Re: [fw-wiz] "802.1x"?

From: CTA (
Date: 12/15/02

From: "CTA" <>
To: fw-wiz <>
Date: Sun Dec 15 10:49:01 2002

On 14 Dec 2002, at 12:52, Mikael Olsson wrote:

From: Mikael Olsson
Organization: Clavister AB
To: fw-wiz <<firewall->
Subject: [fw-wiz] "802.1x"?
Date sent: Sat, 14 Dec 2002 12:52:47 +0100


> Hullo,
>
> Could someone clueful please take a minute or two and give
> us all the "techecutive summary" of 802.1x? I've been trying to
> together what exactly it's supposed to be doing, but
> I've come across so far has been so buzzword-laden, it's
> impossible to glean real clue from.
>
> All I've understood is that it uses PPP EAP for authentication
> (by, for instance, talking to a radius server) - Which box is
> "EAP server"? I would assume that it's the
> endpoint ("base station"), but docs seem to suggest that
> it just gets passed through to some server in the
> background? -
> Then there's something about key exchange.... (?) - Is there
> built-in crypto layer, or is that supposed to be
> done by something else?
> - Does it rely on known-good crypto, or are they inventing
> own algorithms again?
> - Is it any good? :)


>>>>bhH in

Essentially there are three primary components in a
typical 802.x Wireless Access POP topology:

The Client/User (CU), such as computers, PALMs and other
802-capable devices; the Authenticator or wireless
Access Point (AP); and the Authentication Server.

***However, I believe that one should consider a
Bastion/FW/NAT as a fourth and essential component.
This also reduces the threat to disclosure, integrity or
accessibility from a Man-In-The-Middle Attack, which is
one of the vulnerabilities of Key-based cryptography.
Microwave (MASER) jamming (you can build one for
about $99) is another significant DDOS threat, but I will
save that for another time.***

The Client/User (CU) communicates via 900 MHz – 2 GHz
RF to the wireless Access Point (AP). The AP is typically
(or should be, IMO) installed behind a Bastion Host
FW / NAT Box; this way the Bastion/NAT can control
the distribution of Internet IP, or specific IETF 1918
address space, for controlled access to a VPN/Intranet,
i.e., access to the “Network”.

Typically, the CU communicates authentication
information with the AP, which forwards the information
to a RADIUS server to authenticate and authorize access
to the Network by the CU. The authentication information
between the CU, AP and RADIUS is exchanged using the
EAP/TLS method. EAP/TLS is a Certificate Based
authentication method, which uses dynamic rotating 128
bit WEP keys for data encryption.

The CU must be able to do EAP/TLS, which Micro$oft
WinXP is able to do. Beware of the flaw in softee’s
implementation of x509. I think this was patched, but not

The AP more or less is a forwarder of the authentication
information and its primary existence is to act as a
wireless converter and router/gateway.

The RADIUS server typically interfaces with a Certificate
Server / Key Encryption application such as OpenSSL to
manage the cryptography and certs.

The Bastion Host keeps, for the most part, the good fenced
in and the bad fenced out. A honeypot or two is a good
addition as well. It gives a place for the kids to play.

That’s a quick view IMHO…




“I don’t ware no stinken hat… Bald Hatless and

<<<<<<bhH out

> --
> Mikael Olsson, Clavister AB
> Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK,
> Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
> Fax: +46 (0)660 122 50 WWW:
> _______________________________________________
> firewall-wizards mailing list




I don't ware no stiken hat...
    Bald, Hatless and Hacking since 1975
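The CU -> AP -> RADIUS pass-through described in the post above, as an added example that is not part of the original message or of any product mentioned in it: a small Python model of the AP relaying the supplicant's EAP-Response/Identity unread inside a RADIUS Access-Request, the authentication server answering with EAP-Request/TLS Start in an Access-Challenge, and the RFC 3579 Message-Authenticator check that makes the server discard relays that were altered in transit or keyed with the wrong shared secret. The shared secret, the identity and all function names are constructed for the example; the TLS handshake itself is elided.

```python
import hashlib, hmac, os, struct

# EAP codes/types (RFC 3748); RADIUS codes/attributes (RFC 2865, RFC 3579).
EAP_REQUEST, EAP_RESPONSE, EAP_IDENTITY, EAP_TLS = 1, 2, 1, 13
ACCESS_REQUEST, ACCESS_CHALLENGE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 11, 79, 80

def eap(code, ident, eap_type, data=b""):
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def radius(code, ident, request_auth, attrs, secret, response=False):
    # Message-Authenticator (RFC 3579 s3.2): HMAC-MD5, keyed by the AP<->server shared
    # secret, over the packet with that attribute zeroed and the Request Authenticator in the header.
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]      # appended last on purpose
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body
    pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    if response:  # replies carry the RFC 2865 s3 Response Authenticator in the header instead
        pkt = pkt[:4] + hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() + pkt[20:]
    return pkt

def attributes(pkt):  # yields (offset, type, value) for each attribute after the 20-byte header
    i = 20
    while i < len(pkt):
        yield i, pkt[i], pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]

def message_authenticator_ok(pkt, secret, request_auth=None):
    # Replies: the caller passes the Request Authenticator it sent. Missing attribute => reject (RFC 3579 s3.2).
    if request_auth:
        pkt = pkt[:4] + request_auth + pkt[20:]
    for off, typ, val in attributes(pkt):
        if typ == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), val)
    return False

def ap_relay(eap_from_client, secret, ident=1):
    # EAP pass-through: the AP wraps the supplicant's EAP frame in an Access-Request unread.
    return radius(ACCESS_REQUEST, ident, os.urandom(16), [(EAP_MESSAGE, eap_from_client)], secret)

def server_handle(access_request, secret):
    # Server: verify integrity, then answer EAP-Response/Identity with EAP-Request/TLS Start (TLS handshake elided).
    if not message_authenticator_ok(access_request, secret):
        return None                                             # silently discard
    eap_in = b"".join(v for _, t, v in attributes(access_request) if t == EAP_MESSAGE)
    if len(eap_in) < 5 or eap_in[0] != EAP_RESPONSE or eap_in[4] != EAP_IDENTITY:
        return None
    tls_start = eap(EAP_REQUEST, (eap_in[1] + 1) & 0xFF, EAP_TLS, b"\x20")   # Flags byte: S (start) bit
    return radius(ACCESS_CHALLENGE, access_request[1], access_request[4:20], [(EAP_MESSAGE, tls_start)], secret, response=True)
```

The same Message-Authenticator check, computed with the Request Authenticator the AP sent, lets the AP reject a forged Access-Challenge or Access-Accept coming back from the server side.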