18 CHAPTER 3: ACCESS POINT SECURITY
them. After successful authentication, the TLS server securely sends the session
keys to the access point and user data is allowed to pass. EAP-TLS is currently
supported only under Windows XP.
3Com Serial Authentication
Serial Authentication, a 3Com-proprietary upper layer authentication mechanism,
uses a two-phase process involving both EAP-TLS and EAP-MD5.
In the first phase, the wireless client and the RADIUS EAP-TLS server mutually
authenticate each other. All clients can authenticate to the TLS server because
a common certificate is provided during software installation. Successful
completion of this phase establishes dynamic session keys that protect
subsequent communication between the wireless client and access point.
In the second phase, the server can securely use EAP-MD5 to authenticate the
user. Once authenticated, the server informs the access point and data traffic
from the client is allowed to pass to the wired network.
3Com Serial Authentication also includes optional dynamic session-key renewal,
which greatly enhances system security. Dynamic key renewal means that,
following the initial upper layer authentication, the client and the access point
periodically update the session keys used for encryption.
3Com’s Serial Authentication method provides obvious advantages. By combining
encryption key distribution and a secure network authentication, it makes use of
two complementary authentication schemes. Additionally, the client and the
access point dynamically update session keys while the network session is in
progress. Because Serial Authentication is a 3Com proprietary scheme, it must be
used with the 3Com Wireless LAN PC Card (model 3CRWE62092A) and the 3Com
Access Point 8000. Serial authentication is supported by the 3Com 802.1x agent
(described below).
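The two-phase flow above, as an added simulation that is not 3Com's code or part of the manual: a RADIUS server that first accepts the common client certificate (phase 1, EAP-TLS simulated by a fingerprint comparison) and then verifies an EAP-MD5 challenge/response for the user (phase 2, using the real MD5-Challenge format MD5(Identifier || Secret || Challenge) from RFC 3748), and an access point whose controlled port opens only after both phases succeed. The user database, certificate fingerprint and the hash-based key-renewal step are constructed for illustration; the manual does not specify how session keys are renewed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed credential store for the simulated RADIUS server
# (hypothetical user name and password, not from the manual).
USER_DB = {"alice": b"s3cret-pass"}

# Fingerprint of the common client certificate shipped with the client
# software (constructed placeholder; a real server validates the chain
# during the TLS handshake).
COMMON_CERT_FP = b"\x11" * 32


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 Challenge response (RFC 3748 s5.4, same as CHAP, RFC 1994):
    MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class RadiusServer:
    """Server side of Serial Authentication: EAP-TLS, then EAP-MD5."""

    def phase1_tls(self, client_cert_fp: bytes) -> Optional[bytes]:
        # Phase 1 (simulated): mutual EAP-TLS authentication. Only the common
        # certificate installed with the client software is accepted.
        if not hmac.compare_digest(client_cert_fp, COMMON_CERT_FP):
            return None
        # Session key material that the TLS exchange would normally derive.
        return os.urandom(32)

    def phase2_md5(self, username: str, identifier: int,
                   challenge: bytes, response: bytes) -> bool:
        # Phase 2: user authentication with EAP-MD5 inside the protected channel.
        secret = USER_DB.get(username)
        if secret is None:
            return False
        expected = eap_md5_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class AccessPoint:
    """Controlled port stays closed until the server reports success."""

    def __init__(self) -> None:
        self.port_open = False
        self.session_key: Optional[bytes] = None
        self.epoch = 0

    def install_session_key(self, key: bytes) -> None:
        self.session_key = key
        self.epoch = 0

    def authorize(self) -> None:
        self.port_open = True

    def renew_session_key(self) -> bytes:
        # Dynamic key renewal (mechanism assumed for this example): derive the
        # next encryption key from the current key and an epoch counter.
        assert self.session_key is not None
        self.epoch += 1
        self.session_key = hashlib.sha256(
            self.session_key + self.epoch.to_bytes(4, "big")).digest()
        return self.session_key


def serial_authentication(ap: AccessPoint, server: RadiusServer,
                          client_cert_fp: bytes, username: str,
                          password: bytes) -> bool:
    """Run both phases; return True only if the AP opens its port."""
    key = server.phase1_tls(client_cert_fp)
    if key is None:
        return False                  # phase 1 failed: no keys, port closed
    ap.install_session_key(key)       # keys protect the rest of the exchange
    # Phase 2: server sends MD5-Challenge, client answers with its password.
    identifier = 7                    # EAP Identifier byte (arbitrary value)
    challenge = os.urandom(16)
    response = eap_md5_response(identifier, password, challenge)
    if not server.phase2_md5(username, identifier, challenge, response):
        return False                  # wrong user or password: port closed
    ap.authorize()                    # server informs AP; data may pass
    return True


if __name__ == "__main__":
    ap, srv = AccessPoint(), RadiusServer()
    ok = serial_authentication(ap, srv, COMMON_CERT_FP, "alice", b"s3cret-pass")
    print("authenticated:", ok, "port open:", ap.port_open)
    first = ap.session_key
    print("key renewed:", ap.renew_session_key() != first)
```

The ordering is the point: the MD5 challenge and response never travel in the clear, because phase 1 has already established session keys, and a failed certificate check leaves the access point with no keys and a closed port.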
Additional Security Configuration Options
If you choose not to use an upper layer authentication scheme, 3Com’s security
solution also supports the authentication and encryption methods described
below.
Open Network. The open-network option assumes that neither authentication
nor encryption is required. No security is used.
40-bit Shared Key Encryption. This option is compatible with Wi-Fi certified
equipment from other vendors. Encryption keys must be set up on both the client
and the access point. The network administrator sets up a fixed set of encryption
keys for the wireless network and supplies users with an encryption string or a set
of hexadecimal keys. This option can be used with local access point
authentication or with EAP-MD5 RADIUS authentication.
128-bit Shared Key Encryption. This option is compatible with 128-bit shared
key encryption from most vendors, including 3Com, Agere, and Cisco. The network
administrator sets up encryption keys for the wireless network and supplies users
with an encryption string or hexadecimal keys. You must set up encryption keys on
both the client and access point. This option can be used with local access point
authentication or with EAP-MD5 RADIUS authentication.
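Both shared-key options require the same key on the client and the access point, entered either as an encryption string or as hexadecimal digits. The following added helper, which is not 3Com's code or part of the manual, normalises such entries and checks that they have a valid WEP length: a 40-bit key is 5 bytes (10 hex digits) and a "128-bit" key is 13 bytes (26 hex digits), because the advertised size counts the 24-bit IV. It assumes that an ASCII string is used byte-for-byte as the key; vendor passphrase generators that derive a key from a longer string are not modelled, and the key set of four slots is an assumption based on the standard WEP key index.

```python
import binascii
import re
from typing import List, Tuple

# Configured secret length in bytes -> advertised key size in bits.
# The advertised size includes the 24-bit IV prepended to each frame.
KEY_SIZES = {5: 40, 13: 128}
_HEX = re.compile(r"[0-9A-Fa-f]+")
MAX_KEYS = 4  # WEP key index 0-3 (assumption for this example)


def parse_wep_key(entry: str) -> Tuple[int, bytes]:
    """Turn an operator-supplied key entry into (advertised bits, key bytes).

    Accepts a hex string (optionally prefixed with 0x) of 10 or 26 digits,
    or an ASCII string of exactly 5 or 13 characters. A 10-character entry
    made only of hex digits is taken as hex, which is the usual UI rule.
    """
    s = entry.strip()
    if s[:2].lower() == "0x":
        s = s[2:]
    if len(s) in (10, 26) and _HEX.fullmatch(s):
        key = binascii.unhexlify(s)
    else:
        key = s.encode("ascii")  # raises UnicodeEncodeError on non-ASCII
    if len(key) not in KEY_SIZES:
        raise ValueError(
            f"key must be 5 or 13 bytes (got {len(key)}); "
            "enter 10/26 hex digits or a 5/13-character string")
    return KEY_SIZES[len(key)], key


def build_key_set(entries: List[str]) -> List[bytes]:
    """Parse the fixed set of keys an administrator distributes; all keys in
    the set must have the same advertised size so every slot works with the
    selected encryption option."""
    if not 1 <= len(entries) <= MAX_KEYS:
        raise ValueError(f"a key set holds 1 to {MAX_KEYS} keys")
    parsed = [parse_wep_key(e) for e in entries]
    sizes = {bits for bits, _ in parsed}
    if len(sizes) != 1:
        raise ValueError(f"mixed key sizes in one set: {sorted(sizes)}")
    return [key for _, key in parsed]


def keys_match(client_entry: str, ap_entry: str) -> bool:
    """Client and AP must hold identical key bytes; compare after normalising
    the format so '0x48656c6c6f' on the AP matches 'Hello' on the client."""
    return parse_wep_key(client_entry) == parse_wep_key(ap_entry)


if __name__ == "__main__":
    print(parse_wep_key("Hello"))                        # (40, b'Hello')
    print(parse_wep_key("0123456789abcdef0123456789"))   # 128-bit key
    print(keys_match("Hello", "48656C6C6F"))             # True
```

A mismatch between an ASCII entry on one side and hex on the other is a common cause of "associated but no traffic" reports with shared-key encryption, which is why the comparison normalises both entries before checking them.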