Something that isn't stated directly in the book that I was curious about...
If you're using an EEG, is the traffic on the "encrypted" side, encrypted only from the EEG to the AP, or does the AP pass the data to the client in an encrypted state as well? Basically, who decrypts the information, the client or the AP? I'm assuming the client does, but I just wanted to make sure...
Having read ahead into the CWAP guide- it appears that encryption is between client device (with added proprietary layer 2 protocol) and the EEG. Open System Authentication is used on the AP.
Why would you use Open System Authentication, simply because you have an EEG?
The fact that the traffic is encrypted doesn't necessarily have anything to do with who should and shouldn't be permitted to authenticate to the WLAN.
Perhaps I'm just misunderstanding.
Also, by EEG to client, do you mean EEG to AP, or EEG to the client machine?
I am new to this so I cannot claim any experience with an EEG. This is what I have found:
The example given in the CWAP guide shows a sniffer capture where the encryption is between the client machine and the EEG.
As in the CWNA guide the CWAP guide provides a picture of an AirFortress 2100. I took a look at the AirFortress 2100 product guide (http://www.fortresstech.com/products/af2100.shtml)
In the product guide AirFortress uses "client" in this context "Loading the Secure Client on the laptop, PDA, or other mobile device"
Furthermore it shows that it is capable of integrating with RADIUS servers and NT Domains.
It appears that for the example in the CWAP guide, open authentication is used on the access point and possibly (not enough detail to know for sure) authentication is handled by RADIUS and/or AD.
I hope this is more helpful.
Yeah, that makes sense. It looks like they're just using the EEG, along with EAP, thus using open authentication.
All traffic between the client (laptop, handheld, etc.) and the EEG (AirFortress Gateway) is encrypted. Therefore, one can't really use the authentication on the AP since the AP can't "read" the traffic. Open authentication should then be set on the AP.
The AirFortress solution can use various authentication methods depending on its setup. There is what we call "network authentication" between the client the and the Gateway via an Access ID. There is also "device authentication" when a backend AirFortress Access Control Server is employed, i.e., each device (laptop,etc.) is allowed/denied based on a device ID generated when the AirFortress Client is installed.
"User authentication" can also be enabled. Directly from the Gateway to a Radius server using EAP-MD5. Or when employing an Access Control Server, one of the following can be used:
1) Radius (proxy to a Radius server)
2) Local database (on the ACS itself)
3) RSA SecurID
4) Proxy to NT Domain (or Active Directory)
5) Proxy to an LDAP server
Hope this helps.
Hey a response from a vendor! Thanks for the reply.
ALL, From what I hear.
AirFortress' devices are a very good way to secure a WLAN. "Once you set it up it is as sound as Fort Knox. Those of you that served in the military would know what I mean.