IEEE standard is based on Extensible Authentication Protocol.
Wireless provides convenience and mobility, but it also poses security challenges for network executives and security administrators.
Security for 802.11 networks can be broken down into three components: the authentication mechanism or framework, the authentication algorithm and data frame encryption. This story will focus on the authentication mechanism or framework.
Current authentication in the 802.11 standard is focused more on wireless LAN connectivity than on verifying user or station identity. For enterprise wireless security to scale to hundreds or thousands of users, the current method of authentication must be replaced by an authentication framework that supports centralized user authentication.
Task Group I of the IEEE 802.11 committee is working on 802.1X, an IEEE standard that provides an authentication framework for 802-based LANs. 802.1X will let wireless LANs scale by allowing centralized authentication of wireless users or stations. The standard is flexible enough to allow multiple authentication algorithms, and because it is an open standard, multiple vendors can innovate and offer enhancements.
How it works
It is important to note that 802.1X alone lacks the components that 802.11-based LANs need for user-based authentication. Task Group I is drafting amendments to the 802.11 specifications to incorporate 802.1X services.
802.1X takes advantage of an existing authentication protocol known as the Extensible Authentication Protocol (EAP [RFC 2284]). 802.1X takes EAP, which is written around PPP, and ties it to the physical medium, be it Ethernet, Token Ring or wireless LAN. EAP messages are encapsulated in 802.1X messages and referred to as EAPOL, or EAP over LAN.
802.1X authentication for wireless LANs has three main components: the supplicant (usually the client software); the authenticator (usually the access point); and the authentication server (usually a Remote Authentication Dial-In User Service (RADIUS) server, although RADIUS is not specifically required by 802.1X).
The client tries to connect to the access point. The access point detects the client and enables the client's port. It forces the port into an unauthorized state, so only 802.1X traffic is forwarded. Traffic such as Dynamic Host Configuration Protocol, HTTP, FTP, Simple Mail Transfer Protocol and Post Office Protocol 3 is blocked. The client then sends an EAP-start message.
The access point will then reply with an EAP-request identity message to obtain the client's identity. The client's EAP-response packet containing the client's identity is forwarded to the authentication server.
The authentication server is configured to authenticate clients with a specific authentication algorithm. The result is an accept or reject packet from the authentication server to the access point.
Upon receiving the accept packet, the access point will transition the client's port to an authorized state, and traffic will be forwarded.
802.1X for wireless LANs makes no mention of key distribution or management. This is left for vendor implementation.
At logoff, the client will send an EAP-logoff message. This will force the access point to transition the client port to an unauthorized state.
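The port-state behaviour described in the steps above, as an added example that is not part of the original article: a minimal model of the authenticator (access point) side that parses EAPOL frames, holds the controlled port in the unauthorized state until the authentication server accepts the client, forwards normal traffic only while authorized, and drops back to unauthorized on EAP-logoff. The authentication server is a constructed callable that checks only the identity; in a real deployment an EAP method exchange with the server follows the identity response, and the frame layouts used (EtherType 0x888E, EAPOL header, EAP header) are those of the published standards.

```python
import struct
ETHERTYPE_EAPOL = 0x888E                       # EAPOL frames carry this EtherType
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1         # EAP code / type used below
KNOWN_USERS = {"alice"}   # constructed stand-in for the authentication server's user store

def eapol(ptype, body=b""):
    """EAPOL header: protocol version 1, packet type, body length, then the body."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body

def eap(code, ident, body=b""):
    """EAP packet: code, identifier, total length, then type and type-data."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

class Authenticator:
    """Access-point side: the controlled port stays unauthorized until the AS accepts."""
    def __init__(self, auth_server):
        self.auth_server = auth_server   # callable(identity) -> bool, stands in for RADIUS
        self.authorized = False

    def receive(self, ethertype, payload):
        """Return the port's decision: 'forward'/'drop' for data, or the 802.1X action taken."""
        if ethertype != ETHERTYPE_EAPOL:          # DHCP, HTTP, ... pass only once authorized
            return "forward" if self.authorized else "drop"
        _, ptype, length = struct.unpack("!BBH", payload[:4])
        body = payload[4:4 + length]
        if ptype == EAPOL_START:                  # client's EAP-start -> AP asks for identity
            return "request-identity"
        if ptype == EAPOL_LOGOFF:                 # EAP-logoff -> port back to unauthorized
            self.authorized = False
            return "unauthorized"
        if ptype != EAPOL_EAP_PACKET or len(body) < 4:
            return "ignored"
        code, ident, _ = struct.unpack("!BBH", body[:4])
        if code == EAP_RESPONSE and len(body) > 4 and body[4] == EAP_TYPE_IDENTITY:
            identity = body[5:].decode()          # forwarded to the authentication server
            self.authorized = self.auth_server(identity)   # accept -> authorized, reject -> not
            return "authorized" if self.authorized else "rejected"
        return "ignored"

def run_session(identity, auth_server):
    # Walk one client through the exchange and record what the port did with each frame.
    ap = Authenticator(auth_server)
    trace = [ap.receive(0x0800, b"DHCP discover")]                 # blocked before auth
    trace.append(ap.receive(ETHERTYPE_EAPOL, eapol(EAPOL_START)))
    resp = eap(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + identity.encode())
    trace.append(ap.receive(ETHERTYPE_EAPOL, eapol(EAPOL_EAP_PACKET, resp)))
    trace.append(ap.receive(0x0800, b"DHCP discover"))             # passes only after accept
    trace.append(ap.receive(ETHERTYPE_EAPOL, eapol(EAPOL_LOGOFF)))
    trace.append(ap.receive(0x0800, b"HTTP GET"))                  # blocked again after logoff
    return trace
```

`run_session("alice", lambda u: u in KNOWN_USERS)` shows the port opening only between the accept and the logoff, while an unknown identity never gets data traffic forwarded.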
802.1X for 802.11 networks has the potential to simplify security management for large wireless deployments. It is important to remember that it is not the only piece of the security puzzle for 802.11 networks. Coupled with an authentication algorithm and data frame encryption, network administrators can provide scalable, manageable and mobile network services.
Roshan is technical marketing engineer at Cisco. He can be reached at firstname.lastname@example.org.