NETGEAR ME103 User Manual

Page 81

background image

Reference Manual for the ME103 802.11b ProSafe Wireless Access Point

Wireless Networking Basics


August 2003

Initial 802.1x communications begin with an unauthenticated supplicant (i.e., client device)
attempting to connect with an authenticator (i.e., 802.11 access point). The access point responds
by enabling a port for passing only EAP packets from the client to an authentication server located
on the wired side of the access point. The access point blocks all other traffic, such as HTTP,
DHCP, and POP3 packets, until the access point can verify the client's identity using an
authentication server (e.g., RADIUS). Once authenticated, the access point opens the client's port
for other types of traffic.

The basic 802.1x protocol provides effective authentication and can offering dynamic key
management using 802.1x as a delivery mechanism. If configured to implement dynamic key
exchange, the 802.1x authentication server can return session keys to the access point along with
the accept message. The access point uses the session keys to build, sign and encrypt an EAP key
message that is sent to the client immediately after sending the success message. The client can
then use contents of the key message to define applicable encryption keys. In typical 802.1x
implementations, the client can automatically change encryption keys as often as necessary to
minimize the possibility of eavesdroppers having enough time to crack the key in current use.

It's important to note that 802.1x doesn't provide the actual authentication mechanisms. When
using 802.1x, you need to choose an EAP type, such as Transport Layer Security (EAP-TLS) or
EAP Tunneled Transport Layer Security (EAP-TTLS), which defines how the authentication takes

The important part to know at this point is that the software supporting the specific EAP type
resides on the authentication server and within the operating system or application software on the
client devices. The access point acts as a “pass through” for 802.1x messages, which means that
you can specify any EAP type without needing to upgrade an 802.1x-compliant access point. As a
result, you can update the EAP authentication type as newer types become available and your
requirements for security change.