802.1x with Shared Key Authentication, Kerberos Authentication – Symbol Technologies WS 2000 User Manual


The pairwise master key (PMK) produced by this negotiation is used to derive the keys that
encrypt traffic at the MAC layer. In the absence of a RADIUS server, 802.1x is used in a
pre-shared key configuration, in which the administrator configures the master key statically
on the switch. Otherwise the key is obtained through negotiation with an external RADIUS
server in compliance with 802.1x.

The WS 2000 Wireless Switch uses the Remote Authentication Dial-In User Service
(RADIUS) to authenticate 802.1x-enabled MUs.

802.1x with Shared Key Authentication

Shared key authentication, part of the Wired Equivalent Privacy (WEP) algorithm, provides a
basic means of access control and data encryption for a Wireless LAN (WLAN). WEP encrypts
and decrypts frames with the RC4 stream cipher, keyed with the shared key and a per-frame
initialization vector (IV). A wireless device with a valid shared key is allowed to associate
with the WS 2000 Wireless Switch and access services on the wired LAN.

Using shared key authentication, an administrator configures mobile units (MUs) and the
WS 2000 Wireless Switch to share the same key. The MU authenticates by proving that it
holds the key, in the challenge-response exchange defined by IEEE 802.11: the switch sends
the MU a random 128-byte challenge text in the clear, the MU returns that challenge
WEP-encrypted under the shared key (together with its CRC-32 integrity check value), and the
switch decrypts the response with its own copy of the key and compares the result with the
challenge it sent. The MU is granted access to network services only when the decrypted
challenge matches and its integrity check value is valid.

Note that this exchange hands any eavesdropper a plaintext and its ciphertext, and therefore
the RC4 keystream for that IV, and that practical WEP key recovery attacks have been public
since 2001. Treat shared key authentication as a compatibility option for legacy MUs rather
than as a security control.

The WS 2000 Wireless Switch uses shared key authentication when there is no RADIUS
server on the wired LAN.
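The challenge-response exchange described above, simulated end to end in Python as an added example (this is not Symbol's code and not the WS 2000 implementation). WEP encapsulation follows IEEE 802.11-1999: a 24-bit IV prepended to a 40-bit key seeds RC4, and the plaintext carries a CRC-32 integrity check value (ICV). The key, IV and challenge values are constructed for the demo. The last two functions show the caveat from the text: whoever captures frames 2 and 3 learns 132 bytes of keystream for that IV and can answer a later challenge under the same IV without ever knowing the key.

```python
"""Added example (not Symbol's code): IEEE 802.11 shared key authentication
simulated end to end, including what an eavesdropper learns from it."""
import os
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XORed over data (encryption and decryption are the same operation)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP encapsulation: ICV = CRC-32(plaintext); RC4 keyed with IV||key over plaintext||ICV.
    Returns iv || ciphertext (the key-ID byte is omitted for brevity)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + shared_key, plaintext + icv)


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Returns the plaintext, or None if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + shared_key, body)
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None
    return data


def shared_key_auth(ap_key: bytes, mu_key: bytes, challenge=None, iv=None):
    """Four-frame exchange between an MU and the switch (AP side).
    Returns (success, challenge, frame3); the last two are what an eavesdropper sees."""
    challenge = challenge or os.urandom(128)  # frame 2: AP -> MU, 128-byte challenge in the clear
    iv = iv or os.urandom(3)                  # frame 1 (auth request) carries no secret, not modeled
    frame3 = wep_encrypt(mu_key, iv, challenge)   # frame 3: MU -> AP, challenge encrypted with MU's key
    success = wep_decrypt(ap_key, frame3) == challenge  # frame 4: AP decrypts with its key and compares
    return success, challenge, frame3


def recover_keystream(challenge: bytes, frame3: bytes):
    """Eavesdropper: known plaintext (challenge || ICV) XOR ciphertext = RC4 keystream for this IV."""
    iv, body = frame3[:3], frame3[3:]
    known = challenge + zlib.crc32(challenge).to_bytes(4, "little")
    keystream = bytes(a ^ b for a, b in zip(known, body))
    return iv, keystream


def forge_auth(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Attacker answers a later challenge under the same IV without knowing the key."""
    plain = new_challenge + zlib.crc32(new_challenge).to_bytes(4, "little")
    return iv + bytes(a ^ b for a, b in zip(plain, keystream))


if __name__ == "__main__":
    key = bytes([0x01, 0x02, 0x03, 0x04, 0x05])      # constructed 40-bit WEP key
    ok, ch, f3 = shared_key_auth(key, key)
    print("legitimate MU authenticated:", ok)
    print("MU with wrong key authenticated:", shared_key_auth(key, bytes(5))[0])
    iv, ks = recover_keystream(ch, f3)
    forged = forge_auth(iv, ks, bytes(range(128)))
    print("attacker without the key authenticated:", wep_decrypt(key, forged) == bytes(range(128)))
```

The forgery works because WEP reuses the same RC4 keystream whenever the same IV is paired with the same key, and nothing in shared key authentication binds the response to a fresh IV. Open system authentication with WEP at least does not volunteer a keystream sample on every association.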

Kerberos Authentication

The Kerberos authentication service protocol (specified in RFC 1510, since superseded by
RFC 4120) provides a secure means for authenticating users and clients in a wireless network
environment.

With Kerberos, a client (generally either a user, a service, or a user requesting any number
of network services) within the Kerberos Realm sends a request for a ticket to the Key
Distribution Center (KDC). The KDC creates a ticket-granting ticket (TGT) for the client,
encrypts it using the Ticket Granting Server's (TGS) secret key, and sends the encrypted
TGT back to the client. In addition to the TGT, the KDC simultaneously sends the client a
session key (SK1) encrypted with a key derived from the client's password. The client then
attempts to decrypt the session key using its password. If the client successfully decrypts
the session key (that is, if it holds the correct password), it keeps the decrypted session key,
which serves as its proof of identity toward the TGS. The client never decrypts the TGT
itself; only the TGS can. The TGT permits the client to obtain additional tickets (TK-TS),
which grant access to specific network services (any application or service) for the allotted
time identified in the TK-TS. The requesting and granting of these additional tickets is
transparent to the user. Once the session tickets expire, the client must re-authenticate to
continue using network services.
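The AS and TGS exchanges described in the paragraph above, as an added example in Python (not Symbol's code, and not the Kerberos wire format or any real Kerberos encryption type): a toy HMAC-SHA256 authenticated encryption stands in for Kerberos' encryption, and the realm name, principal names, passwords, the LIFETIME and MAX_SKEW constants and the service names are all constructed for the demo. Master/Slave KDC replication is not modeled. What it makes concrete is that the client never sees inside the TGT, proves its password only by successfully unsealing SK1, and is refused further service tickets once the TGT expires.

```python
"""Added example (not Symbol's code): miniature Kerberos-style AS and TGS exchanges.
Toy authenticated encryption and fixed lifetimes stand in for real Kerberos etypes."""
import hashlib
import hmac
import json
import os

LIFETIME = 8 * 3600   # ticket lifetime in seconds (assumed value)
MAX_SKEW = 300        # tolerated authenticator clock skew in seconds (assumed value)


def derive_key(password: str, salt: bytes = b"EXAMPLE.REALM") -> bytes:
    """Client long-term key from the password (simplified string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256")
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (assumed primitive): nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.digest(key, b"tag" + nonce + ct, "sha256")
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Returns the dict, or None when the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, b"tag" + nonce + ct, "sha256")):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Master KDC: principal database plus Authentication Server and Ticket Granting Server."""

    def __init__(self, users: dict):
        self.db = {name: derive_key(pw) for name, pw in users.items()}  # name -> long-term key
        self.tgs_key = os.urandom(32)          # secret known only to the KDC/TGS
        self.service_keys = {}

    def register_service(self, name: str) -> bytes:
        """Service principal key, shared between the KDC and the service."""
        self.service_keys[name] = os.urandom(32)
        return self.service_keys[name]

    def as_exchange(self, client: str, now: int):
        """AS-REQ/AS-REP: TGT sealed under the TGS key, session key SK1 under the client's key."""
        if client not in self.db:
            return None
        sk1 = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "sk1": sk1, "expires": now + LIFETIME})
        enc_sk1 = seal(self.db[client], {"sk1": sk1, "expires": now + LIFETIME})
        return tgt, enc_sk1

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ/TGS-REP: check TGT and authenticator, then issue a service ticket (TK-TS)."""
        t = unseal(self.tgs_key, tgt)
        if t is None or now >= t["expires"] or service not in self.service_keys:
            return None                         # forged or expired TGT: client must re-authenticate
        sk1 = bytes.fromhex(t["sk1"])
        auth = unseal(sk1, authenticator)      # only a holder of SK1 can have built this
        if auth is None or auth["client"] != t["client"] or abs(now - auth["time"]) > MAX_SKEW:
            return None
        sk2 = os.urandom(32).hex()
        ticket = seal(self.service_keys[service],
                      {"client": t["client"], "sk2": sk2, "expires": now + LIFETIME})
        return ticket, seal(sk1, {"service": service, "sk2": sk2})


def client_login(kdc: KDC, user: str, password: str, now: int):
    """Client side of the AS exchange. Returns (tgt, sk1), or None on a wrong password."""
    rep = kdc.as_exchange(user, now)
    if rep is None:
        return None
    tgt, enc_sk1 = rep
    sk1_msg = unseal(derive_key(password), enc_sk1)  # fails unless the password is right
    return None if sk1_msg is None else (tgt, bytes.fromhex(sk1_msg["sk1"]))


def client_get_service_ticket(kdc: KDC, user: str, tgt: bytes, sk1: bytes,
                              service: str, now: int):
    """Client side of the TGS exchange. Returns (ticket, sk2), or None if refused."""
    authenticator = seal(sk1, {"client": user, "time": now})
    rep = kdc.tgs_exchange(tgt, authenticator, service, now)
    if rep is None:
        return None
    ticket, enc = rep
    return ticket, bytes.fromhex(unseal(sk1, enc)["sk2"])
```

Run it by constructing a `KDC({"alice": "..."})`, registering a service, calling `client_login` and then `client_get_service_ticket`; pass a `now` past `LIFETIME` to see the TGS refuse the expired TGT, which is the point at which a real client must re-authenticate.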

The KDC operates in a Master or a Slave capacity. The Master KDC maintains the master
database file that contains all of the user authentication information. This information
includes the user’s name, password, and authorization level. This authorization level
determines what network services the user has access to.

The Slave KDC acts in a backup capacity to the Master KDC. Database information
propagates from the Master KDC to the Slave at regular intervals. If the Master KDC fails,
the Slave KDC takes over ticket granting services until the problem causing the Master KDC
to fail is resolved. The Slave KDC has no database administration privileges, which are
reserved for the Master KDC.

Copyright © 2004 Symbol Technologies, Inc. All Rights Reserved


WS 2000 Wireless Switch 1.0. Date of last revision: March 2004