Wireless Networking

Melkamzer Assefa submitted an assignment on wireless networking to Dr. Manoj V.N.v at the Defense University, College of Engineering in Ethiopia. The 2-page assignment discusses the 802.1x authentication protocol in detail. It describes the three main components of 802.1x - the supplicant, authenticator, and authentication server. It then focuses on how RADIUS servers are commonly used for authentication and authorization. The assignment also explains the roles of EAP, EAPoL, and some common EAP authentication types like EAP-TLS, EAP-TTLS, and PEAP.


Federal Democratic Republic of Ethiopia

Ministry of Defense
Defense University, College of Engineering

Assignment 2
On
Wireless networking
By
Melkamzer Assefa
[RPG/0044/12]

Submitted to Dr. Manoj V.N.v


[CT-6262]
Department: Computer and Information Technology
Specialization: Computer Engineering

October 2020
Ethiopia, Bishoftu
1. Write in detail about the 802.1x authentication protocol?

802.1x Authentication Framework


IEEE 802.1x is an access control protocol that provides protection for networks by authenticating users.
After successful authentication, a virtual port is opened on the access point for network access, while
communications are blocked if authentication fails. 802.1x authentication defines three elements:

1. The Supplicant – software running on the wireless station that is seeking authentication
2. The Authenticator – the wireless access point that requests authentication on behalf of the
supplicant, and
3. The Authentication Server – the server, running an authentication protocol such as RADIUS
or Kerberos, that provides centralized authentication and access control using an
authentication database.

The standard defines how the extensible authentication protocol (EAP) is used at the Data Link layer to
pass authentication information between the supplicant and the authentication server. The actual
authentication process is defined and handled according to the specific EAP type used, and the access
point, acting as an authenticator, is simply a go-between, enabling the supplicant and the authentication
server to communicate.

Authentication Servers (RADIUS)

The application of 802.1x authentication in an enterprise WLAN requires the presence of an
authentication server within the network, which can authenticate users against a stored list of the names and
credentials of authorized users. The most commonly used authentication protocol is the remote
authentication dial-in user service (RADIUS), which is supported by WPA-compliant access points and
provides centralized authentication, authorization and accounting services.

To authenticate a wireless client seeking network access via an access point, the access point, acting as a
client to the RADIUS server, sends a RADIUS message to the server which contains the user’s credentials
together with information on the requested connection parameters (Figure 1). The RADIUS server will
either authenticate and authorize or reject the request, in either case sending back a response message.
A RADIUS message comprises a RADIUS header and RADIUS attributes, with each attribute
specifying a piece of information about the requested connection. For example, an Access-Request
message will contain attributes for the user name and credentials, and the type of service and connection
parameters being requested by the user, while the Access-Accept message contains attributes for the type
of connection that has been authorized, relevant connection constraints and any vendor-specific attributes.
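As an added illustration of the RADIUS exchange just described (this code is written for this page and is not part of the assignment or of any RADIUS implementation), the following Python builds a constructed Access-Request carrying the user name, the NAS address and an EAP-Message attribute, builds the server's Access-Accept, and performs the two checks a practitioner cares about: the authenticator verifies the Response Authenticator, so that a reply forged without the shared secret or replayed from a different request is rejected, and the server verifies the Message-Authenticator on the request. Packet layout and authenticator computations follow RFC 2865 and RFC 3579; the shared secret, user name and addresses are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# Attribute types used here (RFC 2865; EAP-Message and Message-Authenticator from RFC 3579)
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value(Length-2)."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def decode_attributes(body):
    """Walk the attribute region, rejecting truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, bytes(body[i + 2:i + alen])))
        i += alen
    return attrs


def build_access_request(identifier, request_auth, attrs, secret):
    """Access-Request as sent by the authenticator (the access point). The Authenticator
    field is a random 16-byte value chosen by the sender; a Message-Authenticator
    (HMAC-MD5 keyed with the shared secret, computed with its own value zeroed) is
    appended, as RFC 3579 requires whenever EAP-Message attributes are present."""
    body = encode_attributes(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = bytearray(struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body)))
    pkt += request_auth + body
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()  # last attribute encoded
    return bytes(pkt)


def build_response(code, identifier, request_auth, attrs, secret):
    """Server reply. Response Authenticator = MD5(Code + ID + Length +
    RequestAuthenticator + Attributes + Secret) per RFC 2865."""
    body = encode_attributes(attrs)
    head = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def verify_response(packet, request_auth, secret):
    """Authenticator-side check before honouring a reply: recompute the Response
    Authenticator from the request it actually sent and the shared secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def verify_message_authenticator(packet, secret):
    """Server-side check on an Access-Request: find the Message-Authenticator, zero
    its value, recompute the HMAC-MD5 and compare. Absent attribute means reject."""
    offset = HEADER_LEN
    for atype, value in decode_attributes(packet[HEADER_LEN:]):
        alen = len(value) + 2
        if atype == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + alen:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        offset += alen
    return False


# Constructed sample values (not from the assignment)
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # a real authenticator would use os.urandom(16)
REQUEST_ATTRS = [
    (USER_NAME, b"alice@example.test"),
    (NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
    (EAP_MESSAGE, bytes([2, 1, 0, 23, 1]) + b"alice@example.test"),  # EAP-Response/Identity
]


def demo():
    request = build_access_request(7, REQUEST_AUTH, REQUEST_ATTRS, SECRET)
    accept = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, [(USER_NAME, b"alice@example.test")], SECRET)
    forged = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, [], b"wrong-secret")
    return {
        "request_ok": verify_message_authenticator(request, SECRET),
        "accept_ok": verify_response(accept, REQUEST_AUTH, SECRET),
        "forged_ok": verify_response(forged, REQUEST_AUTH, SECRET),   # no shared secret
        "replayed_ok": verify_response(accept, bytes(16), SECRET),    # other request
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are the whole point of the shared secret: without them an access point would open its virtual port on any Access-Accept that reached it, whoever sent it.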

Extensible Authentication Protocol

The extensible authentication protocol (EAP) builds on the framework for enabling remote access that
was originally established for dial-up connections in the point-to-point protocol (PPP) suite of protocols.

The PPP dial-up sequence provided for the negotiation of link and network control protocols, as well as
the authentication protocol that would be used, based on the desired level of security. For example, an
authentication protocol, such as password authentication protocol (PAP) or challenge-handshake
authentication protocol (CHAP), is negotiated between the client and the remote access server when a
connection is established, and the chosen protocol is then used to authenticate the connection.

EAP extended this structure by allowing the use of arbitrary authentication mechanisms, called EAP types,
which define various structures for the authentication message exchange. When a WLAN connection is
being established, the client and access point agree on the use of EAP for authentication, and a specific EAP
type is chosen at the start of the connection authentication phase. The authentication process then consists
of the exchange of a series of messages between the client and the authentication server, the length and detail
of the exchange depending on the requested connection parameters and the selected EAP type.
When EAP is used together with RADIUS as the authentication protocol, EAP messages sent between
the access point and the authentication server are encapsulated within RADIUS messages.

Extensible Authentication Protocol over LANs


To apply EAP to LANs or WLANs rather than to dial-up connections, extensible authentication
protocol over LAN (EAPoL) was defined in the 802.1x standard as a transport protocol for delivering
authentication messages. EAPoL defines a set of packet types that carry authentication messages, the
most common of which are:

a. EAPoL-Start – Sent by the authenticator to start an authentication message exchange
b. EAP-Packet – Carries each EAP message
c. EAPoL-Key – Carries information related to generating keys
d. EAPoL-Logoff – Informs the authenticator that the client is logging off.
EAP Types

EAP types supported by the Wi-Fi Alliance’s interoperability certification program include: EAP-TLS,
EAP-TTLS/MS-CHAP v2, PEAP v0/EAP-MS-CHAP v2, PEAP v1/EAP-GTC and EAP-SIM. To give a
flavor of how these EAP types differ, EAP-TLS, EAP-TTLS and PEAP are briefly described here.
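To make the EAPoL packet types and the EAP method types concrete, here is an added Python example (written for this page, not taken from the assignment or from any 802.1x implementation) that parses constructed EAPOL frames: the EAPOL header (version, packet type, body length) and, for EAP-Packet frames, the EAP header (code, identifier, length) plus the method-type byte that names EAP-TLS, EAP-TTLS, PEAP and the other types listed above. The numeric values come from IEEE 802.1X, RFC 3748 and the IANA EAP method registry; the sample frames and the identity string are constructed, and the length checks show how a parser should refuse a truncated or inconsistent frame instead of reading past it.

```python
import struct

# EAPOL header: Version(1) PacketType(1) BodyLength(2); packet types from IEEE 802.1X
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
# EAP codes (RFC 3748) and the method types mentioned in the text (IANA EAP registry)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 6: "EAP-GTC", 13: "EAP-TLS", 18: "EAP-SIM",
               21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap(body):
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP Length field inconsistent with the body")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):  # only Request and Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        mtype = body[4]
        info["method"] = EAP_METHODS.get(mtype, f"type-{mtype}")
        info["data"] = bytes(body[5:length])
    return info


def parse_eapol(frame):
    """Parse an EAPOL frame (the payload that follows Ethertype 0x888E)."""
    if len(frame) < 4:
        raise ValueError("EAPOL frame shorter than its header")
    version, ptype, blen = struct.unpack("!BBH", frame[:4])
    if 4 + blen > len(frame):
        raise ValueError("EAPOL body length exceeds the frame")
    out = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:
        out["eap"] = parse_eap(frame[4:4 + blen])
    return out


def is_well_formed(frame):
    """Length-check a frame without raising; malformed frames are dropped, not guessed at."""
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False


def describe(frame):
    """One-line summary of a frame, e.g. 'EAP-Packet: EAP-Request/EAP-TLS'."""
    p = parse_eapol(frame)
    if "eap" not in p:
        return p["type"]
    e = p["eap"]
    return f"{p['type']}: EAP-{e['code']}" + (f"/{e['method']}" if "method" in e else "")


# Constructed sample frames (not captured traffic); the identity is a made-up value
SAMPLE_FRAMES = [
    bytes([1, 1, 0, 0]),                                                 # EAPOL-Start
    bytes([1, 0, 0, 5]) + bytes([1, 1, 0, 5, 1]),                         # EAP-Request/Identity
    bytes([1, 0, 0, 23]) + bytes([2, 1, 0, 23, 1]) + b"alice@example.test",  # EAP-Response/Identity
    bytes([1, 0, 0, 6]) + bytes([1, 2, 0, 6, 13, 0x20]),                  # EAP-Request/EAP-TLS (Start flag)
    bytes([1, 0, 0, 4]) + bytes([3, 9, 0, 4]),                            # EAP-Success
    bytes([1, 2, 0, 0]),                                                 # EAPOL-Logoff
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(describe(f))
```

Walking the sample list in order reproduces the sequence the text describes: an EAPoL-Start, an identity exchange, the chosen EAP type (here EAP-TLS, method type 13) taking over the conversation, EAP-Success, and finally EAPoL-Logoff.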

EAP-TLS (Transport Layer Security) uses certificate-based authentication between client and server, and
can also dynamically generate keys to encrypt subsequent data transmissions.

An EAP-TLS authentication exchange requires both the station and the authentication (RADIUS) server to
prove their identities to each other using public key cryptography and the exchange of digital certificates
(see next section). The client station validates the authentication server’s certificate and sends an EAP
response message that contains its own certificate, and starts the process of negotiating encryption parameters,
such as the cipher type that will be used for encryption. As shown in Figure 8-6, once the authentication
server validates the client’s certificate, it responds with the encryption keys to be used during the session.

EAP-TLS therefore requires initial configuration of certificates on both the client station and the
authentication server, but once this has been set up by the network manager no further user intervention is
required.
