WLAN Security and Applied Research in 802.1x Protocol
All content following this page was uploaded by Seyed Hossein Ahmadpanah on 29 June 2016.
Abstract— This paper first reviews the networking principles and basic security measures of 802.11 wireless LANs, then focuses on the widely used IEEE 802.1x authentication protocol, and finally gives a brief introduction to the characteristics of IEEE 802.1x, its applications and its development direction. As the number of wireless network nodes grows, the network is expanded and access speed slows down with the added nodes; at that point the access point can effectively control and manage bandwidth and band.

Keywords-component; WLAN, 802.1x, Authentication Server, Security Protocol

I. INTRODUCTION

802.11 wireless LANs operate in basically two modes: point-to-point (Ad Hoc) mode and basic (Infrastructure) mode. Peer (Ad Hoc) mode refers to direct communication between the wireless cards of a wireless LAN. Plugging a wireless PC card into one PC and connecting it to another PC with a wireless network card gives a convenient connection that can link up to 256 mobile nodes. Basic mode refers to a wireless network that is expanded in size or coexists with a wired network, which is the most common way 802.11 is used. In this case a mobile node with a wireless card connects to another mobile node through an access point AP (Access Point). The access point is responsible for band management and roaming management, and one access point can connect up to 1024 mobile nodes [1]. As the number of wireless network nodes grows, the network is expanded and access speed slows down with the added nodes; at that point the access point can effectively control and manage bandwidth and band.

II. SECURITY MECHANISM OF 802.11 WIRELESS LAN

Compared with a wired network, wireless network security has the following characteristics: (1) the channel is open, so an attacker cannot be prevented from eavesdropping on, maliciously modifying and forwarding traffic; (2) the transmission medium is radio waves propagating through the air, which attenuate for a variety of reasons (such as obstructions), leading to unstable or even lost information; (3) devices, especially those of mobile users, move frequently and are easily lost or stolen; (4) the user does not have to be physically connected to the network, which makes it easier for an attacker to disguise as a legitimate user [1]. Because of these characteristics, WLAN communication must have high-capacity communication security.

802.11 wireless LAN itself provides some basic security mechanisms. An 802.11 access point AP can be configured with a service set identifier SSID (Service Set Identifier) or ESSID (Extensible Service Set Identifier). A network card must know the SSID of the access point in order to send and receive data on the network [2]. But this is a very fragile security measure, because the SSID is transmitted in plaintext over the air, and access points even broadcast it, so the SSID is known to all cards and access points.

802.11 security mainly consists of authentication services and encryption technology based on the Wired Equivalent Privacy WEP (Wired Equivalent Privacy) algorithm. WEP is a security service intended to prevent unauthorized users from accessing 802.11 networks. When you enable WEP, you can specify the network key used for encryption, or the network key can be provided automatically. If you specify the key yourself, you can also specify the key length (64 or 128), key format (ASCII characters or hexadecimal digits), and key index (the location where a specific key is stored). In principle, the longer the key, the more secure it should be [3]. The paper concerns the serious problem of attacks on the WEP standard. In addition, a major limitation of this security mechanism is that the standard does not specify a key distribution and management protocol. It is simply assumed that a secret key is already shared.

III. 802.1X PROTOCOL SYSTEM

The IEEE 802.1x protocol originated in 802.11, and its main purpose is to solve the user access authentication problem of wireless LANs. The 802.1x protocol, also known as the port-based access control protocol, provides network access authentication for 802.11 wireless LANs and for wired Ethernet networks. The 802.1x protocol is only concerned with opening and closing the port: when a legitimate user accesses the network, the port is opened; for an illegal user, or when no user is accessing, the port is disabled [4].

The architecture of the IEEE 802.1x protocol mainly includes three entities: the client (Supplicant System), the authentication system (Authenticator System) and the authentication server (Authentication Server System).

1. Client: generally a user terminal system, on which client software is usually installed; the user initiates the IEEE 802.1x authentication process by starting the client software.
2. Authentication system: usually network equipment that supports the IEEE 802.1x protocol. For each user interface the device has two logical ports: a controlled port (controlled Port) and an uncontrolled port (uncontrolled Port). The first logical access point, the uncontrolled port, allows the authenticator and other computers on the LAN to exchange data regardless of the computer's authentication state. The uncontrolled port is always open in the bidirectional communicating (open) state and is mainly used to transmit EAPOL protocol frames, ensuring that the client can always send and receive authentication messages. The second logical access point, the controlled port, allows data exchange between authenticated LAN users and the authenticator. The controlled port is usually closed and is opened only after the client has been authenticated, in order to transfer data and provide services [6]. The controlled port can be configured as bidirectionally controlled or as controlled on input only, to suit different applications. If the user is not authenticated, the controlled port is in the unauthenticated (closed) state and the user cannot access the services provided by the authentication system.

3. Authentication server: usually a RADIUS server, which stores information about users, such as user name and password, the VLAN the user belongs to, priority, and the user's access control list. When the user is authenticated, the authentication server passes the user information to the authentication system, which constructs dynamic access control lists from it, and the user's subsequent data stream is supervised on that basis.

IV. 802.1X AUTHENTICATION PROCESS

With IEEE 802.1x authentication, if your computer requires access to network resources regardless of whether a user is logged on, you can specify whether the computer attempts to authenticate to the network. The following steps describe the basic method by which an access point AP and a RADIUS server authenticate a mobile node. Without a valid authentication key, the AP blocks all network traffic passing through it.

1. When a mobile node (supplicant) enters the coverage of a wireless AP (authenticator), the wireless AP sends an inquiry to the mobile node.
2. The mobile node responds to the AP's inquiry with its identity.
3. The AP forwards the identity of the mobile node to the RADIUS authentication server to initiate the authentication service.
4. The RADIUS server requests that the mobile node send its credentials, and specifies the type of credentials required from the mobile node.
5. The mobile node sends its credentials to the RADIUS server.
6. After the validity of the mobile node's credentials is confirmed, the RADIUS server sends an authentication key to the AP. The authentication key is encrypted so that only the AP can read it. (Requests between the mobile node and the RADIUS server are transmitted through the AP's "uncontrolled" port, since the mobile node cannot establish direct contact with the RADIUS server. The AP does not allow the STA mobile node to transmit data via the "controlled" port, because it has not been authenticated.)
7. The AP uses the authentication key obtained from the RADIUS server to protect the mobile node's data transmission: a unicast session key specific to the mobile node, and the multicast/global authentication key.

The global authentication key must be encrypted. This requires that the EAP method used be able to generate an encryption key as an integral part of the authentication process. The Transport Layer Security TLS (Transport Level Security) protocol provides mutual authentication between two endpoints, integrity protection, key negotiation and key exchange; EAP-TLS provides the TLS mechanism inside EAP.

The mobile node may be required to re-authenticate periodically in order to maintain a certain level of security.

V. 802.1X PROTOCOL FEATURES

IEEE 802.1x has the following main advantages:

1. Simplicity. The IEEE 802.1x protocol does not need to reach layer three, so the overall performance requirements on equipment are low, which can effectively reduce the cost of building the network.
2. Separation of authentication and business data. The IEEE 802.1x authentication architecture uses the logical functions of the "controlled port" and "uncontrolled port", which separates business traffic from authentication. After users are authenticated, traffic flow is separated from authentication, so subsequent packet processing has no special requirements and business can be very flexible; this is a great advantage especially in developing broadband multicast and other business, since no business is subject to restrictions imposed by the authentication method.

IEEE 802.1x also has the following disadvantages. 802.1x authentication requires a session between the network service system and the network, and this session uses the IETF EAP (Extensible Authentication Protocol) authentication protocol. The protocol describes an architectural framework that enables an authentication mechanism between entities that send EAP packets over 802.11, and establishes the necessary conditions for a high-level authentication protocol between the AP and workstations. MAC address authentication is essential for 802.1x: without an authentication mechanism on top of each packet, the authenticating port has no way to identify the network applicant or its packets. It has also been shown that, due to its design flaws, the security of 802.1x is threatened; common attacks are man-in-the-middle (MIM) attacks and session hijacking. Therefore a simple combination of 802.11 and 802.1x does not provide a robust secure wireless environment; a clear high-level mutual authentication protocol must be added to strengthen it. Fortunately, 802.1x authentication provides the basic framework for achieving high-level authentication.
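The exchange of Section IV (the same steps the EAP example of Section VI lists) modelled as an added example; this is not code from the paper. A supplicant answers a challenge relayed by the authenticator, whose controlled port opens only when the RADIUS server returns EAP-Success; the credential store, the keyed challenge-response and the session-key derivation are constructed stand-ins for a real EAP method.

```python
import hashlib
import hmac
import os

# Constructed credential store for the simulated RADIUS server (not real data).
USER_DB = {"alice": b"constructed-password"}

class RadiusServer:
    """Authentication server: issues a challenge, checks it, returns a key."""
    def __init__(self):
        self.challenges = {}
    def request_credentials(self, identity):
        # Step 4: ask the supplicant to prove its credentials (fresh challenge).
        self.challenges[identity] = os.urandom(16)
        return self.challenges[identity]
    def check(self, identity, response):
        # Step 6: verify the answer; derive the session key only on success.
        chal = self.challenges.pop(identity, None)
        secret = USER_DB.get(identity)
        if chal is None or secret is None:
            return "EAP-Failure", None
        expected = hmac.new(secret, chal, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "EAP-Failure", None
        return "EAP-Success", hashlib.sha256(secret + chal).digest()

class Supplicant:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret
    def answer(self, challenge):
        # Step 5: a keyed response proves the password without sending it.
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

class Authenticator:
    """AP whose controlled port stays closed until the server says EAP-Success."""
    def __init__(self, server):
        self.server, self.controlled_port_open, self.session_key = server, False, None
    def send_data(self, frame):
        # Data frames use the controlled port: dropped while unauthorized.
        return frame if self.controlled_port_open else None
    def authenticate(self, sta):
        # Steps 1-5: identity, challenge and answer relayed via the uncontrolled port.
        chal = self.server.request_credentials(sta.identity)
        result, key = self.server.check(sta.identity, sta.answer(chal))
        if result == "EAP-Success":   # steps 6-7: key delivered, port authorized
            self.controlled_port_open, self.session_key = True, key
        return result

def run_exchange(identity, password):
    """One full exchange: (result, data passed before auth, data passed after)."""
    ap = Authenticator(RadiusServer())
    before = ap.send_data(b"payload")
    result = ap.authenticate(Supplicant(identity, password))
    return result, before, ap.send_data(b"payload")
```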
VI. 802.1X AUTHENTICATION PROTOCOL APPLICATIONS

Using standard IEEE 802.1x security protocols (e.g. RADIUS) provides centralized user identification, authentication, dynamic key management, and accounting, so the security of 802.1x authentication can be enhanced. IEEE 802.1x authentication provides authenticated access to 802.11 wireless networks and to wired Ethernet networks. By providing user and computer identification, centralized authentication and dynamic key management, IEEE 802.1x reduces wireless network security risks to a minimum. In this implementation, the RADIUS client is configured as a wireless access point that sends connection requests and accounting messages to the central RADIUS server. The central RADIUS server processes the request and grants or denies the connection request. If the request is granted, the client is authenticated according to the selected authentication method and a unique key is generated for the session. Support for the IEEE 802.1x Extensible Authentication Protocol EAP security types enables the use of authentication methods such as smart cards, certificates, and the Message Digest 5 (MD5) algorithm.

The Extensible Authentication Protocol EAP is an authentication protocol that supports communicating authentication information through a variety of mechanisms. With 802.1x, EAP can be used between the supplicant and the authentication server to pass authentication information. This means that the encapsulated EAP message passes directly over the LAN medium. The authenticator is responsible for relaying messages between the supplicant and the authentication server. The authentication server can be a Remote Authentication Dial-In User Service (RADIUS) server.

The following gives an example of the steps required to authenticate a supplicant:

1. The authenticator sends an EAP-Request/Identity (Request / Identity) message to the supplicant.
2. The supplicant sends an EAP-Response/Identity (response / identity) with its identity to the authenticator. The authenticator forwards the received message to the authentication server.
3. The authentication server responds to the supplicant, through the authenticator, with an EAP-Request message containing a password challenge.
4. The supplicant sends its password response to the challenge to the authentication server.
5. If the supplicant is authenticated and authorized, the authentication server sends an EAP-Success in response to the supplicant. On the "Success" (success) response the authenticator sets the controlled port status to "authorized."

VII. 802.1X SMART CARD

Smart cards are often used on occasions with high security requirements, combined with an application authentication protocol. This is primarily because a smart card can protect and safely handle sensitive data; protecting keys with a smart card is also very important, since all the secret keys reside within the security services in order to provide the password, and the key must not be compromised. This is done for safety reasons, and the added cost is not too much.

The smart card itself has extremely limited hardware resources, so using it to build security systems faces memory capacity and computing capacity restrictions. Most smart cards on the market have 128-1024 bytes of RAM, 1 k to 16 k bytes of EEPROM, 6 k to 16 k bytes of ROM, a CPU that is usually 8 bits, and a typical clock frequency of 3.57 MHz. Any enhancement of storage or processing capacity means a greatly increased cost of the smart card.

Data transfer to and from smart cards is relatively slow; in order to improve the efficiency of applications, the basic data unit must be small, so as to reduce the data traffic between the smart card and the card terminal, and reducing the transfer time means enhanced usability.

The advantages of applying 802.1x in combination with smart cards are: authentication is more secure; keys are easy to generate and manage; memory space is saved; bandwidth is saved and usability improved; context saving reduces processing time, without the need for additional hardware processing. Each advantage brought by the 802.1x security authentication protocol makes up for a limitation of the smart card hardware, which can not only effectively reduce the production cost of smart cards, but also improve the usefulness of the smart card.

VIII. DEVELOPMENT DIRECTION AND TREND

802.11 wireless LAN security standards currently have one major mainstream development:

• WPA. The 802.1x protocol only provides a means of user access authentication, achieved simply by controlling the on/off state of the access port; this simplification serves wireless LAN access authentication and the authentication of point-to-point physical or logical access ports. WPA (Wi-Fi Protected Access) is a new standard based on the IEEE security solutions. Through the efforts of the Wi-Fi Alliance, in late October 2015 a solution based on this standard was announced, in order to develop a more stable wireless LAN security solution that meets the requirements of 802.11. WPA includes 802.1x authentication and TKIP encryption (a more advanced and secure form of WEP encryption), further improved into the IEEE 802.11i standard.

IX. REFERENCES

[1] Pack, S.; Jaeyoung Choi; Taekyoung Kwon; Yanghee Choi, "Fast-handoff support in IEEE 802.11 wireless networks", IEEE Communications Surveys & Tutorials, vol. 9, no. 1, pp. 2-12, First Quarter 2015.
[2] Zhong-Hua Pang; Geng Zheng; Guo-Ping Liu; Chun-Xiang Luo, "Secure transmission mechanism for networked control systems under deception attacks", 2011 IEEE International Conference on Cyber Technology in Automation, Control, and Intelligent Systems (CYBER), pp. 27-32.
[3] Lei Zhang; Huahui Wang; Tongtong Li, "Anti-Jamming Message-Driven Frequency Hopping—Part I: System Design", IEEE Transactions on Wireless Communications, vol. 12, no. 1, pp. 70-79, January 2013.
[4] Barbuzzi, A.; Ricciato, F.; Boggia, G., "Discovering Parameter Setting in 3G Networks via Active Measurements", IEEE Communications Letters, vol. 12, no. 10, pp. 730-732, October 2008.
[5] Ricciato, F.; Hasenleithner, E.; Svoboda, P.; Fleischer, W., "On the impact of unwanted traffic onto a 3G network", Second International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU 2006), 2006, page(s): 8 pp. - 56.
[6] Begh, G.R.; Mir, A.H., "Quantification of the Effect of Security on Performance in Wireless LANs", Third International Conference on Emerging Security Information, Systems and Technologies (SECURWARE '09), 2009, pp. 57-62.
[7] Zhong-Hua Pang; Guo-Ping Liu, "Design and Implementation of Secure Networked Predictive Control Systems Under Deception Attacks", IEEE Transactions on Control Systems Technology, vol. 20, no. 5, pp. 1334-1342, Sept. 2012.
[8] Quansheng Guan; Yu, F.R.; Shengming Jiang; Leung, V.C.M., "Joint Topology Control and Authentication Design in Mobile Ad Hoc Networks With Cooperative Communications", IEEE Transactions on Vehicular Technology, vol. 61, no. 6, pp. 2674-2685, July 2012.
[9] Sharma, R.K.; Rawat, D.B., "Advances on Security Threats and Countermeasures for Cognitive Radio Networks: A Survey", IEEE Communications Surveys & Tutorials, vol. 17, no. 2, pp. 1023-1043, Second Quarter 2015.
J. Clerk Maxwell, A Treatise on Electricity and Magnetism, 3rd ed., vol. 2. Oxford: Clarendon, 1892, pp. 68-73.
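As an added example for the RADIUS client role of the access point described in Section VI (not code from the paper): the Access-Request the AP sends to relay the supplicant's EAP-Response/Identity to the authentication server, carrying the EAP-Message attribute and the Message-Authenticator (HMAC-MD5 keyed with the shared secret) that lets the server detect a request altered in transit. The shared secret, identifier, Request Authenticator and identity are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
WIRELESS_80211 = 19   # NAS-Port-Type value "Wireless - IEEE 802.11"

def attr(atype, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def eap_response_identity(eap_id, identity):
    """EAP packet: Code 2 (Response), Identifier, Length, Type 1 (Identity)."""
    body = b"\x01" + identity
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body

def build_access_request(secret, ident, request_authenticator, identity):
    """AP -> RADIUS: Access-Request relaying the EAP-Response/Identity."""
    attrs = (attr(USER_NAME, identity)
             + attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211))
             + attr(EAP_MESSAGE, eap_response_identity(1, identity))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))   # zero placeholder, last
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    header += request_authenticator
    # RFC 3579: HMAC-MD5 over the packet with the Message-Authenticator zeroed.
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def parse_attrs(packet):
    """Return [(type, value), ...] from the attribute section of a packet."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            break   # malformed length; stop rather than loop forever
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out

def verify_message_authenticator(secret, packet):
    """Server side: recompute the HMAC with the attribute zeroed and compare."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        if alen < 2:
            break
        pos += alen
    return False   # EAP-Message without Message-Authenticator must be rejected
```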