INTRODUCTION 2008-03-05 07:42:00

Wireless LAN Security

The approval of the IEEE 802.11 standard for wireless local area networks (WLANs) and the subsequent fall in prices for wireless network interface cards (NICs) and wireless access points (APs) has caused an explosion in demand for wireless LAN capability. Because of this demand, network administrators have had to deal with two conflicting issues. Network administrators want to provide users with the flexibility and convenience that wireless network access offers while maintaining network security and integrity.

This whitepaper examines WLAN security beginning with the basic 802.11 security features and shortcomings. It continues by exploring the additional security features offered by 802.1x. Finally, it introduces Cisco’s LEAP authentication scheme and discusses how using LE
802.11 SECURITY CONCERNS 2008-03-05 07:37:00

Using the 802.11 security features certainly increases the security of the WLAN. However, these features alone do not provide a complete wireless security solution. A number of security concerns have been raised. These concerns were motivating factors in the development of Cisco’s EAP-LEAP and Interlink Networks’ RAD-Series EAP-LEAP support.

MAC Address Authentication

Open and Shared Key Authentication involves the station authenticating to an access point using the station’s MAC address. This type of authentication does not consider the identity of the user. Thus anyone stealing a laptop or NIC configured with the WEP keys can obtain network access.

One Way Authentication

WEP authentication is one-way only. The access point does not need to authenticate to the mobile station. This may allow a ro
LEAP - LIGHTWEIGHT EXTENSIBLE AUTHENTICATION PROTOCOL 2008-03-05 07:31:00

Cisco Systems, Inc. has developed the Lightweight Extensible Authentication Protocol (LEAP), sometimes known as “EAP-Cisco Wireless”. LEAP provides two important security features.

Mutual Authentication Between Station and Access Point

LEAP requires the mutual authentication between stations and access points. This allows a connecting station to verify the identity of the access point with which it is attempting to associate. At the same time, the access point must verify the identity of the station. The station must present a username and password that will be verified by a LEAP-capable RADIUS server such as the Interlink Networks RAD-Series AAA Server. This mutual authentication ensures that only authorized users are allowed access to the network while preventing hijacking of legitimate user ses
THE LEAP AUTHENTICATION PROCESS 2008-03-05 06:55:00

The Cisco LEAP authentication and key exchange process occurs in three phases.

The Start Phase

In the start phase, the supplicant begins the authentication by issuing an EAPOW-Start message to the authenticator. The authenticator responds to the supplicant with an EAP-Request/Identity message. The supplicant responds with an EAP-Response/Identity message that delivers its identity to the authenticator.

Figure 2 – The Start Phase. The supplicant (client) sends an EAPOL-Start message. The authenticator responds with an EAP-Request/Identity message. Finally, the supplicant responds with an EAP-Response/Identity message which contains the identity of the user.

The Authenticate Phase

The Cisco LEAP authentication is a mutual authentication method. The Authenticator (Access Point) relays EAP messages to
CONFIGURING INTERLINK NETWORKS RAD-SERIES TO USE CISCO LEAP 2008-03-05 06:24:00

The RAD-Series AAA server must be configured to use Cisco LEAP. This is accomplished by modifying the following three RAD-Series configuration files.

/etc/opt/aaa/clients

This file specifies the RADIUS clients that are recognized by the server. Add a line that specifies the Cisco Network Access Server (NAS) that will be acting as a client to the RAD-Series server. One must also specify the secret shared between the NAS and the RAD-Series server. The following is an example configuration:

    w03.mydomain.com secret Type=Cisco:NAS

/etc/opt/aaa/users

This file identifies the users that will be authenticating via LEAP. The Authentication Type must be specified as “Realm”. This will allow all users for a given realm to be authenticated using LEAP. One must also add “Check-Items
ABOUT INTERLINK NETWORKS 2008-03-05 06:18:00

THE COMPANY

Interlink Networks is a leader in securing access to public and private networks. Our products manage user access to dial-in, broadband, mobile, and wireless LAN networks. Interlink Networks’ RADIUS-based access control software provides the authentication, authorization, and accounting infrastructure that enables secure and reliable network access for thousands of enterprise and service provider networks worldwide.

Interlink Networks is headquartered in Ann Arbor, Michigan. We have a worldwide network of resellers and distributors.

OUR MISSION

Interlink Networks’ mission is to be a worldwide leader in providing solutions for securing access to public and private networks. By securing access to the network, we provide network operators the first line of defense against unauthorized acc