and eliminates the need for a public-key infrastructure (PKI) to manage the certificates.

EAP-FAST Authentication

The figure illustrates how the wireless client associates with an access point using open authentication:
6.2 Introducing Wireless Security

6.2.8 EAP-TLS

EAP-TLS is one of the original EAP methods, defined by the IETF (RFC 2716, later replaced by RFC 5216) at the time IEEE 802.1x adopted EAP for port-based network access control. TLS is used in many environments and is the IETF-standardized successor to the widely deployed Secure Sockets Layer (SSL) protocol. EAP-TLS runs a full TLS handshake inside EAP: each side presents an X.509 certificate and proves possession of the matching private key, so the client and the authentication server authenticate each other. Certificates are issued to users and computers by a certificate authority (CA) and are used to validate identity. The maintenance of the CA (which is part of a PKI) can be a barrier to EAP-TLS deployment for some customers. Every client (user or machine) must have its own certificate issued and installed in order to perform TLS authentication, and each AAA server must also have its own unique certificate. EAP-TLS has native support on Microsoft Windows 2000, Windows XP, Windows CE, and Windows Vista. Third-party supplicants can be used for non-Windows support; Meetinghouse has supplicant software that supports EAP-TLS. With the Cisco (and Microsoft) implementation of EAP-TLS, the user's certificate can be mapped to the user's Microsoft credentials in a Microsoft database, which permits single sign-on to a Microsoft domain.

EAP-TLS Authentication
The figure illustrates the 802.1x EAP authentication process with EAP-TLS as the authentication protocol. The process takes place in several steps:
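The EAP-TLS steps described above carry an ordinary TLS handshake inside EAP-Request/Response packets. A certificate-bearing TLS flight is far larger than one EAP packet, so RFC 5216 defines a flags byte (L: length included, M: more fragments, S: EAP-TLS start) and a TLS Message Length field that let each TLS message be fragmented and reassembled. The following Python is an added example, not part of the course material or of any Cisco product, that encodes and parses this framing (PEAP, EAP type 25, uses the same layout) and reassembles a fragmented flight. The 2500-byte "server flight" is a constructed byte string, not a real TLS handshake.

```python
import struct

# EAP codes (RFC 3748) and the two EAP types that carry TLS records (RFC 5216 and PEAP).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_TLS = 13
EAP_TYPE_PEAP = 25          # same flag layout; its low three bits carry the PEAP version
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More fragments, EAP-TLS Start


def build_eap_tls(code, identifier, flags, tls_data=b"", total_len=None, eap_type=EAP_TYPE_TLS):
    """Encode one EAP-TLS/PEAP packet: Code, Identifier, Length, Type, Flags, [TLS Message Length], data."""
    body = bytes([flags])
    if flags & FLAG_L:
        # The 4-byte TLS Message Length is carried only on the first fragment of a message.
        body += struct.pack("!I", len(tls_data) if total_len is None else total_len)
    body += tls_data
    return struct.pack("!BBHB", code, identifier, 5 + len(body), eap_type) + body


def eap_tls_start(identifier):
    """The EAP-Request that opens the exchange: no TLS data, only the S flag set."""
    return build_eap_tls(EAP_REQUEST, identifier, FLAG_S)


def parse_eap_tls(packet):
    """Decode an EAP-TLS/PEAP packet into its fields, checking the header length first."""
    if len(packet) < 6:
        raise ValueError("packet shorter than an EAP-TLS header")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError("EAP Length field does not match the packet size")
    if eap_type not in (EAP_TYPE_TLS, EAP_TYPE_PEAP):
        raise ValueError(f"not an EAP-TLS or PEAP packet (type {eap_type})")
    flags, offset, total_len = packet[5], 6, None
    if flags & FLAG_L:
        if len(packet) < 10:
            raise ValueError("L flag set but TLS Message Length field missing")
        total_len, offset = struct.unpack("!I", packet[6:10])[0], 10
    return {"code": code, "id": identifier, "type": eap_type, "flags": flags,
            "start": bool(flags & FLAG_S), "more": bool(flags & FLAG_M),
            "total_len": total_len, "tls_data": packet[offset:]}


def fragment_tls(tls_message, code, first_id, max_eap_len=1020):
    """Split one TLS message into the data-carrying EAP packets that fit max_eap_len bytes each.
    The empty acknowledgement packets the other side sends between fragments are omitted."""
    packets, pos, identifier, first = [], 0, first_id, True
    while first or pos < len(tls_message):
        flags = FLAG_L if first else 0
        header_len = 10 if first else 6          # L flag adds the 4-byte length field
        chunk = tls_message[pos:pos + max_eap_len - header_len]
        pos += len(chunk)
        if pos < len(tls_message):
            flags |= FLAG_M
        packets.append(build_eap_tls(code, identifier, flags, chunk, len(tls_message)))
        identifier, first = (identifier + 1) & 0xFF, False
    return packets


def reassemble_tls(packets):
    """Rebuild the TLS message from its fragments, refusing to grow past the advertised length."""
    buf, expected = b"", None
    for pkt in packets:
        p = parse_eap_tls(pkt)
        if expected is None:
            expected = len(p["tls_data"]) if p["total_len"] is None else p["total_len"]
        buf += p["tls_data"]
        if len(buf) > expected:
            raise ValueError("fragments exceed the advertised TLS Message Length")
        if not p["more"]:
            break
    if len(buf) != expected:
        raise ValueError("TLS message incomplete")
    return buf


if __name__ == "__main__":
    # Constructed stand-in for a 2500-byte server flight (Certificate etc.); not a real handshake.
    server_flight = bytes(range(256)) * 9 + bytes(196)
    for f in fragment_tls(server_flight, EAP_REQUEST, first_id=2):
        p = parse_eap_tls(f)
        print(f"id={p['id']} len={len(f)} L={bool(p['flags'] & FLAG_L)} M={p['more']} data={len(p['tls_data'])}")
```

A supplicant or authenticator that reassembles fragments must bound its buffer by the advertised TLS Message Length and by its own maximum, as reassemble_tls does; trusting the M flag alone lets a peer exhaust memory with an endless stream of fragments.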
6.2.9 PEAP

PEAP is an authentication protocol that was jointly proposed and developed by Cisco, Microsoft, and RSA Security. The purpose of PEAP is to protect the authentication transaction inside a TLS-secured tunnel, much as a connection to an e-commerce website is protected during an online transaction. Only the server presents a certificate; the client authenticates inside the tunnel with one of two inner methods, which is why there are two implementations of PEAP. The PEAP-GTC authentication mechanism allows generic authentication against a number of databases, such as Novell Directory Services (NDS), Lightweight Directory Access Protocol (LDAP) directories, and one-time password (OTP) systems. The PEAP-MSCHAPv2 authentication mechanism allows authentication against databases that support the MSCHAPv2 format, including Microsoft NT domains and Microsoft Active Directory. As with other 802.1x and EAP types, dynamic encryption keys can be used with PEAP. Each client must hold the CA certificate that issued the server's certificate so that it can authenticate the server before it submits its credentials; a client that skips this check hands its inner credentials to any access point that offers a PEAP tunnel. The figure summarizes and expands on these points.

EAP-PEAP Authentication
The figure illustrates the 802.1x EAP authentication process with EAP-PEAP as the authentication protocol, a multistep exchange:

At the end of the session, the client sends an EAPOL-Logoff packet, and the access point returns to the preauthentication state, in which it filters all traffic except EAPOL.
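The requirement that each client hold the CA certificate and validate the AAA server before it sends its credentials is the part of a PEAP deployment that most often goes wrong in practice: a supplicant profile without server validation completes the outer TLS handshake with any access point presenting any certificate and then hands over the MSCHAPv2 challenge/response. The following Python is an added example, not from the course and not part of wpa_supplicant, that audits the network blocks of a wpa_supplicant.conf for that misconfiguration. The option names it looks for (eap, ca_cert, domain_suffix_match, domain_match, subject_match, altsubject_match, client_cert, private_key) are real wpa_supplicant options; the sample configuration is constructed; and the decision about what counts as adequate server validation is this example's own policy (it does not treat ca_path or the system trust store as a substitute for ca_cert).

```python
import re

# Outer methods whose inner credential exchange is protected only by the TLS tunnel, so the
# client's validation of the server certificate is the whole defence against a rogue AP
# harvesting the inner MSCHAPv2/GTC credentials. EAP-FAST is left out on purpose: its PAC
# provisioning is the alternative to a PKI, so a missing ca_cert is not by itself a fault there.
TUNNELED_WITH_CA = {"PEAP", "TTLS"}
# wpa_supplicant options that pin which server certificate is acceptable beyond the issuing CA.
SERVER_IDENTITY_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(conf_text):
    """Return one dict per network={...} block of a wpa_supplicant.conf, with values unquoted."""
    networks = []
    for block in re.findall(r"network=\{(.*?)\}", conf_text, flags=re.S):
        net = {}
        for line in block.splitlines():
            line = line.split("#", 1)[0].strip()       # drop comments
            if "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def audit_network(net):
    """Findings for one profile; an empty list means the AAA server is validated before phase 2."""
    findings = []
    name = net.get("ssid", "<no ssid>")
    eap = net.get("eap", "").upper()
    if not eap:
        return findings                                # PSK or open network: no EAP profile to check
    if eap in TUNNELED_WITH_CA | {"TLS"} and "ca_cert" not in net:
        findings.append(f"{name}: eap={eap} without ca_cert; the AAA server certificate is not validated")
    if eap in TUNNELED_WITH_CA and not any(k in net for k in SERVER_IDENTITY_KEYS):
        findings.append(f"{name}: eap={eap} accepts any certificate from the trusted CA; "
                        "add domain_suffix_match (or subject_match/altsubject_match)")
    if eap == "TLS":
        for k in ("client_cert", "private_key"):
            if k not in net:
                findings.append(f"{name}: eap=TLS profile is missing {k}")
    return findings


def audit_conf(conf_text):
    """Map each SSID to its findings."""
    return {net.get("ssid", "<no ssid>"): audit_network(net) for net in parse_networks(conf_text)}


# Constructed sample configuration for the example, not a real deployment.
SAMPLE_CONF = """\
network={
    ssid="corp-peap-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    client_cert="/etc/wpa_supplicant/alice.pem"
    private_key="/etc/wpa_supplicant/alice.key"
}
"""

if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Treat a finding on a PEAP profile as equivalent to sending the password to whoever controls the SSID; the same reasoning applies to EAP-TTLS. The domain_suffix_match check matters even when ca_cert is set, because a public CA (or a large private one) issues many server certificates, and any of them would otherwise be accepted.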
6.2.10 Wi-Fi Protected Access

WPA Characteristics
WPA is the Wi-Fi Alliance standards-based mechanism for creating secure and interoperable WLANs. WPA provides a mechanism for authenticating and managing the keys used in 802.11 environments, and it strengthens WEP encryption through the Temporal Key Integrity Protocol (TKIP) to increase the robustness of the security protocol. WPA was an interim solution proposed by the Wi-Fi Alliance, the wireless industry consortium, to give the industry a WLAN security standard in advance of the IEEE security standard, IEEE 802.11i, which was ratified in June 2004. WPA addressed the vulnerabilities of standard 802.11 WEP security and gave users a migration path to the new security mechanism through a software upgrade of existing hardware.

Components of WPA
WPA is a specification that describes a combination of security capabilities. These capabilities were available before WPA became an industry standard (WPA is a Wi-Fi Alliance specification, not an IEEE standard), but WPA pulls them together into one definition. The following, listed in the figure, are the most important aspects of WPA: