Wireless Authentication Implementation (Windows CE 5.0)
802.1x implements port-based network access control to provide authenticated network access for Ethernet networks. Port-based network access control utilizes the physical characteristics of a switched LAN infrastructure to authenticate devices attached to a LAN port, and to prevent access to that port when the authentication fails.
A LAN port can adopt one of two roles in an access control interaction: supplicant or authenticator. The authentication server performs the authentication function to check the supplicant's credentials on behalf of the authenticator. It then responds to the authenticator, indicating whether the supplicant can access the authenticator's services. The authentication server may be a separate entity or its functions may be on the authenticator.
The port-based access control for the authenticator defines two logical access points to the LAN through a single physical LAN port.
- The first logical access point, called the uncontrolled port, allows an uncontrolled exchange between the authenticator and other systems on the LAN regardless of the system's authorization state.
- The second logical access point allows an exchange between a system on a LAN and the authenticator services only if the system is authorized.
An extension to the basic 802.1x protocol is required to allow an access point to securely identify a client computer's traffic. This is done by passing an authentication key to the client computer and the access point as part of the authentication procedure.
Only authenticated client computers may know the authentication key, which encrypts all packets sent by a client computer.
When a wireless supplicant is in range of a wireless authenticator, the following steps occur:
- The wireless authenticator issues a challenge to the wireless supplicant.
- Once the challenge is received, the supplicant sends its identity to the authenticator.
- The authenticator forwards the identity of the supplicant to the RADIUS server to initiate authentication services.
- The RADIUS server requests the credentials for the supplicant.
- Requests passing between the supplicant and the RADIUS server pass through the uncontrolled port on the authenticator because the supplicant cannot directly reach the RADIUS server. The authenticator does not allow communication through the controlled port because the supplicant does not possess an authentication key.
- The supplicant sends the credentials to the RADIUS server.
- After validating the credentials, the RADIUS server transmits an authentication key to the authenticator. The authentication key is encrypted so that only the authenticator can access it.
- The authenticator uses the authentication key received from the RADIUS server to securely transmit a per-supplicant unicast session key and a multicast/global authentication key to the supplicant.
To encrypt the global authentication key, EAP authentication must generate an encryption key as part of the authentication process.
TLS provides mutual authentication, integrity-protected cipher suite negotiation and key exchange between the two endpoints. Therefore, EAP and TLS are used for the TLS mechanisms within EAP.
Send Feedback on this topic to the authors