Wi-Fi Authentication Demystified Companion Guide - Xirrus

Wi-Fi Authentication Demystified 

Companion Guide 

15 

9 

24 

23 

18 

1 

21 

27 

17 

19 

25 

16 

26 

4 

5 6 7 

12 13 14 

Across Down 

2. EAP over LAN 

6. Conveys data between points 

8. Pipe diameter 

9. Number of 802.11a nonoverlapping 

channels 

11. Receive/send radio signal 

13. Extensible Authentication 

Protocol 

15. End of the link that responds 

14 

17. Amount of data sent in a 

given time 

18. Manages addressing and 

protocol information 

21 109 Hz 

22. Only Wi-Fi Power Play 

24. Supersedes WEP for 802.11 

26. Contiguous frequencies 

27. Opposite of transmitter 

22 

11 

2 

20 

1. Highest performing access 

device 

3. Packet requesting information 

4. Xirrus language 

5. Circuitry to interpret and 

execute 

7. Path for signals 

10. Fragment of data 

12. Specification implementing 

TKIP and AES 

3 

8 

10 

14. End of link initiating EAP 

authentication 

15. Type of medium in 802.11 

16. Number of 802.11b/g nonoverlapping 

channels 

19. One-million cycles per second 

20. Rate at which a repeating 

event occurs 

23. Standard for port-based 

access control 

25. Institute of engineers

2 


Contents 

Introduction .............................................................................3 

The History of Authentication .....................................................4 

Authentication Framework .........................................................5 

Wireless Infrastructure ..............................................................7 

Roaming and Authentication ......................................................9 

Recommendations ..................................................................10 

Leading Architecture ...............................................................11 

About Xirrus ...........................................................................11 

©2008 Xirrus, Inc. All Rights Reserved.

Companion Guide 

Introduction 

Authentication is a critical part of any network security policy. Authentication validates the identity of a user 

or device, which is an important point as most people only look at authentication as authenticating the 

client. When using a mutual authentication scheme, not only is the client authenticated, but so is the network 

itself. This process allows the first device to authenticate the second and the second device to authenticate 

the first. Initial wireless authentication used a wireless encryption method, known as WEP to provide the 

authentication. The idea being that if both sides had a common encryption key it would serve as a way to 

provide proper authentication. However, WEP was cracked and as a result it was no longer considered to be 

sufficient as an authentication or encryption method. 

The overall goal of Wi-Fi authentication is to ensure that an authorized device does not connect to unauthorized 

access devices, such as a rogue AP. Rogue APs are unauthorized devices that have been detected in a 

network. Rogues can be either benign, such as neighboring APs or newly added devices or a threat when 

added to the network for malicious reasons. These rogue APs can create numerous issues for the network, 

for example: 

1. 

2. 

An attack called man-in-the-middle can occur in which the rogue insert themselves between authorized 

devices and collect information and credentials from the user and the network. 

An attack called replay-attack in which a valid data transmission is maliciously or fraudulently repeated 

or delayed by the attacker. These attacks can be designed to steal information or effect the normal 

operation, such as a denial of service attack. 

Typical Wi-Fi Infrastructure 

In a typical Wi-Fi 

infrastructure, stations 

associate to an Access 

Point. The Access Point 

is the Authenticator and 

interfaces with the 

Authentication Server to 

validate the stations 

identity and then allow 

access to the network. 

Wireless Stations 

(Supplicant) 

Ethernet 

Switch 

Authenticator Authenticator 

©2008 Xirrus, Inc. All Rights Reserved. 3 

Router 

Authentication 

Server

4 

For these reasons and more not listed, it helps to hide the users’ identity from being exposed from a sniffer or 

other type of eavesdropper on the network. There are additional benefits to authentication, such as encryption 

key management, which automatically expires user passwords and forces them to change credentials, like 

user name and password on a regular basis. Authentication is critical for protecting corporate and personal 

information, scaling and managing large groups of users at multiple locations normally requires the use 

of dynamic authentication process. In addition to just authorizing access to the network it also provides 

accounting and auditing information of every connection occurring in the network. All of this is extremely 

important in proving compliance with regulations such as HIPPA and PCI. Many forms of Authentication also 

allow for extended control over end-user access, such as time-of-day or restricted guest-access policies. 

The History of Authentication 

Most people are familiar with RADIUS, which stands for Remote Authentication Dial-In User Service and has 

been around since the days of dial-up network access. The RADIUS server sits on the wired network and 

completes the process of authentication. The RADIUS service has three components: The authentication 

server, such as Microsoft’s IAS. The RADIUS client, in the wireless world this is the AP or the WLAN Switch and 

the Supplicant. The supplicant is the Wi-Fi client to be authenticated. The supplicant forwards authentication 

information to the RADIUS client, which in turns forwards this information to the RADIUS server. The server will 

authorize or deny access to the network. In addition the RADIUS server may return configuration information 

to the AP, such as placing the Wi-Fi user in a specific VLAN. 

RADIUS 

RADIUS (RFC 2138) defines the backend authentication process between the Authenticator and Authentication Server. RADIUS Attributes carry 

specific authentication, authorization, information and configuration detail for the Access request and response types. 

Code 

(1 Byte) 

Identifier 

(1 Byte) 

Length 

(2 Bytes) 

Value Description 

0 Access-Request 

2 Access-Accept 

3 Access-Reject 

4 Accounting-Request 

5 Accounting-Response 

11 Access-Challenge 

12 Status-Server (experimental) 

13 Status-Client (experimental) 

255 Reserved 

Authenticator 

Field contains 

challenge text 

and MD5 

hashed 

responses 

(passwords) 

Authenticator 

(16 Bytes) 

Example Attributes include: 

– User Name (Type Field = 1) 

– Password (Type Field = 2) 

Items such as which VLAN the user is to be 

assigned to or what wireless user group policies 

to use can be defined by the use of Vendor 

Specific Attributes (VSAs) (Type Field = 26). 

... 

Attribute 1 Attribute ...N 

Type 

(1 Byte) 

Values= 

1 to 63 

Length 

(1 Byte) 

Value 

(1 or 

more Bytes) 

Attribute Field 

A RADIUS server can also access things like an active directory service or other directory service on the back 

end of the network to enforce policies. This allows RADIUS to be implemented without having to recreate 

account information that may already exist in another directory. 


In 1999, the 802.11standard was adopted which contained a couple of methods for basic authentication. One 

was called “open authentication” which was not really authentication at all. Open authentication basically 

allows Wi-Fi association to all 802.11 compliant devices. A second method was WEP and stood for Wired 

Equivalent Privacy. This form of authentication, known as “shared key WEP authentication” allowed a shared 

WEP key to be used for authenticating users to access the network. In May 2001, an IEEE Task Group known 

as 802.11i began work on new enhanced security standards for 802.11. By August 2001, WEP was cracked 

creating a large security breach and adversely impacting the adoption of Wi-Fi in the enterprise. At this point 

WEP became known as Weak Encryption Protocol. 

Needing improved security and not being able to wait for the developing IEEE standard, the Wi-Fi Alliance 

announced in October 2002 a new security standard called WPA, which stands for Wi-Fi Protected Access. 

It was a security enhancement based on the work being done by the IEEE 802.11i Task Group. WPA was 

quickly put in place to correct the problems with WEP. This was accomplished via the implementation of an 

authentication framework and stronger encryption modes, and the 802.11i addendum was finally ratified. 

Authentication Framework 

There were three basic building blocks that led up to 802.11i. First, there was EAP, which stands for Extensible 

Authentication Protocol. EAP is a framework for authentication, allowing for a number of authentication 

methods to be used. 

EAP/EAPOL Frame Format 

EAPOL (EAP Over LAN) is used by 802.1X to encapsulate the EAP protocol. The EAP protocol defines a number of methods for authentication. 

EAPOL Packet 

Destination MAC 

(6 Bytes) 


1 Request 

2 Response 

3 Success 

4 Failure 

Source MAC 

(6 Bytes) 

Code 

(1 Byte) 

EAP Packet 

Ethertype 

Code 

(2 Bytes) 

0x888e 

ID 

(1 Byte) 

Protocol 

Version 

(1 Byte) 

1 

Length 

(2 Bytes) 

# of Bytes 

Packet 

Type 

(1 Byte) 

Type 

(1 Byte) 

Body 

Length 

(2 Bytes) 

# of Bytes 

Data 

Packet Body 


1 Identity 

2 Notification 

3 NAK 

4 MD5 Challenge 


0 EAP Packet 

1 EAPOL Start 

2 EAPOL Logoff 

3 EAPOL Key 

4 EAPOL Alert 

5 One Time Password 

6 Generic Token Card 

13 TLS 

©2008 Xirrus, Inc. All Rights Reserved. 5

6 

One of those methods is 802.1x, a port level authentication method originally designed for wired networks. 

802.1x, EAP, and additional encryption modes TKIP and AES were all components of the 802.11i standard. 

802.11i Security 

802.11i is the official security standard for 802.11 Wireless LANs as ratified by the IEEE in 2004. Its operation consists of 4 primary phases 

to establish secure communications. Phase 2 and portion of Phase 3 are addressed in this poster; Phase 4 and a portion of Phase 3 are 

addressed in the companion Wi-Fi Encryption poster. 

Station 

Phase 1 

Phase 2 

Phase 3 

Phase 4 

Security Discovery/Negotiation 

802.1X Authentication 

Key Management RADIUS Key Distribution 

Data Confidentiality and Integrity 

Authenticator Authentication 

Server 

Additionally, mutual authentication and key exchange processes were added to the standard. All these 

additions allowed the authentication process to scale and also provided for dynamic key creation and 

updating, providing faster client authentication and roaming. 


802.11i Packet Exchange 

802.11i Packet Exchange describes the wireless authentication process, and begins with a supplicant 

(the wireless station) associating to the access point and initiating an 802.1X exchange. 


Supplicant Authenticator 

Server 

Probe Request 

Probe Response 

Authentication Request 

Authentication Response 

Association Request 

Association Response 

EAPOL-Start (Start Process) 

EAP-Request (Identity) 

EAP-Response (Identity) 

3. The users identity is passed to the 

Authenticator and then forwarded to 

the Authentication Server. 

EAP-Request (Challenge) 

4. An EAP packet with challenge text is 

sent from the Authentication Server. 

EAP-Response (Credentials) 

5. An EAP packet with the encrypted 

challenge text is sent back to 

the Server. 

EAP-Success 

EAPOL Key 1 

EAPOL Key 2 

EAPOL Key 3 

EAPOL Key 4 

EAP-Logoff 

Port Unauthorized 

Port Authorized 

1. The authentication process starts with 

a virtual port in the Array set to 

“unauthorized” such that only 

authentication protocols are forwarded. 

2. The station starts the authentication 

process with an EAPOL Start message. 

RADIUS Access Request 

RADIUS Access Challenge 

RADIUS Access Request 

RADIUS Access Accept 

6. If the station has the correct credentials, 

a RADIUS Access Accept packet is returned, 

which also includes a Master Key used by 

WPA to generate unique per user encryption 

keys (see Wi-Fi Encryption Poster). 

7. 802.11i adds 4-way handshake to 

generate and verify encryption keys for 

the supplicant station (see Wi-Fi 

Encryption Poster). 

8. Upon successful authentication and key 

exchange, the Access Point allows traffic to 

be forwarded from the station to the network. 

Port Unauthorized 

Wireless Infrastructure 

Now let’s talk about how authentication works in a 

Wi-Fi network today. At a high level, the Wi-Fi client 

associates to an AP, also known as the authenticator. 

The station then sends an authentication request 

to the authenticator. The authenticator is designed 

so that prior to proper authentication all standard 

packets are discarded. While in this state the AP will 

only forward EAP packets. These packets are allowed 

to transverse to the wired side in order to reach the 

authentication server. Next, the clients and server use 

the EAP packets to complete a four-way handshake. 

The result of which is the authenticator and client 

define session keys, and finally, the authenticator 

moves its port into an authorized mode and normal 

access to the network ensues. 

As mentioned before, the 802.1x framework uses 

EAP to exchange information; however there are 

several types of EAP methods used today. Seven of 

these types are approved for interoperability by the 

Wi-Fi Alliance. The first is EAP-TLS, which requires a 

server-site certificate and a client-site certificate for 

credentials. The second most popular type is EAP-TTLS 

whereby a user must have a server-site certificate, and 

uses just a user name and password. Typically a thirdparty 

supplicant is needed for this method. 

Wireless Authentication 

Framework 

Wi-Fi Authentication (802.11i) is built on top of 802.1X and EAP. 

EAP (RFC 3748) 

Extensible 


Protocol 

IEEE 802.1X 

Wired port-based 


uses EAP and EAPOL 

as the underlying 

authentication protocol 

IEEE 802.11i 

wireless authentication 

extends 802.1X to a 

wireless network and 

generates a Master Key. 

The Master Key is used by 

the Access Point and station 

to derive per session keys 

©2008 Xirrus, Inc. All Rights Reserved. 7

8 

The next type, and probably most commonly deployed is EAP-PEAP, which stands for Protected EAP. In this 

method, the server-site certificate is required, the client-site certificate is optional, and a standard user name 

and password is used. Advantage of PEAP is it can leverage user name and passwords already defined in 

Windows Active Directory. Another type commonly seen is EAP-PEAP-GTC, which stands for Generic Token 

Card. It is a physical token that is used in the authentication process. Likewise, EAP-SIM uses a SIM card, a 

Subscriber Identity Module, for a GSM mobile handset. The last two types are Cisco authored and proprietary 

protocols. One is LEAP (Lightweight Extensible Authentication Protocols), which was widely used early on, 

but is not recommended anymore due to a dictionary attack that can be easily harnessed against it. LEAP 

did not require certificates on both sides of the link as only a password was needed. To fix LEAP, fast-EAP 

was deployed. It is still password based and also does not require certificates on either side of the link. 

EAP Types 

Server Side Client Side User Credentials User Database Security 

EAP Type Description Certificate Certificate Used Access Issues 

EAP-PEAP Protected EAP Required Optional Windows XP, 2000, CE, Windows Domains, 

(widely used) Username/Passwords and Active Directory 

other 3rd party Supplicants 

EAP-TLS EAP with Transport Layer Security Required Required Certificate Windows Domains, User Identity 

Active Directory, Exposed 

Novel NDS OTP 

EAP-TTLS EAP with Tunneled Transport Required None Password Windows Domains, 

Layer Security Active Directory 

EAP-PEAP-GTC Protected EAP with Generic Required None Windows, Novell NDS, 

Token Card One Time Password Token 

EAP-SIM EAP – Subscriber Identity Module Required None Subscriber Identity Module 

(SIM). Uses SIM card found in (SIM Card) 

GSM mobile phone handsets 

LEAP Lightweight EAP. Not recommended None None Password Windows Domains, Dictionary Attack 

due to dictionary attacks Active Directory User Identity Exposed 

Fast EAP Cisco EAP based on PEAP None None Password Windows Domains, 

Active Directory 

RADIUS also has the ability to use what are called VSA, or vendor specific attributes. By using the VSA’s 

information can be passed from the RADIUS server to the authenticator, or AP. This information can be used 

for assigning a used group or VLAN assignment so policies can be applied to the end user connecting to the 

network. 

Another type of authentication available is web-based authentication, typically used to allow temporary users 

or guests to gain restricted access to the network. This process is used in many places, but commonly seen 

in hotels. When a user opens their web browser, they are redirected to a webpage where they can enter a 

user name and password. Authentication is then granted normally from RADIUS server and the session can 

continue or their connection may be redirected back to another webpage. Web pages can be hosted directly 

in the Xirrus Wi-Fi Array where it can be implemented on a per SSID-basis. 


Web-based Authentication 

Web-Based Authentication eliminates need to configure client software but requires manual entry of username/password. It is not used to 

configure an encrypted wireless link. 

1. A user associates to an open Wi-Fi network 

2. User’s web session is captured and redirected to a 

landing page in the Access Point 

3. The user is prompted for a username and password 

4. The Access Point uses these credentials to 

authenticate the user with the Authentication Server 

5. Access is granted and the user’s original URL 

is reloaded 

Roaming and Authentication 

Authenticator Authentication 

Server 

Captive Portal Original URL 

Clients using 802.11i can pre-authenticate with multiple access points at the same time providing for faster 

roaming methods across the network. The security association generates something called the Pairwise Master 

Key (or PMK) which is the result of the four-way hand shake discussed before. The PMK can be cached by the 

client and network AP anticipating the fact that the client will roam from one AP to another. When a client 

attempts to roam to another AP, they can request the PMK ID they were using before or that they have in their 

cache. As a result of this cached key the full 802.1x exchange is not required, thus saving considerable amounts 

of time. This feature is fully supported by Xirrus Wi-Fi Arrays and is crucial for things like voice roaming time 

needs to be as short as possible. 

802.11i Fast Roaming 

Supplicant 

Stations can 

pre-authenticate 

with new Access Point 

prior to roaming 

Pre- 

Authenticate 

then 

Roam 

PMK Caching 

Authenticator 


Server 


Ethernet 

Switch 

Access Points can share Pairwise Master Keys (PMK) 

in advance of stations roaming to them 

Stations can use existing PMK when roaming to a new 

Access Point that has pre-shared it with prior Access Point 

If Access Point has PMK, only the 4-way handshake needs 

to take place, otherwise full 802.11X exchange takes place

10 

Recommendations 

Our recommendation for authentication is as follows: 

Use 802.11i and WPA-2 for the strongest security that’s available today, as well as PEAP with MS-chap 

for easiest administration where no client site certificates are needed. It uses the built-in Windows user 

name and password that the user is already assigned for the domain. 

Use an authentication server to enforce access policies like time-of-day access. It also notifies what 

resources VLAN users have access to on the wired network. Web-based authentication is a great way to 

allow easy access on to the Wi-Fi network. 

Lastly, replication and availability of your authentication server is important. RADIUS servers need to be 

capable of handling the peak loading in terms of the number of users that authenticate to it at the same 

time. Also the location of your RADIUS server should not be located near a slow wan link or a remote site 

where it might take time and latency before the authentication process completes. 


Leading Architecture 

Xirrus planned for the success of Wi-Fi by developing 

an award-winning Wi-Fi architecture powerful 

enough to handle high-bandwidth applications today 

and modular enough to be upgraded for future 

enhancements. 

With the Wi-Fi Array, Xirrus delivers the only ‘Power 

Play’ architecture in Wi-Fi networking with the 

most bandwidth and coverage per cable drop in 

the industry. Xirrus Wi-Fi Arrays deliver up to 8x 

the bandwidth of a single access point and are 

compact, easy-to-install, ceiling-mounted devices. 

No other current-generation Wi-Fi technology can 

deliver the bandwidth or throughput of Xirrus Arrays 

because they are limited to 2 radios producing only 

108Mbps of shared bandwidth. 

Xirrus Wi-Fi Array 

Multiple Wi-Fi 

Radios Produce 

864Mbps of 

Bandwidth 

Redundant Gigabit Ethernet Uplinks 

High Gain 

Directional 

Antennas 

Increase 

Range 


Sectored 

Antenna 

Sectored 

Antenna 

Sectored 

Antenna 

Wi-Fi 

Radio 


Radio 


Radio 


Radio 

Sectored 

Antenna 

Sectored 

Antenna 


Radio 


Radio 


Radio 


Radio 

Wi-Fi Controller 

Sectored 

Antenna 

Ethernet 

Switch 

Sectored 

Antenna 


Radio 


Radio 


Radio 

Sectored 

Antenna 

Sectored 

Antenna 


Radio 


Radio 


Radio 


Radio 

Sectored 

Antenna 

Sectored 

Antenna 

Sectored 

Antenna 

50% Sector 

Overlap 

No other current-generation Wi-Fi technology can deliver 

the bandwidth or throughput of Xirrus Wi-Fi Arrays. 

By integrating these key components: the Wi-Fi controller, Gigabit Ethernet Switch, Gigabit uplinks, multiple 

access points, sectored antenna system, Wi-Fi stateful firewall and Wi-Fi threat sensor into a single device, 

Xirrus Arrays are able to provide a centrally-managed platform that delivers unparalleled range, client capacity 

and performance, along with better RF management and roaming for voice, video and data applications — all 

in a single device that is fully upgradeable to 802.11n. 

About Xirrus 

Xirrus, Inc. is a privately held firm headquartered in Westlake Village, California. Founded by the same team 

that created Xircom (acquired by Intel in 2001), Xirrus has developed the next generation in enterprise 

wireless LAN architectures centered around the award-winning Array. 

Backed by leading venture capital firms U.S. Venture Partners and August Capital, Xirrus brings a proven 

management team and patented approach to delivering the performance, scalability and security needed to 

deploy a true wireless extension of the wired Ethernet network capable of delivering Triple Play (voice, video, 

data) enablement.

15 

S 

H 

A 

R 

E 

D 

M 

E 

D 

I 

U 

M 

9 

T 

U 

W 

W 

P 

A 

24 

8 


Crossword Puzzle—Answer Key 

23 

E 

P 

8 

0 

2 

1 

X 

C 

O 

N 

T 

R 

O 

L 

L 

E 

R 

2 

18 

T 

I 

F 

1 

1 

A 

R 

R 

A 

Y 

21 

27 

C 

R 

G 

1 

R 

- 

I 

E 

E 

E 

T 

C 

S 

H 

A N T 

H 

T H R 

E 

A M 

H 

E 

H Z 

17 

19 

25 

16 

26 

S 

E 

4 

X 

I 

R 

R 

I 

A 

N 

5 6 7 

12 13 14 

Across Down 

2. EAP over LAN 

6. Conveys data between points 

8. Pipe diameter 

9. Number of 802.11a non-overlapping 

channels 

11. Receive/send radio signal 

13. Extensible Authentication Protocol 

15. End of the link that responds 

17. Amount of data sent in a given time 

18. Manages addressing and protocol 

information 

21 109 Hz 

22. Only Wi-Fi Power Play 

24. Supersedes WEP for 802.11 

26. Contiguous frequencies 

27. Opposite of transmitter 

14 

O 

P 

I 

G 

E 

U 

E 

V 

22 

N 

E 

E 

G 

X 

C 

E 

11 

A 

A 

A 

U 

T 

H 

E 

N 

T 

I 

C 

A 

T 

O 

R 

2 

E 

L 

N 

P 

P 

R 

R 

20 

A 

T 

U 

F 

R 

E 

Q 

U 

E 

N 

C 

Y 

3 

P 

R 

O 

B 

E 

R 

E 

Q 

U 

E 

S 

T 

8 

U 

M 

O 

A 

N 

S 

L 

N 

N 

10 

D 

P 

A 

C 

K 

E 

T 

W I D T 

1. Highest performing access device 

3. Packet requesting information 

4. Xirrus language 

5. Circuitry to interpret and execute 

7. Path for signals 

10. Fragment of data 

12. Specification implementing TKIP 

and AES 

14. End of link initiating EAP 


15. Type of medium in 802.11 

16. Number of 802.11b/g 

non-overlapping channels 

19. One-million cycles per second 

20. Rate at which a repeating event 

occurs 

23. Standard for port-based access 

control 

25. Institute of engineers 

C 

H 

A 

N 

N 

E 

L 

Xirrus, Inc. 

www.xirrus.com 

sales@xirrus.com 

370 North Westlake Blvd. Suite 200 

Westlake Village, California 91362, USA 

1.800. 947.7871 Toll Free in the US 

+1. 805.497.0955 Corporate Office 

+1. 805.497.7871 Sales 

+1. 805.449.1180 Fax 

Copyright© 2008, Xirrus, Inc. All Rights Reserved. Xirrus and the Xirrus logo 

are trademarks of Xirrus, Inc. All other trademarks belong to their respective 

owners. Protected by patent #US D526,973 S. Other patents pending.

Wi-Fi Authentication Demystified Companion Guide - Xirrus

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?