RE: 802.1x RADIUS Deployment in Wireless LAN
shankarnarayan.d_at_netsol.co.in
Date: 11/26/03
- Previous message: ZyberGeek: "RE: Altiris Deployment Server vs. Microsoft SMS"
- Maybe in reply to: David J. Jackson: "802.1x RADIUS Deployment in Wireless LAN"
To: eric@sandpile.net, djackson@netdmz.com
Date: Wed, 26 Nov 2003 13:10:16 +0530
Hi,
I assume that all who are reading this have knowledge of Wireless LAN
(802.11b), its Security issues and packet formats. Forgive me if not, as
this digs into technology a little. To talk about WPA in Wi-Fi Alliance's
own terms it is WPA = 802.1X + EAP + TKIP + MIC
1. EAP in combination with 802.1X is used for Authentication. Temporal keys
or use Pre-shared keys (typically in homes where you can't have a RADIUS
Server installed) to derive Temporal keys
2. MIC (short for Message Integrity Check, commonly called Michael and
created by Niels Fergusson - apologies if that is wrongly spelt) is used for
Integrity check
3. TKIP has 3 algorithms to it - they overcome weak key generation,
collision attacks and sequence key problem
To cut this short, because WPA uses MIC and TKIP as additional algorithms,
such features need to be built on the cards as the cards use these features
along with the AP/ RADIUS to help implement WPA. Hence cards, client
software and AP need to understand WPA and therefore need to be upgraded to
support such algorithms.
WPA authentication follows EAP with 802.1X for authentication, so I am not
sure encapsulation is the right word to use.
Hope this helps.............
Shankar
-----Original Message-----
From: Eric Hagen [mailto:eric@sandpile.net]
Sent: Wednesday, November 26, 2003 2:21 AM
To: David J. Jackson
Cc: security-basics@securityfocus.com
Subject: Re: 802.1x RADIUS Deployment in Wireless LAN
Well, I can relay a bit of experience using Cisco's "Secure Access
Control" platform. You need version 3.2 to properly support the EAP
that is required for authentication over 802.1x. It's a Windows
package, but it's not that inexpensive compared to the open-source route.
We used Cisco Aironet 1200 access points and got the WPA/TKIP
authentication to work. That's a dynamic key system and has 100% of
its authentication through the SAC server.
We standardized on 3com client cards because they include strong
software support for WPA as well as the 802.11i draft standard with AES
encryption. The Cisco client card was good too, but the range wasn't as
good for one reason or another.
Difficulty? Fortunately, we had a few experts on hand, so it wasn't all
that difficult at all. Unfortunately, for those unfamiliar with all of
the technologies (including Cisco IOS) it would be very difficult.
Also, I believe that the wireless card's drivers must support the WPA
authentication, since it uses a layer-2 encapsulation on the auth
packets (someone correct me if I'm wrong here).
Eric