A problem about 802.11i authentication
andilei
01-13-2003, 04:48 AM
:confused:
I am a student doing some reading on WLAN security. Now I have a question about IEEE 802.11i authentication.
In 802.11i, IEEE 802.1x and EAP-TLS can be used in authentication. The PMK in key derivation is generated by the STA and Authentication Server separately. But the PMK is derived from EAP master secret, which is shared by the supplicant and authentication server. But I did not find in RFC 2716 how to get the master secret and how it is shared between the supplicant and authentication server.
So where can I find the specification about the master secret? Is it vendor specified?
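Added example, not part of the original post or of any vendor's code: in EAP-TLS the master secret is the one the TLS handshake itself establishes (RFC 2246), and RFC 2716 expands it with the TLS PRF under the label "client EAP encryption"; the PMK is the first 32 octets of that output. The function names and the secret and random values below are constructed for illustration; in a real exchange they come from the TLS key exchange and the ClientHello/ServerHello.

```python
import hashlib
import hmac


def p_hash(digest, secret, seed, length):
    """P_hash data expansion from RFC 2246, section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA-1 over the second."""
    half = (len(secret) + 1) // 2
    md5 = p_hash(hashlib.md5, secret[:half], label + seed, length)
    sha1 = p_hash(hashlib.sha1, secret[len(secret) - half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))


def derive_pmk(master_secret, client_random, server_random):
    """Hypothetical helper: EAP-TLS key expansion, then the first 256 bits as the PMK."""
    key_material = tls10_prf(master_secret, b"client EAP encryption",
                             client_random + server_random, 64)
    return key_material[:32]


# Constructed sample values (not from any capture).
MASTER_SECRET = bytes(range(48))      # TLS master secret is always 48 octets
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32


def both_sides():
    """Supplicant and authentication server derive the PMK independently."""
    sta_pmk = derive_pmk(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    as_pmk = derive_pmk(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    return sta_pmk, as_pmk


if __name__ == "__main__":
    sta_pmk, as_pmk = both_sides()
    print("PMK (STA):", sta_pmk.hex())
    print("match:", hmac.compare_digest(sta_pmk, as_pmk))
```

The PMK never crosses the air: each side computes it locally, and the authentication server hands its copy to the AP over the RADIUS link.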
erkkula78
01-17-2003, 03:59 AM
I also have a question concerning the IEEE 802.11i authentication.
I know that the 802.11i uses the IEEE 802.1X together with EAP to authenticate the wireless station. But if I have understood correctly, the station must be associated with the AP before the 802.1X protocol exchange can take place. And in order to associate, the station must be authenticated. So, how is this possible?
My guess would be:
1. STA authenticates to AP with open system or shared key authentication. (802.11)
2. After successful authentication, STA associates with AP. (802.11)
3. IEEE 802.1X authentication starts. (802.11i)
Is this how it goes?
Thanks in advance!
vosheje
01-23-2003, 12:54 AM
The successful 802.1x-EAP client authentication model works as follows:
1. The client requests association with the AP
2. The AP replies to the association request with an EAP identity request
3. The client sends an EAP identity response to the AP
4. The client's EAP identity response is forwarded to the authentication server
5. The authentication server sends an authorization request to the AP
6. The AP forwards the authorization request to the client
7. The client sends the EAP authorization response to the AP
8. The AP forwards the EAP authorization response to the authentication server
9. The authentication server sends an EAP success message to the AP
10. The AP forwards the EAP success message to the client and places the client's port in forward mode.
Whew!
erkkula78
01-23-2003, 02:38 AM
Hi, I know the 802.1X authentication exchange, but what happens before the client requests association?
In IEEE 802.11 standard there is a state machine that describes that the station must be authenticated before it can request association (Association request is a Class 2 frame). Is open system or shared key authentication used in order to make association possible? And after that steps 1 to 10 as Vosheje described?
andilei
01-23-2003, 03:46 AM
802.11i uses only open system authentication before the STA associates with the AP, because of the security flaw of shared key authentication.
But the 802.11i protocol says security parameters are negotiated during association. Who can tell me what in detail is negotiated? Authentication and encryption ciphers? I think they are negotiated during 802.1X-EAP exchanges.
jammerdjc
01-23-2003, 12:26 PM
erkkula78,
vosheje is correct with the data flow. I’m not sure where you’re reading that the association occurs following authentication, but that’s not correct. Association is the initial connection phase and is in itself a trivial state that is followed by negotiations of security (802.1x and eventually more sophisticated security as standards are finalized) and authorization.
If you can provide a pointer to where you read that association occurs after authentication, perhaps we can clarify what was being described.
jammerdjc
01-23-2003, 12:29 PM
andilei,
It really depends on what security is being set up. You are correct that this occurs in the 802.1x EAP exchange. What you are looking for can be located in that specification. There are a number of different parameters that can be exchanged, so looking to the spec would be the best place for you to start.
andilei
01-23-2003, 08:17 PM
jammerdjc:
Can you tell me some site to find the detailed specification?
I have read IEEE 802.11, IEEE 802.11i, RFC 2284, RFC 2716 and IEEE 802.1X, but can't find the detailed description. :(
jammerdjc
01-23-2003, 08:26 PM
I found information about the specific contents for the currently standardized EAP at http://standards.ieee.org/getieee802/download/802.1X-2001.pdf
Just look in Section 7. If you are looking for AES information, that's still a work in progress and you must join the IEEE organization and pay for access to the data. Odds are that with some looking around you can find more information. I have read several documents on AES (I know of one from Inari and another from the NIST).
For the NIST document try http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
A word of warning, the actual implementation is not there for the wireless scenario as this is more of a general AES document.
erkkula78
01-27-2003, 07:37 AM
jammerdjc:
In the IEEE 802.11 standard Chapter 5.5:
"
State 1: Initial start state, unauthenticated, unassociated
State 2: Authenticated, not associated
State 3: Authenticated and associated
"
So, I guess that in order to authenticate using the 802.1X authentication framework, the station must first perform authentication using open system authentication (or shared key?) followed by association. And after that start the 802.1X authentication with EAPOL-Start (sent by supplicant) or EAP-Request/Identity (sent by authenticator).
Am I missing something?
jammerdjc
01-27-2003, 12:26 PM
OK, I think I see the confusion. I haven't considered the initial state as actually authenticated as the 802.11 spec describes it. The authentication that it's talking about before association is more of an identification at a layer 2 level than anything else. There are no real access or privilege levels at this stage. There is higher level authentication that does not begin until after the association occurs. Some of this is the perspective that you are looking at things. The spec we’re talking about is a layer 2 fringing in higher layers.
My perspective is that I consider true authentication to occur where authorization and access are established. That follows the association phase (so we’re effectively talking about 2 levels of authorization). Have I sufficiently confused you yet?
erkkula78
01-28-2003, 02:39 AM
jammerdjc,
I agree with you. I just wanted to know are the first two steps described in my first post necessary when using 802.1X authentication. And it seems that they are.
It's true that the "real" authentication starts after the STA has associated to the AP, and the access to the network resources (via authenticator's controlled port) is obtained after the 802.1X/EAP conversation is successfully terminated.
Thanks for your help!
jammerdjc
03-04-2003, 12:29 PM
Actually they are by 802.11. HOWEVER, many implementations use no authentication for 802.11 when 802.1x is in use. So, the process is done, but very much in a perfunctory manner.
(sorry for the late reply, for some reason I just now got email that you had posted your reply on 1-27)
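Added example, not part of any post in the thread: a small model of the ordering the thread settles on, combining the 802.11 state machine (a class N frame needs state N or higher) with the 802.1X controlled port, replayed over a constructed frame trace. The `AccessPoint` class, the event names and the station label are hypothetical.

```python
# Frame class required by the 802.11 state machine (class N needs state >= N).
# EAPOL frames travel as data frames, so they are class 3.
FRAME_CLASS = {"auth_open": 1, "assoc_req": 2, "eapol": 3, "data": 3}


class AccessPoint:
    def __init__(self):
        self.state = {}          # station -> 802.11 state (1, 2 or 3)
        self.authorized = set()  # stations whose 802.1X controlled port is open

    def receive(self, sta, frame):
        state = self.state.get(sta, 1)
        needed = FRAME_CLASS[frame]
        if needed > state:
            return f"drop: class {needed} frame in state {state}"
        if frame == "auth_open":
            self.state[sta] = max(state, 2)
            return "ok: state 2, authenticated, not associated"
        if frame == "assoc_req":
            self.state[sta] = 3
            self.authorized.discard(sta)   # a new association starts unauthorized
            return "ok: state 3, associated, controlled port closed"
        if frame == "eapol":
            return "ok: relayed to authentication server via uncontrolled port"
        if sta not in self.authorized:
            return "drop: controlled port not authorized"
        return "ok: data forwarded"

    def eap_success(self, sta):
        """EAP-Success from the authentication server opens the controlled port."""
        if self.state.get(sta, 1) != 3:
            return "drop: EAP-Success for a station that is not associated"
        self.authorized.add(sta)
        return "ok: controlled port authorized"


def replay(trace):
    ap = AccessPoint()
    return [ap.eap_success(sta) if event == "eap_success" else ap.receive(sta, event)
            for sta, event in trace]


# Constructed trace: association before open-system authentication is refused,
# and data is refused until the 802.1X exchange has succeeded.
TRACE = [("sta1", "assoc_req"), ("sta1", "auth_open"), ("sta1", "assoc_req"),
         ("sta1", "data"), ("sta1", "eapol"), ("sta1", "eap_success"),
         ("sta1", "data")]

if __name__ == "__main__":
    for (sta, event), result in zip(TRACE, replay(TRACE)):
        print(f"{sta} {event:12s} -> {result}")
```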