Preauthentication
Preauthentication is used to speed up association transfer. Authentication can often cause a lag between the time a station decides to move to a new AP and the time that the frames start flowing through that AP. Preauthentication attempts to reduce the time by getting the time-consuming authentication relationship established before it is needed. Due to the overloading of the term "authentication" by both the low-level 802.11 authentication and the 802.1X authentication, there are two different types of preauthentication. As it is commonly used by network engineers, though, it usually refers to the 802.1X authentication.
802.11 Preauthentication
Stations must authenticate with an access point before associating with it, but nothing in 802.11 requires that low-level authentication take place immediately before association. Stations can 802.11-authenticate with several access points during the scanning process so that when association is required, the station is already authenticated. As a result of preauthentication, stations can reassociate with access points immediately upon moving into their coverage area, rather than having to wait for the authentication exchange.
In both parts of Figure 8-7, there is an extended service set composed of two access points. Only one mobile station is shown for simplicity. Assume the mobile station starts off associated with AP1 at the left side of the diagram because it was powered on in AP1's coverage area. As the mobile station moves towards the right, it must eventually associate with AP2 as it leaves AP1's coverage area.
Figure 8-7. Time savings of preauthentication
Preauthentication is not used in the most literal interpretation of 802.11, shown in Figure 8-7 (a). As the mobile station moves to the right, the signal from AP1 weakens. The station continues monitoring Beacon frames corresponding to its ESS, and will eventually note the existence of AP2. At some point, the station may choose to disassociate from AP1, and then authenticate and reassociate with AP2. These steps are identified in the figure, in which the numbers are the time values from Table 8-1.
|
Step |
Action without preauthentication: Figure 8-7 (a) |
Action with preauthentication: Figure 8-7 (b) |
|---|---|---|
|
0 |
Station is associated with AP1 |
Station is associated with AP1 |
|
1 |
Station moves right into the overlap between BSS1 and BSS2 |
Station moves right into the overlap between BSS1 and BSS2 and detects the presence of AP2 |
|
1.5 |
Station preauthenticates to AP2 |
|
|
2 |
AP2's signal is stronger, so station decides to move association to AP2 |
AP2's signal is stronger, so station decides to move association to AP2 |
|
3 |
Station authenticates to AP2 |
Station begins using the network |
|
4 |
Station reassociates with AP2 |
|
|
5 |
Station begins using the network |
Figure 8-7 (b) shows what happens when the station is capable of preauthentication. With this minor software modification, the station can authenticate to AP2 as soon as it is detected. As the station is leaving AP1's coverage area, it is authenticated with both AP1 and AP2. The time savings become apparent when the station leaves the coverage area of AP1: it can immediately reassociate with AP2 because it is already authenticated. Preauthentication makes roaming a smoother operation because authentication can take place before it is needed to support an association. All the steps in Figure 8-7 (b) are identified by time values from Table 8-1.
802.11i Preauthentication and Key Caching
When a network is authenticated with 802.1X, the most time-consuming step in getting from the 802.11 join to the ability to send network protocol packets is the 802.1X authentication, especially if it uses an EAP method with several frame round-trips. Preauthentication, shown in Figure 8-8, allows a station to establish a security context with a new AP before associating to it. In essence, preauthentication decouples the association and security procedures, and allows them to be performed independently. WPA explicitly excluded preauthentication.
Figure 8-8. 802.11i preauthentication
Figure 8-8 shows the following sequence of steps.
- The station associates to the first access point it finds on the network. It selects this AP based on the criteria in its firmware.
- Once associated, the station can perform an 802.1X authentication. This step uses EAPOL frames as described in Chapter 6, with an Ethertype of (hexadecimal) 88-8E. EAPOL frames are converted into RADIUS packets by the AP, and the session is authenticated.
- Dynamic keys for the radio link are derived on both sides through the four-way handshake for pairwise keys and the group key handshake for the group keys.
- With keys configured, the station is "on the air" and can send and receive network protocol packets.
Station software is in control of roaming behavior, and can use that to its advantage. As the station moves in such a way that AP2 appears to be a better choice, it can perform preauthentication to speed up the process of moving over to AP2. Rather than move everything all at once, though, it performs preauthentication to cut down on the interruption between sending network packets.
- Preauthentication commences with an EAPOL-Start message sent from the station to the new AP. A station can only be associated with a single AP, so the preauthentication frames are channeled through the old AP. Preauthentication is a complete 802.1X exchange.
- Preauthentication frames use the Ethertype of (hexadecimal) 88-C7 because most APs apply special processing to the regular authentication Ethertype. The source address of the frames is the station, the receiver address is the BSSID of its current AP (in this case, the MAC address of AP1's wireless interface), and the destination address is the BSSID of the new AP (in this case, AP2's wireless interface).
- When received by AP1, the frames are sent over the distribution system to AP2. The AP only has a MAC address. If the two APs are not connected directly to the same Ethernet broadcast domain, they must have an alternative method of shuttling preauthentication frames between devices.
- During this entire step, the station remains associated to AP1, and can send and receive network packets through its existing encrypted connection. Because the station is still on the air, there is no apparent authentication occuring.
- The result of the preauthentication is that a security context with AP2 is established. The station and AP2 have derived a pairwise master key, which can be further processed to create keys between the station and AP2. Both the station and the AP store the pairwise master key in a key cache.
- When the station pulls the trigger, the association is moved to AP2. As part of the initial association, the station includes a copy of its key cache to tell AP2 that it was already authenticated.
- AP2 receives the authentication request and searches its key cache. Finding an entry, it starts the fourway pairwise key handshake immediately. By proceeding to key derivation, the station is unable to send and receive packets for only a short time.
802.11 preauthentication moves the time-consuming 802.1X EAP method to occur in parallel with sending and receiving network frames on an authenticated connection. The first association will be slow because the full EAP exchange is required. On subsequent associations, however, preauthentication can dramatically reduce handoff times.
Introduction to Wireless Networking
- Introduction to Wireless Networking
- Why Wireless?
- What Makes Wireless Networks Different
- A Network by Any Other Name...
Overview of 802.11 Networks
- Overview of 802.11 Networks
- IEEE 802 Network Technology Family Tree
- 11 Nomenclature and Design
- 11 Network Operations
- Mobility Support
11 MAC Fundamentals
- 11 MAC Fundamentals
- Challenges for the MAC
- MAC Access Modes and Timing
- Contention-Based Access Using the DCF
- Fragmentation and Reassembly
- Frame Format
- Encapsulation of Higher-Layer Protocols Within 802.11
- Contention-Based Data Service
- Frame Processing and Bridging
11 Framing in Detail
- 11 Framing in Detail
- Data Frames
- Control Frames
- Management Frames
- Frame Transmission and Association and Authentication States
Wired Equivalent Privacy (WEP)
- Wired Equivalent Privacy (WEP)
- Cryptographic Background to WEP
- WEP Cryptographic Operations
- Problems with WEP
- Dynamic WEP
User Authentication with 802.1X
- User Authentication with 802.1X
- The Extensible Authentication Protocol
- EAP Methods
- 1X: Network Port Authentication
- 1X on Wireless LANs
11i: Robust Security Networks, TKIP, and CCMP
- 11i: Robust Security Networks, TKIP, and CCMP
- The Temporal Key Integrity Protocol (TKIP)
- Counter Mode with CBC-MAC (CCMP)
- Robust Security Network (RSN) Operations
Management Operations
- Management Operations
- Management Architecture
- Scanning
- Authentication
- Preauthentication
- Association
- Power Conservation
- Timer Synchronization
- Spectrum Management
Contention-Free Service with the PCF
- Contention-Free Service with the PCF
- Contention-Free Access Using the PCF
- Detailed PCF Framing
- Power Management and the PCF
Physical Layer Overview
- Physical Layer Overview
- Physical-Layer Architecture
- The Radio Link
- RF Propagation with 802.11
- RF Engineering for 802.11
The Frequency-Hopping (FH) PHY
- The Frequency-Hopping (FH) PHY
- Frequency-Hopping Transmission
- Gaussian Frequency Shift Keying (GFSK)
- FH PHY Convergence Procedure (PLCP)
- Frequency-Hopping PMD Sublayer
- Characteristics of the FH PHY
The Direct Sequence PHYs: DSSS and HR/DSSS (802.11b)
- The Direct Sequence PHYs: DSSS and HR/DSSS (802.11b)
- Direct Sequence Transmission
- Differential Phase Shift Keying (DPSK)
- The Original Direct Sequence PHY
- Complementary Code Keying
- High Rate Direct Sequence PHY
11a and 802.11j: 5-GHz OFDM PHY
- 11a and 802.11j: 5-GHz OFDM PHY
- Orthogonal Frequency Division Multiplexing (OFDM)
- OFDM as Applied by 802.11a
- OFDM PLCP
- OFDM PMD
- Characteristics of the OFDM PHY
11g: The Extended-Rate PHY (ERP)
- 11g: The Extended-Rate PHY (ERP)
- 11g Components
- ERP Physical Layer Convergence (PLCP)
- ERP Physical Medium Dependent (PMD) Layer
A Peek Ahead at 802.11n: MIMO-OFDM
11 Hardware
- 11 Hardware
- General Structure of an 802.11 Interface
- Implementation-Specific Behavior
- Reading the Specification Sheet
Using 802.11 on Windows
11 on the Macintosh
Using 802.11 on Linux
- Using 802.11 on Linux
- PCMCIA Support on Linux
- Linux Wireless Extensions and Tools
- Agere (Lucent) Orinoco
- Atheros-Based cards and MADwifi
- 1X on Linux with xsupplicant
Using 802.11 Access Points
- Using 802.11 Access Points
- General Functions of an Access Point
- Power over Ethernet (PoE)
- Selecting Access Points
- Cisco 1200 Access Point
- Apple AirPort
Logical Wireless Network Architecture
- Logical Wireless Network Architecture
- Evaluating a Logical Architecture
- Topology Examples
- Choosing Your Logical Architecture
Security Architecture
- Security Architecture
- Security Definition and Analysis
- Authentication and Access Control
- Ensuring Secrecy Through Encryption
- Selecting Security Protocols
- Rogue Access Points
Site Planning and Project Management
- Site Planning and Project Management
- Project Planning and Requirements
- Network Requirements
- Physical Layer Selection and Design
- Planning Access-Point Placement
- Using Antennas to Tailor Coverage
11 Network Analysis
11 Performance Tuning
Conclusions and Predictions
EAN: 2147483647
Pages: 179
