WPA2 802.1X


The 802.1X mechanism is similar to 802.1X for wired networks. With Wi-Fi, the 3 roles remain the same:

  • Supplicant: The wireless client

  • Authenticator: The AP

  • Authentication server: The server that manages the access requests (it can run on the same host as the authenticator) - typically RADIUS

In a wireless environment the process is as follows:

  1. The client (suplicant) sends an Authentication Request just like for Open Authentication.

  2. The AP (authenticator) responds with an Authentication Success

  3. The client sends an Association Request

  4. The AP responds with an Association Reponse that includes an ID.

  5. Even though Asscociation is completed, the virtual port is still not allowed to pass any traffic until the 802.1X authentication completes succesfuly. At this step the client can start the process or the authenticator can request the credentials

  6. The AP (authenticator) sends the 802.1X traffic encapsulated to the Authentication server while all other network traffic on that port is dropped. The response from the server is sent to the client (this way the client can also authenticate the server)

  7. On a succesful authentication the virtual port will be allowed to pass data.

One key aspect of 802.1x is that it will authenticate each supplicant independently and during the authentication process the server and the client derive an individual key that will be used by the client in this session. Because keys are different for each client and session based it is hard for an intruder to get access to the network.

PKI and Certificate-Based Authentication

  • The Certificate Authority (CA) is used to generate digital certificates for users (clients) and the Authentication servers in order to validate their identities

  • Clients requests a user certificate from CA and use it to authenticate themseleves to the server using 802.1X

  • Servers request a server certificate from CA or it can use a self-signed certificate when it acts as its own CA

  • WLCs that are used as the authentication servers use preinstalled certi

Last updated