WPA/WPA2 Authentication: Enterprise-level User – NETGEAR 108 Mbps Wireless WGT624 v3 User Manual


Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3

D-12

Wireless Networking Basics

202-10090-02 v 1.4, July 2005

WPA/WPA2 Authentication: Enterprise-level User

Authentication via 802.1x/EAP and RADIUS

Figure 4-6: WPA/WPA2 Overview

IEEE 802.1x offers an effective framework for authenticating users and controlling their traffic
into a protected network. It also provides a vehicle for distributing and dynamically changing the
data encryption keys, for example via EAP with keying material supplied by a RADIUS server. The
framework allows a central authentication server to be used, and with an EAP method that performs
mutual authentication both sides are checked: the server rejects a rogue wireless user before it
can join the network, and the client can refuse to connect through a rogue access point that does not
hold the expected server credentials.

It is important to note that 802.1x itself does not provide the actual authentication mechanism;
it only carries EAP between the wireless client (the supplicant), the access point (the
authenticator) and the authentication server. The EAP method in use, such as EAP Transport Layer
Security (EAP-TLS) or EAP Tunneled Transport Layer Security (EAP-TTLS), defines how the
authentication takes place and what the client must verify about the server.

Note: For environments with a Remote Authentication Dial-In User Service (RADIUS)
infrastructure, WPA and WPA2 support the Extensible Authentication Protocol (EAP), so each user is
authenticated individually. For environments without a RADIUS infrastructure, WPA and WPA2
support the use of a pre-shared key; in that mode every client shares the same secret, so the key
should be long and random and must be changed whenever a device or user that knew it leaves the
network.

Together, these technologies provide a framework for strong user authentication.
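The following model of the 802.1x exchange described above, and of the EAP-versus-pre-shared-key split in the note, is an added example written for this page; it is not NETGEAR code and does not come from the WGT624 firmware. It shows the three roles in Figure 4-6 (supplicant, access point as authenticator, RADIUS server) exchanging real EAPOL and EAP packet formats, with the access point's controlled port dropping all non-EAPOL traffic until the server returns EAP-Success. The EAP method is EAP-MD5 (RFC 3748 section 5.4) only because it is the simplest genuine method that can run offline; on a WPA/WPA2 network it must be replaced by a method such as EAP-TLS or EAP-TTLS that authenticates the server and derives keys. User names, passwords and frames are constructed for the example.

```python
"""802.1x/EAP port-control model: supplicant <-> access point <-> auth server.
Added illustration, not NETGEAR code.  EAP-MD5 stands in for EAP-TLS/EAP-TTLS
only because it runs offline; it derives no keys and is unsuitable for WPA."""
import hashlib
import hmac
import os
import struct

ETH_EAPOL, ETH_IP = 0x888E, 0x0800                   # Ethertypes
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2       # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_MD5 = 1, 3, 4


def eapol(ptype, body=b""):
    """EAPOL header: protocol version 1, packet type, body length."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body


def parse_eapol(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    return ptype, frame[4:4 + length]


def eap(code, ident, data=b""):
    """EAP packet: code, identifier, total length, then type and type-data."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:length]


def md5_response(ident, password, challenge):
    """EAP-MD5 value per RFC 3748: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


class RadiusServer:
    """Authentication server: owns the user table (constructed) and runs EAP."""
    def __init__(self, users):
        self.users = users      # identity -> password
        self.sessions = {}      # outstanding request identifier -> (identity, challenge)

    def handle(self, resp):
        """Take an EAP Response relayed by the access point; return the next EAP packet."""
        code, ident, data = parse_eap(resp)
        if code != EAP_RESPONSE or not data:
            return eap(EAP_FAILURE, ident)
        eap_type, payload = data[0], data[1:]
        if eap_type == EAP_TYPE_IDENTITY:
            identity = payload.decode("utf-8", "replace")
            if identity not in self.users:
                return eap(EAP_FAILURE, ident)          # unknown user: port stays closed
            challenge = os.urandom(16)
            self.sessions[ident + 1] = (identity, challenge)   # new identifier per request
            return eap(EAP_REQUEST, ident + 1, bytes([EAP_TYPE_MD5, 16]) + challenge)
        if eap_type == EAP_TYPE_MD5 and payload and ident in self.sessions:
            identity, challenge = self.sessions.pop(ident)
            value = payload[1:1 + payload[0]]
            if hmac.compare_digest(value, md5_response(ident, self.users[identity], challenge)):
                return eap(EAP_SUCCESS, ident)
        return eap(EAP_FAILURE, ident)


class Authenticator:
    """Access point with port-based access control.  EAPOL always reaches the
    EAP relay (uncontrolled port); all other frames are dropped until the
    server has returned EAP-Success, which opens the controlled port."""
    def __init__(self, server):
        self.server, self.authorized, self.forwarded = server, False, []

    def receive(self, ethertype, payload):
        """Frame from the supplicant; returns an EAPOL reply or None."""
        if ethertype != ETH_EAPOL:
            if self.authorized:
                self.forwarded.append(payload)      # reached the wired network
            return None                             # closed port: silently dropped
        ptype, body = parse_eapol(payload)
        if ptype == EAPOL_START:
            self.authorized = False
            return eapol(EAPOL_EAP, eap(EAP_REQUEST, 0, bytes([EAP_TYPE_IDENTITY])))
        if ptype == EAPOL_LOGOFF:
            self.authorized = False                 # client left: close the port again
        elif ptype == EAPOL_EAP:
            reply = self.server.handle(body)        # carried inside RADIUS in practice
            if reply[0] == EAP_SUCCESS:
                self.authorized = True
            elif reply[0] == EAP_FAILURE:
                self.authorized = False
            return eapol(EAPOL_EAP, reply)
        return None


class Supplicant:
    """Wireless client; credentials are constructed for the example."""
    def __init__(self, identity, password):
        self.identity, self.password, self.result = identity, password, None

    def respond(self, frame):
        """Answer an EAP Request; None once Success or Failure has arrived."""
        code, ident, data = parse_eap(parse_eapol(frame)[1])
        if code != EAP_REQUEST:
            self.result = code
            return None
        eap_type, payload = data[0], data[1:]
        if eap_type == EAP_TYPE_IDENTITY:
            reply = bytes([EAP_TYPE_IDENTITY]) + self.identity.encode()
        elif eap_type == EAP_TYPE_MD5:
            digest = md5_response(ident, self.password, payload[1:1 + payload[0]])
            reply = bytes([EAP_TYPE_MD5, 16]) + digest
        else:
            reply = bytes([EAP_TYPE_NAK, 0])        # method not supported
        return eapol(EAPOL_EAP, eap(EAP_RESPONSE, ident, reply))


def run_session(ap, supplicant, max_rounds=8):
    """Drive the EAPOL exchange; True when the controlled port ends up open."""
    frame = ap.receive(ETH_EAPOL, eapol(EAPOL_START))
    while frame is not None and max_rounds > 0:
        reply = supplicant.respond(frame)
        if reply is None:
            break
        frame, max_rounds = ap.receive(ETH_EAPOL, reply), max_rounds - 1
    return ap.authorized


def run_scenario(identity, password):
    """Returns (port_open, IP frames delivered before auth, delivered after auth)."""
    ap = Authenticator(RadiusServer({"alice": "correct horse battery"}))   # constructed user
    ap.receive(ETH_IP, b"constructed IP frame before authentication")
    before = len(ap.forwarded)
    opened = run_session(ap, Supplicant(identity, password))
    ap.receive(ETH_IP, b"constructed IP frame after authentication")
    return opened, before, len(ap.forwarded)


if __name__ == "__main__":
    for who, pw in (("alice", "correct horse battery"), ("alice", "guess"), ("mallory", "x")):
        print(who, run_scenario(who, pw))
```

The point to take from the model is the gating, not the hash: the IP frame sent before EAP-Success never reaches the wired side, the one sent afterwards does, and an EAPOL-Logoff closes the port again. Replacing the pre-shared key with this exchange is what makes each user individually accountable, and swapping EAP-MD5 for EAP-TLS or EAP-TTLS is what adds the server certificate check that keeps clients off a rogue access point.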

Windows XP implements 802.1x natively, and several NETGEAR switch and wireless access
point products support 802.1x.

[Figure 4-6 labels: Certificate Authority (for example Win Server, VeriSign); WPA/WPA2 enabled wireless client with "supplicant", TCP/IP ports closed until authenticated; RADIUS Server on the wired network, with optional 802.1x port-based network access control; WPA/WPA2 enabled access point using pre-shared key or 802.1x, TCP/IP ports opened after authenticated; Wireless LAN; Login; Authentication]
