Securely Identifying Wireless Traffic
The 802.11 standard must permit a wireless access point to identify traffic securely for specific types of clients by sending an authentication key to the client as well as to the wireless access point; this is the default authentication procedure. Only authenticated clients know the authentication key, and that same key encrypts all packets transmitted by the client. If there is no valid authentication key, the “authenticator” restricts wireless traffic passing through it. On the other side of the coin, when the wireless workstation, or “supplicant”, is in range of the access point, the access point sends a challenge to the wireless workstation. When the wireless workstation receives the challenge, it transmits its identity back to the access point, which then forwards that identity to the authentication server to begin the authentication process.
At this point, the authentication server asks for the credentials of the wireless workstation. It then determines the types of credentials it specifically needs to confirm the wireless user’s identity. Note that all the requests sent between the wireless workstation and the authentication server go through the uncontrolled access point port, so the wireless workstation is not able to contact the authentication server directly. In addition, the access point does not permit responses through the controlled port because the wireless workstation does not have the required authentication key.
The wireless workstation then sends its credentials to the authentication server and, upon validation, the authentication server sends an authentication key to the access point. That key is encrypted, so that only the access point has the ability to send. The access point can use the authentication key it received from the authentication server to transmit securely to each wireless workstation with both a unicast session key and a multicast/global authentication key.
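The exchange described above can be modelled as a small simulation, added here as an illustration and not taken from the 802.11 or 802.1X specifications: the access point relays authentication over its uncontrolled port and forwards data on the controlled port only after the authentication server releases a key. The class and function names, the station labels, the sample user, and the HMAC challenge-response standing in for the credential exchange are all assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed credential store for the authentication server (sample values).
USERS = {"alice": b"correct horse"}

class AuthServer:
    def __init__(self):
        self.pending = {}  # identity -> outstanding credential request

    def request_credentials(self, identity):
        self.pending[identity] = os.urandom(16)
        return self.pending[identity]

    def validate(self, identity, response):
        challenge = self.pending.pop(identity, None)
        secret = USERS.get(identity)
        if challenge is None or secret is None:
            return None
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        # Key material is released to the access point only on success.
        return os.urandom(32) if hmac.compare_digest(expected, response) else None

class AccessPoint:
    def __init__(self, server):
        self.server = server
        self.session_keys = {}           # station -> unicast session key
        self.group_key = os.urandom(32)  # multicast/global key

    def uncontrolled_port(self, station, identity, respond):
        """Relay authentication only; the station never talks to the server directly."""
        challenge = self.server.request_credentials(identity)
        key = self.server.validate(identity, respond(challenge))
        if key is None:
            return None
        self.session_keys[station] = key
        return key, self.group_key       # keys handed to the authenticated station

    def controlled_port(self, station, frame):
        """Forward data frames only for stations that hold a session key."""
        return frame if station in self.session_keys else None

def supplicant(password):
    """Build the station-side responder that answers a credential request."""
    return lambda challenge: hmac.new(password, challenge, hashlib.sha256).digest()

if __name__ == "__main__":
    ap = AccessPoint(AuthServer())
    print("before auth:", ap.controlled_port("sta-1", b"data"))
    ap.uncontrolled_port("sta-1", "alice", supplicant(b"correct horse"))
    print("after auth:", ap.controlled_port("sta-1", b"data"))
```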