Filter
Top Products
Appendix E Wireless LANs
NWA1000 Series User’s Guide
187
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets,
altering them and resending them. The MIC provides a strong mathematical function in which the
receiver and the transmitter each compute and then compare the MIC. If they do not match, it is
assumed that the data has been tampered with and the packet is dropped.
By generating unique data encryption keys for every data packet and by creating an integrity
checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi
network than WEP and difficult for an intruder to break into the network.
The encryption mechanisms used for WPA2 and WPA2-PSK are the same. The only difference
between the two is that WPA2-PSK uses a simple common password, instead of user-specific
credentials. The common-password approach makes WPA2-PSK susceptible to brute-force
password-guessing attacks but it’s still an improvement over WEP as it employs a consistent,
single, alphanumeric password to derive a PMK which is used to generate unique temporal
encryption keys. This prevent all wireless devices sharing the same encryption keys. (a weakness of
WEP)
User Authentication
WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless
clients using an external RADIUS database. WPA2 reduces the number of key exchange messages
from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network.
These two features are optional and may not be supported in all wireless devices.
Key caching allows a wireless client to store the PMK it derived through a successful authentication
with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not
need to go with the authentication process again.
Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an
AP) to perform IEEE 802.1x authentication with another AP before connecting to it.
Wireless Client WPA2 Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the wireless
client how to use WPA2. At the time of writing, the most widely available supplicant is the WPA2
patch for Windows XP, Funk Software's Odyssey client.
The Windows XP patch is a free download that adds WPA2 capability to Windows XP's built-in "Zero
Configuration" wireless client. However, you must run Windows XP to use it.
WPA2 with RADIUS Application Example
To set up WPA2, you need the IP address of the RADIUS server, its port number (default is 1812),
and the RADIUS shared secret. A WPA2 application example with an external RADIUS server looks
as follows. "A" is the RADIUS server. "DS" is the distribution system.
1 The AP passes the wireless client's authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants or denies
network access accordingly.
3 A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS
server and the client.