7 posts by 2 authors in: Forums > CWSP - Enterprise Wi-Fi Security
Last Post: April 13, 2005:
  • I understand how EAP works, but when does the EAP process happen? Before association or after?

    Is this correct?

    1. Client sends probe request
    2. AP sends probe response
    3. EAP initiated by client ??
    4. Association granted by AP after successful EAP authentication.


  • Hi CSC5wyw:

    Let's assume an infrastructure network rather than ad hoc. Here we go:

    scan/probe for BSSs (frames)
    join a BSS (internal synchronization, no frames)
    open system authenticate with BSS (two frames)
    associate with BSS (two frames)
    802.1X/EAP/RADIUS/Directory authenticate with BSS (frames)
    occasionally probe/scan
    optionally preauthenticate over the air
    optionally pre EAP-authenticate over the infrastructure

    I hope this helps. Can you add your location to your forum profile? Thanks. /criss

  • Criss,

    Thanks, it's much clearer now. Since we are talking security, I have another question that you can hopefully answer. I am reading about IPSEC from the CWSP study guide. It says AH (authentication header) performs hashing but not encryption, but a few pages later, it says transport and/or tunnel mode will encrypt the data, so I am a little confused. Does a packet get hashed and then encrypted if AH transport and/or tunnel mode is used?

  • Hi csc5wyw of Dulles:

    The middle paragraph on page 312 sums it up.

    The design goal of IPSec was to provide end-to-end service. So-called "tunnel mode" is not an inherent part of the IPSec protocol (as I understand it) but rather a name given to an IP tunnel where IPSec ESP is used to encrypt the tunnel payload.

    [Correction 13Apr2005: Tunnel mode >is< an inherent part of the IPSec protocol, and is described in the original RFC.]

    An IPSec encrypted tunnel is one way of creating a VPN. VPNs are extremely popular and an intimate part of our unfortunate love affair with NATs.

    I hope this helps. Thanks. /criss

  • Criss,

    Thanks again. You are a wealth of knowledge. I have one more security question. When 802.1x/EAP is used in WLANs, I know data frames are authenticated and encrypted. Are management and control frames also authenticated and encrypted, or sent in the clear?

  • Hi CSC:

    Only data frames are encrypted. With one exception, all management and control frames are in the clear.

    The one exception is the third frame in a four step frame exchange sequence for WEP based "Shared Key" authentication. Although this process is preserved in the 802.11 standard as amended by 802.11i, all advice is to use "Open" authentication instead. And Robust Security Networks (RSNs are WEP free and use TKIP and/or CCMP exclusively) must use "Open" authentication only.

    I hope this helps. Thanks. /criss
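
The answer above can be checked against a capture by reading the Protected Frame bit in each frame's 2-byte Frame Control field. The following is an added example, not part of the original thread: the function names are hypothetical and the sample bytes are constructed Frame Control values, not a real capture.

```python
from typing import NamedTuple

TYPES = {0: "management", 1: "control", 2: "data"}
PROTECTED = 0x40  # Frame Control bit 14 = bit 6 of the second byte on the air

class FrameControl(NamedTuple):
    ftype: str
    subtype: int
    protected: bool

def parse_frame_control(frame: bytes) -> FrameControl:
    """Decode type, subtype and the Protected Frame bit from the first two bytes."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the Frame Control field")
    b0, flags = frame[0], frame[1]
    if b0 & 0x03:  # bits 0-1: protocol version, always 0 in 802.11
        raise ValueError("unsupported protocol version")
    ftype = TYPES.get((b0 >> 2) & 0x03, "reserved")
    return FrameControl(ftype, b0 >> 4, bool(flags & PROTECTED))

def classify(frame: bytes) -> str:
    """Label a frame the way the thread describes: data may be encrypted, the rest is clear."""
    fc = parse_frame_control(frame)
    if fc.ftype == "data":
        return "data/encrypted" if fc.protected else "data/clear"
    if fc.protected:
        # The one exception named in the thread: frame 3 of WEP Shared Key
        # authentication is a management frame (subtype 11) with the bit set.
        if fc.ftype == "management" and fc.subtype == 11:
            return "shared-key-auth-frame-3"
        return "unexpected-protected"
    return fc.ftype + "/clear"

# Constructed Frame Control bytes, listed in the connection order given earlier.
SAMPLE = [
    ("probe request",            bytes([0x40, 0x00])),
    ("probe response",           bytes([0x50, 0x00])),
    ("open system auth",         bytes([0xB0, 0x00])),
    ("association request",      bytes([0x00, 0x00])),
    ("association response",     bytes([0x10, 0x00])),
    ("ACK (control)",            bytes([0xD4, 0x00])),
    ("data, keys installed",     bytes([0x08, 0x41])),
    ("shared key auth, frame 3", bytes([0xB0, 0x40])),
]

def summarize(sample=SAMPLE):
    return [(name, classify(fc)) for name, fc in sample]

if __name__ == "__main__":
    for name, verdict in summarize():
        print(f"{name:26} {verdict}")
```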

  • Criss,

    Thanks for clearing up!
