
Connectivity and Data Protection
different than configuring WEP, though it uses TKIP and other more
secure functions than WEP did.  It is theoretically possible to upgrade
most current 802.11 access points and radio card components to use
WPA through relatively simple firmware upgrades.  As a result, with
vendor cooperation, WPA is a good solution for providing enhanced
security for the existing installed base of WLAN hardware.

The use of IEEE 802.1X offers an effective framework for
authenticating and controlling user traffic to a protected network, as
well as dynamically varying encryption keys.  802.1X ties the
Extensible Authentication Protocol (EAP) to both the wired and
wireless LAN media and may support many authentication methods,
such as token cards, Kerberos, one-time passwords, certificates, and
public key authentication.

Initial 802.1X communication begins with an unauthenticated
supplicant (client station) attempting to connect with an authenticator
(access point).  The access point responds by enabling a port for
passing only EAP packets from the client to an authentication server
located on the wired side of the access point.  The access point blocks
all other traffic, such as HTTP, DHCP, and POP3 packets, until the
access point can verify the client's identity using an authentication
server, such as RADIUS.  Once the client is successfully authenticated,
the access point opens the client's port for other types of traffic.  This
state is called “EAP Associated” and is illustrated below.  Being
associated and being EAP associated are different, as you can see in
Figure 3.13.

FIGURE 3.13: Access Point’s Association Table
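
The port gating described above, as an added Python sketch that is not part of the original text. The AccessPoint class, the single-step EAP exchange, the sample MAC address and credentials, and the callable standing in for the RADIUS server are assumptions made for illustration; the two table states are the ones named in the text.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

ETHERTYPE_EAPOL = 0x888E  # EAP over LAN, the only traffic allowed before auth
ETHERTYPE_IPV4 = 0x0800   # carries HTTP, DHCP, POP3 and everything else

@dataclass
class AccessPoint:
    """Hypothetical authenticator: one gated port per client MAC."""
    auth_server: Callable[[str, str], bool]  # stand-in for RADIUS
    table: Dict[str, str] = field(default_factory=dict)  # association table

    def associate(self, mac: str) -> None:
        # 802.11 association alone does not open the port.
        self.table[mac] = "Associated"

    def handle_frame(self, mac: str, ethertype: int,
                     eap: Optional[Tuple[str, str]] = None) -> str:
        state = self.table.get(mac)
        if state is None:
            return "drop: not associated"
        if ethertype == ETHERTYPE_EAPOL and eap is not None:
            # EAP is relayed to the authentication server in either state.
            identity, credential = eap
            if self.auth_server(identity, credential):
                self.table[mac] = "EAP Associated"
                return "eap success: port opened"
            self.table[mac] = "Associated"  # assumption: failure closes the port
            return "eap failure: port closed"
        if state == "EAP Associated":
            return "forward"
        return "drop: unauthenticated"

def demo():
    users = {"alice": "correct-horse"}  # constructed credential store
    ap = AccessPoint(lambda ident, cred: users.get(ident) == cred)
    mac = "02:00:00:00:00:01"  # constructed, locally administered MAC
    ap.associate(mac)
    results = [
        ap.handle_frame(mac, ETHERTYPE_IPV4),  # DHCP/HTTP before auth
        ap.handle_frame(mac, ETHERTYPE_EAPOL, ("alice", "wrong")),
        ap.handle_frame(mac, ETHERTYPE_IPV4),
        ap.handle_frame(mac, ETHERTYPE_EAPOL, ("alice", "correct-horse")),
        ap.handle_frame(mac, ETHERTYPE_IPV4),  # forwarded once authenticated
    ]
    return results, ap.table[mac]

if __name__ == "__main__":
    print(demo())
```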