7. WLAN Authentication & Roaming Flashcards

1
Q

What are the three parties of 802.1x - Network Layer Access Control?

A
  1. Supplicant (client device/sw on it)
  2. Authenticator - network device (ethernet switch or WAP)
  3. Authentication server - host running sw supporting RADIUS & EAP Protocols
2
Q

What are the stages of authentication for 802.1x - Network Layer Access Control?

A
  1. Initialisation
  2. Initiation
  3. Negotiation
  4. Authentication
3
Q

802.1x - Network Layer Access Control

Initialisation

A

New supplicant detected
Port on the switch (authenticator) is set to the ‘unauthorised’ state, where only 802.1x traffic is allowed
Other traffic (IP, TCP, UDP) is dropped

4
Q

802.1x - Network Layer Access Control

Initiation

A

Authenticator periodically transmits EAP-Request Identity frames to a special Layer 2 address on the local network segment. Supplicant listens on this address and when it receives EAP-Request Id frame, responds with EAP-Response Identity frame containing user ID. Authenticator encapsulates the ID response in a RADIUS Access-Request packet & fwds to authentication server. Supplicant can also initiate or restart auth by sending EAPOL-Start frame to authenticator…

5
Q

EAP

A

Extensible Authentication Protocol
Authentication framework; it only defines message formats
EAP over LANs (EAPOL) from host to AP
EAP over RADIUS from AP to Auth Server

6
Q

802.1x - Network Layer Access Control

Negotiation

A

Authentication server sends a reply to the authenticator containing an EAP Request, specifying the EAP Method (the type of EAP-based authentication it wants the supplicant to perform).
The authenticator encapsulates the EAP Request in an EAPOL frame and sends it to the supplicant, who can start using the requested EAP method or send a NAK (Negative Acknowledgement) and respond with the EAP Method it is willing to perform.

7
Q

802.1x - Network Layer Access Control

Authentication

A

Once the authentication server and supplicant agree on an EAP Method, requests & responses are sent btwn them, translated by the authenticator, till the server responds with an EAP Success or EAP Failure. If OK, the authenticator sets the port to the authorised state and normal traffic is allowed. When the supplicant logs off, the authenticator sets the port to unauthorised again.

8
Q

802.1x - Network Layer Access Control

Advantages

A
  1. Prevents local abuse within the hotspot (controls access to Layer 2)
  2. No IP address used/consumed till device authenticates
  3. Supports periodic re-authentication
  4. Provides encryption of traffic
    (WPA2 enterprise mode)
  5. Credentials can be cached
  6. Supports IPv6 access control as it’s Layer 2
9
Q

802.1x - Network Layer Access Control

Disadvantages

A
  1. Requires special supplicant software
  2. RADIUS server must support EAP
  3. A more complex solution for users to deploy, understand and troubleshoot
    (but once configured properly, simple to use)
10
Q

WPA2 standard of the wifi 802.11i

A

Specifies security mechanisms for wireless networks
Deprecates the broken WEP with
Wi-Fi Protected Access or Robust Security Network
Uses the Advanced Encryption Standard (AES) block cipher

11
Q

WEP

A

Wired Equivalent Privacy

12
Q

WPA2

A

Wi-Fi Protected Access
2002
Minimum 802.11i support required
Temporal Key Integrity Protocol (TKIP) encryption

13
Q

WPA ‘personal’

A

Uses pre-shared key

  • strong if passphrase strong
  • possible traffic injection vulnerability due to TKIP flaw
14
Q

WPA2

A

Has all the mandatory 802.11i support

- includes Advanced Encryption Standard (AES) which is recommended in place of TKIP

15
Q

WPA/WPA2 ‘Enterprise’

A

Used with 802.1X port based authentication

16
Q

Home network vs campus network

A

Avoid WEP
Prefer use of WPA2 PSK, use AES if available
Can use a shared key as you don’t need to distinguish users
For a campus network:
Can’t use a shared key for the whole campus - need authentication
Also to allow users to roam btwn different universities to go to conferences and get WLAN using their home credentials
Not to have to get a username/password on a piece of paper

17
Q

IEEE 802.11

A

IEEE 802.11 is a set of media access control (MAC) and physical layer (PHY) specifications for implementing wireless local area network (WLAN) computer communication in the 2.4, 3.6, 5 and 60 GHz frequency bands.

18
Q

IEEE 802.11i

A

Revision of 802.11 to specify more advanced security standards - developed to replace WEP
Implemented in Wi-Fi Protected Access standards WPA & WPA2

19
Q

RADIUS

A

Remote Authentication User Dial-in Service
- for exchanging user authentication requests & responses btwn devices, eg wireless access point & auth server
- Access Request
- Access Reject or Access Accept
Originally used for dialup, now in other scenarios
Can work within a single realm, can refer a RADIUS Access Request to another RADIUS server

20
Q

Realms and referrals

A

RADIUS realm usually defined by a domain name
Identify users by their local identifier within a realm - ord1c08
RADIUS server may pass a client request to a server in another RADIUS realm
May use ‘shared secret’ encryption between servers

21
Q

Authentication / Authorisation

A

Granting authorisation based on specific user attributes
- attributes may be stored in the authentication server (Active Directory or LDAP)
- users may also be blocked from access for various reasons
Different access can be granted based on user attributes
RADIUS supports options in the Access Accept response
(eg which VLAN (IP Subnet) to place a device in)
Can place staff and students in different IP subnets with different firewall or QoS policies
Can place a device in a quarantine network

22
Q

Web redirection

A

Forces an HTTP client on a network to see a special web page for authentication purposes before allowing access to the network
Used at commercial hotspots
User device gets local IP access/address via DHCP

23
Q

Web redirection operation

A

User runs web client

  • Network access controller (usually the gateway connecting the WLAN to the external network) detects an http request
  • Controller redirects user’s browser to an authentication page
  • Credentials passed by RADIUS to the authentication back end / server
  • If successful, access controller opens external network access (based on the site’s policy) for the user
24
Q

Web redirect advantages

A

May authenticate using different methods
- username/password
- scratch card
- SMS etc
Only requires a web browser on the client (easy for users)
Commercial and free/open source systems readily available (Uni uses Bluesocket)

25
Q

Web redirect disadvantages

A

Web challenge server could be spoofed
Device may still be able to connect to the local WLAN, even if it can’t get outside of it
- local hosts vulnerable to attacker
- eg trusting DHCP responses not to be spoofed
May have to re-enter credentials each time
As yet no commercial products support IPv6

26
Q

Web-redirect or 802.1X

A

Both can work for a single campus
When considering the balance of the best security with the best potential to support roaming, 802.1X wins:
- Secures access to Layer 2
- Part of WPA2 Enterprise model
- Supports IPv6 implicitly
- Avoids unnecessary IPv4 address consumption
- Can readily cache credentials if desired
- Can integrate with RADIUS for referrals to other realms

27
Q

Roaming infrastructure with RADIUS

A

Janet (UK NREN - National Research and Education Network) worked with European NRENs on a design for scalable roaming
Rather than NREN-to-NREN pairing & exchanging shared secrets individually btwn all pairs of Organisational RADIUS Proxies, which is not scalable, they proposed:
National Radius Proxy (NRP)

28
Q

NRP

A

National Radius Proxy
Each site refers non-local RADIUS requests to the NRP
- every campus site only peers with the NRP, not every other ORP
- NRP forwards RADIUS traffic between sites
Thus JRS was established; JRS mandates the use of 802.1X (and not web-redirect)

29
Q

EDUROAM

A

Federation formed through RADIUS infrastructure; NREN roaming extended to European, Australian, Canadian and US networks