Security Solutions

Access Control Concepts
Network Access Control Technologies
RADIUS-PAP and RADIUS-CHAP, while not very secure, are more secure than
simple PAP and CHAP. For example, a PEP and a RADIUS server have a shared
secret, which authenticates their messages to each other. The PEP also
encrypts PAP passwords with this secret, lending a limited degree of security
to PAP.
In addition to PAP and CHAP, the RADIUS protocol works with EAP. The EAP
AVP contains an entire EAP packet, allowing a PEP to shuttle EAP messages
between the supplicant and the RADIUS server within RADIUS packets.
802.1X relies on RADIUS and EAP.
Wireless Authentication
Authentication protocols and access control methods are more or less
standardized; they function similarly whether implemented on an Ethernet port,
a PPP connection, or a wireless (802.11) association. This does not mean,
however, that the connection type is irrelevant to the design. Characteristics
of a wireless network—particularly its open, shared medium—create
vulnerabilities that you must factor into your design. This section equips you with
the necessary knowledge about wireless technologies and protocols.
802.11
IEEE 802.11 is the Physical and Data-Link Layer standard for wireless
connections. While most specifications in this standard are irrelevant to access
control, you should understand how an 802.11 endpoint connects to a
wireless AP.
1. The endpoint sends an 802.11 authentication request. (This request is
sometimes referred to as the association request.)
2. The AP sends an 802.11 authentication success response.
Note: The AP always allows 802.11 authentication to succeed because it should
enforce open authentication. When 802.11 was first adopted, it defined
another option: shared-key authentication, which required wireless users
to enter the correct password (actually, an encryption key). However, this
authentication method included several major flaws and has since been
deprecated.
3. The endpoint sends an 802.11 association request.