Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
TODAY'S NEWS
Where's my gigabit Internet, anyway?
Enterprise who? Google says little about Apps, business cloud services in Q1 report
DDoS Attackers Change Techniques To Wallop Sites
Can we talk? Internet of Things vendors face a communications 'mess'
AMD's profitability streak ends at two quarters
Michaels says breach at its stores affected nearly 3M payment cards
Exclusive: Google's Project Loon tests move to LTE band in Nevada
H-1B loophole may help California utility offshore IT jobs
How a cyber cop patrols the underworld of e-commerce
For Red Hat, it's RHEL and then…?
Will the Internet of Things Become the Internet of Broken Things?
Kill switches coming to iPhone, Android, Windows devices in 2015
Israeli start-up, working with GE, out to detect Stuxnet-like attacks
Galaxy S5 deep-dive review: Long on hype, short on delivery
Google revenue jumps 19 percent but still disappoints
Windows XP's retirement turns into major security project for Chinese firm
Teen arrested in Heartbleed attack against Canadian tax site
Still deploying 11n Wi-Fi?  You might want to think again
Collaboration 2.0: Old meets new
9 Things You Need to Know Before You Store Data in the Cloud
Can Heartbleed be used in DDoS attacks?
Secure browsers offer alternatives to Chrome, IE and Firefox
Linksys WRT1900AC Wi-Fi router: Faster than anything we've tested
Heartbleed bug is irritating McAfee, Symantec, Kaspersky Lab
10 Hot Hadoop Startups to Watch
Where's my gigabit Internet, anyway?
Enterprise who? Google says little about Apps, business cloud services in Q1 report
DDoS Attackers Change Techniques To Wallop Sites
Can we talk? Internet of Things vendors face a communications 'mess'
AMD's profitability streak ends at two quarters
Michaels says breach at its stores affected nearly 3M payment cards
Exclusive: Google's Project Loon tests move to LTE band in Nevada
H-1B loophole may help California utility offshore IT jobs
How a cyber cop patrols the underworld of e-commerce
For Red Hat, it's RHEL and then…?
Will the Internet of Things Become the Internet of Broken Things?
Kill switches coming to iPhone, Android, Windows devices in 2015
Israeli start-up, working with GE, out to detect Stuxnet-like attacks
Galaxy S5 deep-dive review: Long on hype, short on delivery
Google revenue jumps 19 percent but still disappoints
Windows XP's retirement turns into major security project for Chinese firm
Teen arrested in Heartbleed attack against Canadian tax site
Still deploying 11n Wi-Fi?  You might want to think again
Collaboration 2.0: Old meets new
9 Things You Need to Know Before You Store Data in the Cloud
Can Heartbleed be used in DDoS attacks?
Secure browsers offer alternatives to Chrome, IE and Firefox
Linksys WRT1900AC Wi-Fi router: Faster than anything we've tested
Heartbleed bug is irritating McAfee, Symantec, Kaspersky Lab
10 Hot Hadoop Startups to Watch


Enterprise Networks / Product tests/info /
Send to a friend Feedback

802.1X authenticates 802.11 wireless

IEEE standard is based on Extensible Authentication Protocol.


Wireless provides convenience and mobility, but it also poses security challenges for network executives and security administrators.

Security for 802.11 networks can be broken down into three components: the authentication mechanism or framework, the authentication algorithm and data frame encryption. This story will focus on the authentication mechanism or framework.

Current authentication in the 802.11 standard is focused more on wireless LAN connectivity than on verifying user or station identity. For enterprise wireless security to scale to hundreds or thousands of users, the current method of authentication must be replaced by an authentication framework that supports centralized user authentication.

Task Group I of the IEEE 802.11 committee is working on 802.1X, an IEEE standard that provides an authentication framework for 802-based LANs. 802.1X will let wireless LANs scale by allowing centralized authentication of wireless users or stations. The standard is flexible enough to allow multiple authentication algorithms, and because it is an open standard, multiple vendors can innovate and offer enhancements.


How it works
Subscribe to the Tech Update newsletter
  Here is a weekly newsletter to help you stay abreast of new networking standards and technologies by providing down-to-earth explanations of how they work.

It is important to note that 802.1X alone lacks the components that 802.11-based LANs need for user-based authentication. Task Group I is drafting amendments to the 802.11 specifications to incorporate 802.1X services.

802.1X takes advantage of an existing authentication protocol known as the Extensible Authentication Protocol (EAP [RFC 2284]). 802.1X takes EAP, which is written around PPP, and ties it to the physical medium, be it Ethernet, Token Ring or wireless LAN. EAP messages are encapsulated in 802.1X messages and referred to as EAPOL, or EAP over LAN.

802.1X authentication for wireless LANs has three main components: The supplicant (usually the client software); the authenticator (usually the access point); and the authentication server (usually a Remote Authentication Dial-In User Service server, although RADIUS is not specifically required by 802.1X).

The client tries to connect to the access point. The access point detects the client and enables the client's port. It forces the port into an unauthorized state, so only 802.1X traffic is forwarded. Traffic such as Dynamic Host Configuration Protocol, HTTP, FTP, Simple Mail Transfer Protocol and Post Office Protocol 3 is blocked. The client then sends an EAP-start message.

The access point will then reply with an EAP-request identity message to obtain the client's identity. The client's EAP-response packet containing the client's identity is forwarded to the authentication server.

The authentication server is configured to authenticate clients with a specific authentication algorithm. The result is an accept or reject packet from the authentication server to the access point.

Upon receiving the accept packet, the access point will transition the client's port to an authorized state, and traffic will be forwarded.

802.1X for wireless LANs makes no mention of key distribution or management. This is left for vendor implementation.

At logoff, the client will send an EAP-logoff message. This will force the access point to transition the client port to an unauthorized state.

802.1X for 802.11 networks has the potential to simplify security management for large wireless deployments. It is important to remember that it is not the only piece of the security puzzle for 802.11 networks. Coupled with an authentication algorithm and data frame encryption, network administrators can provide scalable, manageable and mobile network services.



Related Links

Roshan is technical marketing engineer at Cisco. He can be reached at proshan@cisco.com.

The scoop on wireless LAN snoops
What's that unknown person with the laptop sitting on a bench outside your office doing? If you're running an 802.11-based wireless LAN, that person could be watching.
Network World, 09/17/01.

Dell: Future of wireless is 802.11
The future of wireless is in the IEEE 802.11 international standard for wireless LAN communications, at least if you ask Michael Dell.
Network World, 03/20/01.

Security alternatives
The weaknesses of the IEEE 802.11 wireless LAN standards for security involve two basic issues.
Network World, 08/15/01.

Apply for your free subscription to Network World. Click here. Or get Network World delivered in PDF each week.

Get Copyright Clearance
Request a reprint or permission to use this article.


NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.