Using Kerberos, RADIUS, and LDAP for WLAN Authentication
May 10, 2010 00:00
by admin
While wireless networking applications benefit from location independence and freedom of mobility, they all share the same security challenge: authentication. Authentication is a key component of any security solution. Mutual authentication, where both the client and the server must authenticate with each other, is used to ensure that only authorized users are allowed on the network. Kerberos, Remote Authentication Dial-In User Service (RADIUS), and LDAP are popular and useful authentication solutions that meet this security challenge in WLANs.

Kerberos is designed to enable two parties to exchange private information across an otherwise insecure network. Kerberos provides mutual authentication between a client and a server, as well as between servers, before a network connection can be opened. It uses a technique that involves a shared secret, which works much like a password. This happens by assigning a unique key, called a ticket, to each user who logs on to the network. The ticket is then embedded in messages to identify the sender of the message.

RADIUS servers are robust, scalable servers that provide authentication, authorization, and accounting (AAA) functions and advanced policy and custom configuration management to control user access to wired and wireless networks. RADIUS and LDAP are often used together in WLAN applications.
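
The Kerberos description above, as an added example that is not part of the original article: a simplified Python model of ticket-based mutual authentication, in which a server lacking the shared secret cannot accept the ticket and the client rejects a reply it cannot verify. Assumptions: all function names are hypothetical, the HMAC-based cipher is a toy stand-in for a real Kerberos encryption type, and the separate ticket-granting step of real Kerberos is collapsed into one KDC call.

```python
import hashlib, hmac, json, os

def _sub(key, label):
    # Separate subkeys for encryption and integrity, derived from one secret.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Toy HMAC-SHA256 counter-mode keystream; a stand-in for a real Kerberos cipher.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    nonce = os.urandom(16)
    ct = _xor(_sub(key, b"enc"), nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified message")
    return json.loads(_xor(_sub(key, b"enc"), nonce, ct))

def kdc_issue(user_key, service_key, user, now, lifetime=300):
    # The KDC shares a long-term secret with each party and never transmits either one.
    session = os.urandom(32).hex()
    ticket = seal(service_key, {"user": user, "session": session, "expires": now + lifetime})
    return seal(user_key, {"session": session}), ticket

def client_request(user_key, user, sealed_session, now):
    # Only the holder of user_key can recover the session key and build an authenticator.
    session = bytes.fromhex(unseal(user_key, sealed_session)["session"])
    return session, seal(session, {"user": user, "ts": now})

def service_accept(service_key, ticket, authenticator, now, skew=120):
    t = unseal(service_key, ticket)  # raises for a server that lacks service_key
    session = bytes.fromhex(t["session"])
    a = unseal(session, authenticator)
    if a["user"] != t["user"] or now > t["expires"] or abs(now - a["ts"]) > skew:
        raise ValueError("expired ticket or stale authenticator")
    return t["user"], seal(session, {"ts": a["ts"] + 1})  # reply proves the server

def client_verify(session, reply, ts):
    # Client side of mutual authentication: accept only a reply made with the session key.
    try:
        return unseal(session, reply)["ts"] == ts + 1
    except ValueError:
        return False
```
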