802.1x authentication

Detailed phases for using 802.1X authentication, 11 steps in total.

  1. 802.1x Authentication. Zhao Xiaoqi
  2. This section provides an overview of the components and the processes involved in establishing 802.11 wireless connections to 802.1X authenticating infrastructure networks. THE AUTHENTICATION PROCESS - WIRELESS. Volvo IT
  3. Association with the Wireless AP and Link-Layer Authentication. When a wireless network adapter is turned on, it begins to scan across the wireless frequencies (spectrum) for wireless APs and other wireless clients. Scanning is an active process in which the wireless adapter sends Probe-Request frames on all channels of the ISM frequency range and listens for the Probe-Response frames sent by wireless APs and other wireless clients. After scanning, Windows instructs the wireless adapter to connect to a network, based on the configured preferences. This choice is made automatically by using the SSID of a known or preferred wireless network and the wireless AP with the best signal strength (the highest signal-to-noise ratio). Next, the wireless client negotiates the use of a logical wireless port with the chosen wireless AP. This process is known as association. The wireless client's configuration settings determine whether the wireless client prefers to connect with infrastructure or ad-hoc mode networks. By default, a wireless client running Windows Vista, Windows XP, or Windows Server 2003 prefers infrastructure mode wireless networks over ad-hoc mode wireless networks. If the signal strength of the wireless AP is too low, if the error rate is too high, or if instructed by the operating system, the wireless client scans for other wireless APs to determine whether a different wireless AP can provide a stronger signal to the same wireless network. If so, the wireless client negotiates a connection with that wireless AP. This process is known as roaming.
  4. 802.1x Authentication Phases - Wireless: 1. Scanning; 2. Association; 3. Access Request; 4. EAP; 5. Authentication; 6. Authorization; 7. Access-Accept; 8. 802.1X Controlled Port; 9. DHCP Address Request; 10. Group Policy Applied; 11. Network Access.
  5. Phase 1: Scanning. The client scans for an AP using a Probe Request.
  6. Phase 2: Association. The client associates with the AP: – The AP registers the client's MAC address and assigns a unique virtual port that is mapped to that MAC address. – The client registers the MAC address of the AP as the only device to which it is permitted to associate (until such time as it disassociates and then reassociates with another AP or wireless device).
  7. Phase 3: Access Request. Using its 802.1X uncontrolled port, the AP forwards a RADIUS Access-Request message to the RADIUS (IAS) server. Note: TCP/IP frames generated by the wireless client can only be sent to the network through the controlled port. The client cannot send frames using the controlled port until it is authenticated and authorized.
  9. Phase 4: EAP. If the server running IAS does not reject the Access-Request, the EAP authentication method is negotiated between the client and IAS. After the negotiation is complete, the AP forwards messages between the client and the server running IAS. Note: There are many EAP authentication types. Both EAP-TLS and PEAP-MS-CHAPv2 are supported natively in Windows Server 2003, Windows XP, and Windows Vista. Note: When PEAP is used, a TLS session is first created between the access client and the server running IAS; authentication then occurs through the secure TLS session.
  10. Phase 5: Authentication. After the EAP authentication method is agreed upon between the client and IAS, the server running IAS sends its server certificate chain to the client computer as proof of identity. The client computer uses the IAS server certificate to authenticate the server running IAS. Successful PEAP-MS-CHAPv2 authentication requires that the client trusts the server running IAS after validating the IAS server certificate chain. For the client to trust the server running IAS, the root CA certificate of the issuing CA of the server certificate must be installed in the Trusted Root Certification Authorities certificate store on the client computer. After the client authenticates the server, the client sends password-based user credentials to the server running IAS, which verifies the client credentials against the user accounts database in Active Directory. – If the credentials are not valid, IAS sends an Access-Reject message to the AP in response to the connection request. – If the credentials are valid, the server running IAS proceeds to the Authorization phase.
  11. Phase 6: Authorization. The server running IAS performs authorization, as follows: a. IAS checks the user or computer account dial-in properties in Active Directory. b. IAS then attempts to find a remote access policy that matches the connection request. If a matching remote access policy is found, IAS authorizes the connection request based on that policy.
  12. Phase 7: Access-Accept. If the authorization is successful, IAS sends the AP an Access-Accept message. If authorization is not successful, IAS sends an Access-Reject message.
  14. Phase 8: 802.1X Controlled Port. As part of authentication, 802.1X dynamically generates session keys from which it further derives encryption keys to secure the wireless connection. The encryption keys are configured on both the wireless AP and the client; all subsequent data traffic is protected. The wireless AP enables the controlled port; traffic from the wireless client is allowed to traverse the port.
  15. Phase 9: DHCP Address Request. The client sends a DHCP address request through the 802.1X controlled port to the network. If a DHCP server responds, the client obtains an IP address.
  16. Phase 10: Group Policy Applied. If configured, updated Group Policy is applied on the client during domain logon operation; this includes the Wireless Network (IEEE 802.11) Policies Group Policy extension. Note: For computers already configured with Wireless Network (IEEE 802.11) Policies, Group Policy is applied when the computer is started, and whenever an updated policy is downloaded. If Group Policy is updated on the server while the computer is turned off, the last known policy (which might be stale) is immediately applied when the computer is started. If the 802.1X settings on the computer enable IAS to authorize the computer for network access, updated policies are downloaded and applied when the computer connects to the network, prior to user authentication. If the 802.1X settings on the computer cannot enable IAS to authorize the computer for network access at startup, then application of updated policies occurs immediately after user authentication.
  17. Phase 11: Network Access. The client is able to access network resources, contingent upon any applied restrictions.
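The RADIUS exchange between the AP and the IAS server in phase 3 (Access-Request) and phase 7 (Access-Accept or Access-Reject), as an added example that is not part of the original slides: a minimal encoder for both packets plus the check the AP performs on the reply (the RFC 2865 Response Authenticator and the RFC 3579 Message-Authenticator, both keyed with the AP/server shared secret) before it treats the answer as an Access-Accept and opens the controlled port. The shared secret, identifier and EAP Identity payload are constructed values, and UDP transport is left out.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 79, 80

def _attrs(pairs):  # Type (1 byte), Length (1 byte, header included), Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def _packet(code, ident, authenticator, attrs):  # Code, ID, Length, Authenticator, attributes
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_request(secret, ident, eap_payload, user, request_auth=None):
    """Phase 3: the AP wraps the client's EAP frame in a RADIUS Access-Request."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attrs([(ATTR_USER_NAME, user), (ATTR_EAP_MESSAGE, eap_payload), (ATTR_MSG_AUTH, bytes(16))])
    pkt = _packet(ACCESS_REQUEST, ident, request_auth, attrs)
    # Message-Authenticator = HMAC-MD5(secret, packet with its own value zeroed); it is the last 16 bytes
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def build_response(secret, code, request_pkt, extra_attrs=()):
    """Phase 7: Access-Accept or Access-Reject, bound to the request it answers."""
    ident, request_auth = request_pkt[1], request_pkt[4:20]
    attrs = _attrs(list(extra_attrs) + [(ATTR_MSG_AUTH, bytes(16))])
    pkt = _packet(code, ident, request_auth, attrs)   # HMAC is computed with the Request Authenticator
    attrs = attrs[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    # Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    resp_auth = hashlib.md5(pkt[:4] + request_auth + attrs + secret).digest()
    return pkt[:4] + resp_auth + attrs

def verify_response(secret, request_pkt, response_pkt):
    """AP-side check before acting on a reply: the RADIUS code if both authenticators verify, else None."""
    code, ident, length = struct.unpack("!BBH", response_pkt[:4])
    if ident != request_pkt[1] or length != len(response_pkt):
        return None
    request_auth, attrs = request_pkt[4:20], response_pkt[20:]
    expected = hashlib.md5(response_pkt[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_pkt[4:20]):
        return None
    off, mac_ok = 0, False
    while off + 2 <= len(attrs):  # walk the attribute list to find Message-Authenticator
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2:
            return None
        if atype == ATTR_MSG_AUTH and alen == 18:
            zeroed = response_pkt[:4] + request_auth + attrs[:off + 2] + bytes(16) + attrs[off + 18:]
            if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), attrs[off + 2:off + 18]):
                return None
            mac_ok = True
        off += alen
    return code if mac_ok else None
```

Only a reply that returns ACCESS_ACCEPT from verify_response should cause the AP to enable the controlled port of phase 8; a reply with a wrong identifier, a bad authenticator, or a code flipped after signing returns None.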
