Extensible Authentication Protocol

Apr 29, 2010 by alperen


The Extensible Authentication Protocol (EAP) is required in order to encrypt the
global authentication key. EAP provides the method by which wireless
workstations create an encryption key for the authentication service.


Mutual authentication is provided by Transport Layer Security (TLS), which
protects the integrity of encrypted transmissions and the point-to-point
exchange of keys. Because EAP and TLS are used in combination, the TLS
mechanics carry the EAP exchange.

Once authentication has occurred, 802.11 can be configured to require that
the wireless workstation re-authenticate at a predefined time interval. This
means the wireless access point restricts traffic destined for the wired
network or for another wireless workstation whenever the sender lacks valid
authentication keys.

Both the wireless access point and wireless workstation need to support
a multicast/global authentication key so that the wireless access
point can utilize a server that receives 802.11 network traffic either
with or without a specific authentication key.

When a new wireless workstation connects to the access point, the access
point receives an EAP-Start from the wireless workstation. The access point
then sends an EAP-Request to the wireless workstation to establish its
identity. The access point then sends an EAP-Start associated with the new
access point on your WLAN.

If no user is logged on at the time, the wireless workstation sends an
EAP-Response that uses the machine name as its identifier. If a user is
logged on, the wireless workstation sends an EAP-Response that uses that
username as its identifier.
The access point then forwards the EAP-Response for identity to the
authentication server, which answers the wireless workstation's identity
message with an EAP-Request carrying a TLS or MD5 challenge.

Note that TLS is necessary for wireless traffic, since the authentication
server is not permitted to send multicast/global keys. The wireless
workstation must therefore handle unicast session authentication keys
securely, and the wireless access point relays the EAP-Request from the
authentication server to the wireless workstation.
The wireless workstation then sends an EAP-Response containing its
credentials, through the wireless access point, which forwards the wireless
workstation's credentials to the authentication server. The authentication
server validates the wireless workstation's credentials and creates a
"Success" message for the wireless workstation.

The authentication server responds to the wireless access point with the
wireless workstation's message and the encryption key derived from the
EAP-TLS session key.

At that point, the wireless access point creates a multicast/global
authentication key, either by generating a random number or by choosing
one from a predefined setting. Once that message has been received from the
authentication server, the wireless access point sends a "Success" message
to the wireless workstation. The wireless access point then sends an EAP-Key
message to the wireless workstation containing the multicast/global
authentication key, encrypted with the per-session encryption key.
If the wireless access point and wireless workstation support this type of
unicast session key, the access point uses the encryption key sent by the
authentication server as the unicast session key.
Whenever the wireless access point changes the multicast/global
authentication key, it produces EAP-Key messages carrying the new
multicast/global authentication key, each encrypted with a specific wireless
workstation's unicast session key. The wireless access point also adds each
wireless workstation's unicast session key to the list of unicast session
keys it keeps.

Once the wireless workstation has received the EAP-Key message, it uses the
unicast session encryption key to decrypt the multicast/global
authentication key. Once the wireless access point and wireless workstation
hold these unicast session keys together with a multicast/global
authentication key, the encryption key (from the EAP-TLS session key) is
delivered to the wireless workstation as the unicast session key to use.

Finally, when the wireless NIC receives these authentication keys, the
wireless workstation must program them into its NIC. Once the
authentication keys have been programmed successfully, the wireless
workstation restarts its communication by using DHCP to obtain an IP
address.
