Security Solutions
1-31
Access Control Concepts
Network Access Control Technologies
4. The AP sends an 802.11 association response and, if the response is “success”, the association comes up.
The AP usually sends an association success response. However, if the AP implements MAC-Auth, it first extracts the MAC address from the association request and forwards it in an access request to a RADIUS server. The AP then sends a success or failure response depending on whether the RADIUS server accepts or rejects the request.
5. An active association is much like a connected Ethernet port. Unless a specific access control mechanism is enforced, the endpoint can send and receive any data.
The 802.11i amendment to the standard requires just such a mechanism: 802.1X. In addition, encryption keys, while not part of a formal authentication scheme, can act as de facto access controls. In fact, these keys are commonly called passwords.
Static Wired Equivalent Privacy (WEP)
WEP was designed to deliver the privacy of a wired connection to the shared wireless medium. It both protects users’ data and offers a measure of access control.
To protect data from eavesdroppers, the AP and wireless endpoints encrypt all traffic with the same shared key.
If a user specifies the wrong encryption key on his or her endpoint, the AP discovers the problem when it decrypts the traffic, because the decrypted frames fail their integrity check. It drops the traffic silently, effectively cutting off the user’s access.
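To show how the AP detects a wrong key, here is an added example (not part of the course material) that models WEP's shared-key encryption in Python: RC4 seeded with IV || key, a CRC-32 integrity check value (ICV), and an AP that silently drops any frame whose ICV does not verify. The key, IV and frame contents are constructed sample values, and a 40-bit key is assumed.

```python
import struct
import zlib

# Constructed sample values (not from the original text): the AP's 40-bit WEP
# key, the wrong key typed on a misconfigured endpoint, and a fixed 24-bit IV.
AP_KEY = bytes.fromhex("0badc0ffee")
WRONG_KEY = bytes.fromhex("deadbeef00")
IV = b"\x01\x02\x03"

def rc4(key: bytes, data: bytes) -> bytes:
    """XOR data with the RC4 keystream; WEP seeds RC4 with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation, XORed in as we go
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext))

def wep_encrypt(key: bytes, plaintext: bytes, iv: bytes = IV) -> bytes:
    """Endpoint side: frame body = IV || RC4(IV || key, plaintext || ICV)."""
    return iv + rc4(iv + key, plaintext + icv(plaintext))

def ap_receive(frame: bytes, key: bytes = AP_KEY):
    """AP side: decrypt with its own configured key and check the ICV.
    An endpoint using the wrong key produces garbage whose ICV does not
    match, so the AP drops the frame (None) and sends nothing back."""
    iv, body = frame[:3], frame[3:]
    decrypted = rc4(iv + key, body)
    plaintext, received_icv = decrypted[:-4], decrypted[-4:]
    if len(decrypted) < 4 or received_icv != icv(plaintext):
        return None
    return plaintext

def demo():
    """What the AP delivers for a correctly keyed and a wrongly keyed endpoint."""
    good = ap_receive(wep_encrypt(AP_KEY, b"GET / HTTP/1.0"))
    bad = ap_receive(wep_encrypt(WRONG_KEY, b"GET / HTTP/1.0"))
    return good, bad
```

The wrongly keyed endpoint gets no error frame back; from its side the network simply appears dead, which is the silent drop the text describes.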
Unfortunately, the WEP design includes several flaws, and widely available software can exploit these flaws to crack the shared key. Cracking the key requires at most about a million frames, which a hacker can collect over several hours in a reasonably busy network (particularly since all users share the same key).
Dynamic WEP
If you so desire, you can implement 802.1X for access control in a wireless network using WEP encryption. This option is called dynamic WEP because the RADIUS server not only handles authentication but also provides each endpoint with its own unique WEP key.