Appendix A Wireless LANs
WAP6906 User’s Guide
79
encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This
all happens in the background automatically.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets,
altering them and resending them. The MIC provides a strong mathematical function in which the
receiver and the transmitter each compute and then compare the MIC. If they do not match, it is
assumed that the data has been tampered with and the packet is dropped.
By generating unique data encryption keys for every data packet and by creating an integrity
checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a WiFi network than
WEP and difficult for an intruder to break into the network.
The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference
between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific
credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-
guessing attacks but it’s still an improvement over WEP as it employs a consistent, single, alphanumeric
password to derive a PMK which is used to generate unique temporal encryption keys. This prevent all
wireless devices sharing the same encryption keys. (a weakness of WEP)
User Authentication
WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless
clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from
six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other
WPA2 authentication features that are different from WPA include key caching and pre-authentication.
These two features are optional and may not be supported in all wireless devices.
Key caching allows a wireless client to store the PMK it derived through a successful authentication with
an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go
with the authentication process again.
Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to
perform IEEE 802.1x authentication with another AP before connecting to it.
Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the wireless client
how to use WPA. At the time of writing, the most widely available supplicant is the
WPA patch for
Windows XP, Funk Software's Odyssey client.
The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero
Configuration" wireless client. However, you must run Windows XP to use it.
WPA(2) with RADIUS Application Example
To set up WPA(2), you need the IP address of the RADIUS server, its port number (default is 1812), and the
RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A"
is the RADIUS server. "DS" is the distribution system.
1
The AP passes the wireless client's authentication request to the RADIUS server.
2
The RADIUS server then checks the user's identification against its database and grants or denies
network access accordingly.