-
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 1/13
Huawei WLAN Authentication and Encryption
The Huawei integrated Wireless Local Area Network (WLAN)
solution can provide
all-round services for municipalities at various levels and
enterprises and institutions in all walks
of life. These services include wireless access, authentication,
charging, security auditing,
intelligent O&M, and network plan and design. This solution
is widely used in various scenarios
such as the campus, office area, hotel, government, bank, energy
source, transportation, medical
care, and wireless city.
The Huawei WLAN authentication and encryption feature is a
feature of the Huawei
integrated WLAN solution. The Huawei WLAN authentication and
encryption feature ensures the
security of air interface key data using advanced encryption
algorithms such as Rivest Cipher 4
(RC4), Advanced Encryption Standard (AES), and SMS4, and
authenticates users using the portal,
802.1x, or WLAN Authentication and Privacy Infrastructure
(WAPI), preventing user data from
being stolen and user privacy from leaking, making the WLAN as
secure as the wired network,
and laying the firm foundation for mobile networks.
1. Overview
WLAN wireless data is transmitted over the air and can be
received any proper device.
Therefore, WLAN wireless data security has always been of great
concern since the emergence of
WLAN, and authentication and encryption technologies have been
developed and improved. A
series of security mechanisms has been developed, including
Wired Equivalent Privacy (WEP) at
the initial stage, Wi-Fi Protected Access (WPA), WPA2, and the
Chinese standard WAPI. Huawei
launches an integrated authentication and encryption solution to
protect users' wireless data
security in various WLAN networks, including small home
networks, campus networks, enterprise
networks and even the widely covered carrier networks.
The commonly used WLAN authentication and encryption methods are
WEP,
WPA/WPA2, WAPI, web, and MAC address authentication and
encryption. WEP: WEP is a
WLAN authentication and encryption method developed at the
initial stage. It supports two
-
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 2/13
authentication modes: open system authentication and shared key
authentication.
WPA/WPA2: WPA substitutes the WEP standard before IEEE 802.11i
is published. It
performs only some of the functions defined in IEEE 802.11i.
WPA2 performs all the functions
defined in IEEE 802.11i. Compared with WPA, the AES in Counter
with CBC-MAC (CCM)
mode is added. CBC-MAC is Ciphy Block Chaing Message
Authentication Code for short.
WPA and WPA2 support two authentication modes: pre-shared key
(PSK) authentication and
802.1x authentication. PSK is the simplified WPA/WPA2 without
802.1x. In the PSK mode,
authentication is performed between a user and the AC using
pre-shared keys. Similar to WEP, the
pair wise master key (PMK) is pre-installed, but all the keys
used for encryption and other
functions are generated dynamically. Therefore, WPA/WPA2 is a
powerful security solution.
802.1x: Based on IEEE 802.11 for WLAN access, 802.1x is first
introduced to solve the
problem of access authentication of WLAN users. It prevents
unauthenticated users or devices
from accessing the Local Area Network (LAN) or the Metropolitan
Area Network (MAN) through
access interfaces. The 802.1x authentication defines only an
implementation framework to
authenticate the user identity. To implement the authentication
process, you need to use other
protocols. The 802.1x authentication is also called the dot1x
authentication.
WAPI: WAPI is a Chinese national standard and it consists of two
parts: WLAN
Authentication Infrastructure (WAI) and WLAN Privacy
Infrastructure (WPI). WAI authenticates
user identity and WPI provides the encryption function to
protect data transmitted on WLANs.
WAPI can provide higher security for the WLAN system.
The portal authentication is also called the web authentication
or DHCP+WEB
authentication. DHCP is short for Dynamic Host Configuration
Protocol. The client uses the web
browser such as Internet Explorer to enter user names and
passwords on the authentication page.
Then the web server completes user authentication. In the MAC
address authentication mode, a
client sends its MAC address as the identity information to an
access device. Clients do not need
the client software in MAC address authentication. Table 1 lists
Huawei WLAN authentication
and encryption feature in details.
Table 1: Huawei WLAN authentication and encryption feature
Authentication
Mode
Description
WEP
The WEP is one part of the IEEE 802.11 standard that is passed
in
September, 1999, and ensures confidentiality using the
Rivest
Cipher 4 (RC4) serial stream encryption technology.
-
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 3/13
The WEP supports the open system authentication and shared
key
authentication.
The WEP is a technology for encrypting group information
between
the access points (APs) and client using RC4. After the key
is
configured, the key cannot be automatically updated. The
password
can be easily cracked. Therefore, the WEP authentication is
seldom
used currently.
The open system authentication is the most frequently used
authentication for carrier networks, and is generally used with
the
portal authentication.
WPA/WPA2-PS
K
The WPA is short for Wi-Fi Protected Access, and is a
commercial
standard introduced by the Wi-Fi alliance. The WPA
implements
most part of the IEEE 802.11i standard, and is a transitional
scheme
that replaces the WEP before the 802.11i is completely
established.
The WPA uses the Temporal Key Integrity Protocol (TKIP) for
data
encryption.
The WPA2 is a completely-established 802.11i standard and
the
second version of the WPA. The WPA2 uses Counter Mode with
CBC-MAC Protocol (CCMP) for data encryption.
The WPA/WPA2-PSK requires a key to be input in advance at
each
WLAN node, for example, the AP, wireless controller, and
network
adapter. A WLAN client can access the WLAN if its shared key
is
the same as that configured on the WLAN server. The shared key
is
used only for authentication but not for encryption. Therefore,
it will
not bring security risks as the 802.11 pre-shared key
authentication.
Do not install the client because it is seldom used and no
personnel
is available for maintaining the password required by
WPA/WPA2.
WPA/WPA2-80 The 802.1x defines only the authentication frame but
not a complete
-
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 4/13
2.1x set of authentication rules. Specific authentications
require other
protocols, such as Extensible Authentication Protocol (EAP),
Lightweight Extensible Authentication Protocol (LEAP),
EAP-TLS,
EAP-TTLS, and PEAP. TLS is Transport Layer Security for
short
and TTLS is Tunneled Transport Layer Security for short.
Generally specific client software must be installed. However,
if a
user performs only the admission control but not the policy
control,
all common operating systems such as ISO, Android, and
Windows
supports 802.1x, and the client does not need to be
installed.
The 802.1X is frequently used in enterprise networks and
seldom
used in carrier networks.
WAPI
The WAPI is the Chinese national WLAN standard GB15629.11.
This standard includes the new WAPI security mechanism that
is
composed of WLAN Authentication Infrastructure (WAI) and
WLAN Privacy Infrastructure (WPI).
The WAPI provides the certificate-based and
pre-shared-key-based
key management methods.
Unlike the WAP, the WAPI authenticates both users and APs,
and
uses SMS4 instead of CCMP as the encryption algorithm for
better
security.
WAPI is a national standard, and must be supported in
markets
inside China but is seldom used in markets outside China.
Portal
The portal authentication is also called the web authentication
or the
DHCP+WEB authentication. It uses the standard web browser
such
as Internet Explorer, and does not need special client
software.
The client obtains the IP address before authentication. Layer
3
devices such as routers can be available between the user and
the
access server.
-
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 5/13
The portal authentication is frequently used on carrier networks
and
enterprise networks.
Mac
In the MAC address authentication, a client sends its MAC
address
as the identity information to an access device.
The MAC address authentication does not require user name
and
password to be entered for login, and is used in scenarios
without
high security requirements.
Real-name
authentication
The real-name authentication is a comprehensive
authentication
solution provided by Huawei. In this authentication, each user
uses
the real name to log in to the WLAN.
This authentication is used in scenarios with high security
requirements such as the court and educational institution so
that
users can be tracked down.
2. Application
The Huawei WLAN authentication and encryption and Huawei
integrated solution can
provide WLAN networks with high security, delicate policy
control, and intelligent O&M for
customers. The Huawei WLAN authentication and encryption feature
supports leading
authentication and encryption protocols in the industry, and
provide various combined
authentication solutions, such as the solution for the carrier
WLAN, for customers based on
scenarios. On the carrier WLAN, the open system authentication
plus portal authentication are
used. After a user connects to the carrier WLAN, the portal
server automatically displays an
authentication service page. After the user is authenticated,
the user can visit the WLAN.
Generally advertisements are displayed on the authentication
service page and the MAC binding
function is pushed. After the user selects the MAC binding
function, the user can use the MAC
authentication to visit the carrier WLAN network next time
without the necessity to enter the user
name and password.
-
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 6/13
2.1 TKIP/CCMP Encryption Algorithm
The TKIP is an encryption protocol at the link layer provided by
802.11i to remove major
defects in Wired Equivalent Privacy (WEP) design. The major
drawback of the WEP is that the
random seed of the WEP is composed of the initial vector (IV)
and the WEP key.
To guard against attacks on the IN, the TKIP is improved in the
following points:
1. The sender device calculates the message integrity code (MIC)
to ensure the
information integrity. The plain text, source address, and
destination address are
included in the MIC calculation. The calculation result is
encrypted using the MIC
key.
2. The packet sequence number is used to prevent replay. The
sequence number is
contained in the WEP IV.
3. The Fast Packet Keying algorithm is used to generate the
packet encryption key by
combining the temporary key and packet sequence number.
4. The 802.1x EAPoL Key protocol is used to update the temporary
key and MIC key.
The TKIP is better than the WEP. However, the TKIP is also based
on the stream password,
and cannot eliminate security concerns. The CCMP is a security
protocol that is based on AES
block password and developed by the IEEE work group. The CCMP
provides the encryption,
authentication, integrity check, and anti-replay functions. It
is based on the CCM that uses the
AES algorithm and combines the Counter Mode (CTR) for encryption
and CBC-MAC for
authentication and integrity to ensure the integrity of MPDU
data and IEEE802.11 MPDU header.
2.2 802.1x Authentication
The 802.1x protocol is a network access control protocol based
on ports. On the WLAN,
ports generally refer to MAC addresses at the logical layer.
This protocol provides an
authentication process frame. In this frame, the system consists
of the authentication requester,
authentication point, and authentication server. They
respectively correspond to the client, access
server, and AAA server. The authentication point is only
responsible for the authentication and
exchange process at the link layer, and does not maintain any
user information. Any authentication
request is forwarded to the authentication server, for example,
RADIUS, for actual handling.
-
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 7/13
The EAP over LAN (EAPOL) protocol defined by 802.1x is used
between the authentication
requester and the authentication point. The back end transmits
EAP packets through RADIUS
encapsulation. The 802.1x protocol requires any data to be
authenticated. Unauthorized
connection ports transmit only authentication frames, and
abandon all non-EAPOL frames. Data
frames can be forwarded on after the authentication succeeds.
Figure 1 shows the entity protocol
stacks of the 802.1x authentication system.
Figure 1: Entity protocol stacks of the 802.1x authentication
system
Authentication Requester
Client
Authentication Point
Access Server
Authentication Server
AAA Server
On the WLAN, most authentication service gateways of wireless
users are configured on the
AC. Otherwise, for example, when service gateways are configured
on the Broadband Remote
Access Server (BRAS), wireless users are the same as the wired
users for service gateways. In the
802.1x authentication mode, authentication service gateways are
configured on the AC and the
local forwarding and concentrated forwarding of user data are
supported.
The 802.1x authentication is secure and reliable, can be easily
implemented and flexibly
applied, and meet industry standards. Therefore, it is
frequently used on carrier or enterprise
networks merging 3G and WLAN. Secure and reliable: In the
wireless LAN environment, 802.1x
is combined with EAP-TLS and EAP-TTLS to dynamically allocate
WEP certificate keys,
eliminating the security loopholes in wireless LAN access.
Easily implemented and flexibly
applied: The 802.1x retains the traditional AAA authentication
network architecture, and can use
existing RADIUS devices and easily implement and flexibly
control the authentication granularity.
In this authentication mode, user access, user IDs or connected
devices can be authenticated for
-
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 8/13
different users. Industry standards: The IEEE standard has the
same source as the Ethernet
standard, and can implement seamless merging with the Ethernet
technology. The Windows,
Linux, IOS, and Android operating systems running on clients
support the 802.1x protocol.
2.3 Portal Authentication
The portal authentication is also called the web authentication.
When a user needs to use
other information on the Internet, the user must pass the
authentication on a portal website before
using Internet resources. The user can visit an existing portal
server and enter the user name and
password for authentication. The user can also directly visit
other external networks through
HTTP. However, any external network URL visited before
authentication is forcibly pushed to the
portal server.
On the WLAN, most authentication service gateways of wireless
users are configured on the
AC. Otherwise, for example, when service gateways are located on
the BRAS, wireless users are
the same as the wired users for service gateways. In the portal
authentication mode, authentication
service gateways are configured on the AC and the local
forwarding and concentrated forwarding
of user data are supported. The Huawei WLAN product version V2R2
passes the TR5 review by
the end of October.
The portal authentication includes the Layer 2 authentication
and Layer 3 authentication. The
differences between the Layer 2 authentication and Layer 3
authentication are that in the Layer 2
authentication, the MAC address of the server to which a user is
to visit cannot be obtained and
the ARP detection cannot be performed to check whether a user is
online. The Layer 2
authentication and Layer 3 authentication processes are the
same. Figure 2 shows the process.
Figure 2: Portal authentication (web authentication) process
-
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 9/13
C l i e n t DHCP ServerAccess Server
Web Authentication
Server
6
AAA Server
The process is as follows:
1 to 4: A dynamic user obtains the MAC address through DHCP (a
static user can manually
configure the MAC address).
5: The user visits the authentication page of the web
authentication server, and enters the user
name and password to log in.
6: The portal authentication server notifies the access server
of the user information through
internal protocols.
7: The access server authenticates the user on the corresponding
AAA server.
8: The AAA server sends back the authentication result to the
access server.
9: The access server notifies the web authentication server of
the authentication result.
10: The web authentication server displays the authentication
result on the HTTP
authentication page to notify the user of the result.
-
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 10/13
11: The user accesses network resources normally after the
authentication succeeds.
The portal authentication can provide convenient management
functions. Portal websites can
develop advertisement and community services and personalized
businesses. In this manner,
carriers, device providers, and content and service providers
can form an Internet content union.
The portal authentication is frequently used on carrier or
enterprise WLANs.
2.4 Real-Name Authentication
The security of WLAN is crucial for the large-scale deployment
and widespread application
of WLAN, particularly in sensitive scenarios such as government
department and schools. Huawei
introduces the real name authentication system for such
scenarios, making the tracing and auditing
of floating personnel easier. The real-name authentication takes
the mobile number as the real
name and the network account. Figure 3 shows the real-name
authentication process.
Figure 3: Real-name authentication process
HUAWEI TECHNOLOGIES CO., LTD. Page 1
SRUN AAA
LSW
IP backbone network
(1) A visitor enters the enterprise for visit and
communication.
(5) The system sends the network account and password to the
visitor service mobile phone.
(2) The visitor connects to the WLAN. The self-service portal
page is displayed.
(3) The visitor enters the mobile number for registration and
applies for the network password.
AC
portal
Enterprise
employeeEnterprise
visitor
Enterprise WLAN
(4) The administrator authenticates the mobile number and the
visitor.
Third-Party SMS
Message Platform
5
6
(6) The visitor enters and submits the account and password, and
uses the network after authentication.
The real-name authentication makes the following tasks
easier:
Tracing and auditing visitors
Providing online self-services for visitors
Obtaining accounts and passwords automatically using Short
Message Service (SMS)
-
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 11/13
messages
Appointing a customer or reserving a meeting
Sending account passwords or reserved meeting notifications to
appointed customers in
emails at specified time
2.5 WAPI Authentication
The WAPI is the Chinese national WLAN standard GB15629.11. This
standard includes the
new WAPI security mechanism. WAPI is an access control method
based on Triple-Element Peer
Authentication (TePA). It implements two-way authentication, and
supports certificate
authentication and pre-shared key authentication. It also
supports unicast and multicast, and can be
widely used in wired and wireless networks. However, WAPI is
commercially immature, and is
seldom used in markets outside China.
3. Ordering Information
The authentication and encryption feature is bound to WLAN
devices, and do not need to be
separately purchased. To order the feature, you must order the
device at the same time. For details,
contact the local sales office. Table 2 lists the ordering
information.
Table 2: Ordering information of authentication and encryption
feature
Device Description
AP devices
AP6010SN/DN Built-in antenna. Indoor installation mode, 100 mW,
and supporting
802.11b/g/n and the authentication and encryption feature.
AP7110DN External antenna. Adopting leading technology, 3x3
MIMO, and
supporting 802.11b/g/n and the authentication and encryption
feature.
AP6310SN Indoor high power Data Access Service (DAS) product.
100 mW, and
supporting 802.11b/g/n and the authentication and encryption
feature.
AP6510DN Outdoor dual-frequency standard AP device. 2.4 GHz 500
mW/5 GHz
-
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 12/13
125 mW, and supporting 802.11b/g/n and the authentication
and
encryption feature.
AP6610DN
Outdoor dual-frequency bridge AP device. 2.4 GHz 500 mW/5 GHz
125
mW, and supporting upstream optical interfaces, 802.11b/g/n and
the
authentication and encryption feature.
AC devices
AC6605
AC6605-26-PWR host. 20 GE interfaces, 4 combo interfaces, 2
SFP+
ports, and supporting the authentication and encryption feature.
The
license must be configured.
S9300/S7700 SPU
ACU-H80D2ACMPS00-Wireless access control board. This device is
not
separately for sale. The license must be configured. The
authentication
and encryption feature must be configured.
Authentication server
Deep blue srun300 This device supports the 802.1x, portal, MAC,
and WAPI authentication,
and traffic-based and duration-based charging.
TSM This device supports the 802.1x, portal, MAC, and WAPI
authentication
and the policy control.
SMS message platform
Third-party SMS message
platform/SMS message
modem
Integrate the third-party SMS message platforms or purchase the
SMS
message modems based on the site requirements, for example,
those
produced by Montnets or Maixuntong.
4. Huawei and Partners
Huawei and partners can help you enhance network authentication
and secure deployment
experience, and speed up the establishment, O&M, innovation,
and growth of the WLAN. Huawei
has a professional team for secure authentication technology and
a senior team for WLAN design.
-
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 13/13
These teams can create a clear and replicable WLAN network with
easy O&M and optimize
services and enhance performance for you, helping you increase
operation efficiency, save funds,
reduce risks, and achieve success.
5. More Information
For more information about Huawei WLAN authentication and
encryption feature, visit
www.huawei.com/cn/enterprise or contact the local sales
office.