Wireless Authentication

Implementing authentication enables you to secure a network so that only users with the proper credentials can access network resources. It's not an all-or-nothing deal, of course; you can use authentication to restrict or enable what a specific user can do once inside the network as well.

Authentication in a wired network, as covered in "Securing TCP/IP," generally takes the form of a centralized security database that contains user names, passwords, and permissions, like Active Directory in a Windows Server environment. Wireless network clients can use the same security database as wired clients, but it takes a couple of extra steps to get the wireless user authenticated.

The IEEE 802.1X standard enables you to set up a network with some seriously secure authentication using a RADIUS server and passwords encrypted with Extensible Authentication Protocol (EAP). Let's look at the components and the process.

A RADIUS server enables remote users to connect to a network service. It provides authentication through a user name and password, and enables you to set a user's rights once in the network. A RADIUS server functions like a typical server, but the remote aspect of it requires you to learn new jargon. The terms "client" and "server" are so Active Directory, after all.

Here's how it works. The client computer, called a supplicant, contacts the WAP, called a Network Access Server (NAS), and requests permission to access the network. The NAS contacts the RADIUS server to see if the supplicant appears in the RADIUS server's security database. If the supplicant appears and the user name and password are correct, then the remote user gets access to the network resources.

Here's where it gets tricky. What are the points of potential failure of security here? All over the place, right? The connection between each of these devices must be secure; several protocols make certain of that security. PPP, for example, provides a secure dial-up connection between the supplicant and the NAS. IPSec often provides security between the NAS and the RADIUS server. Finally, the RADIUS server needs to use a protocol, such as one of the many implementations of the Extensible Authentication Protocol (EAP), for the authentication part of the deal.

EAP defines a framework for authentication, but does not specify how the authentication happens. Developers have, therefore, come up with many ways to handle the specifics, such as EAP-TLS, EAP-TTLS, and PEAP, to name just a few. The differences among the many flavors of EAP cause countless hours of argument among geeks, but from a technician's perspective you simply use the scheme that your network hardware supports. Both the WAP and the wireless NICs have to use the same EAP authentication scheme. You set this in the firmware or software.

NOTE: EAP and RADIUS servers for authentication paint half the picture on 802.1X security implementation. The other half is WPA2, discussed in the next section.