Appendix E Wireless LANs

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network.

The encryption mechanisms used for WPA2 and WPA2-PSK are the same. The only difference between the two is that WPA2-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA2-PSK susceptible to brute-force password-guessing attacks but it’s still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevent all wireless devices sharing the same encryption keys. (a weakness of WEP)

User Authentication

WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. These two features are optional and may not be supported in all wireless devices.

Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go with the authentication process again.

Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.

Wireless Client WPA2 Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA2. At the time of writing, the most widely available supplicant is the WPA2 patch for Windows XP, Funk Software's Odyssey client.

The Windows XP patch is a free download that adds WPA2 capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.

WPA2 with RADIUS Application Example

To set up WPA2, you need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA2 application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system.

1The AP passes the wireless client's authentication request to the RADIUS server.

2The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.

3A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client.

 

187

NWA1000 Series User’s Guide