DTUS065 rev A.7 – June 27, 2014
Authentication modus operandi
802.1x uses one of the EAP (Extensible Authentication Protocol) methods.
The most commonly used ones are:
- EAP-PEAP
- EAP-TLS
- EAP-TTLS
The EAP method used is transparent to the access point. On the other hand,
the access point's clients, such as bridges, must be aware of the authentication
method. The choice of method must take into account the capabilities of the
server/supplicant pair as well as the level of security needed.
For example, a Windows XP SP2 supplicant allows:
- PEAP authentication with login and password (called MSCHAP V2)
- Use of certificates.
Preauthentication
A client is said to preauthenticate when it authenticates with a new AP
through the currently associated AP. This aims to speed up association
when the client decides to roam to the preauthenticated AP, because it
removes the significant overhead of the 802.1x protocol.
Preauthentication must be enabled in the AP to allow the client to use it.
WLn clients always use preauthentication when the AP offers it.
Preauthentication makes the client store communication keys before it
needs them. The WLn client can keep many keys in advance, allowing roaming
from one AP to another to another… and back to the first, without
re-executing the 802.1x protocol.
In the WLn clients, the keys are kept in a cache table whose lifetime is
configurable.
V.5.5 Protected management frame (802.11w)
This feature protects your device from a DoS (Denial of Service) attack by a hacker.
By default, management frames are not protected. Anyone can send a DEAUTH frame to
a client or to the AP.
In this situation, a hacker can gather AP information using a Wi-Fi sniffer and then send a
legacy client a DEAUTH frame carrying the AP's MAC address. The client receives this frame
and then closes its connection with the AP.
802.11w adds a field to the frame to authenticate the frame sender.
If the Wi-Fi equipment receives a management frame from an incorrect sender, it discards
the frame.
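An AP announces both settings described above, whether it offers preauthentication and whether it uses 802.11w, in the RSN element of its beacons. The following audit helper is an added example, not taken from this manual or from Acksys software; it assumes the RSN element layout of IEEE 802.11, and the function name `parse_rsn` and both sample elements are constructed for illustration.

```python
import struct

RSN_ELEMENT_ID = 48
IEEE_OUI = b"\x00\x0f\xac"
AKM_NAMES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256"}

# Constructed sample elements (not captured from a real device).
# 802.1X AP with preauthentication advertised and no 802.11w:
LEGACY_AP = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                          "0100" "000fac01" "0100")
# 802.1X-SHA256 AP with preauthentication and 802.11w required:
PMF_AP = bytes.fromhex("301a" "0100" "000fac04" "0100" "000fac04"
                       "0100" "000fac05" "c100" "0000" "000fac06")


def parse_rsn(element: bytes) -> dict:
    """Decode the AKM list and capability bits of one RSN element."""
    if len(element) < 2 or element[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = element[2:2 + element[1]]
    if len(body) != element[1]:
        raise ValueError("truncated RSN element")
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        pos += n
        return body[pos - n:pos]

    def u16() -> int:
        return struct.unpack("<H", take(2))[0]

    version = u16()
    take(4)                      # group data cipher suite
    take(4 * u16())              # pairwise cipher suite list
    akms = [take(4) for _ in range(u16())]
    # RSN Capabilities is optional; if absent, all bits read as 0.
    caps = u16() if pos < len(body) else 0
    pmf = "required" if caps & 0x40 else "optional" if caps & 0x80 else "disabled"
    return {
        "version": version,
        "akm": [AKM_NAMES.get(s[3], "other") if s[:3] == IEEE_OUI else "vendor"
                for s in akms],
        "preauth": bool(caps & 0x01),   # bit 0: AP offers preauthentication
        "pmf": pmf,                     # bits 6/7: MFPR / MFPC (802.11w)
    }
```

An AP reported with `pmf` set to `disabled` or `optional` still accepts clients that do not protect management frames, which is the legacy-client case described above.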