network switch. This permits the AP to act in the role of a switch, since each
connection request may be regarded as an unauthenticated connection until
further approval by the authentication server (upon approval, the AP may
"switch on" the connection). Thus, 802.1X may be considered a standard
for port-based network access control that resides between an authentication
protocol and a LAN. Yet, in itself, it is not an authentication protocol. That
choice (of authentication algorithm and associated key management) is left to
the particular EAP authentication type (one from the list on pages 346-347).
In Diagram 9.3, we see the 802.1X protocol running between the client and
the AP for the authentication and key exchange operation. The AP is the link
between the client, using the 802.1X protocol, and the RADIUS server, running over
IP. Thus, the authentication phase is executed before an IP connection is
established between the client and the network: only 802.1X traffic is
permitted, and it is relayed solely to the RADIUS server. Once authentication
succeeds, the AP switches the client to a network connection.
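The port-based behaviour just described (EAP relayed through the AP while every other frame is dropped, the port opened only on the server's accept) is modelled in the following added example. It is not code from the original text: the class names, the use of an HMAC-SHA256 challenge-response as a stand-in for a concrete EAP method, and the "Access-Accept"/"Access-Reject" labels are assumptions; no 802.1X or RADIUS wire format is implemented, and the port is keyed by identity rather than by MAC address for brevity.

```python
"""Toy model of 802.1X port-based access control with an EAP challenge-response.

Added illustration, not from the original text. The HMAC-SHA256 challenge and
the Access-Accept / Access-Reject labels are assumptions standing in for a
real EAP method and RADIUS attributes; no wire format is implemented.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Frame kinds seen on the AP's wireless side. Only EAPOL (802.1X) frames pass
# the uncontrolled port; anything else needs the controlled port to be open.
EAPOL = "EAPOL"
IP = "IP"


@dataclass
class Frame:
    kind: str
    src: str          # identity of the sender (a MAC address in a real AP)
    payload: dict


class AuthServer:
    """Stand-in for the RADIUS server: holds per-user shared secrets (assumed)."""

    def __init__(self, users: dict):
        self.users = users       # identity -> shared secret
        self.pending = {}        # identity -> outstanding challenge nonce

    def on_identity(self, identity: str) -> dict:
        # Issue a fresh random challenge; do not reveal whether the user exists.
        nonce = os.urandom(16)
        self.pending[identity] = nonce
        return {"type": "challenge", "identity": identity, "nonce": nonce}

    def on_response(self, identity: str, tag: bytes) -> dict:
        nonce = self.pending.pop(identity, None)
        secret = self.users.get(identity)
        if nonce is None or secret is None:
            return {"type": "Access-Reject"}
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, tag)   # constant-time comparison
        return {"type": "Access-Accept" if ok else "Access-Reject"}


class Supplicant:
    """The client (Alice): answers the challenge with its shared secret."""

    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret = identity, secret

    def answer(self, nonce: bytes) -> bytes:
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()


class Authenticator:
    """The AP: relays EAP to the server and opens the port only on accept."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.port_open = set()   # identities whose controlled port is open

    def receive(self, frame: Frame) -> dict:
        if frame.kind == EAPOL:
            # Uncontrolled port: EAP is relayed even before authentication.
            msg = frame.payload
            if msg["type"] == "identity":
                return self.server.on_identity(msg["identity"])
            if msg["type"] == "response":
                reply = self.server.on_response(msg["identity"], msg["tag"])
                if reply["type"] == "Access-Accept":
                    self.port_open.add(msg["identity"])   # "switch on" the port
                return reply
            return {"type": "Access-Reject"}
        # Controlled port: non-EAPOL traffic is dropped until authenticated.
        if frame.src in self.port_open:
            return {"type": "forwarded"}
        return {"type": "dropped"}


def run_session(ap: Authenticator, supp: Supplicant) -> list:
    """Drive one exchange and return the sequence of AP replies."""
    log = [ap.receive(Frame(IP, supp.identity, {}))["type"]]   # blocked pre-auth
    chal = ap.receive(Frame(EAPOL, supp.identity,
                            {"type": "identity", "identity": supp.identity}))
    log.append(chal["type"])
    resp = {"type": "response", "identity": supp.identity,
            "tag": supp.answer(chal["nonce"])}
    log.append(ap.receive(Frame(EAPOL, supp.identity, resp))["type"])
    log.append(ap.receive(Frame(IP, supp.identity, {}))["type"])   # post-auth
    return log


if __name__ == "__main__":
    server = AuthServer({"alice": b"alice-shared-secret"})
    print(run_session(Authenticator(server), Supplicant("alice", b"alice-shared-secret")))
    print(run_session(Authenticator(server), Supplicant("alice", b"wrong-secret")))
```

The first session prints dropped, challenge, Access-Accept, forwarded; the second, with a wrong secret, ends in Access-Reject and the IP frame is still dropped, which is the point of the uncontrolled/controlled port split.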
Diagram 9.3 802.1X Protocol Illustration

  CLIENT                          AP                        RADIUS SERVER
  ------                  ----------------                  -------------
  EAP     <---- EAP ----> EAP             EAP  <---- EAP ---->    EAP
  802.1X  <-- 802.1X ---> 802.1X | Port | RADIUS <--- IP --->    RADIUS
  MAC                     MAC    |      | IP                      IP

(Between the client and the AP, EAP is carried over 802.1X on the MAC layer;
between the AP and the RADIUS server, EAP is carried inside RADIUS over IP.
The AP's port stays closed to everything but 802.1X until the server accepts.)
802.1X-EAP Authentication Process
The following is an example of how a common mode of operation for 802.1X
would operate with EAP. We assume that Alice is the client (sometimes called
the supplicant), who wishes to connect to a WLAN. The negotiation takes place
among Alice, the AP as intermediary, and the authentication server.
1. Alice requests a connection to a WLAN via the AP.
2. The AP requests an ID from Alice, and once received, it forwards this ID to
an authentication server, such as RADIUS.
3. The authentication server sends a challenge [9.19], such as a token password
scheme [9.20], for Alice to prove herself, and may send its own ID to prove itself to
9.19 See pages 197 and 198 for a description of challenge-response protocols.
9.20 For instance, RSA Security Inc. worked with Microsoft to introduce tokens called SecurID
for Microsoft Windows, which provide users with a temporary password every 60 seconds. This
“token password” is used with a secret PIN to logon to Windows.