180 Chapter 5
www.newnespress.com
when the PSK had been in use. Furthermore, because preshared keys are text and are
common for all devices, they are easy to share and impossible to revoke. Good users can be
fooled into giving the PSK away, or bad users—such as employees who have left the
organization—can continue to use the preshared keys as often as they desire.
These problems are solved, however, by moving away from preshared keys to using 802.1X
and EAP. Recently, some vendors have been introducing the ability to create per-user
preshared keys. The advantage of having per-user keys is that one user’s access can be
revoked without allowing that user to compromise the rest of the network. The problem
with this scheme, however, is the continued lack of forward secrecy, meaning that a user
who has his password stolen can still have decrypted every packet ever sent or will send
using that key. For this reason, 802.1X is still recommended, using strong EAP methods
that provide forward secrecy.
5.6.2 802.1X, EAP, and Centralized Authentication
Up to now, we’ve discussed Wi-Fi’s self contained security mechanisms. With WPA2, the
encryption and integrity protection of the data messages can be considered strong. But
we’ve only seen preshared keys, or global passwords, as the method the network
authenticates the user, and preshared keys are not strong enough for many needs.
The solution is to rely on the infrastructure provided by centralized authentication using a
dedicated Authentication, Authorization, and Accounting (AAA) server. These servers
maintain a list of users, and for each user, the server holds the authentication credentials
required by the user to access the network. When the user does attempt to access the
network, the user is required to exercise a series of steps from the authentication protocol
demanded by the AAA server. The server drives its end of the protocol, challenging the
user, by way of a piece of software called a supplicant that exists on the user’s device, to
prove that the user has the necessary credentials. The network exists as a pipe, relaying the
protocol from the AAA server to the client. Once the user has either proven that she has
the right credentials—she apparently is who she says she is—the AAA server will then tell
the network that the user can come in.
The entire design of RADIUS was originally centered around providing password prompts

for dial-up users on old modem banks. However, with the addition of the Extensible
Authentication Protocol (EAP) framework on top of RADIUS, and built into every modern
RADIUS server, more advanced and secure authentication protocols have been constructed.
See Figure 5.22.
The concept behind EAP is to provide a generic framework where the RADIUS server and
the client device can communicate to negotiate the security credentials that the network
administrator requires, without having to concern or modify the underlying network access
technology. To accomplish this last feat, the local access network must support 802.1X.
Introduction to Wi-Fi 181
www.newnespress.com
5.6.2.1 What Is Authentication in 802.1X?
Let’s first define exactly what authentication is, and what the technology expects out of the
authentication process. We’ve mentioned credentials immediately preceding this section. An
authentication credential is something that one party to communication has that the other
parties can use to verify whether the user is really who he claims he is and is authorized to
join the network.
In the preshared key case, the authentication credential is just the preshared key, a global
password that every user shares. This is not very good, because every user appears identical,
and there is no way for users to know that their networks are also authentic. Authentication
should be a two-way street, and it is important for the clients to know that the network they
are connecting to is not a fraud. With preshared keys, anyone with the key can set up a
fraudulent rogue access point, install the key, and appear to be real to the users, just as they
can arbitrarily decrypt over-the-air traffic.
Normal computer account security, such as what is provided by email servers, enterprise
personal computers, and Active Directory (AD) networks, generally uses the notion that a
user has a unique, secret password. When the user wants to access the network, or the
machine, or the email account, she enters her password. If this password matches, then the
user is allowed in. Otherwise, he or she is not.
(In fact, to prevent the system administrators from having access to the user’s password,
which the user might use in other systems and might not want to share, these systems will

record a cryptographically hashed version of the password. This version, such as the MD5-
hashed one mentioned in the next section, prevents anyone looking at it from knowing what
the original password is, yet at the same time allows the user to type their password at any
time, which leads to a new MD5-hashed string that will be identical to the one recorded by
the system if and only if the passwords are identical.)
This identifies the user, but what about the network, which can’t type a password to prove
itself to the user? More advanced authentication methods use public key cryptography to
RADIUS Server
Phone
Wireless ControllerAccess Point
Supplicant
EAPOL EAP over RADIUS
User Credentials
Authenticator/
NAS
Figure 5.22: The Components of RADIUS Authentication Over Wi-Fi
182 Chapter 5
www.newnespress.com
provide more than a password. A thorough description of public key cryptography will be
given in Chapter 8 security for voice mobility, as it is such a crucial topic, and you may
want to skip ahead and read that part for the details. The background is quite simple,
however. Public key cryptography is based on the notion of a certificate. A certificate is a
very small electronic document, of an exact and precise format, containing some basic
information about the user, network, or system that the certificate represents. I might have
a certificate that states that it is written for , pretending for a
moment that that is the name of my user account at some company. The network might
have a certificate that states it is written for network.somecompany.com, using the DNS
name of the server running the network. To ensure that the contents of the certificate are not
downright lies made up in the moment, each certificate is signed using another certificate,
that of a certificate authority who both parties need to trust in advance. Finally, each

certificate includes some cryptographic material: a public key, that is shouted out in the
certificate, and a private key, which the owner of the certificate keeps hidden and tells no
one. This private key is like a very big, randomly generated password. The difference is that
the private key can be used to encrypt data that the public key can decrypt, and the public
key can be used to encrypt data that the private key can decrypt. This allows the holder of
the certificate to prove his or her identity by encrypting something using his or her private
key. It also allows anyone else in the world to send the holder of the certificate a private
message that only the holder can decrypt.
Certificates are necessary for network authentication. When the user tries to authenticate to
the network, the network will prove its identity by using its private key and certificate, and
the client will accept it only if the network gives the right information based on that
certificate. Certificates are also useful for user authentication, because the same properties
work in reverse. The EAP method known as EAP-TLS requires client certificates. Most of
the other Wi-Fi-appropriate EAP methods use only server certificates, and require client
passwords instead.
To recap, authentication over Wi-Fi means that the user enters a password or sends his
certificate to the AAA server, which proves his identity, while the network sends its
certificate to the client, whose supplicant automatically verifies the network’s identity—just
like how web browsers using HTTPS verify the server’s identity.
It is the EAP method’s job to specify whether passwords or certificates are required, how
they are sent, and what other information may be required. The EAP method also is
required to allow the AAA server and the client to securely agree to a master key—the
PMK—which is used long after authentication to encrypt the user’s data. The EAP method
also must ensure that the authentication process is secure even though it is sent over an
open, unencrypted network, as you will see in the following section on 802.1X.
The administrator is allowed to control quite a bit about what types of authentication
methods are supported. The AAA administrator (not, you may note, the network
Introduction to Wi-Fi 183
www.newnespress.com
administrator, unless this is the same person) determines the EAP methods, and thus the

certificate and authentication requirements. The AAA administrator also chooses how long a
user can keep network access until he or she has to reauthenticate using EAP. The network
administrator controls the encryption algorithm—whether to use WPA or WPA2. Together,
the two administrators can use extensions to RADIUS to also introduce network access
policies based on the results of the AAA authentication.
5.6.2.2 802.1X
802.1X, also known as EAPOL, for EAP over LAN, is a basic protocol supported by
enterprise-grade Wi-Fi networks, as well as modern wired Ethernet switches and other
network technologies. The idea behind 802.1X is to allow the user’s device to connect to
the network as if the RADIUS server and advanced authentication systems did not exist, but
to then block the network link for the device for all other protocols except 802.1X, until
authentication is complete. The network’s only requirements are twofold: prevent all data
traffic from or to the client except for EAPOL (using Ethernet protocol 0x888E) from
passing; and taking the EAPOL frames, removing the EAP messages embedded within, and
tunneling those over the RADIUS protocol to the AAA server.
The job of the network, then, is rather simple. However, the sheer number of protocols can
make the process seem complex. We’ll go through the details slowly. The important thing to
keep in mind is that 802.1X is purely a way of opening what acts like a direct link between
the AAA server and the client device, to allow the user to be authenticated by whatever
means the AAA server and client deem necessary. The protocols are all layered, allowing
the highest-level security protocols to ride on increasingly more specific frames that each
act as blank envelopes for its contents.
Once the AAA server and the client have successfully authenticated, the AAA server will
use its RADIUS link to inform the network that the client can pass. The network will tear
down its EAPOL-only firewall, allowing generic data traffic to pass. In the same message
that the AAA server tells the network to allow the client (an EAP Success), it also passes
the PMK—the master key that the client also has and will be used for encryption—to the
network, which can then drop into the four-way handshake to derive the PTK and start the
encrypted channel. This PMK exchange goes in an encrypted portion of the EAP response
from the RADIUS server, and is removed when the EAP Success is forwarded over the air.

The encryption is rather simple, and is based on the shared password that the RADIUS
server and controller or access point have. Along with the PMK comes a session lifetime.
The RADIUS server tells the controller or access point how long the authentication, and
subsequent use of the keys derived from it, is valid. Once that time expires, both the access
point and the client are required to erase any knowledge of the key, and the client must
reauthenticate using EAP to get a new one and continue using the network.
184 Chapter 5
www.newnespress.com
For network administrators, it is important to keep in mind that the EAP traffic in EAPOL is
not encrypted. Because the AAA server and the client have not agreed on the keys yet, all
of the traffic between the client and the RADIUS server can be seen by passive observers.
This necessarily limits the EAP methods—the specific types of authentication—that can be
used. For example, in the early days of 802.1X, an EAP method known as EAP-MD5 was
used, where the user typed a password (or the client used the user’s computer account
password), which was then hashed with the MD5 one-way cryptographic hash algorithm,
and then sent across the network. Now, MD5 is flawed, but is still secure enough that an
attacker would have a very hard time reverse-engineering the password from the hash of it.
However, the attacker wouldn’t need to do this, as he could just replay the same MD5
hashed version himself, as if he were the original user, and gain access to the network. For
this reason, no modern wireless device supports EAP-MD5 for wireless authentication.
5.6.2.3 Key Caching
Because the work required establishing a PMK when 802.1X and RADIUS are used is
significant, WPA2 provides for a way for the PMK to be cached for the client to use, if it
should leave the access point and return before the PMK expires.
This is done using key caching. Key caching works because each PMK is given a label,
called a PMKID, that represents the name of the RADIUS association and the PMK that
was derived from it. The PMKID is specifically a 128-bit string, produced by the function
PMKID = HMAC-SHA1-128(PMK, “PMK Name” || AA || SPA),
where AA is the BSSID Ethernet address, SPA is the Ethernet address of the client, and
HMAC-SHA1-128 is the first 128 bits of the well-known SHA1-based HMAC function for

producing a cryptographic one-way signature with the PMK as the key. The double-pipes
(“||”) represent bitwise concatenation. The “PMK Name” ASCII string is used to prevent
implementers from putting the wrong function results in the wrong places and having it
work by accident.
From this, it is pretty clear to see that a client and access point can share the same PMKID
only if they have the same PMK and are referring to each other.
When the client associates, it places into its Reassociation message’s RSN information
element (Table 5.16) the PMKID it may have remembered from a previous association to
the access point. If the access point also remembers the previous association, and still has
the PMK, then the access point will skip starting 802.1X and will proceed to sending the
first message in the four-way handshake, basing it on the remembered PMK.
This caching behavior is not mandatory, in the sense that either side can forget about the
PMK and the connection will still proceed. If the client does not request a PMKID, or the
access point does not recognize or remember the PMKID, the access point will still send an
Introduction to Wi-Fi 185
www.newnespress.com
EAP Request Identity message, and the 802.1X protocol will continue as if no caching had
taken place.
5.6.3 Putting It All Together: An Example
The client passes through a number of phases when associating to a Wi-Fi network that uses
enterprise-grade security. To help understand how everything fits together, we will go
through one example authentication, using WPA2 and the EAP method EAP-PEAP, which
requires each mobile device to have a username and password. The password will be sent,
securely tunneled through PEAP, to the RADIUS server, which is usually attached to a
Microsoft Active Directory server.
Each message that is sent will be represented by a table, showing the relevant contents of
the message. The aim is to allow the reader to follow along, when analyzing wireless packet
capture traces, what the individual steps mean, when a client associates to the network. As a
matter of presentation, when information that might be important is repeated in subsequent
messages, it will be omitted for those messages.

Step 1: Associate with the Wi-Fi Network
The mobile device, having scanned for the SSID of the network desired—let’s call it voice
for this example—has found an access point that is advertising the voice SSID.
The client requests a connection with the access point by sending an 802.11 Authentication
message, requesting open authentication, meaning that the client does not want to use WEP.
See Table 5.19.
Table 5.19: 802.11 Authentication message from client to AP
Frame Control Destination
Address
Source Address BSSID Algorithm
Number
Authentication
Sequence
Authentication AP Address Client Address AP Address 0 (Open System)
1
Table 5.20: 802.11 Authentication message from AP to client
Frame
Control
Destination
Address
Source
Address
BSSID Algorithm
Number
Authentication
Sequence
Status Code
Authentication Client
Address
AP Address Client

Address
0 (Open
System)
1
0 (Success)
The access point accepts the open connection by responding with its own 802.11
Authentication message, to the client, simply stating that the request is a success. See Table
5.20.
186 Chapter 5
www.newnespress.com
The access point accepts the association request and sends an 802.11 Association Response
message to the client, announcing success, providing the client with the access point’s
capabilities and its network-wide configuration parameters.
At this point, the client cannot speak to any other access point without disconnecting or
being disconnected, but it cannot send or receive any real data traffic. The client must first
use EAPOL to authenticate.
Step 2: Authenticate with the AAA Server
The sends an EAPOL Start message (Table 5.22), encoded as a Wi-Fi Data frame with
Ethernet protocol 0x888E, sent to the Ethernet address of the access point. This message is
optional, but when sent is meant to request that the access point should start the EAP
exchange.
Table 5.21: 802.11 Association request message from client to AP
Frame
Control
Destination
Address
Source
Address
BSSID Capabilities SSID Information
Elements

Association
Request
AP Address Client
Address
AP Address Capabilities
voice Radio, Security,
and QoS
Capabilities
Table 5.22: 802.11 EAPOL start message
Frame Control Destination
Address
Source
Address
BSSID EtherType EAPOL Type
Data AP Address Client Address AP Address
0x888E Start
Table 5.23: 802.11 EAP request identity
Destination
Address
Source
Address
Ether-type EAPOL Type EAP Code EAP Type Identity
Client Address AP Address
0x888E
0=EAP 1=Request 1=Identity
hello
At around the same time, the access point will usually voluntarily send an EAPOL message
with an EAP Request Identity message inside (Table 5.23), triggering the start of the
authentication process. The Request Identity message is the EAP way of asking the client to
announce who he or she is.

The client then sends an 802.11 Association Request message to the access point, informing
the access point of its Wi-Fi capabilities, supported extensions and 802.11 features (Table
5.21).
Introduction to Wi-Fi 187
www.newnespress.com
This response triggers the start of the PEAP protocol, tunneled over EAP, tunneled over
EAPOL, carried over 802.11. The first message is from the RADIUS server, through the
access point, and informs the client that PEAP is beginning (Table 5.25).
PEAP uses TLS as the outer tunnel, within which the encrypted username and password are
passed. The first message in the TLS exchange is what is known as a TLS Client Hello
(Table 5.26). The Client Hello passes the client’s nonce, used as a part of the key derivation
protocol. The client will specify a number of cipher suites, but must specify RSA public key
encryption with RC4 stream encryption and either MD5 or SHA hashes.
Table 5.24: 802.11 EAP response identity
Destination
Address
Source
Address
Ether-type EAPOL
Type
EAP Code EAP Type Identity
AP
Address
Client Address
0x888E EAP
2=Response
Identity LOCATION\
user
Table 5.25: 802.11 EAP request PEAP
Destination

Address
Source
Address
Ether-type EAPOL Type EAP Code EAP Type Flags
Client
Address
AP Address
0x888E EAP Request
25=PEAP
Start
Table 5.26: 802.11 PEAP client hello
Destination
Address
Source
Address
EAP Code EAP Type TLS Type Handshake
Type
Nonce Cipher
Suites
AP Address Client
Address
Response PEAP
22=Handshake 1=Client
Hello
random Many
The client receives the request for the identity and responds with identity to use (Table
5.24). Let’s call the user “user”, in the domain “LOCATION”. PEAP uses a separate
protocol (MSCHAPv2) for the presentation of the real username and password. The identity
given in the outer protocol may or may not matter, depending on the RADIUS server. In
this example, the outer identity is the same one given as the real, inner identity:

“LOCATION\user”.
The server will respond with a Server Hello. The Server Hello message will specify the
server’s nonce, a session ID (which is usually not taken advantage of by wireless clients),
one of the client’s cipher suite to use for the rest of the process, and the beginning of a
chain of certificates for the RADIUS server, which identifies itself as being valid. The client
will usually verify that the server is signed by a valid certificate authority somewhere along
the path and is allowed to serve the role it does, unless the client’s administrator has
188 Chapter 5
www.newnespress.com
explicitly disabled this check. Because certificates are much longer than the maximum
EAPOL packet, the PEAP Server Hello and Certificate will be divided up over many
consecutive EAPOL frames from the access point. After the certificate, the server may
include a request for the client to send a certificate. This would be used by PEAP to short-
circuit the inner tunnel and revert to plain TLS, if the client has a certificate. Usually, PEAP
is not used with client certificates, so the client will ignore this request and trigger the
password exchange. If requested, the types of certificates and distinguished names of
acceptable certificate authorities, one of whom needed to have signed any client certificate
given, will be provided. The message ends with a Server Hello Done. See Table 5.27.
Table 5.27: 802.11 PEAP server hello and certificate, usually split across multiple
EAPOL messages
Destination
Address
Source
Address
EAP
Code
Flags TLS Type Handshake
Type
Session ID Nonce
Client

Address
AP Address
Request
0x40 =
More
Handshake
2=Server
Hello
arbitrary random
…
Handshake
Type
Server
Certificate
Handshake
Type
Certificate
Types
Distinguished
Names
Handshake
Type
…
11=Certificate
X509 Certificate
13=Certificate
Request
RSA, DSS… Any Names
14=Server
Hello Done

Table 5.28: 802.11 EAP response PEAP
Destination
Address
Source
Address
Ether-type EAPOL Type EAP Code EAP Type
AP Address Client Address
0x888E EAP Response PEAP
The client will respond to the intermediate server certificate messages with empty responses,
to keep the request/response protocol going (Table 5.28).
When the Server Hello Done message arrives at the client, the client will kick off the
second, inner phase of PEAP. First, the client responds with a Certificate handshake
message. If the client were going to provide a certificate, it would do so here. However,
with normal PEAP, the certificate message will be empty. Following this is the Client Key
Exchange. Let’s assume that the server and client agreed to RSA public key encryption. The
client chooses a random 48-byte premaster key, which is encrypted by the server
certificate’s RSA public key, and then packaged in the key field. Following this comes the
Change Cipher Spec message (Table 5.29), to inform the server that all future
communications will take place using encryption based on the key. Finally, the first
encrypted message is introduced, which is a marker, encrypted by the key, that states that
the cipher change is done.
Introduction to Wi-Fi 189
www.newnespress.com
Table 5.29: 802.11 PEAP client change cipher spec
Destination
Address
Source
Address
EAP Code Flags TLS Type Handshake
Type

Client
Certificate
AP Address Client Address
Response
none
Handshake Certificate
none
…
Handshake
Type
Key Handshake Type Handshake Type Encrypted
Handshake
…
22=Client Key
Exchange
Pre-master Key
20=Change
Cipher Spec
32=Encrypted
Handshake Message
Finished (encrypted
with TLS PRF)
Table 5.30: 802.11 PEAP server change cipher spec
Destination
Address
Source
Address
EAP Code TLS Type Handshake
Type
Handshake

Type
Encrypted
Handshake
Client
Address
AP Address
Request Handshake Change
Cipher Spec
Encrypted
Handshake
Message
Finished
(encrypted
with TLS
PRF)
Table 5.31: 802.11 EAP response PEAP
Destination
Address
Source
Address
Ether-type EAPOL Type EAP Code EAP Type
AP Address Client
Address
0x888E EAP Response PEAP
Table 5.32: 802.11 PEAP encrypted request identity
Destination
Address
Source
Address
EAP Code TLS Type EAP Code

(encrypted with
RC4)
EAP Type
(encrypted)
Client Address AP Address
Request
23=Application
Data
Request Identity
The server now responds with a Change Cipher Spec and Finished message (Table 5.30), to
mark the switch over of the protocol completely to the inner TLS tunnel.
The client, once again, sends an empty response (Table 5.31).
Now, the inner MSCHAPv2 protocol can take place. Table 5.32 will peel back the inner
TLS tunnel and reveal the contents. The inner tunnel will also present an EAP exchange,
but using MSCHAPv2, rather than TLS.