WLAN Authentication
The PC sends probe requests to discover APs
APs respond with probe responses and the PC selects an AP
The PC requests authentication
The AP confirms authentication
The PC associates with the AP
The AP confirms association
Enhanced WEP was a Cisco proprietary fix to WEP that added two improvements:
■ 802.1x for authentication
■ Cisco Key Integrity Protocol (CKIP) to protect the key
WPA (Wi-Fi Protected Access), the pre-standard version of 802.11i, mirrored
the Cisco Enhanced WEP by enhancing encryption and authentication in
much the same way. Encryption is improved by incorporating Temporal Key
Integrity Protocol (TKIP). WPA2 (standard 802.11i) added Advanced
Encryption Standard (AES) encryption. Authentication was improved to
support 802.1x and the Extensible Authentication Protocol (EAP).
Key improvements in WPA/WPA2 include the following:
■ Per-session keys give each user a different key each time that user accesses
the AP.
■ TKIP changes the way the key is applied to consecutive packets.
■ Encryption uses a starting number called an Initialization Vector (IV).
WPA uses an IV that is harder to guess.
■ The cryptographic function is changed to 128-bit AES. AES is a standard
that is common in security functions, such as virtual private
networks (VPN).
■ 802.1x for encrypted RADIUS authentication. RADIUS can be linked
back to Active Directory, so users sign in with familiar usernames and
passwords.
802.1x requires that the client and AP support EAP and that a RADIUS
server is present. There are several methods based on EAP to accomplish
authentication:
■ Lightweight EAP (LEAP)
■ EAP Flexible Authentication via Secure Tunnel (EAP-FAST)
■ EAP-Transport Layer Security (EAP-TLS)
■ Protected EAP (PEAP)
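The cipher and key-management choices listed above (TKIP versus AES, 802.1x versus a shared key) are what an AP advertises in the RSN (WPA2) or vendor WPA information element of its beacons and probe responses. The following Python parser is an added example, not part of the original text: it decodes those elements from constructed sample bytes using the suite selector values defined in 802.11i and flags the weak choices an auditor would want to see.

```python
# Added example (not from the original text): decode the RSN (WPA2) and vendor WPA
# information elements an AP advertises and flag weak choices. Sample bytes are constructed.
import struct

RSN_OUI = b"\x00\x0f\xac"  # 802.11i suite selectors (WPA2/RSN)
WPA_OUI = b"\x00\x50\xf2"  # pre-standard WPA vendor selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "AES-CCMP", 5: "WEP-104", 8: "AES-GCMP"}
AKMS = {1: "802.1X/EAP", 2: "PSK", 8: "SAE"}

def _suites(body, off, oui, names):
    """Read a 2-byte little-endian count, then that many 4-byte suite selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    out = []
    for _ in range(count):
        sel, off = body[off:off + 4], off + 4
        out.append(names.get(sel[3], "unknown") if sel[:3] == oui else "vendor")
    return out, off

def parse_security_ie(ie: bytes) -> dict:
    """Parse an RSN IE (ID 48) or a WPA vendor IE (ID 221, OUI 00:50:F2 type 1)."""
    eid, body = ie[0], ie[2:2 + ie[1]]
    if eid == 48:
        kind, oui, off = "WPA2/RSN", RSN_OUI, 0
    elif eid == 221 and body[:4] == WPA_OUI + b"\x01":
        kind, oui, off = "WPA", WPA_OUI, 4
    else:
        raise ValueError("not an RSN or WPA information element")
    (version,) = struct.unpack_from("<H", body, off)
    off += 2  # group cipher suite follows the version field and has no count
    group = CIPHERS.get(body[off + 3], "unknown") if body[off:off + 3] == oui else "vendor"
    pairwise, off = _suites(body, off + 4, oui, CIPHERS)
    akm, off = _suites(body, off, oui, AKMS)
    return {"kind": kind, "version": version, "group": group, "pairwise": pairwise, "akm": akm}

def weaknesses(sec: dict) -> list:
    """Audit findings tied to the WPA/WPA2 improvements above: AES over TKIP/WEP, and 802.1X."""
    findings = [f"weak cipher {c}; prefer AES-CCMP"
                for c in [sec["group"]] + sec["pairwise"] if c in ("WEP-40", "WEP-104", "TKIP")]
    if "802.1X/EAP" not in sec["akm"]:
        findings.append("no 802.1X/EAP key management; RADIUS per-user authentication absent")
    return findings

# Constructed samples: WPA2 with AES-CCMP and 802.1X, and pre-standard WPA with TKIP and PSK.
RSN_AES_8021X = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0c00")
WPA_TKIP_PSK = bytes.fromhex("dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f202")

if __name__ == "__main__":
    for sec in map(parse_security_ie, (RSN_AES_8021X, WPA_TKIP_PSK)):
        print(sec, weaknesses(sec) or ["ok"])
```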