On 11/17/2004 11:01 AM, Andrea G. Forte wrote:
> Hi all,
>
> I am new to WPA/802.11i and I have a few doubts. I hope you can help me.
> What is not clear to me is how often a supplicant needs to authenticate to
> the server...is it every time the supplicant performs a L2 handoff?

The supplicant needs to authenticate anytime it wishes to get L2 access. It is an extension of the Authenticate & Associate MAC processes.


> It
> seems like if the supplicant does not authenticate it does not get an IP
> address, so I would think that authentication would happen only when the
> supplicant performs L3 and not L2 handoff. Am I right?

No. 802.1X authentication is L2 access, and has nothing to do with IP addressing. If a station moves to another AP, it must become authenticated (somehow) at that AP. Either by another AAA exchange, or a back-end protocol between APs and maybe an AAA server (see 802.11f) or a central controller (see CAPWAP).
Making authentication work quickly across handoffs is a current working effort in several groups.
Obviously, IP topology becomes a configuration issue, but not an authentication problem, per se.


> Another doubt I have is: if I am a malicious user and set a static IP
> address and know the key, am I able to use the network or am I blocked
> somehow by the authenticator? How does the authenticator know if it has to
> block my ports or not when I connect to the AP?

Your port is blocked (by your MAC address and MAC state) at the AP until you pass authentication. IP has nothing to do with it. I'm not sure what "the key" is that you know, but session keys are derived dynamically from the master key. In fact you must know your "key", as it's not exchanged over the network. It could be your account password, or a machine certificate. What's different from WEP is the master key is unique per user, and the derived session key is unique for every authentication instance.



> Your help is very much appreciated. Thank you.
> Andrea Forte

Good luck,
Dave.
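The two points Dave makes in the reply (the port stays blocked until the station proves it holds the master key, and the session key is fresh for every authentication instance even though the master key does not change) are easiest to see in the 802.11i key derivation itself. The following is an added example, not code from the list post or from FreeRADIUS: it implements the 802.11i PRF-384 pairwise key expansion and a simulation of messages 1 and 2 of the 4-way handshake, then runs the handshake three times for one station (at AP1, after a handoff to AP2, and back at AP1) with one PMK. All MAC addresses, nonces, the SSID, the passphrase and the frame body are constructed values. One caveat the example makes explicit: the PMK here comes from a WPA-PSK passphrase, so it is shared by every station; the per-user master key Dave describes is what you get when the PMK is produced by an EAP method over 802.1X instead, but the PTK derivation below is the same in both cases.

```python
"""Why a session key is unique per authentication: 802.11i PTK derivation.

Added example (not from the mailing-list post or FreeRADIUS). All MAC
addresses, nonces, the SSID and the passphrase below are constructed values.
Key derivation follows IEEE 802.11i: PRF-384 over the PMK, keyed on both MACs
and both nonces; the EAPOL-Key MIC is HMAC-SHA1 truncated to 128 bits (the
AES key descriptor version).
"""
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for
    i = 0, 1, ... concatenated until n_bytes are available."""
    out = b""
    i = 0
    while len(out) < n_bytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:n_bytes]


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK master key: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits.
    With 802.1X/EAP the PMK is delivered by the EAP method instead and is
    therefore per user; with a passphrase it is the same for every station."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise Transient Key for CCMP: PRF-384 -> KCK | KEK | TK (16 bytes each).
    aa = authenticator (AP) MAC, spa = supplicant (station) MAC. Because the
    AP address and both nonces are inputs, a different AP or a new handshake
    at the same AP yields a different PTK from the same PMK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC, AES descriptor version: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_pmk: bytes, sta_pmk: bytes, aa: bytes, spa: bytes,
                       anonce: bytes, snonce: bytes):
    """Simulate messages 1 and 2 of the 4-way handshake.

    Returns (mic_ok, tk). mic_ok is the AP's verdict on message 2; the
    controlled port for this station stays blocked unless it is True.
    tk is the AP's derived temporal key (None when the check fails)."""
    # Message 1, AP -> STA: ANonce in the clear. Nothing to verify yet.
    # Message 2, STA -> AP: SNonce plus a MIC computed with the KCK the
    # station derived. Only a station holding the PMK can produce it.
    sta_ptk = derive_ptk(sta_pmk, aa, spa, anonce, snonce)
    msg2_body = b"EAPOL-Key msg2" + snonce      # constructed stand-in for the frame
    msg2_mic = eapol_mic(sta_ptk["KCK"], msg2_body)

    # The AP now has both nonces, derives its own PTK from its PMK and checks
    # the MIC. A station with the wrong (or no) PMK fails here regardless of
    # whatever IP address it configured for itself.
    ap_ptk = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    if not hmac.compare_digest(eapol_mic(ap_ptk["KCK"], msg2_body), msg2_mic):
        return False, None
    return True, ap_ptk["TK"]


def handoff_demo():
    """One PMK, three authentication instances: AP1, handoff to AP2, back to AP1.
    Each handshake uses fresh nonces, so each temporal key is different."""
    pmk = pmk_from_passphrase("correct horse battery", "ExampleNet")   # constructed
    sta = bytes.fromhex("b0b1b2b3b4b5")                                # constructed MACs
    ap1 = bytes.fromhex("a0a1a2a3a4a5")
    ap2 = bytes.fromhex("a0a1a2a3a4a6")
    tks = []
    for aa in (ap1, ap2, ap1):
        ok, tk = four_way_handshake(pmk, pmk, aa, sta, os.urandom(32), os.urandom(32))
        assert ok
        tks.append(tk)
    return tks


if __name__ == "__main__":
    for n, tk in enumerate(handoff_demo(), 1):
        print(f"authentication {n}: TK = {tk.hex()}")
```

Running the script prints three distinct temporal keys for the same station and the same PMK, which is the "unique for every authentication instance" property. Handing the PMK to the next AP through a back-end channel (what 802.11f and CAPWAP-style controllers do) saves the AAA round trip, but the station still has to complete a fresh 4-way handshake at that AP before its port opens.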


