Designing a Secure Wireless LAN with the HP-UX AAA RADIUS Server

network that is referred to as an “ad-hoc” WLAN. When a client communicates with an access
point or wired network service, it is known as an “infrastructure” WLAN. All future references to
WLAN in this document refer to infrastructure mode.
The basic WLAN is easy to set up and run, but its well-publicized vulnerabilities make it
essentially a public broadcast of LAN traffic. Enabling the basic security features that are available
with entry-level components adds a minimum level of security that is effective in protecting WLAN
traffic from the casual snooper. These security features are characteristic of network-based
security.
2.2 Wireless LAN Network-Based Security
The Basic Wireless LAN components are usually delivered with network-based security features.
These features allow network access based upon device identification, which provides entry-level
security protection and typically requires manual configuration.
2.2.1 MAC Address Filtering
Media Access Control (MAC) address filtering is a static WLAN security configuration variable,
usually resident on the access point. The administrator configures the access point with the MAC
address for every client device that will be allowed access to the network, and the access point
verifies the authenticity of the device. An example of the configuration steps for MAC address
filtering is available in Chapter 5.
There are two obvious problems with MAC address filtering. First, a MAC address can easily be
sniffed (discovered) and spoofed (impersonated), thus allowing network access to beginner-level
intruders. Second, every device MAC address must be manually configured on every access point
that could potentially be accessed.
2.2.2 WEP and Shared Secret Keys
Wired Equivalent Privacy (WEP – discussed in greater detail in Chapter 3) utilizes secret keys that
are configured and synchronized between the client and access point. Because the secret key is
statically configured on the access point, all of the clients must be configured with the same
“secret” key, and are awarded network access based upon the validity of the key; thus the key is
shared (and not very secret). As with MAC address filtering, the key is associated with the
client device itself. WEP has other problems that are evaluated later, but the shared secret key design
ultimately results in a network-based security method.
2.3 The Next Step: AAA RADIUS User-Based Security
Simply adding and configuring an AAA RADIUS Server to an existing Wireless LAN configuration
provides a very effective user-based secure solution. As opposed to a network-based solution, a
user-based solution can authenticate, authorize, and account for network access based upon
individual users, and can leverage existing user repositories or introduce new user repositories.
Also, the network access device itself can be authenticated to the user (mutual authentication -