On 11/18/2004 12:20 AM, Andrea G. Forte wrote:
>> On 11/17/2004 11:01 AM, Andrea G. Forte wrote:
>>> Hi all,
>>> I am new to WPA/802.11i and I have a few doubts. I hope you can help me. What is not clear to me is how often a supplicant needs to authenticate to the server... is it every time the supplicant performs an L2 handoff?
>> The supplicant needs to authenticate anytime it wishes to get L2 access. It is an extension of the Authenticate & Associate MAC processes.
> Why is the authentication done every single time an L2 handoff occurs? Usually for 802.11b, I can cover a building floor with about two or three APs, and for 802.11a each AP covers an even smaller area. This means that I will have to authenticate even if I move "from one room to another" (exaggeration!).
> This to me sounds like an unnecessary overhead.
There is a fundamental authentication/security problem you are glossing over: How does the AP you roam to know who you are? How does one AP know you authenticated against another? How does the new AP know the session key you were using with the prior one? If it doesn't, how does it make a new one? How does that AP trust the other AP? How does it know you are really the same station, and not some hacker spoofing the same MAC address?
Answer those questions thoroughly and you will be on the way to solving the roaming problem.
> How is my port blocked?
>>> Another doubt I have is: if I am a malicious user and set a static IP address and know the key, am I able to use the network or am I blocked somehow by the authenticator? How does the authenticator know if it has to block my ports or not when I connect to the AP?
Your port is blocked (by your MAC address and MAC state) at the AP until you pass authentication. IP has nothing to do with it. I'm not sure what "the key" is that you know, but session keys are derived dynamically from the master key. In fact you must know your "key", as it's not exchanged over the network. It could be your account password, or a machine certificate. What's different from WEP is the master key is unique per user, and the derived session key is unique for every authentication instance.
Until you pass authentication, only EAPOL data frames will be processed, all other data frames will be discarded. This is what 802.11i and 802.1x standards describe. It's part of the operation of an AP that adheres to those standards.
>>> Also, if I return to an AP I previously authenticated with, does this AP have some sort of "allowed" MAC list without having me to start the whole authentication process over (i.e. with exchange of certificates, etc.) for a second time?
It might. There is a Re-Associate control frame that can be used. However, there is still the problem of proving you are who you say you are. I've forgotten how much of that process is settled.
Dave.
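To make Dave's two points concrete (the controlled port is keyed by MAC state and ignores IP, and the session key is derived from the per-user master key so it is different for every authentication instance), here is an added model, written for this archive page rather than taken from the thread or from FreeRADIUS. It simplifies the 802.11i key handshake to a single HMAC-based derivation over both MAC addresses and two fresh nonces; the AP MAC, station MACs, user name and master keys are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ETHERTYPE_EAPOL = 0x888E  # 802.1X EAPOL: the only frames an unauthorized port processes
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: bytes


def derive_session_key(master_key, ap_mac, sta_mac, anonce, snonce):
    """Bind the session key to both nonces and both MACs, so every
    authentication instance (fresh nonces) yields a different key.
    Simplified stand-in for the 802.11i key derivation, not the real PTK PRF."""
    data = ap_mac.encode() + sta_mac.encode() + anonce + snonce
    return hmac.new(master_key, data, hashlib.sha256).digest()


def mic_over(key, anonce, snonce):
    """Integrity check proving the sender derived the same session key."""
    return hmac.new(key, anonce + snonce, hashlib.sha256).digest()


class AccessPoint:
    """Controlled port of one AP. Authorization state is keyed by MAC address."""

    def __init__(self, ap_mac, master_keys):
        self.ap_mac = ap_mac
        self._master_keys = master_keys  # user -> master key (what the authentication server knows)
        self._authorized = {}            # sta_mac -> installed session key
        self._pending = {}               # sta_mac -> ANonce handed out
        self.forwarded = []
        self.dropped = []

    def is_authorized(self, sta_mac):
        return sta_mac in self._authorized

    def receive(self, frame):
        """Port filter: EAPOL always reaches the authenticator; everything else
        is forwarded only once the MAC is authorized. The IP address inside the
        payload is never consulted."""
        if frame.ethertype == ETHERTYPE_EAPOL:
            return "eapol"
        if self.is_authorized(frame.src_mac):
            self.forwarded.append(frame)
            return "forwarded"
        self.dropped.append(frame)
        return "dropped"

    def start_auth(self, sta_mac):
        anonce = os.urandom(32)
        self._pending[sta_mac] = anonce
        return anonce

    def finish_auth(self, sta_mac, user, snonce, mic):
        anonce = self._pending.pop(sta_mac, None)
        master = self._master_keys.get(user)
        if anonce is None or master is None:
            return False
        key = derive_session_key(master, self.ap_mac, sta_mac, anonce, snonce)
        if not hmac.compare_digest(mic_over(key, anonce, snonce), mic):
            return False                 # wrong master key: port stays blocked
        self._authorized[sta_mac] = key
        return True

    def deauthenticate(self, sta_mac):
        """Station leaves (or roams away): its port returns to unauthorized."""
        self._authorized.pop(sta_mac, None)


class Station:
    def __init__(self, mac, user, master_key):
        self.mac, self.user, self.master_key = mac, user, master_key
        self.session_key = None

    def authenticate(self, ap):
        anonce = ap.start_auth(self.mac)
        snonce = os.urandom(32)
        key = derive_session_key(self.master_key, ap.ap_mac, self.mac, anonce, snonce)
        ok = ap.finish_auth(self.mac, self.user, snonce, mic_over(key, anonce, snonce))
        self.session_key = key if ok else None
        return ok


def demo():
    master = b"constructed-master-key-for-andrea"        # constructed sample value
    ap = AccessPoint("00:11:22:33:44:55", {"andrea": master})
    sta = Station("aa:bb:cc:dd:ee:01", "andrea", master)
    ip_frame = Frame(sta.mac, ETHERTYPE_IPV4, b"packet carrying a static IP header")

    before = ap.receive(ip_frame)        # unauthorized port: dropped
    sta.authenticate(ap)
    key_first = sta.session_key
    after = ap.receive(ip_frame)         # authorized: forwarded

    ap.deauthenticate(sta.mac)
    impostor = Station(sta.mac, "andrea", b"guessed-key")  # same MAC, wrong master key
    impostor_ok = impostor.authenticate(ap)
    impostor_frame = ap.receive(ip_frame)

    sta.authenticate(ap)                 # second authentication instance, fresh nonces
    return {
        "before": before, "after": after,
        "impostor_ok": impostor_ok, "impostor_frame": impostor_frame,
        "fresh_key_each_time": key_first != sta.session_key,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three behaviours from the reply: the IPv4 frame is dropped until the MAC passes authentication regardless of what address is in it, a station that reuses the same MAC without the master key never gets its port opened, and a second authentication by the legitimate station installs a different session key than the first.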
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html