• 03/26/2004
    7:00 PM
  • Network Computing

Examining 802.11i and WPA

Products using the new Wi-Fi Protected Access Technology are here, with 802.11i-compliant products coming soon. We help you decide which one is best for your organization.

Radiating with RADIUS

Your APs need RADIUS authentication to work with WPA or RSN. Like the clients, they must support whichever encryption is used, such as TKIP or AES, which means a firmware upgrade. They also must support fast reauthentication after a session time-out or drop, particularly for real-time apps like voice over WLANs. WLAN RADIUS servers are specifically designed for APs. Companies like Funk Software, Meetinghouse Data Communications and Interlink sell WLAN versions of their RADIUS servers.

You can use your wired RADIUS server for the WLAN if it supports the EAP algorithms you'll use. If not, a WLAN RADIUS server can access your legacy RADIUS server as a proxy. The WLAN RADIUS server works like this: It first verifies the client's credentials against a user name and password pair, a certificate or a token ID. Then it enables the AP and client to dynamically generate a set of keys for each session. WPA requires EAP-TLS (EAP with Transport Layer Security), whereas IEEE's 802.11i doesn't specify any particular EAP type. The EAP type you choose depends on the client's application needs and your network architecture.

Your laptops and handhelds also need supplicants--802.1x clients that provide 802.1x/EAP services--for both WPA and RSN WLAN security. Funk and Meetinghouse offer these add-ons for various client OSs, and Cisco includes a free 802.1x supplicant with its Aironet Client Utility. Microsoft packages one with its Zero Config utility in Windows XP; a free supplicant is downloadable for Windows 2000. The catch, however, is that these prepackaged supplicants don't typically support all EAP types.

The easiest WPA model to deploy is WPA-PSK for the small or home office. There's no need for a RADIUS server, and the PSK passphrase is used by the RC4 cipher block to encrypt the packet and facilitate MIC. That may be sufficient for most SOHO environments, but it's best to have passphrases with more than 20 characters.

Enabling WPA-PSK is a walk in the park. First, check if your wireless devices are WPA-compatible, then upgrade their firmware or software as needed. A good place to check for WPA compliance is the Certified Product Listing from the Wi-Fi Alliance. The Windows XP embedded supplicant works for the SOHO environment, but you must download a security update (see support.microsoft.com/?kbid=815485). You can get more information on WPA-PSK deployment here.
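The passphrase advice above matters because, under IEEE 802.11i, the 256-bit pre-shared key is computed deterministically from the passphrase and the SSID with PBKDF2-HMAC-SHA1, so the passphrase is the only secret input. The following is an added example, not code from the article: a provisioning check that applies the more-than-20-characters recommendation and derives the key. The function names, the single-character-class heuristic and the sample SSID and passphrases are assumptions made for illustration.

```python
import hashlib

RECOMMENDED_MIN = 21  # the article advises more than 20 characters


def derive_psk(passphrase, ssid):
    """Derive the 256-bit WPA pre-shared key as 64 hex digits.

    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output
    (the passphrase-to-PSK mapping defined in IEEE 802.11i).
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()


def review_passphrase(passphrase):
    """Return a list of findings; an empty list means the passphrase passes."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the 8-63 characters WPA-PSK accepts")
    if len(passphrase) < RECOMMENDED_MIN:
        findings.append("20 characters or fewer; use more than 20")
    # Added heuristic, not from the article: flag single-class passphrases.
    if passphrase.isalpha() or passphrase.isdigit():
        findings.append("only letters or only digits")
    return findings


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    ssid = "ExampleOffice"
    for candidate in ("password", "maple-Quartz-71-lantern-Drift"):
        problems = review_passphrase(candidate)
        print(candidate, "->", problems or "ok")
        if not problems:
            print("  PSK:", derive_psk(candidate, ssid))
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network, but anyone who knows the SSID can repeat the computation for a guessed passphrase, which is why length is the control that counts here.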
