If you want to understand the basics of the 802.1X/EAP concept, please refer to this.
EAP itself only defines the headers that identify the typical packets of an authentication dialog (request, challenge, success, failure). The original EAP does not describe the authentication method; the flavors of EAP do.
The different flavors of EAP, identified by different names, specify the different authentication methods (the way authentication occurs).
The most commonly used EAP types are EAP-TLS, PEAP and EAP-FAST.
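As an added example (it is not code from the original post), here is a small Python decoder for the two headers the post is talking about: the 802.1X EAPoL header that carries EAP over the wireless link, and the EAP header itself. It shows that the EAP header alone (Code, Identifier, Length) only tells you which stage of the dialog a packet belongs to, while the Type byte inside a Request or Response names the flavor (Identity, EAP-TLS, PEAP, EAP-FAST; the numbers are the IANA method assignments). The frames it decodes are constructed by hand to match the EAPoL Start, Identity request/response and Success of the step list below, plus the first EAP-TLS request; they are not captured traffic.

```python
import struct

# Constants from IEEE 802.1X (EAPOL) and RFC 3748 (EAP); method numbers
# 13/25/43 are the IANA assignments for EAP-TLS, PEAP and EAP-FAST.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}


def parse_eap(buf: bytes) -> dict:
    """Decode the EAP header (Code, Identifier, Length) and, for Request and
    Response only, the Type byte that names the method carried inside."""
    if len(buf) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError(f"bad EAP length {length} for {len(buf)} bytes")
    body = buf[4:length]
    pkt = {"code": EAP_CODES.get(code, f"code-{code}"), "id": ident,
           "method": None, "data": b""}
    if code in (1, 2):                       # Request / Response carry a Type byte
        if not body:
            raise ValueError("Request/Response without Type byte")
        pkt["method"] = EAP_METHODS.get(body[0], f"type-{body[0]}")
        pkt["data"] = body[1:]
    elif code in (3, 4):                     # Success / Failure are header only
        if body:
            raise ValueError("Success/Failure must not carry data")
    else:
        raise ValueError(f"unknown EAP code {code}")
    return pkt


def parse_eapol(frame: bytes) -> dict:
    """Decode the EAPOL header (Version, Type, Body Length). Only an EAP-Packet
    carries an EAP message; EAPOL-Start and the others have no EAP inside."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, blen = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + blen]
    if len(body) != blen:
        raise ValueError(f"EAPOL body truncated: want {blen}, have {len(body)}")
    result = {"version": version, "type": EAPOL_TYPES.get(ptype, f"type-{ptype}"),
              "eap": None}
    if ptype == 0:
        result["eap"] = parse_eap(body)
    return result


def summarize(frame: bytes) -> str:
    """One-line description such as 'EAP Response/Identity id=1 alice'."""
    p = parse_eapol(frame)
    if p["eap"] is None:
        return p["type"]
    e = p["eap"]
    line = f"EAP {e['code']}"
    if e["method"]:
        line += f"/{e['method']}"
    line += f" id={e['id']}"
    if e["method"] == "Identity" and e["code"] == "Response":
        line += " " + e["data"].decode("utf-8", "replace")
    return line


# Constructed frames (EAPOL version 2), hand-built for this example, not captured.
FRAMES = {
    "step05_start": bytes.fromhex("02 01 0000"),
    "step06_req_identity": bytes.fromhex("02 00 0005 01 01 0005 01"),
    "step07_resp_identity": bytes.fromhex("02 00 000a 02 01 000a 01") + b"alice",
    "req_eap_tls_start": bytes.fromhex("02 00 0006 01 02 0006 0d 20"),  # flags: S bit
    "success": bytes.fromhex("02 00 0004 03 02 0004"),
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name:24s} {summarize(frame)}")
```

The length checks matter in practice: a supplicant or authenticator that trusts the Length field without comparing it against the bytes actually received is the classic source of out-of-bounds reads in EAP parsers, so the decoder rejects any frame whose declared length and real length disagree.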
EAP-TLS
EAP-TLS (Transport Layer Security) is an authentication mechanism that relies on certificates. Key pairs (certificate & private key) are installed on the clients and on the RADIUS server.
Note:-
A certificate is a public key that has been verified and signed by a trusted certificate authority.
The first four steps are common to any EAP method (they establish basic wireless connectivity).
(01) The client sends an 802.11 Open Authentication Request
(02) The AP sends an 802.11 Open Authentication Response
(03) The client then sends the Association Request
(04) AP sends Association Response
At this point the AP blocks all traffic from the supplicant until authentication completes.
(05) The client sends the EAPoL Start (this is optional)
(06) AP/WLC continues with an EAP message requesting the Supplicant Identity (username)
(07) The client sends its Identity to AP/WLC
(08) AP/WLC forwards the Supplicant Identity to the RADIUS server
(09) The RADIUS server sends its certificate to the client through AP/WLC
(10) The client verifies the server certificate and sends its own certificate to the RADIUS server
Now both the client and the RADIUS server have a way to encrypt the messages they exchange. They use this secure connection to agree on how to derive the main encryption key for the client's traffic. This key is called the Pairwise Master Key (PMK).
(11) RADIUS server & client generate the PMK (Pairwise Master Key)
(12) RADIUS server forwards the PMK to the WLC with an authentication success message
(13) The WLC uses the PMK to generate the encryption keys for the client's traffic
Note:-
The RADIUS server does not keep the PMK; it generates it and hands it over to the WLC. The client also generates the PMK, and it is identical to the one generated by the authentication server.
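The note above (both sides end up with the same PMK without it ever crossing the air) is easy to see in code. The following Python is an added example, not code from the original post: it carries out the RFC 5216 key derivation for EAP-TLS assuming a TLS 1.2 handshake, where the TLS PRF is P_SHA256. Both the client and the RADIUS server hold the TLS master secret and the two handshake randoms, so each expands them into the same 128 bytes of key material; the MSK is the first 64 bytes and the PMK is the first 32 bytes of that. The RADIUS server then ships the MSK halves to the WLC inside the Access-Accept as the MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes, and the WLC takes the Recv-Key as the PMK. The master secret and randoms below are fixed, constructed values so the run is repeatable; a real handshake produces fresh random ones. (EAP-TLS over TLS 1.3, RFC 9190, derives the same MSK/EMSK through the TLS exporter instead of this PRF; the "identical on both sides" property is unchanged.)

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5:
    A(0) = seed, A(i) = HMAC_SHA256(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ... truncated."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF = P_SHA256(secret, label || seed)."""
    return p_sha256(secret, label + seed, length)


def eap_tls_key_material(master_secret: bytes, client_random: bytes,
                         server_random: bytes) -> dict:
    """RFC 5216 section 2.3 (TLS 1.2 PRF assumed):
    Key_Material = PRF(master_secret, "client EAP encryption",
                       client.random || server.random), 128 bytes
    MSK = Key_Material[0:64], EMSK = Key_Material[64:128]
    The 802.11 PMK is the first 256 bits (32 bytes) of the MSK."""
    if len(master_secret) != 48 or len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS 1.2 master secret is 48 bytes, each random 32 bytes")
    km = tls12_prf(master_secret, b"client EAP encryption",
                   client_random + server_random, 128)
    return {"msk": km[:64], "emsk": km[64:128], "pmk": km[:32]}


def radius_access_accept_keys(msk: bytes) -> dict:
    """Step 12: the RADIUS server puts the two MSK halves into the Access-Accept
    as the vendor-specific MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes."""
    return {"MS-MPPE-Recv-Key": msk[:32], "MS-MPPE-Send-Key": msk[32:64]}


def wlc_pmk_from_accept(attrs: dict) -> bytes:
    """Step 13: the WLC uses MS-MPPE-Recv-Key as the PMK."""
    return attrs["MS-MPPE-Recv-Key"]


def simulate(master_secret: bytes, client_random: bytes, server_random: bytes):
    """Each end of the TLS tunnel derives from its own copy of the secrets;
    returns (PMK computed by the client, PMK the WLC received from RADIUS)."""
    client_pmk = eap_tls_key_material(master_secret, client_random, server_random)["pmk"]
    server_msk = eap_tls_key_material(master_secret, client_random, server_random)["msk"]
    wlc_pmk = wlc_pmk_from_accept(radius_access_accept_keys(server_msk))
    return client_pmk, wlc_pmk


# Constructed, fixed values for a repeatable run; a real handshake makes fresh random ones.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = bytes(range(100, 132))
SERVER_RANDOM = bytes(range(200, 232))

if __name__ == "__main__":
    client_pmk, wlc_pmk = simulate(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    print("client PMK:", client_pmk.hex())
    print("WLC PMK:   ", wlc_pmk.hex())
    print("identical: ", client_pmk == wlc_pmk)
```

Because the PMK is a deterministic function of secrets that never leave the two TLS endpoints, there is nothing to exchange or compare at this stage; if either side used a different random or master secret its PMK would simply differ, and that would only show up when the keys are first put to use in the WPA/WPA2 handshake that follows.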
At this point the work of EAP-TLS is done. But in the real world (WPA/WPA2) there are some more steps to go through to secure the client's traffic. I will describe them in a later post about WPA/WPA2.
Note:-
EAP-TLS is a very secure authentication method, but a certificate needs to be installed on each client, so it is not widely used as enterprises move towards BYOD.
Once the PMKs are generated, do the RADIUS server and client compare to check they are the same?