Monday, July 27, 2009

Authentication & Association

The process of connecting to a wireless LAN consists of two separate sub-processes. These sub-processes always occur in the same order, and are called authentication and association. For example, when we speak of a wireless PC card connecting to a wireless LAN, we say that the PC card has been authenticated by and has associated with a certain access point. Keep in mind that when we speak of association, we are speaking of Layer 2 connectivity, and authentication pertains directly to the radio PC card, not to the user. Understanding the steps involved in getting a client connected to an access point is crucial to security, troubleshooting, and management of the wireless LAN.


Authentication

The first step in connecting to a wireless LAN is authentication. Authentication is the process through which a wireless node (PC Card, USB client, etc.) has its identity verified by the network, usually by the access point to which the node is attempting to connect: the access point checks that the client is who it says it is before any connection happens. Sometimes the authentication process is null, meaning that, although both the client and access point have to proceed through this step in order to associate, no identity is actually required for association. This is the case when most brand new access points and PC cards are installed in their default configuration.

The client begins the authentication process by sending an authentication request frame to the access point (in infrastructure mode). The access point either accepts or denies this request and notifies the station of its decision with an authentication response frame. The decision can be made at the access point itself, or the access point can pass the responsibility to an upstream authentication server such as a RADIUS server. The RADIUS server performs the authentication against its configured criteria and returns its result to the access point, which relays the result to the client station.


Association


Once a wireless client has been authenticated, the client then associates with the access point. Association is the state in which a client is allowed to pass data through an access point. If your PC card is associated with an access point, you are connected to that access point and hence to the network.

The process of becoming associated is as follows. When a client wishes to connect, the client sends an authentication request to the access point and receives back an authentication response. After authentication is completed, the station sends an association request frame to the access point, which replies to the client with an association response frame either allowing or disallowing association.


States of Authentication & Association

The complete process of authentication and association has three distinct states:
  1. Unauthenticated and unassociated
  2. Authenticated and unassociated
  3. Authenticated and associated
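The three states above are what an access point tracks for every client, and 802.11 sorts frames into classes by the state they require: authentication frames are legal in any state, association frames need state 2, and data needs state 3. The following is an added example (not code from the original page, and not a real 802.11 implementation) that models this per-client state machine with Open System (null) authentication. It goes slightly beyond the text by also handling deauthentication and disassociation frames, which are what move a client back down the ladder; the frame dictionaries, MAC address and SSID are constructed for the demonstration, while the status and reason code numbers are the ones 802.11 defines.

```python
"""Added example: the 802.11 authentication/association state machine as an
access point keeps it per client. Frames are plain dicts (constructed sample
input), not real 802.11 frames. Hypothetical code, not from the page."""
from enum import Enum


class State(Enum):
    UNAUTH_UNASSOC = 1   # state 1: only class 1 frames (auth, probe, beacon, deauth)
    AUTH_UNASSOC = 2     # state 2: class 2 frames allowed (assoc, reassoc, disassoc)
    AUTH_ASSOC = 3       # state 3: class 3 frames allowed (data)


OPEN_SYSTEM, SHARED_KEY = 0, 1                            # 802.11 auth algorithm numbers
STATUS_SUCCESS, STATUS_UNSPECIFIED, STATUS_UNSUPPORTED_ALG = 0, 1, 13
REASON_CLASS2_NONAUTH, REASON_CLASS3_NONASSOC = 6, 7     # 802.11 reason codes


class AccessPoint:
    def __init__(self, ssid, algorithms=(OPEN_SYSTEM,)):
        self.ssid = ssid
        self.algorithms = set(algorithms)
        self.states = {}   # client MAC -> State; unknown clients are in state 1

    def state_of(self, mac):
        return self.states.get(mac, State.UNAUTH_UNASSOC)

    def handle(self, mac, frame):
        """Process one frame from client `mac`; return the AP's reply (or None)."""
        kind, st = frame["type"], self.state_of(mac)

        if kind == "auth_req":                 # class 1: legal in every state
            if frame["algorithm"] not in self.algorithms:
                return ("auth_resp", STATUS_UNSUPPORTED_ALG)
            # Open System is null authentication: no credential is ever checked.
            if st is State.UNAUTH_UNASSOC:
                self.states[mac] = State.AUTH_UNASSOC
            return ("auth_resp", STATUS_SUCCESS)

        if kind == "deauth":                   # class 1: drops the client to state 1
            self.states.pop(mac, None)
            return None

        if kind == "assoc_req":                # class 2: needs state 2 or 3
            if st is State.UNAUTH_UNASSOC:
                return ("deauth", REASON_CLASS2_NONAUTH)
            if frame["ssid"] != self.ssid:     # the SSID must match exactly
                return ("assoc_resp", STATUS_UNSPECIFIED)
            self.states[mac] = State.AUTH_ASSOC
            return ("assoc_resp", STATUS_SUCCESS)

        if kind == "disassoc":                 # class 2: back to state 2, auth kept
            if st is State.AUTH_ASSOC:
                self.states[mac] = State.AUTH_UNASSOC
            return None

        if kind == "data":                     # class 3: only associated clients pass data
            if st is State.UNAUTH_UNASSOC:
                return ("deauth", REASON_CLASS2_NONAUTH)
            if st is State.AUTH_UNASSOC:
                return ("disassoc", REASON_CLASS3_NONASSOC)
            return ("forward", None)

        raise ValueError(f"unknown frame type {kind!r}")


def walk_through():
    """Drive one client through the exchange the text describes; return a trace."""
    ap = AccessPoint("corp-wlan")
    sta = "00:11:22:33:44:55"     # constructed client address
    trace = []

    def step(label, frame):
        reply = ap.handle(sta, frame)
        trace.append((label, reply, ap.state_of(sta)))

    step("assoc before auth", {"type": "assoc_req", "ssid": "corp-wlan"})
    step("open auth", {"type": "auth_req", "algorithm": OPEN_SYSTEM})
    step("data while unassociated", {"type": "data"})
    step("assoc", {"type": "assoc_req", "ssid": "corp-wlan"})
    step("data", {"type": "data"})
    step("disassoc", {"type": "disassoc"})
    step("deauth", {"type": "deauth"})
    step("shared key on open-only AP", {"type": "auth_req", "algorithm": SHARED_KEY})
    return trace


if __name__ == "__main__":
    for label, reply, state in walk_through():
        print(f"{label:28} -> {reply!s:22} client now in {state.name}")
```

Two details worth noticing in the trace: an association request from a client that was never authenticated is answered with a deauthentication, not an association response, and a disassociation leaves the client authenticated (state 2) whereas a deauthentication sends it all the way back to state 1. That asymmetry is why a single forged deauthentication frame costs a client the whole exchange.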

Authentication Methods


FIGURE 7.4 Open System Authentication Process

The IEEE 802.11 standard specifies two methods of authentication: Open System authentication and Shared Key authentication. The simpler, and also the more secure, of the two is Open System authentication. For a client to become authenticated, it must walk through a series of steps with the access point, and the steps vary with the authentication method used. Below, we discuss each authentication method specified by the 802.11 standard, how it works, and why it is used.

Open System Authentication
Open System authentication is a method of null authentication and is specified by IEEE 802.11 as the default setting in wireless LAN equipment. With this method, any station is authenticated by any access point that uses Open System authentication; the only thing the access point checks before allowing the station to associate is that the station presents the right service set identifier (SSID). The SSIDs must match on both the access point and the client before the client is allowed to complete the join. The Open System authentication process is used effectively in both secure and non-secure environments.

Open System Authentication Process

The Open System authentication process occurs as follows:
  1. The wireless client sends an authentication request to the access point
  2. The access point authenticates the client without checking any credential and sends a positive authentication response; the client then sends its association request and becomes associated (connected)
These steps can be seen in Figure 7.4.


Open System authentication is a very simple process. As the wireless LAN administrator, you have the option of using WEP (wired equivalent privacy) encryption with Open System authentication. If WEP is used with the Open System authentication process, there is still no verification of the WEP key on each side of the connection during authentication. Rather, the WEP key is used only for encrypting data once the client is authenticated and associated.

Open System authentication is used in several scenarios, but there are two main reasons to use it. First, Open System authentication is considered the more secure of the two available authentication methods for reasons explained below. Second, Open System authentication is simple to configure because it requires no configuration at all. All 802.11-compliant wireless LAN hardware is configured to use Open System authentication by default, making it easy to get started building and connecting your wireless LAN right out of the box.


Shared Key Authentication

Shared Key authentication is a method of authentication that requires use of WEP. WEP encryption uses keys that are entered (usually by the administrator) into both the client and the access point. These keys must match on both sides for WEP to work properly. Shared Key authentication uses WEP keys in two fashions, as we will describe here.


Shared Key Authentication Process

The authentication process using Shared Key authentication occurs as follows.

1. The client sends an authentication request to the access point – this step is the same as that of Open System authentication.

2. The access point issues a challenge to the client – this challenge is 128 bytes of randomly generated plain text, which is sent from the access point to the client in the clear.

3. The client responds to the challenge – the client responds by encrypting the challenge text using the client’s WEP key and sending it back to the access point.

4. The access point responds to the client’s response – The access point decrypts the client's encrypted response to verify that the challenge text is encrypted using a matching WEP key. Through this process, the access point determines whether or not the client has the correct WEP key. If the client’s WEP key is correct, the access point will respond positively and authenticate the client. If the client’s WEP key is not correct, the access point will respond negatively, and not authenticate the client, leaving the client unauthenticated and unassociated.

This process is shown in Figure 7.5.


It would seem that the Shared Key authentication process is more secure than Open System authentication, but it is not. Rather, Shared Key authentication opens the door for would-be hackers: the challenge goes over the air in the clear and the response is that same text encrypted under WEP, so anyone listening captures a plaintext/ciphertext pair and can XOR the two to recover the RC4 keystream for that IV. With that keystream, the eavesdropper can answer any later challenge (reusing the same IV) and be authenticated without ever learning the WEP key. It is important to understand both ways that WEP is used. The WEP key can be used during the Shared Key authentication process to verify a client's identity, but it can also be used for encryption of the data payload sent by the client through the access point.
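The four-step exchange above, together with the keystream-recovery attack against it, as an added example that is not part of the original page. RC4 and the WEP framing (24-bit IV prepended to the key, CRC-32 integrity check value appended to the plaintext) are implemented in full; the authentication frame is simplified to IV || (challenge || ICV) XOR keystream, leaving out the algorithm number, sequence number and status fields a real frame also carries. The five-byte key and the 128-byte challenges are constructed here.

```python
"""Added example: why Shared Key authentication weakens WEP. An eavesdropper who
sees the cleartext challenge and the encrypted reply XORs them to recover the
RC4 keystream for that IV, then answers any later challenge under the same IV
without knowing the key. Frame layout is simplified; not the page's code."""
import os
import zlib

CHALLENGE_LEN = 128   # Shared Key challenge text is 128 octets
IV_LEN = 3            # WEP prepends a 24-bit IV to the key to seed RC4


def rc4_keystream(key: bytes, length: int) -> bytes:
    s = list(range(256))                      # key-scheduling algorithm
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0             # pseudo-random generation algorithm
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")   # WEP integrity check value


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    ks = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), ks)


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None if the ICV does not verify."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    pt = xor(body, rc4_keystream(iv + key, len(body)))
    data, tag = pt[:-4], pt[-4:]
    return data if icv(data) == tag else None


class AccessPoint:
    """Shared Key authenticator: steps 2 and 4 of the exchange."""
    def __init__(self, key: bytes):
        self.key, self.pending = key, None

    def challenge(self) -> bytes:             # step 2: random cleartext challenge
        self.pending = os.urandom(CHALLENGE_LEN)
        return self.pending

    def verify(self, frame: bytes) -> bool:   # step 4: decrypt, check ICV and text
        return wep_decrypt(self.key, frame) == self.pending


def station_response(key: bytes, challenge: bytes) -> bytes:   # step 3
    return wep_encrypt(key, os.urandom(IV_LEN), challenge)


def recover_keystream(challenge: bytes, response: bytes):
    """Attacker: known plaintext (challenge + its ICV) XOR ciphertext = keystream."""
    iv, body = response[:IV_LEN], response[IV_LEN:]
    return iv, xor(challenge + icv(challenge), body)


def forge_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Attacker: encrypt a fresh challenge with the stolen keystream, reusing the IV."""
    return iv + xor(new_challenge + icv(new_challenge), keystream)


def demo(key: bytes = b"\x01\x02\x03\x04\x05") -> dict:
    ap = AccessPoint(key)
    c1 = ap.challenge()
    r1 = station_response(key, c1)            # legitimate client, sniffed by attacker
    legit = ap.verify(r1)
    wrong = ap.verify(station_response(b"\x00" * 5, ap.challenge()))   # wrong key fails
    iv, ks = recover_keystream(c1, r1)        # 132 bytes of keystream for this IV
    forged = ap.verify(forge_response(iv, ks, ap.challenge()))
    return {"legit": legit, "wrong_key": wrong, "forged_without_key": forged}


if __name__ == "__main__":
    print(demo())
```

The forged response passes for the same reason the genuine one does: the access point only checks that decrypting with the key yields the pending challenge and a valid ICV, and the recovered keystream is exactly what RC4 produces for that IV and key. The attacker must reuse the captured IV, but WEP never forbids IV reuse, so nothing stops it. The same 132 bytes of keystream also decrypt the first 128 bytes of any data frame sent under that IV.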

Sunday, July 12, 2009

Locating a Wireless LAN

When you install, configure, and finally start up a wireless LAN client device such as a USB client or PCMCIA card, the client will automatically “listen" to see if there is a wireless LAN within range. The client is also discovering if it can associate with that wireless LAN. This process of listening is called scanning. Scanning occurs before any other process, since scanning is how the client finds the network.

There are two kinds of scanning: passive scanning and active scanning. In finding an access point, client stations follow a trail of breadcrumbs left by the access point. These breadcrumbs are called service set identifiers (SSID) and beacons. These tools serve as a means for a client station to find any and all access points.


Service Set Identifier

The service set identifier (SSID) is a case-sensitive value of up to 32 bytes used by wireless LANs as a network name. This naming handle is used for segmenting networks, as a rudimentary security measure, and in the process of joining a network. The SSID value is sent in beacons, probe requests, probe responses, and other types of frames, always in the clear, so it is a name rather than a secret and should not be relied on to keep anyone out. A client station must be configured for the correct SSID in order to join a network. The administrator configures the SSID (sometimes called the ESSID) in each access point. Some stations can use any SSID value they hear instead of only one manually specified by the administrator. If clients are to roam seamlessly among a group of access points, the clients and all access points must be configured with matching SSIDs. The most important point about an SSID is that it must match EXACTLY between access points and clients.


Beacons

Beacons (short for beacon management frame) are short frames that are sent from the access point to stations (infrastructure mode) or station-to-station (ad hoc mode) in order to organize and synchronize wireless communication on the wireless LAN.


Passive Scanning


Passive scanning is the process of listening for beacons on each channel for a specific period of time after the station is initialized. These beacons are sent by access points (infrastructure mode) or client stations (ad hoc mode), and the scanning station catalogs characteristics about the access points or stations based on these beacons. The station searching for a network listens for beacons until it hears a beacon listing the SSID of the network it wishes to join. The station then attempts to join the network through the access point that sent the beacon. Passive scanning is illustrated in Figure 7.1. In configurations where there are multiple access points, the SSID of the network the station wishes to join may be broadcast by more than one of these access points. In this situation, the station will attempt to join the network through the access point with the strongest signal strength and the lowest bit error rate.

Stations continue passive scanning even after associating to an access point. Passive scanning saves time reconnecting to the network if the client is disconnected (disassociated) from the access point to which the client is currently connected. By maintaining a list of available access points and their characteristics (channel, signal strength, SSID, etc), the station can quickly locate the best access point should its current connection be broken for any reason.

Stations roam from one access point to another once the radio signal from the access point they are connected to drops below a certain level of signal strength. Roaming is implemented so that the station can stay connected to the network. Stations use the information obtained through passive scanning to locate the next best access point (or ad hoc network) to use for connectivity back into the network. For this reason, overlap between access point cells is usually specified at approximately 20-30%. This overlap allows stations to seamlessly roam between access points, disconnecting and reconnecting without the user’s knowledge.


Active Scanning


Active scanning involves the station sending a probe request frame. Stations send this probe frame when they are actively seeking a network to join. The probe frame contains either the SSID of the network they wish to join or a broadcast SSID. If a probe request is sent specifying an SSID, then only access points that are servicing that SSID will respond with a probe response frame. If a probe request frame is sent with a broadcast SSID, then all access points within reach will respond with a probe response frame, as can be seen in Figure 7.2.

The point of probing in this manner is to locate access points through which the station can attach to the network. Once an access point with the proper SSID is found, the station initiates the authentication and association steps of joining the network through that access point.

The information passed from the access point to the station in probe response frames is almost identical to that of beacons. Probe response frames carry the same timestamp, beacon interval and capability fields as beacons; they differ mainly in that they do not include a Traffic Indication Map (TIM), since they answer one station's probe rather than announcing buffered traffic to the cell.

The signal strength of the probe response frames that the PC Card receives back helps determine the access point with which the PC card will attempt to associate. The station generally chooses the access point with the strongest signal strength and lowest bit error rate (BER). The BER is the ratio of bits received in error to bits transmitted, and it is largely determined by the signal-to-noise ratio of the signal. If the peak of an RF signal is somewhere near the noise floor, the receiver may confuse the data signal with noise.
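Both scanning modes end with the station parsing beacon or probe response bodies and picking an access point. The following is an added example (not from the original page) that builds frame bodies in the 802.11 layout described above, 12 bytes of fixed fields (timestamp, beacon interval, capability) followed by tagged information elements, parses them, and runs the passive-scan selection over a constructed capture. The RSSI values, SSIDs and channels are made up; selection uses signal strength only, since a sniffed capture carries no bit error rate. It also handles the two cases a scanner meets in practice: a hidden (zero-length or all-NUL) SSID, and an element whose declared length runs past the end of the frame.

```python
"""Added example: parse 802.11 beacon / probe response frame bodies and run the
selection step of passive scanning over a constructed capture. Not the page's
code; the capture below is made up."""
import struct

IE_SSID, IE_RATES, IE_DS_PARAM, IE_TIM = 0, 1, 3, 5   # 802.11 element IDs
FIXED_LEN = 12   # Timestamp(8) + Beacon interval(2) + Capability(2)


def build_body(ssid, channel, *, tim=None, timestamp=0, interval=100, cap=0x0001):
    """Assemble a beacon (tim given) or probe response (tim=None) frame body."""
    body = struct.pack("<QHH", timestamp, interval, cap)
    body += bytes([IE_SSID, len(ssid)]) + ssid
    body += bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1/2/5.5/11 Mbps, basic rates
    body += bytes([IE_DS_PARAM, 1, channel])
    if tim is not None:
        body += bytes([IE_TIM, len(tim)]) + tim
    return body


def parse_ies(data):
    """Walk the tagged elements; refuse a length that runs past the frame."""
    ies, pos = {}, 0
    while pos + 2 <= len(data):
        eid, elen = data[pos], data[pos + 1]
        pos += 2
        if pos + elen > len(data):
            raise ValueError(f"element {eid} length {elen} overruns frame")
        ies.setdefault(eid, data[pos:pos + elen])   # keep the first copy of a duplicate
        pos += elen
    if pos != len(data):
        raise ValueError("dangling byte after last element")
    return ies


def parse_mgmt_body(body):
    """Return (ssid, channel, is_beacon, hidden) for a beacon/probe response body."""
    if len(body) < FIXED_LEN:
        raise ValueError("body shorter than the fixed fields")
    ies = parse_ies(body[FIXED_LEN:])
    if len(ies.get(IE_DS_PARAM, b"")) != 1:
        raise ValueError("missing or malformed DS Parameter Set")
    raw = ies.get(IE_SSID, b"")
    hidden = raw.strip(b"\x00") == b""     # zero-length or all-NUL SSID: not advertised
    ssid = None if hidden else raw.decode("utf-8", "replace")
    return ssid, ies[IE_DS_PARAM][0], IE_TIM in ies, hidden


def passive_scan(capture, wanted):
    """Catalogue every parseable frame; pick the strongest AP advertising `wanted`."""
    seen, malformed = [], 0
    for body, rssi in capture:
        try:
            ssid, ch, is_beacon, hidden = parse_mgmt_body(body)
        except ValueError:
            malformed += 1          # one bad frame must not take the scanner down
            continue
        seen.append({"ssid": ssid, "channel": ch, "rssi": rssi,
                     "beacon": is_beacon, "hidden": hidden})
    candidates = [b for b in seen if b["ssid"] == wanted]
    best = max(candidates, key=lambda b: b["rssi"], default=None)
    return best, seen, malformed


# Constructed capture: three "corp" APs, one hidden network, one truncated frame.
SAMPLE_CAPTURE = [
    (build_body(b"corp", 1, tim=b"\x00\x01\x00\x00"), -67),
    (build_body(b"corp", 6, tim=b"\x00\x01\x00\x00"), -52),
    (build_body(b"corp", 11), -41),                               # probe response: no TIM
    (build_body(b"", 36, tim=b"\x00\x01\x00\x00"), -38),          # hidden SSID, strongest signal
    (build_body(b"guest", 6, tim=b"\x00\x01\x00\x00")[:-3], -45),  # cut short on the air
]

if __name__ == "__main__":
    best, seen, bad = passive_scan(SAMPLE_CAPTURE, "corp")
    print(f"{len(seen)} frames catalogued, {bad} malformed, joining: {best}")
```

The hidden network on channel 36 has the strongest signal but is never a candidate, because its beacon carries no name; a station that wants it has to fall back to active scanning with a directed probe request. The truncated frame is counted and skipped rather than parsed, which is the behaviour to insist on in any driver or scanner that consumes frames from the air.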

Sunday, July 5, 2009

IEEE standards

The Institute of Electrical and Electronics Engineers (IEEE) is the key standards maker for most things related to information technology in the United States. The IEEE creates its standards within the laws created by the FCC. The IEEE specifies many technology standards such as Public Key Cryptography (IEEE 1363), FireWire (IEEE 1394), Ethernet (IEEE 802.3), and Wireless LANs (IEEE 802.11).

It is part of the mission of the IEEE to develop standards for wireless LAN operation within the framework of the FCC rules and regulations. Following are the four main IEEE standards for wireless LANs that are either in use or in draft form:
  • 802.11
  • 802.11b
  • 802.11a
  • 802.11g

IEEE 802.11

The 802.11 standard was the first standard describing the operation of wireless LANs. This standard contained all of the available transmission technologies including Direct Sequence Spread Spectrum (DSSS), Frequency Hopping Spread Spectrum (FHSS), and infrared.

The IEEE 802.11 standard describes DSSS systems that operate at 1 Mbps and 2 Mbps only. If a DSSS system operates at other data rates as well, such as 1 Mbps, 2 Mbps, and 11 Mbps, then it can still be an 802.11-compliant system. If, however, the system is operating at any rate other than 1 or 2 Mbps, then, even though the system is 802.11-compliant because of its ability to work at 1 & 2 Mbps, it is not operating in an 802.11-compliant mode and cannot be expected to communicate with other 802.11-compliant devices.

IEEE 802.11 is one of two standards that describe the operation of frequency hopping wireless LAN systems. If a wireless LAN administrator encounters a frequency hopping system, then it is likely to be either an 802.11-compliant or OpenAir compliant system (discussed below). The 802.11 standard describes use of FHSS systems at 1 and 2 Mbps. There are many FHSS systems on the market that extend this functionality by offering proprietary modes that operate at 3-10 Mbps, but just as with DSSS, if the system is operating at speeds other than 1 & 2 Mbps, it cannot be expected to automatically communicate with other 802.11-compliant devices.

802.11 compliant products operate strictly in the 2.4 GHz ISM band between 2.4000 and 2.4835 GHz. Infrared, also covered by 802.11, is light-based technology and does not fall into the 2.4 GHz ISM band.


IEEE 802.11b

Though the 802.11 standard was successful in allowing DSSS as well as FHSS systems to interoperate, the technology has outgrown the standard. Soon after the approval and implementation of 802.11, DSSS wireless LANs were exchanging data at up to 11 Mbps. But, without a standard to guide the operation of such devices, there came to be problems with interoperability and implementation. The manufacturers ironed out most of the implementation problems, so the job of IEEE was relatively easy: create a standard that complied with the general operation of wireless LANs then on the market. It is not uncommon for the standards to follow the technology in this way, particularly when the technology evolves quickly.

IEEE 802.11b, referred to as "High-Rate" and Wi-Fi™, specifies direct sequencing (DSSS) systems that operate at 1, 2, 5.5 and 11 Mbps. The 802.11b standard does not describe any FHSS systems, and 802.11b-compliant devices are also 802.11-compliant by default, meaning they are backward compatible and support both 2 and 1 Mbps data rates. Backward compatibility is very important because it allows a wireless LAN to be upgraded without the cost of replacing the core hardware. This low-cost feature, together with the high data rate, has made the 802.11b-compliant hardware very popular.

The high data rate of 802.11b-compliant devices is the result of using a different coding technique. Though the system is still a direct sequencing system, the way the chips are coded (CCK rather than Barker Code) along with the way the information is modulated (QPSK at 2, 5.5, & 11 Mbps and BPSK at 1 Mbps) allows for a greater amount of data to be transferred in the same time frame. 802.11b compliant products operate only in the 2.4 GHz ISM band between 2.4000 and 2.4835 GHz.


IEEE 802.11a

The IEEE 802.11a standard describes wireless LAN device operation in the 5 GHz UNII bands. Operation in the UNII bands automatically makes 802.11a devices incompatible with all other devices complying with the other 802.11 series of standards. The reason for this incompatibility is simple: systems using 5 GHz frequencies will not communicate with systems using 2.4 GHz frequencies.

Using the UNII bands, most devices are able to achieve data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. Some devices employing the UNII bands have achieved data rates of 108 Mbps by using proprietary technology, such as rate doubling; these highest rates are the result of newer technologies not specified by the 802.11a standard. IEEE 802.11a lists all eight rates above but makes only 6, 12, and 24 Mbps mandatory: a wireless LAN device must support at least these three data rates in the UNII bands in order to be 802.11a-compliant. The maximum data rate specified by the 802.11a standard is 54 Mbps.


IEEE 802.11g

802.11g provides the same maximum speed of 802.11a, coupled with backwards compatibility for 802.11b devices. This backwards compatibility will make upgrading wireless LANs simple and inexpensive. Since 802.11g technology is new, 802.11g devices are not yet available as of this writing.

IEEE 802.11g specifies operation in the 2.4 GHz ISM band. To achieve the higher data rates found in 802.11a, 802.11g-compliant devices utilize Orthogonal Frequency Division Multiplexing (OFDM) modulation. These devices can automatically fall back to the DSSS/CCK modulation of 802.11b in order to communicate with the slower 802.11b- and 802.11-compatible devices. With all of its apparent advantages, 802.11g’s use of the crowded 2.4 GHz band could prove to be a disadvantage.