Solved

Wireless authentication queries

Posted on 2012-03-21
Last Modified: 2012-04-17
Hello all,

I'm just looking for a few straight answers regarding wireless authentication on WPA2 networks, since I can never seem to find a straight answer in any Cisco docs.

I would appreciate answers on any of the following:

1. When deploying WAPs in standalone mode, that is, they are configured independently, no WLC is used, but they ARE using the same SSID, so I guess they are classed as an ESS. How do clients authenticate when roaming between APs? Do the clients need to go through the whole re-authentication process when roaming to the new AP, and need new encryption key material for the new AP etc.?

2. In WPA2 mode, for authentication, I see that in infrastructure mode, when using PEAP, the authentication process is encrypted between the client and the AP / RADIUS server. My question is this... In WPA2 personal PSK mode, how is the password passed securely between the client and the AP? Is there some secure connection which is set up prior to the key being passed to the AP?

3. How is the AES session encryption key securely exchanged between the client and AP in either PSK or enterprise mode?

I understand how this type of exchange works when connecting to an SSL web server (server passes public RSA key to client, client uses this to encrypt the session keys and passes back to the server, which uses its private key to decrypt and find the session keys). I just never seem to find a good explanation of how this sort of stuff works in wireless.

Please can somebody help explain, or point me in the right direction of a good link?

Thanks in advance.
Question by:L-Plate
4 Comments
 
LVL 43

Assisted Solution

by:Jackie Man
Jackie Man earned 125 total points
ID: 37746556
The answer for your Question 2:-

Authentication in the WPA2 Personal mode, which does not require an authentication server, is performed between the client and the AP generating a 256-bit PSK from a plain-text pass phrase (from 8 to 63 characters). The PSK in conjunction with the Service Set Identifier and SSID length form the mathematical basis for the PMK (Pair-wise Master Key) to be used later in key generation.

Source: http://cs.gmu.edu/~yhwang1/INFS612/Sample_Projects/Fall_06_GPN_6_Final_Report.pdf
0
 
LVL 9

Assisted Solution

by:Lance_P
Lance_P earned 125 total points
ID: 37746806
As far as I have tested, if you have multiple APs, you need to have them ALL on the SAME SSID. But make sure that the nearby APs are on DIFFERENT channels to avoid interference.

This should work without issues. I have set up a similar network at home as well with 3 APs. No issues.

I do not see why there would be any issues with RADIUS or any security since all that matters is that the AP be set up correctly to communicate with the authentication server and that the SSID matches.
0
 
LVL 5

Assisted Solution

by:RikeR
RikeR earned 125 total points
ID: 37748098
Hi L-Plate,

1. If you configure the network to use WPA or WPA2 enterprise, the client has to re-authenticate when roaming to a different AP. The reason being that the pairwise master key is being derived from the RADIUS server. A mechanism to prevent this is called PMK-caching, which is only possible if there is some sort of intelligence gluing the access points together. In most cases this is the wireless controller.

2. When using pre-shared key authentication the PMK is already known by both parties (client and access point), calculated as Jackie Man states. Have a look at this video as it describes the process very clearly: http://www.securitytube.net/video/1905

3. How these keys are being used to feed AES is beyond my knowledge.

Good luck

/steven
0
 
LVL 44

Accepted Solution

by:Darr247
Darr247 earned 125 total points
ID: 37748377
For #3, the key is in fact never actually exchanged. Very simplified, only negotiation vectors are exchanged, and if the client doesn't already know the proper key it can't make the proper response vectors to create a secured session. Even if the exchanged negotiation packets are captured, they can't be worked backwards because they are created by mixing in a "number used once" (NONCE) rather than the passphrase by itself. Both sides take the other's challenge packet, decrypt it using what they think the key is, then create a response packet using the result. If either side has a different passphrase, the responses don't match what they're supposed to be and the session is discarded.

If the wrong key is tried more than twice in 30 seconds, the WPA2 spec makes it stop allowing new connections for 2 minutes. That limits brute force hack attempts to a maximum of 4 per minute, so it would take about 2 days for a properly constructed hacker 'bot to go through a 10,000 entry dictionary just to discover you didn't use a common passphrase (like "password" or "qwertyuiop" et cetera)... or longer if it tried 3 times in 30 seconds and got locked out from trying for 2 minutes. Keep that in the back of your mind for when the symptom shows up of not being able to connect without waiting 2 minutes. ;-)
0
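Added example, not part of any answer above and not vendor code: a simplified Python model of the WPA2-Personal key derivation (PBKDF2 over passphrase and SSID) and the first two 4-way handshake messages, showing that only nonces and a MIC cross the air while both sides derive the same AES temporal key locally. The SSID, MAC addresses and frame bytes are constructed, and the frame is a stand-in for a real EAPOL-Key frame, whose MIC is computed over the defined frame layout with the MIC field zeroed.

```python
import hashlib
import hmac
import os

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, length=48):
    """802.11i PRF: mix the PMK with both MAC addresses and both nonces.
    For CCMP the 48-byte PTK splits into KCK (16) | KEK (16) | TK (16)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    out, counter = b"", 0
    while len(out) < length:
        block = b"Pairwise key expansion\x00" + data + bytes([counter])
        out += hmac.new(pmk, block, hashlib.sha1).digest()
        counter += 1
    return out[:length]

def eapol_mic(ptk: bytes, frame: bytes) -> bytes:
    """MIC keyed with the KCK (first 16 bytes of the PTK): HMAC-SHA1 cut to 128 bits."""
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]

def handshake(ap_passphrase, client_passphrase, ssid="ExampleNet"):
    """Model messages 1 and 2. Returns (accepted, temporal_key, bytes_on_air)."""
    ap_mac = bytes.fromhex("020000000001")    # constructed, locally administered
    sta_mac = bytes.fromhex("020000000002")   # constructed, locally administered
    anonce, snonce = os.urandom(32), os.urandom(32)

    # Message 1 (AP -> client): ANonce, sent in the clear.
    # The client now has everything it needs to derive its PTK locally.
    client_ptk = derive_ptk(derive_pmk(client_passphrase, ssid),
                            ap_mac, sta_mac, anonce, snonce)

    # Message 2 (client -> AP): SNonce plus a MIC proving knowledge of the PMK.
    msg2 = b"constructed EAPOL-Key msg 2|" + snonce
    mic = eapol_mic(client_ptk, msg2)

    # The AP derives its own PTK and recomputes the MIC; a different
    # passphrase gives a different KCK, so the MIC check fails.
    ap_ptk = derive_ptk(derive_pmk(ap_passphrase, ssid),
                        ap_mac, sta_mac, anonce, snonce)
    accepted = hmac.compare_digest(mic, eapol_mic(ap_ptk, msg2))
    on_air = anonce + msg2 + mic              # everything an observer captures
    return accepted, (ap_ptk[32:48] if accepted else None), on_air
```

The fresh nonces give each association its own PTK, which is also why a client roaming to another standalone AP ends up with new key material.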
