Preauthentication Using IEEE 802.1X
If you have a mobile device and move around a reasonably sized
network, you need to roam. Or, to be more specific, your mobile device has to
switch from one access point to another due to the limited coverage area of each
access point. Ideally, you would like this to happen so fast that you, the user,
don't notice it happening. You don't want your laptop to freeze up for a few
seconds each time it happens and, worse still, you don't want it to come back
with a "network failure" message in the middle of a file transfer.
To achieve this type of seamless handover, you need the
switchover to be very fast, preferably milliseconds. This has two implications.
First, you need the switchover to occur before you get outside the coverage area
of the access point you are currently using. Second, you want the new access
point to accept you as quickly as possible so you can continue operation.
Security presents a problem for the second objective.
If you wait until the switchover before starting the
authentication process, it could take a few seconds before the access point lets
you back onto the network. This is especially true if you are using upper-layer
authentication needing the services of some remote authentication server. One
way to get around this problem is to do the authentication in advance so the
access point is ready to let you join as soon as you are ready. The process is
called preauthentication.
The original IEEE 802.11 WEP system allowed preauthentication
using the simple authenticate messages. However, these messages are not relevant
to RSN or WPA. We need to perform full authentication using IEEE 802.1X,
including upper-layer authentication if required. The superficial difficulty is
that we can't talk to the new access point until after we have associated with
it—or can we? Remember, we do have an existing connection with the old access
point, which, if we are doing things right, is still connecting us to the wired
network. Clearly the new access point must be on the same wired network if the
roaming operation is to make any sense. Therefore, we should be able to talk to
the new access point via its wired connection.
Although we may detect the new access point from the radio signal, we
preauthenticate using the wired infrastructure. This is shown in Figure 13.1.

In principle, communicating via the wired network allows the
mobile device to perform all the same EAP operations that would typically be
performed wirelessly after association. This includes the conversation with a
remote authentication server as well as the four-way pairwise key exchange and
the group key exchange. Because all the messages are sent in EAPOL messages,
they can travel equally well over a wired or wireless LAN. We say "in principle"
because, although it is practical, this approach does drive a dump truck through
the underlying architecture assumptions in IEEE 802.1X and causes sleepless
nights among the standards purists. The problem is that technically the IEEE
802.1X authenticator controls a data port that is created when the station
associates. But with preauthentication, no such port exists yet. You can think
of ways to deal with this problem by creating a temporary port that gets
connected later, but it is a bit messy.
If preauthentication is done, the mobile can have an entire set
of keys already in place at the point where it roams and associates with the new
access point. If the new access point can map the mobile device onto the
temporary IEEE 802.1X port that was authorized earlier, it can resume
communication immediately. This is where we make further use of the copies of
the Information Element that are included with the four-way handshake. When the
mobile device preauthenticates, it needs to inform the authenticator which type
of cipher it is going to use. This information is provided in the Information
Element sent with the handshake. When the mobile device finally roams, the new
access point needs to check that it has selected the same cipher in the
association request that it selected during the handshake.
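The cipher-consistency check described above, as an added example that is not code from the book: it parses the RSN Information Element (element ID 48, the element carried in both the four-way handshake and the association request) and compares the suites the station selects in its association request with those it negotiated during the preauthentication handshake. The sample byte values and the choice to compare suite fields rather than the raw element are this example's own assumptions.

```python
import struct

def _read_suites(body: bytes, pos: int):
    """Read a little-endian count followed by that many 4-byte suite selectors."""
    if pos + 2 > len(body):
        raise ValueError("RSN IE truncated before suite count")
    (count,) = struct.unpack_from("<H", body, pos)
    pos += 2
    if pos + 4 * count > len(body):
        raise ValueError("RSN IE truncated inside suite list")
    suites = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(count)]
    return suites, pos + 4 * count

def parse_rsn_ie(ie: bytes) -> dict:
    """Parse an RSN Information Element (element ID 48) into its suite fields."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN IE")
    body = ie[2:]
    if len(body) < 6:
        raise ValueError("RSN IE too short for version and group cipher")
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    pairwise, pos = _read_suites(body, 6)  # group cipher occupies body[2:6]
    akms, _ = _read_suites(body, pos)      # RSN capabilities after this are ignored
    return {"group": body[2:6], "pairwise": pairwise, "akm": akms}

def cipher_selection_matches(handshake_ie: bytes, assoc_ie: bytes) -> bool:
    """AP-side check at roam time: the cipher suites the station selects in its
    (re)association request must be the ones negotiated in the four-way
    handshake it completed during preauthentication."""
    negotiated = parse_rsn_ie(handshake_ie)
    requested = parse_rsn_ie(assoc_ie)
    # A station making a selection lists exactly one pairwise suite and one AKM.
    if len(requested["pairwise"]) != 1 or len(requested["akm"]) != 1:
        return False
    return (requested["group"] == negotiated["group"]
            and requested["pairwise"] == negotiated["pairwise"]
            and requested["akm"] == negotiated["akm"])

# Constructed sample IEs: CCMP group and pairwise with the 802.1X AKM, as negotiated
# in the handshake, and an association request that instead selects TKIP pairwise.
HANDSHAKE_IE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0000")
ASSOC_IE_TKIP = bytes.fromhex("3014 0100 000fac04 0100 000fac02 0100 000fac01 0000")

if __name__ == "__main__":
    print("same selection accepted:", cipher_selection_matches(HANDSHAKE_IE, HANDSHAKE_IE))
    print("changed pairwise cipher rejected:", not cipher_selection_matches(HANDSHAKE_IE, ASSOC_IE_TKIP))
```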