Symbol Technologies WS 2000 manual 802.1x with Shared Key Authentication, Kerberos Authentication

802.1x with Shared Key Authentication

The pair-wise master key (PMK) produced by this negotiation is used to derive the keys that encrypt traffic at the MAC layer. In the absence of a RADIUS server, 802.1x is used in a pre-shared key configuration: administrators configure the master key statically on the switch and on the MUs. Otherwise the key is obtained through negotiation with an external RADIUS server in compliance with 802.1x.

The WS 2000 Wireless Switch uses the Remote Authentication Dial-In User Service (RADIUS) to authenticate 802.1x-enabled mobile units (MUs).

802.1x with Shared Key Authentication

Shared key authentication is part of the Wired Equivalent Privacy (WEP) algorithm and provides a basic means of encrypting data to improve security on a Wireless LAN (WLAN). The same shared key is used both to authenticate and to encrypt and decrypt data. Only a wireless device holding a valid shared key is allowed to associate with the WS 2000 Wireless Switch and access services on the wired LAN.

Using shared key authentication, an administrator configures the mobile units (MUs) and the WS 2000 Wireless Switch with the same key. An MU authenticates by proving that it holds the key: the switch sends it a challenge, the MU returns the challenge encrypted under the shared key, and the switch decrypts the response with its own copy of the key, checks the integrity checksum (the WEP ICV) and confirms that the result matches the challenge. The MU gains access to network services only when this check passes. Note that WEP is no longer considered secure, and the challenge/response itself reveals keystream to an eavesdropper, so shared key authentication should be treated as a barrier to casual association rather than as strong authentication.

The WS 2000 Wireless Switch uses shared key authentication when there is no RADIUS server on the wired LAN.
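The handshake the manual paraphrases above is the 802.11 shared key exchange: a challenge from the switch, the challenge returned WEP-encrypted by the MU, and a decrypt-and-compare on the switch. The following is an added Python model of that exchange written for this page; it is not code from the manual or from Symbol's firmware, and the key value, the RC4 plus CRC-32 construction of a WEP body and the function names are the example's own. It also shows the practical caveat mentioned above: the clear-text challenge and its encrypted response give an observer the keystream for that IV without knowing the key.

```python
import os
import struct
import zlib

# Constructed example: a 104-bit WEP key configured on both the MU and the switch (not from the manual).
SHARED_KEY = bytes.fromhex("0123456789abcdef0123456789")
CHALLENGE_LEN = 128  # the 802.11 shared key challenge text is 128 octets


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 as used by WEP; XOR with the keystream serves as both encryption and decryption."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP's integrity check value: CRC-32 of the plaintext (the 'checksum' the manual refers to)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: 24-bit IV in the clear, then RC4 keyed with IV || key applied to plaintext || ICV."""
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes):
    """Returns the plaintext if the ICV verifies under this key, otherwise None."""
    iv, ct = body[:3], body[3:]
    pt = rc4(iv + key, ct)
    data, tag = pt[:-4], pt[-4:]
    return data if tag == icv(data) else None


# The four-frame shared key handshake; frame 1 is the MU's plain authentication request.
def switch_challenge() -> bytes:
    """Frame 2: the switch sends a random challenge text in the clear."""
    return os.urandom(CHALLENGE_LEN)


def mu_response(key: bytes, challenge: bytes) -> bytes:
    """Frame 3: the MU 'presents the key' by returning the challenge WEP-encrypted under it (MU picks the IV)."""
    return wep_encrypt(key, os.urandom(3), challenge)


def switch_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Frame 4 decision: decrypt with the switch's copy of the key, check the ICV, compare to the challenge."""
    return wep_decrypt(key, response) == challenge


def recover_keystream(challenge: bytes, response: bytes):
    """Caveat: frames 2 and 3 together hand an eavesdropper (IV, keystream) for 132 bytes without the key."""
    iv, ct = response[:3], response[3:]
    return iv, xor_bytes(challenge + icv(challenge), ct)
```

switch_verify returns True for a genuine response under the configured key and False for one produced under a different key. The keystream that recover_keystream returns is enough to answer any later challenge: the responder chooses the IV, so an attacker simply reuses the captured one, which is why shared key authentication is weaker than open authentication combined with security at a higher layer.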

Kerberos Authentication

The Kerberos authentication service protocol (specified in RFC 1510, since superseded by RFC 4120) provides a secure means of authenticating users and clients in a wireless network environment.

With Kerberos, a client (a user, a service, or a user requesting any number of network services) within the Kerberos realm sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the Ticket Granting Server's (TGS) secret key, and sends the encrypted TGT back to the client. Along with the TGT, the KDC sends a session key (SK1) encrypted with a key derived from the client's password. The client attempts to decrypt the session key using its password; only a client that knows the correct password recovers SK1, and possession of SK1 is what proves the client's identity in the exchanges that follow. Because anyone who can request this reply can try to decrypt it offline with guessed passwords, deployments should require Kerberos pre-authentication. The TGT permits the client to obtain additional tickets (TK-TS) that grant access to specific network services (any application or service) for the lifetime stated in each TK-TS; the requesting and granting of these tickets is transparent to the user. An expired service ticket is simply replaced by requesting a new one with the TGT, but once the TGT itself expires the client must re-authenticate to continue using network services.
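The AS and TGS exchanges described above, as an added worked example in Python written for this page (not code from the manual or from any Kerberos implementation): the realm name, principals, passwords and the toy HMAC-based sealing that stands in for Kerberos encryption types are all constructed for the example. The flow is the one in the text: the KDC returns the TGT sealed under the TGS key plus SK1 sealed under the client's password-derived key; the client proves its identity by recovering SK1; the TGT is then presented with an authenticator to obtain a service ticket (TK-TS) and a second session key; and an expired TGT is refused, forcing re-authentication.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed example realm (not from the manual). A real KDC keeps these keys in its master database.
REALM = b"EXAMPLE.REALM"
ITER = 100_000
TICKET_LIFETIME = 8 * 3600
SKEW = 300  # tolerated clock skew for authenticators, in seconds


def password_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key: the client's long-term key is derived from its password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM, ITER)


KDC_DB = {
    "alice": password_key("correct horse"),  # user principal, stored in key form
    "krbtgt": os.urandom(32),                # the Ticket Granting Server's secret key
    "wlan/ws2000": os.urandom(32),           # a network service's key
}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption standing in for a Kerberos encryption type: nonce || ct || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Returns the sealed dict, or None if the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def as_exchange(client: str):
    """KDC side of AS-REQ/AS-REP: the TGT sealed under the TGS key, and SK1 sealed under the client's key."""
    sk1, expires = os.urandom(32).hex(), int(time.time()) + TICKET_LIFETIME
    tgt = seal(KDC_DB["krbtgt"], {"client": client, "sk": sk1, "expires": expires})
    enc_part = seal(KDC_DB[client], {"sk": sk1, "expires": expires})
    return tgt, enc_part


def client_login(client: str, password: str, tgt: bytes, enc_part: bytes):
    """Client side: only the right password recovers SK1, and holding SK1 is the proof of identity."""
    part = unseal(password_key(password), enc_part)
    return None if part is None else {"client": client, "tgt": tgt, "sk": bytes.fromhex(part["sk"])}


def tgs_exchange(tgt: bytes, authenticator: bytes, service: str):
    """TGS side: open the TGT with its own key, check the authenticator under SK1, issue a ticket + SK2."""
    t = unseal(KDC_DB["krbtgt"], tgt)
    if t is None or t["expires"] < time.time():
        return None  # forged or expired TGT: the client must re-authenticate
    sk1 = bytes.fromhex(t["sk"])
    a = unseal(sk1, authenticator)
    if a is None or a["client"] != t["client"] or abs(a["ts"] - time.time()) > SKEW:
        return None
    sk2 = os.urandom(32).hex()
    ticket = seal(KDC_DB[service], {"client": t["client"], "sk": sk2, "expires": t["expires"]})
    return ticket, seal(sk1, {"service": service, "sk": sk2})


def client_get_service_ticket(creds: dict, service: str):
    """Client side of TGS-REQ/TGS-REP: user-transparent, no password needed while the TGT is valid."""
    authenticator = seal(creds["sk"], {"client": creds["client"], "ts": int(time.time())})
    reply = tgs_exchange(creds["tgt"], authenticator, service)
    if reply is None:
        return None
    ticket, enc_part = reply
    return ticket, bytes.fromhex(unseal(creds["sk"], enc_part)["sk"])


def service_accept(service: str, ticket: bytes):
    """Service side: only the service's own key opens the ticket; it learns the client name and SK2."""
    t = unseal(KDC_DB[service], ticket)
    return None if t is None or t["expires"] < time.time() else t["client"]
```

Note that client_login is the only step that uses the password: the enc_part returned by as_exchange can be fed to password_key guesses offline by anyone who obtained it, which is why real deployments require pre-authentication before the KDC issues an AS reply.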

The KDC operates in either a Master or a Slave capacity. The Master KDC maintains the master database file containing all user authentication information: each user's name, password (held in key form) and authorization level. The authorization level determines which network services the user can access.

The Slave KDC acts as a backup to the Master KDC. Database information propagates from the Master KDC to the Slave at regular intervals, so changes made between propagations are not yet known to the Slave. If the Master KDC fails, the Slave KDC takes over ticket-granting until the Master KDC is restored. The Slave KDC has no database administration privileges; these are reserved for the Master KDC.

Copyright © 2004 Symbol Technologies, Inc. All Rights Reserved

16

WS 2000 Wireless Switch: 1.0 Date of last Revision: March 2004

 
