Wireless Authentication
Implementing authentication enables you to secure a network so that only users with the proper credentials can access network resources. It's not an all-or-nothing deal, of course; you can use authentication to restrict or enable what a specific user can do once inside the network as well.
Authentication in a wired network, "Securing TCP/IP," generally takes the form of a centralized security database that contains user names, passwords, and permissions, like the Active Directory in a Windows Server environment. Wireless network clients can use the same security database as wired clients, but it takes a couple of extra steps to get the wireless user authenticated.
The IEEE 802.1X standard enables you to set up a network with some seriously secure authentication using a RADIUS server and passwords encrypted with Extensible Authentication Protocol (EAP). Let's look at the components and the process.
A RADIUS server enables remote users to connect to a network service. It provides authentication through a user name and password, and enables you to set a user's rights once in the network. A RADIUS server functions like a typical server, but the remote aspect of it requires you to learn new jargon. The terms "client" and "server" are so Active Directory, after all.
Here's how it works. The client computer, called a supplicant, contacts the WAP, called a Network Access Server (NAS), and requests permission to access the network. The NAS contacts the RADIUS server to see if the supplicant appears in the RADIUS server's security database. If the supplicant appears and the user name and password are correct, then the remote user gets access to the network resources.
Here's where it gets tricky. What are the points of potential failure of security here? All over the place, right? The connection between each of these devices must be secure; several protocols make certain of that security. PPP, for example, provides a secure dial-up connection between the supplicant and the NAS. IPSec often provides security between the NAS and the RADIUS server. Finally, the RADIUS server needs to use a protocol, such as one of the many implementations of the Extensible Authentication Protocol (EAP), for the authentication part of the deal.
EAP defines a framework for authentication, but does not specify how the authentication happens. Developers have, therefore, come up with many ways to handle the specifics, such as EAP-TLS, EAP-TTLS, and PEAP, to name just a few. The differences among the many flavors of EAP cause countless hours of argument among geeks, but from a technician's perspective you simply use the scheme that your network hardware supports. Both the WAP and the wireless NICs have to use the same EAP authentication scheme. You set this in the firmware or software.
NOTE EAP and RADIUS servers for authentication paint half the picture on 802.1X security implementation. The other half is WPA2, discussed next section.
In this tutorial:
- Wireless Networking
- Historical/Conceptual
- Wi-Fi Standards
- 802.11
- Hardware
- Software
- Wireless Network Modes
- Infrastructure Mode
- Speed
- BSSID, SSID, and ESSID
- Broadcasting Frequency
- Channels
- CSMA/CA
- 802.11b
- 802.11a
- 802.11g
- 802.11n
- Wireless Networking Security
- MAC Address Filtering
- Wireless Authentication
- Data Encryption
- Power Over Ethernet
- Implementing Wi-Fi
- Installing the Client
- Setting Up an Ad Hoc Network
- Placing Access Point
- Access Point Configuration
- Configuring Encryption
- Configuring the Client
- Adding a WAP
- Troubleshooting Wi-Fi
- Hardware Troubleshooting
- Software Troubleshooting
- Connectivity Troubleshooting
- Configuration Troubleshooting