Wireless Networking
Ministry of Defense
Defense University, College of Engineering
Assignment 2
On
Wireless networking
By
Melkamzer Assefa
[RPG/0044/12]
October 2020
Ethiopia, Bishoftu
1. Write in detail about the 802.1X authentication protocol.
The IEEE 802.1X standard defines how the Extensible Authentication Protocol (EAP) is carried at the Data Link layer to
pass authentication information between the supplicant and the authentication server. The actual
authentication process is defined and handled by the specific EAP type in use; the access
point, acting as the authenticator, is simply a go-between that relays messages between the supplicant and the authentication
server.
To authenticate a wireless client seeking network access via an access point, the access point, acting as a
client to the RADIUS server, sends a RADIUS message to the server which contains the user’s credentials
together with information on the requested connection parameters (Figure 1). The RADIUS server will
either authenticate and authorize or reject the request, in either case sending back a response message.
A RADIUS message comprises a RADIUS header and RADIUS attributes, with each attribute
specifying a piece of information about the requested connection. For example, an Access-Request
message will contain attributes for the user name and credentials, and the type of service and connection
parameters being requested by the user, while the Access-Accept message contains attributes for the type
of connection that has been authorized, relevant connection constraints and any vendor specific attributes.
The extensible authentication protocol (EAP) builds on the framework for enabling remote access that
was originally established for dial-up connections in the point-to-point protocol (PPP) suite of protocols.
The PPP dial-up sequence provided for the negotiation of link and network control protocols, as well as
the authentication protocol that would be used, based on the desired level of security. For example, an
authentication protocol, such as password authentication protocol (PAP) or challenge-handshake
authentication protocol (CHAP), is negotiated between client and the remote access server when a
connection is established and then the chosen protocol is used to authenticate the connection.
EAP extended this structure by allowing the use of arbitrary authentication mechanisms, called EAP types,
which define various structures for the authentication message exchange. When a WLAN connection is
being established, client and access point agree on the use of EAP for authentication, and a specific EAP
type is chosen at the start of the connection authentication phase. The authentication process then consists
of the exchange of a series of messages between the client and authentication server, the length and detail
of the exchange depending on the requested connection parameters and the selected EAP type.
When EAP is used together with RADIUS as the authentication protocol, the EAP messages sent between
the access point and the authentication server are encapsulated inside RADIUS packets.
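The RADIUS message structure described above (header plus a series of attributes) and the encapsulation of EAP inside RADIUS can be seen concretely in the following example. It is added here and is not part of the assignment; it builds an EAP-Response/Identity, wraps it in a RADIUS Access-Request as an EAP-Message attribute with the Message-Authenticator that RFC 3579 requires alongside it, and then checks a server reply the way an authenticator would: the Response Authenticator must be the MD5 of the reply fields, the original Request Authenticator and the shared secret (RFC 2865). The shared secret, identity and EAP-TLS Start packet are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes (RFC 2865) and the attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19

# EAP code and type values (RFC 3748)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def eap_response_identity(identifier: int, identity: bytes) -> bytes:
    """Build an EAP-Response/Identity packet: Code, Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets; split it across several attributes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def decode_attrs(data: bytes) -> list:
    """Parse the attribute region of a RADIUS packet into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("attribute length out of range")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def parse(packet: bytes) -> dict:
    """Split a RADIUS packet into code, identifier, authenticator and attribute list."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match the packet")
    return {"code": code, "id": identifier, "auth": packet[4:20], "attrs": decode_attrs(packet[20:])}


def build_access_request(secret: bytes, identifier: int, request_auth: bytes, attrs: list) -> bytes:
    """Assemble an Access-Request; Message-Authenticator is HMAC-MD5(secret) over the packet with its value zeroed."""
    body = b"".join(encode_attr(t, v) for t, v in attrs) + encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac          # the zeroed value is the last 16 octets of the body


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check of an Access-Request: recompute the HMAC with the attribute value zeroed."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return False
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False                                  # EAP-Message without Message-Authenticator is invalid


def build_reply(code: int, request: bytes, secret: bytes, attrs: list) -> bytes:
    """Server reply: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    req = parse(request)
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    prefix = struct.pack("!BBH", code, req["id"], 20 + len(body))
    return prefix + hashlib.md5(prefix + req["auth"] + body + secret).digest() + body


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Authenticator-side check that a reply answers this request and was produced with the shared secret."""
    req, rep = parse(request), parse(reply)
    if rep["id"] != req["id"]:
        return False
    expected = hashlib.md5(reply[:4] + req["auth"] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, rep["auth"])


def demo() -> dict:
    """Run one round trip with constructed sample values and return the checks an authenticator would make."""
    secret = b"constructed-shared-secret"                 # sample value, not from any real deployment
    eap = eap_response_identity(1, b"alice@example.net")  # constructed identity
    request = build_access_request(secret, 42, os.urandom(16), [
        (USER_NAME, b"alice@example.net"),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
        (EAP_MESSAGE, eap),
    ])
    # Constructed server answer: an EAP-Request/EAP-TLS with the Start flag (RFC 5216) inside an Access-Challenge
    reply = build_reply(ACCESS_CHALLENGE, request, secret, [(EAP_MESSAGE, b"\x01\x02\x00\x06\x0d\x20")])
    return {
        "request": request, "reply": reply,
        "request_ok": verify_message_authenticator(request, secret),
        "reply_ok": verify_reply(reply, request, secret),
        "reply_forged": verify_reply(reply, request, b"wrong-secret"),
        "eap_in_request": [v for t, v in parse(request)["attrs"] if t == EAP_MESSAGE][0] == eap,
    }
```

The two authenticators do different jobs: the Message-Authenticator lets the server reject a request whose EAP payload was altered or forged without the secret, while the Response Authenticator lets the access point tie an Access-Accept or Access-Challenge to the exact request it sent, so a reply with a wrong secret or a mismatched identifier is discarded.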
EAP types supported by the Wi-Fi Alliance’s interoperability certification program include: EAP-TLS,
EAP-TTLS/MS-CHAP v2, PEAP v0/EAP-MS-CHAP v2, PEAP v1/EAP-GTC and EAP-SIM. To give a
flavor of how these EAP types differ, EAP-TLS, EAP-TTLS and PEAP are briefly described here.
EAP-TLS (EAP-Transport Layer Security) uses certificate-based authentication between client and server, and
can also dynamically generate keys to encrypt subsequent data transmissions.
An EAP-TLS authentication exchange requires both the station and the authentication (RADIUS) server to
prove their identities to each other using public key cryptography and the exchange of digital certificates
(see next section). The client station validates the authentication server’s certificate and sends an EAP
response message that contains its certificate and starts the process of negotiating encryption parameters,
such as the cipher type that will be used for encryption. As shown in Figure 8-6, once the authentication
server validates the client’s certificate, it responds with the encryption keys to be used during the session.
EAP-TLS therefore requires initial configuration of certificates on both the client station and the
authentication server, but once this is established by the network manager no further user intervention is
required.
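The session keys mentioned above are not chosen by one side and shipped to the other; after the TLS handshake both the station and the authentication server derive the same key material from the TLS master secret and the two handshake randoms, and the server then passes the resulting key to the access point. The following example, added here and not part of the assignment, implements that derivation as RFC 5216 section 2.3 specifies it (label "client EAP encryption", 128 bytes of output, MSK first, EMSK second) and takes the first 32 bytes of the MSK as the 802.11 PMK. It assumes TLS 1.2 was negotiated with a SHA-256 based cipher suite, so the expansion function is the TLS 1.2 P_SHA256 PRF from RFC 5246; the master secret and randoms are constructed sample values standing in for what a real handshake would produce.

```python
import hashlib
import hmac
import os


def p_hash(secret: bytes, seed: bytes, length: int, digest=hashlib.sha256) -> bytes:
    """TLS 1.2 P_hash (RFC 5246 section 5): expand (secret, seed) to `length` bytes with HMAC."""
    out, a = b"", seed                                        # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()              # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()    # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF for SHA-256 cipher suites: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def eap_tls_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """RFC 5216 section 2.3: Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
    client.random + server.random); MSK is bytes 0-63, EMSK bytes 64-127.
    The 802.11 PMK handed to the access point is the first 32 bytes of the MSK."""
    if len(master_secret) != 48 or len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("expected a 48-byte master secret and 32-byte randoms")
    key_material = tls12_prf(master_secret, b"client EAP encryption", client_random + server_random, 128)
    msk, emsk = key_material[:64], key_material[64:]
    return {"msk": msk, "emsk": emsk, "pmk": msk[:32]}


def demo() -> dict:
    """Both peers hold the same handshake secrets (constructed here) and must arrive at the same MSK."""
    master_secret = hashlib.sha256(b"constructed premaster").digest() + bytes(16)   # 48 bytes, constructed
    client_random, server_random = os.urandom(32), os.urandom(32)
    station = eap_tls_keys(master_secret, client_random, server_random)
    server = eap_tls_keys(master_secret, client_random, server_random)
    # A server that saw a different client random (a different session) derives a different key
    other_session = eap_tls_keys(master_secret, os.urandom(32), server_random)
    return {
        "agree": station["msk"] == server["msk"],
        "bound_to_session": station["msk"] != other_session["msk"],
        "pmk_hex": station["pmk"].hex(),
    }
```

Because the MSK depends on both randoms, a key derived in one session cannot be replayed into another, and because it depends on the master secret, only the two peers that completed the mutual certificate check can compute it; the PMK the access point receives is therefore evidence that the server-side validation in the description above actually took place.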