802.1X provides a framework for user authentication over any LAN, including wireless LANs. For the purposes of this book, the "port" in 802.1X on wireless is the association between a wireless station and its access point. The successful exchange of Association Request and Association Response frames is reported to the 802.1X state machine as the link layer becoming active. Once associated, a station can exchange 802.1X frames in an attempt to become authorized; until it does, the access point forwards nothing but 802.1X traffic from that station. The completion of the 802.1X authentication exchange, including key distribution, is reported to the user as the interface coming up.
Sample 802.1X Exchange on 802.11
EAPOL exchanges look almost exactly like EAP exchanges. The main difference is that supplicants can issue EAPOL-Start frames to trigger the EAP exchange, and they can use EAPOL-Logoff messages to deauthorize the port when the station is done using the network. The examples in this section assume that a RADIUS server is used as the back-end authentication server, and therefore they show the authenticator translating between EAP on the front end and RADIUS on the back end: the EAP packet is carried unchanged inside RADIUS EAP-Message attributes, and the authenticator never needs to understand the EAP method in use. Carrying EAP in RADIUS packets is specified in RFC 2869 (later updated by RFC 3579).
This example exchange also shows the use of EAPOL-Key frames to distribute key information for link layer security protocols. Figure 6-8 shows a sample EAPOL exchange on an 802.11 network. The figure shows a successful authentication, whose steps are:
Steps five and six repeat as many times as necessary to complete the authentication. If the EAP method requires a certificate exchange, multiple rounds are almost certainly required, because a certificate chain does not fit in a single EAP packet. Many EAP exchanges require 10-20 round trips between the client and the RADIUS server.
Figure 6-8. Typical 802.1X exchange on 802.11
Exchanges similar to Figure 6-8 may be used at any point. It is not necessary for the supplicant to begin an EAPOL exchange with the EAPOL-Start message. At any point, the authenticator can begin an EAPOL exchange by issuing an EAP-Request/Identity frame to refresh the authentication data. Re-authentications are often triggered by session timeout values in order to refresh keys.
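The following is an added example, not code from the book: it encodes the first steps of the exchange in Figure 6-8 (EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity) and then does what the authenticator does on the back end, stripping the EAPOL header and wrapping the EAP packet in a RADIUS Access-Request with EAP-Message and Message-Authenticator attributes. The shared secret, identity and Request Authenticator are constructed sample values; the frame and attribute layouts follow 802.1X-2001, RFC 3748 and RFC 2869.

```python
"""EAPOL <-> EAP <-> RADIUS translation as an 802.1X authenticator performs it.

Added example; constants and layouts follow 802.1X-2001, RFC 3748 and RFC 2869.
"""
import hashlib
import hmac
import struct

# EAPOL packet types (802.1X-2001) and EAP codes (RFC 3748)
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

# RADIUS code and attribute types used to carry EAP (RFC 2865 / RFC 2869)
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def eapol_frame(packet_type, body=b""):
    """EAPOL header: version, packet type, body length, then the body."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def parse_eapol(frame):
    if len(frame) < 4:
        raise ValueError("short EAPOL frame")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("EAPOL body truncated")
    return version, ptype, frame[4:4 + length]  # Ethernet padding past the body is ignored


def eap_packet(code, identifier, data=b""):
    """EAP header: code, identifier, total length, then type and type-data."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_eap(pkt):
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or len(pkt) < length:
        raise ValueError("bad EAP length field")
    return code, identifier, pkt[4:length]


def radius_attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def radius_attrs(pkt):
    """Yield (type, value) for each attribute following the 20-octet RADIUS header."""
    pos = 20
    while pos < len(pkt):
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > len(pkt):
            raise ValueError("bad RADIUS attribute length")
        yield attr_type, pkt[pos + 2:pos + attr_len]
        pos += attr_len


def access_request_with_eap(radius_id, request_authenticator, user_name, eap, secret):
    """Authenticator side: EAP packet split into EAP-Message attributes of at most 253
    octets, plus the Message-Authenticator (HMAC-MD5 under the shared secret, computed
    over the whole packet with the attribute value set to 16 zero octets)."""
    attrs = radius_attr(ATTR_USER_NAME, user_name)
    for off in range(0, len(eap), 253):
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap[off:off + 253])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, 20 + len(attrs))
    pkt += request_authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def verify_message_authenticator(pkt, secret):
    """Server side: recompute the HMAC with the attribute zeroed; absent or wrong -> False."""
    pos = 20
    while pos + 2 <= len(pkt):
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += attr_len
    return False


def eap_from_radius(pkt):
    """Reassemble the EAP packet from consecutive EAP-Message attributes."""
    return b"".join(v for t, v in radius_attrs(pkt) if t == ATTR_EAP_MESSAGE)


def run_exchange(secret=b"constructed-shared-secret", identity=b"user@example.com"):
    """EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, then RADIUS forwarding."""
    start = eapol_frame(EAPOL_START)                                   # supplicant -> AP
    if parse_eapol(start)[1] != EAPOL_START:
        raise ValueError("expected EAPOL-Start")
    req = eapol_frame(EAPOL_EAP_PACKET,                                # AP -> supplicant
                      eap_packet(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY])))
    _, _, body = parse_eapol(req)
    _, ident, data = parse_eap(body)
    resp = eapol_frame(EAPOL_EAP_PACKET,                               # supplicant -> AP
                       eap_packet(EAP_RESPONSE, ident, bytes([data[0]]) + identity))
    # Authenticator: strip EAPOL, take the identity for User-Name, forward EAP untouched
    _, _, body = parse_eapol(resp)
    code, ident, data = parse_eap(body)
    if code != EAP_RESPONSE or data[:1] != bytes([EAP_TYPE_IDENTITY]):
        raise ValueError("expected EAP-Response/Identity")
    request_authenticator = bytes(range(16))  # constructed; real code uses os.urandom(16)
    radius = access_request_with_eap(7, request_authenticator, data[1:], body, secret)
    return {"identity": data[1:], "eap_id": ident, "radius": radius}
```

The Message-Authenticator check is what a RADIUS server uses to reject an Access-Request that did not come from an authenticator holding the shared secret; the Request Authenticator alone does not protect EAP-carrying requests, which is why RFC 2869 makes the attribute mandatory whenever EAP-Message is present.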
Dynamic keying
The EAPOL-Key frame allows keys to be sent from the access point to the client and vice versa. Key exchange frames are sent only after the authentication succeeds, because the keying material used to protect and authenticate them is derived from the authentication exchange itself; a station that has not authenticated never receives key information. EAPOL-Key frames can also be used periodically to update keys dynamically. Several of the weaknesses in WEP stem from the long lifetime of its keys. When it is difficult to rekey every station on the network, keys tend to be used for long periods of time. Several experts have recommended changing WEP keys on a regular basis, but no practical mechanism for doing so existed until the development of 802.1X.