WPA/WPA2 offers 2 authentication mechanisms:
(1) A Personal Mode using Pre-Shared Keys (PSK) for smaller networks.
(2) An Enterprise Mode using 802.1X/EAP and authenticating users through a RADIUS server.
To learn how 802.1X/EAP works, go here.
To learn how EAP-PEAP (another famous EAP method) works, go here.
In both cases a PMK (Pairwise Master Key) is generated. The RADIUS server passes the PMK to the WLC. In Personal Mode, the PSK is the PMK.
A 4-way handshake then occurs between the client and the WLC. This phase is used to confirm that both sides hold the same PMK and to validate the security parameters that were negotiated during the authentication phase. It is also used to generate another key, the PTK (Pairwise Transient Key), which serves as the base for deriving the encryption keys; these keys change at regular intervals.
The WLC keeps the PMK and sends the PTK to the AP.
At this point each client has an individual, changing key, so broadcast frames to the devices in the same cell cannot be sent with it. For this reason, another key named GTK (Group Transient Key) is derived from a key called GMK (Groupwise Master Key), which is generated on the AP/WLC. This GTK is encrypted using the client's individual encryption key and sent to the client during the 4-way handshake.
Every time a client leaves the cell, and at regular intervals, the AP/WLC generates a new GTK and distributes it to the clients in the cell. The new GTK is sent encrypted (using each client's individual encryption key) through a 2-way handshake. This is also called "broadcast key rotation".
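The key derivation the handshake relies on, as an added example that is not part of the original post: Personal Mode turns the passphrase into the PSK/PMK, both sides expand the PMK plus the two nonces into the PTK, and the authenticator checks the supplicant's EAPOL-Key MIC with the KCK to confirm the PMK is shared. The SSID, passphrase, MAC addresses, nonces and EAPOL-Key body are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the page): a WPA2-Personal network.
SSID = b"example-wlan"
PASSPHRASE = b"correct horse battery staple"
AP_MAC = bytes.fromhex("001122334455")   # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")  # supplicant address (SPA)
ANONCE = bytes(range(32))                # nonces are random in practice;
SNONCE = bytes(range(32, 64))            # fixed here so the result is repeatable


def pmk_from_psk(passphrase: bytes, ssid: bytes) -> bytes:
    """Personal Mode: the 256-bit PSK, used directly as the PMK, is PBKDF2-HMAC-SHA1 of the passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """PRF-512 from IEEE 802.11i: concatenated HMAC-SHA1 blocks, truncated to 64 bytes."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and of the nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """WPA2 (key descriptor version 2) Key MIC: first 16 bytes of HMAC-SHA1 under the KCK."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def handshake_confirms_pmk(pmk_ap: bytes, pmk_sta: bytes) -> bool:
    """Simulate message 2 of the 4-way handshake: the supplicant derives its PTK and
    signs an EAPOL-Key frame with the KCK (first 16 bytes of the PTK); the
    authenticator derives the PTK from its own PMK and checks the MIC. A mismatch
    means the two sides do not share the same PMK (e.g. a wrong passphrase)."""
    ptk_sta = derive_ptk(pmk_sta, AP_MAC, STA_MAC, ANONCE, SNONCE)
    frame = b"\x02\x03\x00\x75" + SNONCE + b"\x00" * 16  # constructed EAPOL-Key body, MIC field zeroed
    mic = eapol_mic(ptk_sta[:16], frame)
    ptk_ap = derive_ptk(pmk_ap, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return hmac.compare_digest(mic, eapol_mic(ptk_ap[:16], frame))


if __name__ == "__main__":
    pmk = pmk_from_psk(PASSPHRASE, SSID)
    print("shared PMK    ->", handshake_confirms_pmk(pmk, pmk))         # True
    print("different PMK ->", handshake_confirms_pmk(pmk, bytes(32)))   # False
```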
The following are the important steps of WPA Enterprise Mode authentication using PEAP as the EAP type.
Here you can see those steps in an actual packet capture of a WPA2 authentication using PEAP as the EAP type. Download the pcap from here.
Note that the DHCP process starts after the authentication is done.