Wi-Fi Enterprise Authentication


Wireless enterprise authentication is a wireless network authentication mode in which the access point acts as a pass-through for credentials that are verified by an AAA server.

  • main weaknesses of personal authentication:
    • distribution of the key or passphrase cannot be secured properly
    • users may choose insecure passphrases
    • fails to provide accounting
      • all users share the same credential
  • WPA’s enterprise authentication method implements IEEE 802.1X
    • to use an Extensible Authentication Protocol (EAP) mechanism to authenticate against a network directory
      • EAP-TLS
        • uses client-server certificates for mutual authentication
      • EAP-TTLS and PEAP (Protected EAP)
        • use server-side certificate to
          • establish a secure tunnel
          • validate the legitimacy of the access point
    • defines the use of EAP over Wireless (EAPoW)
      • allows an access point to forward authentication data without allowing any other type of network access
    • configured by selecting
      • WPA2-Enterprise
      • or WPA3-Enterprise
  • uses dynamic encryption key management
    • automatically changing the encryption key used during a user’s session

How it Works

  • when a wireless client requests an association
    • AP enables the channel for EAPoW traffic only
    • wireless client is referred to as the supplicant device
    • AP passes the credentials of the supplicant to an AAA (RADIUS or TACACS+) server for validation
    • when the supplicant is authenticated
      • AAA server transmits a master key (MK) to the supplicant
      • supplicant and authentication server then derive the same pairwise master key (PMK) from the MK
    • AAA server transmits the PMK to the access point
    • wireless station and access point use the PMK to derive session keys
      • using either
        • WPA2 four-way handshake
        • or WPA3 SAE methods
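
As an added illustration of the last step (example code written for these notes, not from the original page), the Python below derives the CCMP pairwise transient key (PTK) from a PMK on both the station and AP sides using the IEEE 802.11 PRF, then uses the resulting KCK to protect and verify four-way handshake message 2. The PMK, MAC addresses, nonces and key data are constructed sample values standing in for what the AAA server and the radios would supply.

```python
import hashlib
import hmac
import os

MIC_OFFSET, MIC_LEN = 81, 16  # Key MIC field position inside an EAPOL-Key frame

def ieee80211_prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1 expansion of key over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """CCMP PTK (KCK | KEK | TK, 48 bytes) from the PMK, both MAC addresses and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return ieee80211_prf(pmk, b"Pairwise key expansion", data, 48)

def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC (descriptor version 2, HMAC-SHA1-128) computed over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]

def verify_eapol_key_mic(kck: bytes, frame: bytes) -> bool:
    received = frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(received, eapol_key_mic(kck, frame))

def build_msg2(kck: bytes, snonce: bytes, key_data: bytes) -> bytes:
    """Handshake message 2 (supplicant -> AP): EAPOL-Key carrying SNonce, authenticated with the KCK."""
    key_info = b"\x01\x0a"  # descriptor version 2 (HMAC-SHA1), pairwise key, MIC bit set
    body = (b"\x02" + key_info + b"\x00\x10" + bytes(8)      # descriptor type, key info, key length, replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)       # nonce, key IV, key RSC, reserved
            + bytes(MIC_LEN) + len(key_data).to_bytes(2, "big") + key_data)
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL version 2, type 3 (EAPOL-Key)
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]

def run_handshake_demo() -> dict:
    pmk = os.urandom(32)  # constructed: stands in for the PMK the AAA server delivered to the AP
    aa, spa = bytes.fromhex("001122aabbcc"), bytes.fromhex("00deadbeef01")  # constructed MAC addresses
    anonce, snonce = os.urandom(32), os.urandom(32)  # fresh per session, so the PTK differs every time
    ptk_ap = derive_ptk(pmk, aa, spa, anonce, snonce)   # AP side
    ptk_sta = derive_ptk(pmk, spa, aa, snonce, anonce)  # station side: argument order does not matter
    kck = ptk_sta[:16]
    msg2 = build_msg2(kck, snonce, b"\x30\x14\x01\x00")  # constructed RSN IE fragment as key data
    tampered = msg2[:-1] + bytes([msg2[-1] ^ 1])         # one flipped bit must fail MIC verification
    return {"same_ptk": ptk_ap == ptk_sta, "ptk_len": len(ptk_ap),
            "mic_ok": verify_eapol_key_mic(ptk_ap[:16], msg2),
            "tampered_ok": verify_eapol_key_mic(ptk_ap[:16], tampered)}
```

Because the PTK depends on both nonces, a session key is never reused across associations even though the PMK from the AAA server stays fixed for the session.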