and EAPOL as the underlying authentication protocol.
– IEEE 802.11i: wireless authentication; extends 802.1X to a wireless network and generates a Master Key. The Master Key is used by the Access Point and station to derive per-session keys.
protocols. One is LEAP (Lightweight Extensible Authentication Protocol), which was widely used early on, but is not recommended anymore due to a dictionary attack that can be easily harnessed against it. LEAP did not require certificates on both sides of the link as only a password was needed. To fix LEAP, Fast EAP was deployed. It is still password based and also does not require certificates on either side of the link.
EAP Types

The table on the poster lists, for each EAP type: a description, whether a server-side certificate is required, whether a client-side certificate is required, the user credentials used, the user database accessed, and known security issues.

EAP-PEAP: Protected EAP (widely used). Server-side certificate: Required. Client-side certificate: Optional. User credentials: Username/Password (Windows XP, 2000, CE and other 3rd-party supplicants). User database: Windows Domains, Active Directory.

EAP-TLS: EAP with Transport Layer Security. Server-side certificate: Required. Client-side certificate: Required. User credentials: Certificate. User database: Windows Domains, Active Directory, Novell NDS, OTP. Security issues: User identity exposed.

EAP-TTLS: EAP with Tunneled Transport Layer Security. Server-side certificate: Required. Client-side certificate: None. User credentials: Password. User database: Windows Domains, Active Directory.

EAP-PEAP-GTC: Protected EAP with Generic Token Card. Server-side certificate: Required. Client-side certificate: None. User credentials: One Time Password Token. User database: Windows, Novell NDS.

EAP-SIM: EAP – Subscriber Identity Module (SIM Card). Server-side certificate: Required. Client-side certificate: None. User credentials: Subscriber Identity Module (SIM); uses the SIM card found in GSM mobile phone handsets.

LEAP: Lightweight EAP. Not recommended due to dictionary attacks. Server-side certificate: None. Client-side certificate: None. User credentials: Password. User database: Windows Domains, Active Directory. Security issues: Dictionary attack; user identity exposed.

Fast EAP: Cisco EAP based on PEAP. Server-side certificate: None. Client-side certificate: None. User credentials: Password. User database: Windows Domains, Active Directory.
Web-Based Authentication

1. A user associates to an open Wi-Fi network.
2. The user's web session is captured and redirected to a landing page in the Access Point.
3. The user is prompted for a username and password.
4. The Access Point uses these credentials to authenticate the user with the Authentication Server.
5. Access is granted and the user's original URL is reloaded.

Web-Based Authentication eliminates the need to configure client software but requires manual entry of a username/password. It is not used to configure an encrypted wireless link.
Roaming and Authentication

Clients using 802.11i can pre-authenticate with multiple access points at the same time, providing for faster

Stations can pre-authenticate with a new Access Point prior to roaming.

(Figure labels: Authentication Server, Ethernet Switch, Supplicant, Authenticator.)

– Access Points can share Pairwise Master Keys (PMK) in advance of stations roaming to them.
– Stations can use an existing PMK when roaming to a new Access Point with which the prior Access Point has pre-shared it.
– If the Access Point has the PMK, only the 4-way handshake needs to take place; otherwise the full 802.1X exchange takes place.
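The eight-step 802.11i Packet Exchange above and the PMK-caching rule for roaming can be walked through with the following Python model, added here as an illustration rather than code from the poster or from any Xirrus product. The AuthServer, Supplicant and Authenticator classes, the MD5 challenge/response, the toy master-key and session-key derivations, and the sample user names, passwords and MAC addresses are all constructed assumptions; a real deployment uses a RADIUS server, a standardised EAP method and the 802.11i key hierarchy.

```python
import hashlib
import hmac
import os

# Frame types an unauthorized port still forwards (poster step 1: only authentication
# protocols pass until the port is authorized). The names are illustrative labels.
AUTH_FRAMES = {"EAPOL-Start", "EAP-Response/Identity", "EAP-Response", "EAPOL-Logoff"}


class AuthServer:
    """Stand-in for the Authentication Server: owns the user database, issues
    challenges and returns a master key on success."""

    def __init__(self, users):
        self.users = users  # identity (bytes) -> password (bytes); constructed sample data

    def challenge(self):
        return os.urandom(16)  # poster step 4: challenge text

    def verify(self, identity, challenge, response):
        """Return (accepted, master_key). The response is an MD5 hash over challenge and
        password, as the poster describes; the master key is a toy derivation."""
        password = self.users.get(identity)
        if password is None:
            return False, None
        expected = hashlib.md5(challenge + password).digest()
        if not hmac.compare_digest(expected, response):
            return False, None
        return True, hashlib.sha256(b"toy-master-key" + password + challenge).digest()


class Supplicant:
    """The wireless station."""

    def __init__(self, mac, identity, password):
        self.mac, self.identity, self.password = mac, identity, password

    def respond(self, challenge):
        return hashlib.md5(challenge + self.password).digest()  # poster step 5


class Authenticator:
    """The access point: one virtual port per station plus a PMK cache."""

    def __init__(self, name, server):
        self.name, self.server = name, server
        self.pmk_cache = {}     # station MAC -> PMK (shared with other APs before roaming)
        self.port = {}          # station MAC -> "authorized" | "unauthorized"
        self.session_keys = {}  # station MAC -> per-session key from the 4-way handshake

    def forwards(self, mac, frame_type):
        """Does this port forward the frame? Unauthorized ports pass only auth frames."""
        if self.port.get(mac, "unauthorized") == "authorized":
            return True
        return frame_type in AUTH_FRAMES

    def four_way_handshake(self, sta, pmk):
        """Poster step 7 (toy): fresh nonces plus the PMK give a per-session key, so two
        APs holding the same PMK still end up with different session keys."""
        anonce, snonce = os.urandom(16), os.urandom(16)
        material = pmk + anonce + snonce + self.name.encode() + sta.mac.encode()
        self.session_keys[sta.mac] = hashlib.sha256(material).digest()

    def associate(self, sta):
        """Run the exchange for one station and return the steps that were performed."""
        steps = []
        self.port[sta.mac] = "unauthorized"                    # step 1
        pmk = self.pmk_cache.get(sta.mac)
        if pmk is None:                                        # no cached PMK: full 802.1X
            steps.append("EAPOL-Start")                        # step 2
            steps.append("EAP identity -> server")             # step 3
            challenge = self.server.challenge()                # step 4
            steps.append("EAP challenge")
            response = sta.respond(challenge)                  # step 5
            steps.append("EAP response")
            ok, pmk = self.server.verify(sta.identity, challenge, response)
            if not ok:
                steps.append("RADIUS Access-Reject")
                return steps                                   # port stays unauthorized
            steps.append("RADIUS Access-Accept + master key")  # step 6
            self.pmk_cache[sta.mac] = pmk
        else:
            steps.append("PMK cached: skip 802.1X")
        self.four_way_handshake(sta, pmk)                      # step 7
        steps.append("4-way handshake")
        self.port[sta.mac] = "authorized"                      # step 8
        steps.append("Port Authorized")
        return steps

    def logoff(self, mac):
        """EAP-Logoff: the port returns to unauthorized; the PMK stays cached."""
        self.port[mac] = "unauthorized"

    def share_pmk(self, mac, other):
        """Pre-share a station's PMK with a neighbouring AP ahead of roaming."""
        if mac in self.pmk_cache:
            other.pmk_cache[mac] = self.pmk_cache[mac]


def demo():
    """Walk one station through first association, roaming, and a failed login."""
    server = AuthServer({b"alice": b"correct-horse", b"bob": b"bobs-real-password"})
    ap1, ap2 = Authenticator("AP-1", server), Authenticator("AP-2", server)
    alice = Supplicant("00:11:22:33:44:55", b"alice", b"correct-horse")
    bob = Supplicant("66:77:88:99:aa:bb", b"bob", b"wrong-guess")  # bad credential case
    blocked = ap1.forwards(alice.mac, "HTTP")  # data frame before authentication: dropped
    first = ap1.associate(alice)               # full 802.1X exchange, then 4-way handshake
    ap1.share_pmk(alice.mac, ap2)              # AP-1 pre-shares alice's PMK with AP-2
    roam = ap2.associate(alice)                # cached PMK: only the 4-way handshake
    rejected = ap1.associate(bob)              # Access-Reject; port stays unauthorized
    return {"blocked_before_auth": blocked, "first": first, "roam": roam,
            "rejected": rejected, "ap1": ap1, "ap2": ap2, "alice": alice, "bob": bob}


if __name__ == "__main__":
    for key, value in demo().items():
        if isinstance(value, (bool, list)):
            print(key, value)
```

Running demo() shows the two paths side by side: the first association at AP-1 performs every step from EAPOL-Start through Access-Accept before the 4-way handshake, while the roam to AP-2, which already holds the pre-shared PMK, performs only the 4-way handshake before authorizing the port. The failed login leaves the port unauthorized, so forwards() keeps dropping data frames for that station.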