LANCOM Reference Manual LCOS 3.50 Chapter 11: Wireless LAN – WLAN
The access point is thus a sort of middle man between client and server. It
doesn't have to check the contents of these packets, it just has to check that
no other data traffic to or from the client can occur.
This process has two advantages:
- The implementation effort in the access point is low. While the client and
  the server are usually PCs with high levels of resources, access points are
  devices which are limited both in memory and in computing power.
- New processes for authentication require no firmware upgrade on the
  access point.
Over this tunnel through the access point, the client and server authenticate
one another, that is, the server checks the client's access privilege to the
network, and the client checks that it is talking to the right network. "Wild"
access points set up by hackers can be recognised in this way.
A whole series of authentication processes exist which can be used in this
tunnel. A current process (and one supported by Windows XP) is for instance
TLS, in which server and client exchange certificates; another is TTLS, in which
only the server supplies a certificate—the client is authenticated using only a
username and password.
After the authentication phase, a secure tunnel has been set up, even without
WEP encryption, and in the next step the access point is brought into it.
For this, the RADIUS server sends the so-called 'Master Secret', a session key
calculated during the negotiation, to the access point. The LAN behind it is
considered secure in this scenario, so that this transmission can be performed
in clear text.
With this session key, the access point now takes over the tunnel and can use
it to provide the actual WEP key to the client. Depending on the capabilities
of the access point hardware, this can be a true session key (that is, a WEP key
which will only be used for data packets between the access point and
precisely this client), or a so-called group key, which the access point will use
for communication with multiple clients. Classical WEP hardware can usually
handle only group keys, these being the four mentioned in the chapter on
WEP.
The particular advantage of this procedure is that the access point can
regularly change the WEP key over the EAP tunnel, that is, it can perform a
so-called rekeying. In this way, WEP keys can be replaced by new ones long
before they run the risk of being cracked due to IV collisions. A common 'use
time' for such WEP keys might be 5 minutes.
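
The relationship between the rekeying interval and IV reuse can be worked through numerically. The following is an added example, not part of the manual: it assumes WEP's 24-bit IV, a constructed traffic rate of 500 packets per second, and two hypothetical IV selection strategies (a single sender's counter, and uniformly random IVs).

```python
import math

IV_SPACE = 2 ** 24  # WEP's IV is 24 bits: 16,777,216 values per key


def packets_under_key(pps: float, rekey_seconds: float) -> int:
    """Packets encrypted with one WEP key before rekeying replaces it.
    For a group key, pps is the combined rate of all clients sharing it."""
    return int(pps * rekey_seconds)


def collision_probability(packets: int, sequential: bool = False) -> float:
    """Chance that at least one IV repeats during the key's use time."""
    if packets <= 1:
        return 0.0
    if packets > IV_SPACE:
        return 1.0  # more packets than IVs: a repeat is unavoidable
    if sequential:
        return 0.0  # a single sender's counter repeats only after wrapping
    # Birthday approximation for IVs drawn uniformly at random.
    return -math.expm1(-packets * (packets - 1) / (2 * IV_SPACE))


def max_packets(max_probability: float, sequential: bool = False) -> int:
    """Largest packet count whose repeat probability stays within the limit."""
    if sequential:
        return IV_SPACE
    budget = -math.log1p(-max_probability)  # n(n-1) <= 2 * N * budget
    return min(IV_SPACE, int((1 + math.sqrt(1 + 8 * IV_SPACE * budget)) / 2))


def max_rekey_seconds(pps: float, max_probability: float,
                      sequential: bool = False) -> float:
    """Longest use time for one key at the given packet rate."""
    return max_packets(max_probability, sequential) / pps


if __name__ == "__main__":
    PPS = 500          # constructed sample rate, not a figure from the manual
    USE_TIME = 5 * 60  # the 5-minute use time mentioned in the text
    n = packets_under_key(PPS, USE_TIME)
    print(f"packets per key: {n} ({n / IV_SPACE:.2%} of the IV space)")
    for seq in (True, False):
        label = "counter IV" if seq else "random IV "
        print(f"{label}: P(repeat in use time) = "
              f"{collision_probability(n, seq):.4f}, "
              f"50% repeat risk after {max_rekey_seconds(PPS, 0.5, seq):.1f} s")
```

The output shows that how much margin a given use time leaves depends on how the sender chooses its IVs, and on how many clients share the key.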