Appendix D Wireless LANs
VMG1312-B Series User’s Guide
346
password-guessing attacks, but it is still an improvement over WEP: the single alphanumeric passphrase is used to derive a PMK, and the PMK in turn is used to generate unique temporal encryption keys for each client session. This prevents all wireless devices from sharing the same encryption key (a weakness of WEP).
User Authentication
WPA and WPA2 apply IEEE 802.1X and the Extensible Authentication Protocol (EAP) to authenticate wireless clients against an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (the CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that differ from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices.
Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the cached PMK when it tries to reconnect to the same AP and does not need to go through the full authentication process again.
Pre-authentication enables fast roaming by allowing the wireless client (while still connected to one AP) to perform IEEE 802.1X authentication with another AP before connecting to it.
Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system and instructs the wireless client how to use WPA. At the time of writing, the most widely available supplicants were the WPA patch for Windows XP and Funk Software's Odyssey client.
The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.
WPA(2) with RADIUS Application Example
To set up WPA(2), you need the IP address of the RADIUS server, its port number (the default is 1812), and the RADIUS shared secret. The shared secret must be configured identically on the AP and on the RADIUS server. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system.
1 The AP passes the wireless client's authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3 A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client.