Emerging Tech: Security — The Need for Wireless Airspace Cybersecurity
Excerpt From Wi-Fi Vulnerabilities Part 2 Webinar
Wi-Fi Handshaking (Enterprise Networks)
In an enterprise network, authentication involves three parties: an access point, a client, and a RADIUS server. The RADIUS server acts as the gatekeeper and communicates with the access point to enable authentication. The process begins with an EAPOL-Start message followed by an identity exchange. The client must then demonstrate its legitimacy through a challenge-response process in which the server issues a challenge unique to the user's identity. Learn more with CTO Dr. Brett Walkenhorst in this short video below.
In an enterprise network, in addition to the two players that we had before (in the previous sequence diagram, you saw a client and an access point), we still have the client on the far right, and we have the access point now in the middle because we've added a third entity to this exchange that we call a RADIUS server.
And this server is speaking an IP protocol called RADIUS that's going to allow it to exchange information with the access point such that it serves as the authenticator. So the server is the gatekeeper in an enterprise network. And if you implement this in your system, and most enterprise systems should do this.
I can't say they all do, but it's a good idea to implement it as an enterprise and not as a PSK kind of personal network. If you do this, there's a set of exchanges that set things up with this EAPOL-Start message, and then there's this identity exchange.
At that point, the access point sort of steps out of the way. It starts to just act as a middleman to facilitate the communication between the client and the server. Now the client has to prove to the server that the client is legitimate, and it does this through this process of challenge and response.
So the server gets the identity of the client and credentials, as opposed to a shared secret with a personal network. The credentials are now gonna be specific to a user, possibly a client, but more likely a user. So when the identity is sent to the server, the server now knows who it's talking to, and it's going to send a challenge specific to that user.
The client then has to be able to respond to that challenge in such a way as to convince the server that it is a legitimate client, at which point the server will authorize the access point to negotiate connectivity with the client, and then we're back to that four-way handshake, which is no longer an authentication mechanism as it was for the personal network.
But in this case, it's simply used to establish a session, a set of session keys, which will be used to encrypt traffic from that point on. So these extra steps are for exchanging credentials, and that can come in a number of different ways. And it often involves a two-step process where we establish an outer tunnel and an inner tunnel where the credentials are exchanged inside of some cryptographic scheme.
That exchange could include things like a password, but it may also include things like certificates. And certificates could be exchanged in both directions, with validation in one or both directions as well. That's the basic overview of what an EAP protocol is that's used to implement authentication in an enterprise Wi-Fi network.
Now there's lots of different ways to do it. This is just the bare bones. There's over forty different methods out there. I'm not gonna talk about them all. I'm just gonna talk about one. But they all look something like this. One variation on a theme is that this challenge-response process can be iterated a number of times depending on the method that's being used for authentication.
So that portion in the middle there, you do that any number, one to n, times, however many you like.
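The following is an added illustration, not code from the webinar or from Bastille: a toy model of the exchange described above, with the three parties as Python classes. The RADIUS-style server alone holds per-user credentials, the access point only relays the identity and challenge/response messages (iterated one to n times, as the speaker notes), and only after the server's accept does the four-way handshake run, deriving a session key rather than authenticating anyone. Message formats, the `prf` key-derivation helper, the password-to-key step, and the MAC addresses and user store are all constructed simplifications; a real deployment would carry the credential inside a tunnelled EAP method and use the 802.11 PRF and key hierarchy.

```python
"""Toy model of enterprise Wi-Fi (802.1X/EAP) authentication followed by the
four-way handshake. Constructed example: dict-free plain messages, HMAC-SHA256
standing in for the EAP method and the 802.11 PRF, and no real packet encoding."""
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 used as a stand-in for the EAP method / 802.11 PRF (assumption)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def cred_key(password: str) -> bytes:
    """Constructed: reduce a user credential to a key. In practice the credential
    would be exchanged inside an outer TLS-style tunnel or replaced by certificates."""
    return hashlib.sha256(password.encode()).digest()


def mic(ptk: bytes, data: bytes) -> bytes:
    """Message integrity code keyed with the first 16 bytes of the PTK (toy KCK)."""
    return hmac.new(ptk[:16], data, hashlib.sha256).digest()


class RadiusServer:
    """The gatekeeper: the only party that knows per-user credentials."""

    def __init__(self, users: dict, rounds: int = 1):
        self.users = users      # identity -> password (constructed user store)
        self.rounds = rounds    # how many challenge/response iterations to run (1..n)
        self.pending = {}       # identity -> list of challenges issued so far

    def on_identity(self, identity: str):
        """Identity exchange: unknown users are rejected, known users get a challenge."""
        if identity not in self.users:
            return ("reject", None)
        self.pending[identity] = [os.urandom(16)]
        return ("challenge", self.pending[identity][-1])

    def on_response(self, identity: str, response: bytes):
        """Verify one response; issue another challenge or accept with a PMK."""
        chals = self.pending.get(identity)
        if chals is None:
            return ("reject", None)
        expected = prf(cred_key(self.users[identity]), b"eap-resp", chals[-1])
        if not hmac.compare_digest(expected, response):
            del self.pending[identity]
            return ("reject", None)
        if len(chals) < self.rounds:
            chals.append(os.urandom(16))
            return ("challenge", chals[-1])
        # All rounds passed: PMK bound to the credential and the whole transcript.
        pmk = prf(cred_key(self.users[identity]), b"pmk", *chals)
        del self.pending[identity]
        return ("accept", pmk)


class Client:
    def __init__(self, identity: str, password: str, mac: bytes):
        self.identity, self.key, self.mac = identity, cred_key(password), mac
        self.transcript = []    # challenges seen, so the client derives the same PMK
        self.ptk = None

    def respond(self, challenge: bytes) -> bytes:
        self.transcript.append(challenge)
        return prf(self.key, b"eap-resp", challenge)

    def handshake_msg2(self, ap_mac: bytes, anonce: bytes):
        """Four-way handshake message 2: SNonce plus a MIC under the client's PTK."""
        self.snonce = os.urandom(32)
        pmk = prf(self.key, b"pmk", *self.transcript)
        self.ptk = prf(pmk, b"Pairwise key expansion", ap_mac, self.mac, anonce, self.snonce)
        return self.snonce, mic(self.ptk, self.snonce)

    def handshake_msg3(self, anonce: bytes, mic3: bytes) -> bool:
        """Message 3: check the AP proves it holds the same PTK; message 4 is the ack."""
        ok = hmac.compare_digest(mic(self.ptk, anonce), mic3)
        if not ok:
            self.ptk = None
        return ok


class AccessPoint:
    """Authenticator: relays EAP to the server and never sees the credential."""

    def __init__(self, server: RadiusServer, mac: bytes):
        self.server, self.mac = server, mac

    def authenticate(self, client: Client):
        """EAPOL-Start, identity exchange, n relayed challenge/response rounds,
        then the four-way handshake. Returns the installed PTK or None."""
        status, payload = self.server.on_identity(client.identity)
        while status == "challenge":
            status, payload = self.server.on_response(client.identity, client.respond(payload))
        if status != "accept":
            return None
        return self.four_way_handshake(client, payload)   # payload is the PMK

    def four_way_handshake(self, client: Client, pmk: bytes):
        anonce = os.urandom(32)                                    # message 1
        snonce, mic2 = client.handshake_msg2(self.mac, anonce)     # message 2
        ptk = prf(pmk, b"Pairwise key expansion", self.mac, client.mac, anonce, snonce)
        if not hmac.compare_digest(mic(ptk, snonce), mic2):
            return None                                            # PMKs differ
        if not client.handshake_msg3(anonce, mic(ptk, anonce)):    # messages 3 and 4
            return None
        return ptk
```

Running `AccessPoint(RadiusServer({"alice": "..."}, rounds=3), ap_mac).authenticate(Client("alice", "...", client_mac))` walks all three rounds and returns a PTK equal to the client's; a wrong password or an unknown identity is rejected by the server before the handshake ever starts, and the access point object holds no credential at any point.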