802.1Q
IEEE 802.1Q defines a mechanism for tagging frames so
that they can be segregated into separate VLANs.

802.1X
The IEEE 802.1X standard, Port Based Network Access Control,
defines a mechanism for port-based network access control that makes
use of the physical access characteristics of IEEE 802 LAN
infrastructure. It provides a means of authenticating and
authorizing devices attached to a LAN port that has point-to-point
connection characteristics. The 802.1X specification includes a
number of features aimed specifically at supporting the use of Port
Access Control in IEEE 802.11 Wireless LANs (WLANs). These include
the ability for a WLAN Access Point to distribute or obtain global
key information to/from attached stations, following successful
authentication.

AP
An access point (AP) is an 802.11 hub/bridge that provides star
topology control for wireless networking and optional access to
a wired network.

Authentication Server
The Authentication Server (most typically a RADIUS Server) provides authentication services
to the Authenticator. The Authenticator and Authentication (RADIUS)
Server have a trusted (client/server) relationship over
the secure (usually wired) portion of the network. The
Authentication (RADIUS) Server conducts an authentication
conversation with the Supplicant using EAP. The
Authentication (RADIUS) Server authenticates the Supplicant based
upon a user profile that can be maintained either locally
or remotely. The Authentication (RADIUS) Server may also perform
authorization, collect accounting, and provide session
keys to the Authenticator.

Authenticator
An Authenticator performs port-based access control on
a Network Access Server such as a Wireless Access Point.
During authentication it relays EAP messages between the
Supplicant and Authentication (RADIUS) Server and discards all
other traffic from the Supplicant. Once notified of
successful authentication by the Authentication (RADIUS) Server,
the Authenticator establishes the session and provides
network access to the Supplicant using any session keys
provided by the Authentication (RADIUS) Server.

BSS
The IEEE 802.11 term for a set of wireless stations
controlled by a single access point is Basic Service Set
(BSS). All communication passes through the access
point, which functions as a hub.

EAP
The Extensible Authentication Protocol (EAP), specified
in RFC 2284, is a method of conducting an authentication
conversation between a Supplicant and an Authentication
(RADIUS) Server. Intermediate devices such as Access Points and
proxy servers do not take part in the conversation.
Their role is to relay EAP messages between the parties
performing the authentication. The EAP messages are
transported between a wireless station and an 802.1X
Authenticator using EAPOL. The EAP messages are
transported between an 802.1X Authenticator and the
Authentication (RADIUS) Server using the RADIUS protocol. The EAP framework
supports the definition of EAP-Type Authentication
Methods. Currently implemented EAP-Type Authentication
Methods include EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PEAP,
and Cisco's EAP-LEAP.

EAP-AKA
EAP-AKA is an EAP type for authentication and session
key distribution using the Universal Mobile
Telecommunications System (UMTS) Authentication and
Key Agreement (AKA) mechanism. UMTS AKA is based on
symmetric keys, and typically runs in a UMTS Subscriber
Identity Module, a smart-card-like device. EAP-AKA
includes optional identity privacy support and an
optional re-authentication procedure.

EAP-LEAP
EAP-LEAP (Lightweight Extensible Authentication Protocol)
is a Cisco proprietary EAP-Type. It is designed to
overcome some basic wireless authentication concerns
through Mutual Authentication and the use of
dynamic WEP keys.

EAP-MD5
EAP-MD5 is an EAP-Type for authentication. It is
analogous to the PPP CHAP protocol. A challenge
string is sent from the Authentication (RADIUS) Server to
the Supplicant in the MD5-Challenge Request. The
challenge string with the user password is hashed
using MD5 and the hash is returned in the
MD5-Challenge Response. The Authentication (RADIUS) Server
performs the same hash and compares the result
with that returned by the Supplicant to determine
whether the authentication is a Success or Failure.
EAP-MD5, as defined in RFC 2284, is the most basic
EAP-Type, which must be supported by all
implementations of EAP. It is not a strong
authentication method and does not support
dynamic WEP keys.
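
As an added illustration of the challenge/response described above (example code written for this glossary, not part of the RAD-Series server), the following Python models one MD5-Challenge round trip. It assumes the Response Value is computed as RFC 2284 specifies by reference to PPP CHAP, MD5(Identifier || Secret || Challenge); the packet helpers, the identifier value and the name strings are constructed for the example.

```python
import hashlib
import hmac
import os

# EAP Code values (Request=1, Response=2) and the MD5-Challenge Type (4) from RFC 2284.
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4


def md5_challenge_value(identifier, password, challenge):
    """Response Value for MD5-Challenge. RFC 2284 borrows the PPP CHAP (RFC 1994)
    computation: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_packet(code, identifier, value, name=b""):
    """Encode an MD5-Challenge Request/Response:
    Code | Identifier | Length(2) | Type=4 | Value-Size | Value | Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return bytes([code, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def parse_md5_packet(pkt):
    """Decode a packet from build_md5_packet, rejecting inconsistent lengths."""
    if len(pkt) < 6 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("bad EAP length")
    if pkt[4] != EAP_TYPE_MD5 or 6 + pkt[5] > len(pkt):
        raise ValueError("not a well-formed MD5-Challenge packet")
    end = 6 + pkt[5]
    return {"code": pkt[0], "id": pkt[1], "value": pkt[6:end], "name": pkt[end:]}


def server_verify(identifier, challenge, response_pkt, password):
    """Authentication Server side: recompute the hash from the stored password
    and compare in constant time with the Value the Supplicant returned."""
    resp = parse_md5_packet(response_pkt)
    if resp["code"] != EAP_RESPONSE or resp["id"] != identifier:
        return False
    expected = md5_challenge_value(identifier, password, challenge)
    return hmac.compare_digest(expected, resp["value"])


def run_exchange(server_password, supplicant_password, identifier=7):
    """One round trip: server issues a fresh random challenge, Supplicant answers
    with its password, server checks the hash. Nothing authenticates the server
    to the Supplicant and no key material is derived, hence the entry's caveats."""
    challenge = os.urandom(16)
    request = build_md5_packet(EAP_REQUEST, identifier, challenge, b"radius")
    req = parse_md5_packet(request)
    value = md5_challenge_value(req["id"], supplicant_password, req["value"])
    response = build_md5_packet(EAP_RESPONSE, identifier, value, b"joe@test.org")
    return server_verify(identifier, challenge, response, server_password)
```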

EAP-PEAP
EAP-PEAP (Protected Extensible Authentication
Protocol) is a two-phase authentication like
EAP-TLS. In the first phase the Authentication
(RADIUS) Server is authenticated to the Supplicant using
an X.509 certificate. Using TLS, a secure channel
is established through which any other EAP-Type
can be used to authenticate the Supplicant to the
Authentication (RADIUS) Server during the second phase.
A certificate is only required at the
Authentication (RADIUS) Server. EAP-PEAP also supports
identity hiding where the Authenticator is only
aware of the anonymous username used to establish
the TLS channel during the first phase but not
the individual user authenticated during the
second phase.

EAP-SIM
EAP-SIM is an EAP type for authentication and
session key distribution using the GSM Subscriber
Identity Module (SIM). The mechanism specifies
enhancements to GSM authentication and key
agreement whereby multiple authentication
triplets can be combined to create authentication
responses and session keys of greater strength
than the individual GSM triplets. The mechanism
also includes network authentication, user
anonymity support and a re-authentication
procedure.

EAP-TLS
EAP-TLS is an EAP-Type for authentication based
upon X.509 certificates. Because it requires
both the Supplicant and the Authentication
(RADIUS) Server to have certificates, it provides
explicit Mutual Authentication and is resilient
to man-in-the-middle attacks. After successful
authentication a secure TLS link is established
to securely communicate a unique session key
from the Authentication (RADIUS) Server to the
Authenticator. Because X.509 certificates are
required on the Supplicant, EAP-TLS presents
significant management complexities.

EAP-TTLS
EAP-TTLS (EAP Tunneled TLS) is an EAP-Type for
authentication that employs a two-phase
authentication process. In the first phase the
Authentication (RADIUS) Server is authenticated to the
Supplicant using an X.509 certificate. Using
TLS, a secure channel is established through
which the Supplicant can be authenticated to
the Authentication Server using legacy PPP
authentication protocols such as PAP, CHAP,
and MS-CHAP. EAP-TTLS has the advantage over
EAP-TLS that it only requires a certificate
at the Authentication (RADIUS) Server. It also makes
possible forwarding of Supplicant requests to
a legacy RADIUS server. EAP-TTLS also supports
identity hiding where the Authenticator is only
aware of the anonymous username used to
establish the TLS channel during the first
phase but not the individual user authenticated
during the second phase.

ESS
An Extended Service Set (ESS) is composed of
multiple BSSs connected using other networking
technology. The ESS appears as a single
wireless network to the associated stations.
Stations can roam transparently from one BSS to
another within the ESS. However, there is
no standard for packet forwarding within the
ESS for a station roaming from one AP to another.

FSM Table
FSM stands for Finite State Machine. Finite State
Machines are a systems concept where sequential
systems are defined in terms of states, events,
and actions. A state completely defines the
conditions and point in a process. Events
occurring in a state trigger actions to be taken
and result in transitions to new states. An FSM
table defines all possible states as well as
the state transitions and actions to take for
each event. The power of Finite State Machines
is that sequential processes can be expanded or
changed by changing the FSM table without any
recoding or recompiling of the engine. The
RAD-Series RADIUS Server has a Finite State Machine
engine at its core for driving the processes
of handling RADIUS requests. This makes it very
easy to customize server processes or add new
ones. The RAD-Series RADIUS Server comes with several
predefined FSM tables from which to choose. The
Finite State Machine also makes it possible to
insert custom code developed with the Software
Developer's Kit (SDK) at any point in any process.

LAS
LAS stands for Local Authentication Service. The
LAS tracks active sessions and manages services
such as simultaneous session control and Address
Resource Management that are dependent on
maintaining the state of active sessions.

MAC Address Authentication
MAC Address Authentication authenticates the
station based upon its MAC address and not the
identity of the user using the station. This
form of authentication depends upon the station
having the correct static WEP keys configured
to confirm that its MAC address is not being
spoofed. This is a weak form of security as
static WEP keys are easily cracked and NIC
cards can be stolen.

Mutual Authentication
Mutual Authentication authenticates both the
Supplicant to the Authentication (RADIUS) Server and the
Authentication (RADIUS) Server to the Supplicant. Wired
network applications only required that the user
be authenticated before being granted access to
network services. The identity of the network
was assured by the physical connection to the
network directly or through the telephone
network. Because of the broadcast nature of
wireless networks there is no physical
connection to guarantee the network identity.
Security in wireless networks requires that the
Supplicant confirm the identity of the network
to which it is associating.

Network Access Identifier (NAI)
A network access identifier, or NAI, is a standard
way of composing user identifiers in a form that
enhances the interoperability of roaming and
tunneling services. The standard syntax is
user@realm. Network Access Identifiers are
defined in RFC 2486.

NULL Realm
The NULL realm is the user group made up of all
users not explicitly naming a realm in their
Username. NULL is the keyword used to configure
the NULL realm in both the authfile and las.conf.

Realm
A realm is a grouping of users. The realm portion
of a Network Access Identifier (NAI) often has
the same form as a domain name but a realm does
not have to correspond to a domain. Given the
NAI format of userid@realm, joe@test.org belongs
to the realm, test.org. The concept of realms
facilitates the segregation of user groups into
independently administered databases, the
application of policy on a user group basis, and
the establishment of roaming agreements to name
a few applications.
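
The NAI, NULL Realm and Realm entries above can be tied together in a small parser (an added example, not the server's own authfile or las.conf handling). The realm-to-database table is constructed for illustration, the split_nai and database_for names are the example's own, and the realm label check follows the RFC 2486 syntax of dot-separated labels of letters, digits and hyphens.

```python
import re

# "NULL" is the keyword this glossary uses for users who name no realm.
NULL_REALM = "NULL"

# Constructed realm -> authentication database routing table. The RAD-Series
# server keeps this in its authfile; the entries here are invented.
REALM_DATABASES = {
    NULL_REALM: "local-users",
    "test.org": "test-org-users",
    "partner.example": "proxy-to-partner-radius",
}

# One realm label per RFC 2486: letters, digits and interior hyphens.
_REALM_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def split_nai(nai):
    """Split a Network Access Identifier into (userid, realm).

    RFC 2486 syntax is username [ "@" realm ]. A username with no '@'
    falls into the NULL realm. Splitting on the last '@' keeps a
    backslash-escaped '\\@' inside the username with the username."""
    if not nai:
        raise ValueError("empty NAI")
    userid, sep, realm = nai.rpartition("@")
    if not sep:
        return nai, NULL_REALM
    if not userid:
        raise ValueError("NAI has a realm but no userid")
    if not realm or not all(_REALM_LABEL.match(lbl) for lbl in realm.split(".")):
        raise ValueError("malformed realm in NAI: %r" % nai)
    # Realms are domain-name-like, so compare them case-insensitively.
    return userid, realm.lower()


def database_for(nai):
    """Route an authentication request to the database administered for the
    user's realm. Unknown realms are rejected instead of falling through to
    the NULL realm, so a mistyped realm cannot land in the local database."""
    _, realm = split_nai(nai)
    if realm not in REALM_DATABASES:
        raise LookupError("no database configured for realm %r" % realm)
    return REALM_DATABASES[realm]
```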

SSID
Each ESS has a Service Set Identifier (SSID) used
to identify the APs that belong to the ESS. APs
can be configured with the SSID of the ESS to
which they should associate. By default,
APs broadcast their SSID to advertise their
presence. Configuration of SSIDs is not a
form of security, as a rogue AP can be configured
with the same SSID. Disabling SSID
advertisements does little to help security, as
the SSID is broadcast whenever a valid station
associates.

STA
A wireless station is any 802.11 wireless device
other than an access point.

Supplicant
The Supplicant is the client authentication
software/firmware. It runs on the station seeking
WLAN access and conducts an authentication
conversation with the Authentication (RADIUS) Server using
EAP. Until authenticated, the Supplicant can only
communicate with the Authentication (RADIUS) Server.

TKIP
TKIP (Temporal Key Integrity Protocol) is designed
to overcome WEP deficiencies. TKIP acts as a
wrapper for WEP adding the following functions:
- a message integrity code to defeat forgeries.
- a new initialization vector sequencing function
  to defeat replay attacks.
- a per-packet key mixing function.
- a rekeying mechanism to provide fresh encryption
  and integrity keys.
TKIP is one of the key improvements in WPA.

VLAN
A VLAN is a switched network that is logically
rather than physically segmented. VLANs enable
workstations and other devices to have a virtual
association, independent of geographic location
or physical attachment to the network. These
groupings can be based upon organizational unit,
application, role, or any other logical grouping.

WEP
According to the IEEE 802.11 standard, Wired
Equivalent Privacy (WEP) is intended to provide
"confidentiality that is subjectively
equivalent to the confidentiality of a wired
local area network medium that does not employ
cryptographic techniques to enhance privacy."
WEP relies on a secret key that is shared between
a mobile station and an access point. WEP uses the
RC4 stream cipher invented by RSA Data Security.
RC4 is a symmetric stream cipher that uses the same
variable length key for encryption and decryption.
With WEP enabled, the sender encrypts the data frame
payload and replaces the original payload with the
encrypted payload. The sender then forwards the
encrypted frame to its destination. The encrypted
data frames are sent with the MAC header WEP bit
set. Thus, the receiver knows to use the shared
WEP key to decrypt the payload and recover the
original frame. The new frame, with an unencrypted
payload, can then be passed to an upper layer protocol.
WEP keys can be either statically configured or
dynamically generated. In either case, WEP has
been found to be easily broken.
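
To make the sender/receiver description above concrete, here is an added Python model of WEP frame handling (example code, not taken from the 802.11 standard or from this product). It assumes the 802.11 WEP body layout that the entry does not spell out: a 3-byte IV and key-ID octet in front of the RC4 ciphertext of payload plus CRC-32 ICV, with RC4 keyed by the IV followed by the shared key; the MAC header bytes and the wep_send/wep_receive names are constructed.

```python
import os
import zlib

# Frame Control flags octet: 0x40 is the "WEP bit" (Protected Frame).
FC_FLAG_PROTECTED = 0x40
# Constructed 24-byte data-frame MAC header: frame control (2), duration (2),
# three addresses (3 x 6), sequence control (2). All values are made up.
MAC_HEADER = b"\x08\x00" + b"\x00\x00" + b"\xaa" * 6 + b"\xbb" * 6 + b"\xcc" * 6 + b"\x10\x00"


def rc4(key, data):
    """RC4 (KSA then PRGA) applied to data; the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_send(wep_key, header, payload, iv=None, key_id=0):
    """Sender: encrypt payload || CRC-32 ICV under RC4(IV || shared key),
    prepend IV and KeyID, and set the WEP bit in the frame control field."""
    iv = os.urandom(3) if iv is None else iv
    icv = zlib.crc32(payload).to_bytes(4, "little")
    hdr = bytearray(header)
    hdr[1] |= FC_FLAG_PROTECTED
    return bytes(hdr) + iv + bytes([key_id << 6]) + rc4(iv + wep_key, payload + icv)


def wep_receive(wep_key, frame):
    """Receiver: if the WEP bit is set, decrypt with the shared key and check the
    ICV; returns the recovered payload, or None when the ICV does not match."""
    header, body = frame[:24], frame[24:]
    if not header[1] & FC_FLAG_PROTECTED:
        return body  # unencrypted frame, passed up unchanged
    iv, plain = body[:3], rc4(body[:3] + wep_key, body[4:])
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        return None
    return payload
```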

WPA
Wi-Fi Protected Access (WPA) is a replacement
security standard for WEP. It is a subset of
the IEEE 802.11i standard being developed. WPA
makes use of TKIP to deliver security superior
to WEP. 802.1X access control is still employed.
The Authentication Server provides the material
for creating the keys.