
802.1X authenticates 802.11 wireless

IEEE standard is based on Extensible Authentication Protocol.


Wireless provides convenience and mobility, but it also poses security challenges for network executives and security administrators.

Security for 802.11 networks can be broken down into three components: the authentication mechanism or framework, the authentication algorithm and data frame encryption. This story will focus on the authentication mechanism or framework.

Current authentication in the 802.11 standard is focused more on wireless LAN connectivity than on verifying user or station identity. For enterprise wireless security to scale to hundreds or thousands of users, the current method of authentication must be replaced by an authentication framework that supports centralized user authentication.

Task Group I of the IEEE 802.11 committee is working on 802.1X, an IEEE standard that provides an authentication framework for 802-based LANs. 802.1X will let wireless LANs scale by allowing centralized authentication of wireless users or stations. The standard is flexible enough to allow multiple authentication algorithms, and because it is an open standard, multiple vendors can innovate and offer enhancements.


How it works

It is important to note that 802.1X alone lacks the components that 802.11-based LANs need for user-based authentication. Task Group I is drafting amendments to the 802.11 specifications to incorporate 802.1X services.

802.1X takes advantage of an existing authentication protocol known as the Extensible Authentication Protocol (EAP [RFC 2284]). 802.1X takes EAP, which is written around PPP, and ties it to the physical medium, be it Ethernet, Token Ring or wireless LAN. EAP messages are encapsulated in 802.1X messages and referred to as EAPOL, or EAP over LAN.

802.1X authentication for wireless LANs has three main components: the supplicant (usually the client software), the authenticator (usually the access point) and the authentication server (usually a Remote Authentication Dial-In User Service server, although RADIUS is not specifically required by 802.1X).

The client tries to connect to the access point. The access point detects the client and enables the client's port. It forces the port into an unauthorized state, so only 802.1X traffic is forwarded. Traffic such as Dynamic Host Configuration Protocol, HTTP, FTP, Simple Mail Transfer Protocol and Post Office Protocol 3 is blocked. The client then sends an EAP-start message.

The access point will then reply with an EAP-request identity message to obtain the client's identity. The client's EAP-response packet containing the client's identity is forwarded to the authentication server.

The authentication server is configured to authenticate clients with a specific authentication algorithm. The result is an accept or reject packet from the authentication server to the access point.

Upon receiving the accept packet, the access point will transition the client's port to an authorized state, and traffic will be forwarded.

802.1X for wireless LANs makes no mention of key distribution or management. This is left for vendor implementation.

At logoff, the client will send an EAP-logoff message. This will force the access point to transition the client port to an unauthorized state.
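The port behavior described above can be modeled in a few lines. This is an added example, not code from the article or from any vendor: the `AuthenticatorPort` class and the `auth_server` callable are hypothetical, and deciding on the identity alone is a stand-in for the authentication algorithm and the exchange with the authentication server.

```python
import struct

ETH_P_EAPOL, ETH_P_IP = 0x888E, 0x0800      # EtherTypes: 802.1X (EAPOL) and IPv4
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2           # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

def eapol(ptype, body=b""):
    """EAPOL header (version, packet type, body length) followed by the body."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body

def eap(code, ident, data=b""):
    """EAP packet: code, identifier, total length, then optional type-data."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

class AuthenticatorPort:
    """Hypothetical model of one client port on the access point."""
    def __init__(self, auth_server):
        self.auth_server = auth_server   # callable(identity) -> bool (stand-in)
        self.authorized = False          # every port starts unauthorized
        self.next_id = 1                 # identifier for the next EAP request
        self.pending = None              # identifier awaiting a response

    def receive(self, ethertype, payload):
        """Process one client frame; return (action, reply payload or None)."""
        if ethertype != ETH_P_EAPOL:     # DHCP, HTTP, ... pass only when authorized
            return ("forward" if self.authorized else "drop", None)
        if len(payload) < 4:
            return ("drop", None)
        _ver, ptype, length = struct.unpack("!BBH", payload[:4])
        body = payload[4:4 + length]
        if ptype == EAPOL_START:         # (re)start: ask the client who it is
            self.authorized = False
            self.pending, self.next_id = self.next_id, (self.next_id + 1) % 256
            request = eap(EAP_REQUEST, self.pending, bytes([EAP_TYPE_IDENTITY]))
            return ("reply", eapol(EAPOL_EAP, request))
        if ptype == EAPOL_LOGOFF:        # client leaves: close the port again
            self.authorized, self.pending = False, None
            return ("closed", None)
        if ptype == EAPOL_EAP and len(body) == length >= 5:
            code, ident, elen = struct.unpack("!BBH", body[:4])
            if (code == EAP_RESPONSE and ident == self.pending
                    and body[4] == EAP_TYPE_IDENTITY and 5 <= elen <= length):
                identity = body[5:elen].decode("utf-8", "replace")
                self.authorized, self.pending = bool(self.auth_server(identity)), None
                verdict = EAP_SUCCESS if self.authorized else EAP_FAILURE
                return ("reply", eapol(EAPOL_EAP, eap(verdict, ident)))
        return ("drop", None)            # malformed or unexpected EAPOL frame
```

A response is accepted only when it matches an outstanding request, so a captured identity response replayed after logoff is dropped rather than reopening the port.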

802.1X for 802.11 networks has the potential to simplify security management for large wireless deployments. It is important to remember that it is not the only piece of the security puzzle for 802.11 networks. Coupled with an authentication algorithm and data frame encryption, it lets network administrators provide scalable, manageable and mobile network services.




Roshan is technical marketing engineer at Cisco. He can be reached at proshan@cisco.com.
