Authentication

There are two different things that get called authentication in Wi-Fi. One is 802.11 authentication, and the other is security authentication that uses a password or 802.1X.

802.11 Authentication Note: This form happens BEFORE association

In the 802.11 standard, there is authentication, followed by association. That is, a wireless station must authenticate to an AP, and then it can associate to it.

This authentication is basically just a handshake to make sure that the wireless station has the capabilities required by the AP to join the BSS.

There are only two kinds of 802.11 authentication: ‘open’ (open system) and ‘WEP’ (shared key). There are no others. Remember, this is 802.11 authentication, not the security authentication described below.

Open authentication is recommended. This is because the way WEP (shared key) authentication works, it provides an easy mechanism to deduce the WEP key. Once an attacker has it, that same WEP key is what is used for traffic encryption, so the attacker would be able to decrypt and view WEP traffic.

A station must be 802.11 authenticated to an AP before it can be associated to it (the next step). If an attacker performs a ‘de-auth’ attack, they are effectively making the station no longer authenticated to the AP. No authentication means no association. The de-auth management frame must be obeyed, which is what makes it an effective attack. WIPS that do rogue containment work the same way: they ensure no station can stay authenticated to the rogue AP, rendering it useless.
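The sequence described above (authenticate, then associate; de-auth drops both) is easiest to see as a small state machine. The following is an added illustration, not code from the original page: it models the three 802.11 station states, applies a constructed log of management frames, and finishes with a simple WIDS-style heuristic that flags a burst of de-auth frames against one BSSID. All MAC addresses, frame timestamps, and the one-second window and threshold of three are constructed sample values.

```python
"""802.11 station state machine plus a de-auth burst detector (added example)."""
from collections import defaultdict

# 802.11 station states: authentication must precede association, and
# losing authentication also drops the association.
UNAUTH_UNASSOC = 1   # state 1: not authenticated, not associated
AUTH_UNASSOC = 2     # state 2: authenticated, not associated
AUTH_ASSOC = 3       # state 3: authenticated and associated


class Station:
    """Tracks one station's 802.11 state with respect to one BSSID."""

    def __init__(self, mac, bssid):
        self.mac = mac
        self.bssid = bssid
        self.state = UNAUTH_UNASSOC

    def handle(self, frame):
        """Apply one management frame and return the resulting state."""
        if frame["sta"] != self.mac or frame["bssid"] != self.bssid:
            return self.state            # frame is for someone else; ignore
        kind = frame["type"]
        if kind == "auth_success":       # open-system handshake completed
            if self.state == UNAUTH_UNASSOC:
                self.state = AUTH_UNASSOC
        elif kind == "assoc_success":
            # association is only possible from the authenticated state;
            # an AP would reject an association request from state 1
            if self.state == AUTH_UNASSOC:
                self.state = AUTH_ASSOC
        elif kind == "disassoc":
            # disassociation keeps the 802.11 authentication (state 3 -> 2)
            if self.state == AUTH_ASSOC:
                self.state = AUTH_UNASSOC
        elif kind == "deauth":
            # de-authentication drops everything: no auth means no association
            self.state = UNAUTH_UNASSOC
        return self.state


def can_pass_data(station):
    """Data frames flow only in state 3."""
    return station.state == AUTH_ASSOC


# Constructed sample frame log (not captured traffic): a normal join, a
# disassociate/re-associate, an injected burst of de-auths, then an
# association attempt that must fail because authentication was lost.
AP = "00:11:22:33:44:55"      # constructed BSSID
OTHER_AP = "66:77:88:99:aa:bb"  # constructed BSSID for a benign de-auth
STA = "aa:bb:cc:dd:ee:01"      # constructed station MAC
SAMPLE_FRAMES = [
    {"t": 0.00, "type": "auth_success",  "bssid": AP, "sta": STA},
    {"t": 0.10, "type": "assoc_success", "bssid": AP, "sta": STA},
    {"t": 2.00, "type": "disassoc",      "bssid": AP, "sta": STA},
    {"t": 2.10, "type": "assoc_success", "bssid": AP, "sta": STA},
    {"t": 5.00, "type": "deauth",        "bssid": AP, "sta": STA},
    {"t": 5.02, "type": "deauth",        "bssid": AP, "sta": STA},
    {"t": 5.04, "type": "deauth",        "bssid": AP, "sta": STA},
    {"t": 5.10, "type": "assoc_success", "bssid": AP, "sta": STA},
    {"t": 9.00, "type": "deauth",        "bssid": OTHER_AP, "sta": STA},
]


def run_sequence(frames, sta=STA, bssid=AP):
    """Feed frames through one station and return the state after each."""
    station = Station(sta, bssid)
    return [station.handle(f) for f in frames]


def deauth_bursts(frames, window=1.0, threshold=3):
    """Return {bssid: max de-auth frames seen in any `window` seconds} for
    BSSIDs that reach `threshold`. Legitimate de-auths are rare, so a burst
    against one BSSID is a simple flood/containment indicator."""
    times = defaultdict(list)
    for f in frames:
        if f["type"] == "deauth":
            times[f["bssid"]].append(f["t"])
    flagged = {}
    for bssid, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # slide window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[bssid] = best
    return flagged


if __name__ == "__main__":
    print(run_sequence(SAMPLE_FRAMES))
    print(deauth_bursts(SAMPLE_FRAMES))
```

The state list shows the two points the text makes: the disassociate at 2.00 s drops the station only to state 2, so it re-associates without re-authenticating, whereas the de-auth at 5.00 s drops it to state 1 and the later association attempt is rejected. The detector flags only the BSSID that received the burst; the single de-auth against the other BSSID stays below the threshold.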

Security Authentication Note: This form happens AFTER association

This authentication is the kind you are probably more familiar with. There is a fine line here between authentication and encryption. Once you are 802.11 authenticated and associated, you still can’t pass traffic unless you have the right encryption set up. That encryption may be established from a pre-shared key (a passphrase), or derived from the 802.1X process.

802.1X is not an 802.11 standard. It is a standard for port security, which may be simply a wired switch port. 802.1X consists of three components:

  • the authenticator (which is a switch port, or in Wi-Fi would be the AP)
  • the supplicant (which is a program on the client which presents its credentials for checking)
  • the authentication server (which is the RADIUS server which either grants or denies access)

Forget about wireless for now, and consider a wired host connecting to a wired switch port to gain network access. The switch has two virtual ports: a controlled port and an uncontrolled port. The uncontrolled port only allows through the traffic required for the authentication process to take place. This traffic is Extensible Authentication Protocol (EAP) traffic. Until the client is successfully authenticated by the authentication server, only EAP traffic is allowed through the switch. Once authentication succeeds, the switch opens the controlled port and full network access is granted.

This process is virtually the same for wireless. In a wireless example, the AP plays the role of the switch with the controlled and uncontrolled virtual ports. The AP will only let EAP traffic through until authentication is successful. Along with the ‘success’ code, the RADIUS server also sends back the seeding material for encryption (a step that doesn’t take place in wired 802.1X).
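The controlled/uncontrolled port behaviour of the last three paragraphs, as an added toy model (not code from the page, and not any real supplicant, switch or RADIUS implementation). The EAPOL EtherType 0x888E is the real value used to carry EAP on a LAN; everything else here is constructed: the frames are plain dicts, `fake_authentication_server` stands in for RADIUS with a hard-coded credential table, and the "PMK" it returns is just a hash used to show that key material accompanies the success result only in the wireless case.

```python
"""Toy 802.1X authenticator: uncontrolled vs controlled port (added example)."""
import hashlib

EAPOL_ETHERTYPE = 0x888E   # EAP over LAN: the only traffic the uncontrolled port passes
IPV4_ETHERTYPE = 0x0800    # ordinary data traffic, blocked until the controlled port opens


class Authenticator:
    """A switch port (wired) or an AP (wireless). The uncontrolled port always
    passes EAPOL; the controlled port passes everything only after the
    authentication server returns success."""

    def __init__(self, wireless=False):
        self.wireless = wireless
        self.controlled_open = False
        self.pmk = None   # wireless only: key material that seeds encryption

    def forward(self, frame):
        """Return True if the port lets this frame through."""
        if frame["ethertype"] == EAPOL_ETHERTYPE:
            return True                 # uncontrolled port: auth traffic only
        return self.controlled_open     # controlled port: closed until success

    def on_server_result(self, result):
        """Apply the authentication server's decision to the port state."""
        if result["code"] == "Access-Accept":
            self.controlled_open = True
            # Only the wireless authenticator gets key material to use;
            # a wired switch port has nothing to encrypt.
            self.pmk = result.get("pmk") if self.wireless else None
        else:
            self.controlled_open = False
            self.pmk = None


# Constructed stand-in for the RADIUS server (hypothetical credentials).
CREDENTIALS = {"alice": "correct horse", "bob": "battery staple"}


def fake_authentication_server(identity, secret):
    """Grant or deny, and on success return constructed key material. The
    hash is a placeholder for what a real EAP method would derive."""
    if CREDENTIALS.get(identity) == secret:
        pmk = hashlib.sha256(f"{identity}:{secret}".encode()).digest()
        return {"code": "Access-Accept", "pmk": pmk}
    return {"code": "Access-Reject"}


def simulate(identity, secret, wireless=False):
    """Run one supplicant through the port and report what got forwarded
    before and after the server's decision."""
    port = Authenticator(wireless)
    eapol = {"ethertype": EAPOL_ETHERTYPE, "payload": b"EAP-Response/Identity"}
    data = {"ethertype": IPV4_ETHERTYPE, "payload": b"GET / HTTP/1.1"}
    before = (port.forward(eapol), port.forward(data))
    port.on_server_result(fake_authentication_server(identity, secret))
    after = (port.forward(eapol), port.forward(data))
    return {"before": before, "after": after, "pmk": port.pmk}


if __name__ == "__main__":
    print("wired, good creds   :", simulate("alice", "correct horse"))
    print("wireless, good creds:", simulate("alice", "correct horse", wireless=True))
    print("wired, bad creds    :", simulate("alice", "wrong"))
```

Before the server answers, only the EAPOL frame is forwarded and the data frame is dropped, whichever medium is modelled. After an accept, both pass; after a reject, the controlled port stays closed. Only the wireless authenticator keeps the returned key material, matching the text's point that the seeding step has no wired counterpart.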