CTR with CBC-MAC protocol (CCMP) is based on the CCM mode of the AES block cipher. CCM 
combines counter (CTR) mode for confidentiality with CBC-MAC for authentication and integrity. CCMP 
protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU 
header, which are covered by the MAC as additional authenticated data. The AES block cipher in CCMP 
uses a 128-bit key and a 128-bit block size. CCMP also relies on dynamic key negotiation and 
management, so that each wireless client negotiates its own temporal key, which can be renewed 
periodically to further strengthen the CCMP encryption mechanism. During encryption, CCMP assigns 
each MPDU a 48-bit packet number (PN) that is incremented for every frame protected under a temporal 
key. The PN, together with the transmitter address, forms the CCM nonce, so no two frames protected 
with the same key share a nonce, and the receiver uses the PN to detect and discard replayed frames. 
Because CTR mode loses confidentiality as soon as a key and nonce pair is reused, a PN must never be 
reset or reused under the same temporal key. 
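The following Python is an added worked example, not code from this guide or its vendor. It shows how the 48-bit PN is carried in the 8-octet CCMP header, how the receiver rebuilds the PN and the 13-octet CCM nonce from it, and how the per-transmitter replay counter rejects a frame whose PN is not larger than the last accepted one. The AES-CCM encryption itself is not implemented here; the transmitter address and PN sequence are constructed for the example.

```python
EXT_IV = 0x20  # bit 5 of the KeyID octet; always set for CCMP-protected MPDUs


def build_ccmp_header(pn: int, key_id: int = 0) -> bytes:
    """Encode a 48-bit PN into the 8-octet CCMP header: PN0 PN1 rsvd KeyID PN2 PN3 PN4 PN5."""
    if not 0 <= pn < 1 << 48:
        raise ValueError("PN must be a 48-bit value")
    if not 0 <= key_id <= 3:
        raise ValueError("KeyID is a 2-bit field")
    p = pn.to_bytes(6, "little")  # p[0] is PN0 (least significant) ... p[5] is PN5
    return bytes([p[0], p[1], 0x00, EXT_IV | (key_id << 6), p[2], p[3], p[4], p[5]])


def parse_ccmp_header(hdr: bytes) -> tuple:
    """Return (pn, key_id) from a CCMP header, rejecting malformed ones."""
    if len(hdr) != 8:
        raise ValueError("CCMP header is 8 octets")
    if not hdr[3] & EXT_IV:
        raise ValueError("ExtIV bit clear: not a CCMP-protected MPDU")
    if hdr[2] != 0:
        raise ValueError("reserved octet must be zero")
    pn = int.from_bytes(bytes([hdr[0], hdr[1], hdr[4], hdr[5], hdr[6], hdr[7]]), "little")
    return pn, hdr[3] >> 6


def ccm_nonce(priority: int, a2: bytes, pn: int) -> bytes:
    """13-octet CCM nonce: priority octet (QoS TID in the low 4 bits) || A2 || PN big-endian."""
    if len(a2) != 6:
        raise ValueError("A2 is a 6-octet MAC address")
    return bytes([priority & 0x0F]) + a2 + pn.to_bytes(6, "big")


class CcmpReceiver:
    """Receiver-side replay counters, kept per (transmitter address, KeyID, TID)."""

    def __init__(self):
        self._last_pn = {}

    def process(self, a2: bytes, tid: int, hdr: bytes) -> tuple:
        """Return (pn, nonce, accepted); a PN not greater than the last accepted one is a replay."""
        pn, key_id = parse_ccmp_header(hdr)
        slot = (a2, key_id, tid)
        if pn <= self._last_pn.get(slot, -1):
            return pn, None, False
        self._last_pn[slot] = pn
        return pn, ccm_nonce(tid, a2, pn), True


def demo_receive() -> list:
    """Constructed sample: one transmitter sends PN 5 and 6, then replays 6 and an old 4."""
    a2 = bytes.fromhex("001122334455")  # constructed transmitter address, not a real device
    rx = CcmpReceiver()
    results = []
    for pn in (5, 6, 6, 4):
        got_pn, nonce, accepted = rx.process(a2, 0, build_ccmp_header(pn))
        results.append((got_pn, accepted, nonce.hex() if nonce else None))
    return results


if __name__ == "__main__":
    for pn, accepted, nonce in demo_receive():
        print(f"PN={pn} accepted={accepted} nonce={nonce}")
```

The nonce is what ties the PN to security: every accepted frame yields a distinct nonce under the current temporal key, and the monotonic check is what makes a retransmitted capture useless to an attacker. Note that the counters are keyed by transmitter address and KeyID, so installing a fresh temporal key is the only legitimate point at which a PN may start again from zero.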
Client access authentication 
When a wireless client establishes a wireless link with an AP, the client is considered to have joined the 
wireless network. However, for the security and manageability of the wireless network, the client can 
actually use network resources only after it passes the subsequent access authentication. Among the 
authentication mechanisms, preshared key (PSK) authentication and 802.1X authentication are 
accompanied by the dynamic key negotiation and management of the wireless link, and are therefore 
closely tied to wireless link negotiation, although they are not themselves part of link setup.  
1.  PSK authentication 
Both WPA and WPA2 wireless access support PSK authentication. To implement PSK authentication, the 
client and the authenticator must be configured with the same shared key.  
The 4-way handshake exchanges four EAPOL-Key frames (the key packets of 802.1X) to negotiate the 
pairwise keys of the wireless link between the client and the AP, using the preshared key as the seed key 
(the pairwise master key, PMK) for the negotiation. During the negotiation, each side derives the pairwise 
transient key from the seed key and the two exchanged nonces and proves possession of it through the 
message integrity code (MIC) on the handshake frames; the key itself is never transmitted. The negotiation 
succeeds only when both sides hold the same key, and that success is what constitutes passing PSK 
access authentication. Otherwise the MIC check fails, the client fails PSK access authentication, and its 
wireless link is torn down. Because the handshake frames themselves are not encrypted, a captured 
handshake lets an attacker test passphrase guesses offline, so the shared key should be long and random.  
2.  802.1X authentication 
As a port-based access control protocol, 802.1X authenticates and controls access at the port level. A 
device connected to an 802.1X-enabled port of a WLAN access control device can access resources on the 
WLAN only after it passes authentication. In a WLAN, the client's association with the AP plays the role 
of the port and the credentials are verified through EAP; the key material produced by a successful EAP 
exchange serves as the PMK that seeds the same 4-way handshake used for PSK, so that each client 
obtains its own pairwise keys rather than sharing one secret with every other client. 
3.  MAC authentication 
MAC authentication provides a way of authenticating users based on ports and MAC addresses. The user 
does not need to install any client software. When the device first detects the MAC address of a user, it 
starts authentication for that user, and the user does not need to enter a username or password. In WLAN 
applications, the MAC addresses of the clients that will access the wireless network must be collected in 
advance, so MAC authentication is applicable to small-scale networks with relatively fixed users, for 
example, SOHO and small offices. Because MAC addresses are sent in cleartext in 802.11 headers and 
are easy to change on a client, MAC authentication on its own does not stop a deliberate attacker and 
should be treated as a management control rather than a substitute for PSK or 802.1X authentication. 
MAC authentication falls into two modes: 
•  Local MAC authentication: In this mode, you configure local usernames and passwords on the 
device, and authentication is performed directly on the device. Usually the MAC address is used as 
the username, so you must know the MAC addresses of the wireless clients in advance and configure 
them as usernames. When clients access the wireless network, only clients whose MAC addresses 
exist on the device can pass authentication.